-rw-r--r--includes/bootstrap.inc40
-rw-r--r--modules/simpletest/tests/bootstrap.test20
2 files changed, 24 insertions, 36 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 27cd8400e..97e7ee9c8 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -402,16 +402,22 @@ function drupal_initialize_variables() {
if (!isset($_SERVER['SERVER_PROTOCOL']) || ($_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.0' && $_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.1')) {
$_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.0';
}
- // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
- // defined for E_ALL compliance.
- if (!isset($_SERVER['HTTP_HOST'])) {
- $_SERVER['HTTP_HOST'] = '';
- }
- if (!drupal_valid_http_host()) {
- // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
- header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
- exit;
+ if (isset($_SERVER['HTTP_HOST'])) {
+ // As HTTP_HOST is user input, ensure it only contains characters allowed
+ // in hostnames. See RFC 952 (and RFC 2181).
+ // $_SERVER['HTTP_HOST'] is lowercased here per specifications.
+ $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
+ if (!drupal_valid_http_host($_SERVER['HTTP_HOST'])) {
+ // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
+ header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
+ exit;
+ }
+ }
+ else {
+ // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
+ // defined for E_ALL compliance.
+ $_SERVER['HTTP_HOST'] = '';
}
// Enforce E_ALL, but allow users to set levels not part of E_ALL.
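Review bot: The new `isset($_SERVER['HTTP_HOST'])` branch only constrains the character set of the Host header; it never compares the value against a host this site is meant to serve, so a syntactically clean but attacker-chosen `Host: evil.example` still passes and is then trusted by anything downstream that builds absolute URLs from `$_SERVER['HTTP_HOST']`. The comment should state that limit so nobody reads the 400 as host-header-poisoning protection: `// Character-set sanity check only: this does not verify the host is one this site should answer for.`. The byte-wise `strtolower()` on the raw header is acceptable here only because the following check appears to reject anything outside the ASCII letters, digits and `-:._]` it allows, which is worth saying in the same comment. drupal_initialize_variables() starts and ends outside this hunk.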
@@ -434,23 +440,13 @@ function drupal_initialize_variables() {
}
/**
- * Validate that $_SERVER['HTTP_HOST'] is safe.
- *
- * As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters
- * allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is
- * lowercased.
+ * Validate that a hostname (for example $_SERVER['HTTP_HOST']) is safe.
*
* @return
* TRUE if only containing valid characters, or FALSE otherwise.
*/
-function drupal_valid_http_host() {
- if (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] != '') {
- $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
- return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']);
- }
- else {
- return TRUE;
- }
+function drupal_valid_http_host($host) {
+ return preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host);
}
/**
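Review bot: drupal_valid_http_host() now returns preg_match()'s int (1 or 0) while the docblock still promises TRUE/FALSE, and the removed version did return literal TRUE for the empty case; a caller comparing with `=== TRUE` would now silently fail, so either cast, `return (bool) preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host);`, or correct the docblock. The empty-string case also changed meaning: preg_match() on '' yields 0, so a Host header that is present but empty is now rejected with 400 by the caller where it was accepted before, and if that is intended it deserves a sentence in the docblock. The pattern is a character allowlist rather than a hostname parser (`:` and `]` may appear anywhere, so `a:]:b` passes), which the docblock should also say: `Only checks that the string is made of characters that can appear in a host[:port]; it does not validate structure or compare against a trusted host list.`.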
diff --git a/modules/simpletest/tests/bootstrap.test b/modules/simpletest/tests/bootstrap.test
index a27f8cfaf..149c5ef49 100644
--- a/modules/simpletest/tests/bootstrap.test
+++ b/modules/simpletest/tests/bootstrap.test
@@ -71,20 +71,12 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
ip_address(TRUE) == $this->cluster_ip,
t('Cluster environment got cluster client IP')
);
- $_SERVER['HTTP_HOST'] = 'security/.drupal.org:80';
- $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with / is invalid'));
- $_SERVER['HTTP_HOST'] = 'security\\.drupal.org:80';
- $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with \\ is invalid'));
- $_SERVER['HTTP_HOST'] = 'security<.drupal.org:80';
- $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with &lt; is invalid'));
- $_SERVER['HTTP_HOST'] = 'security..drupal.org:80';
- $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with .. is invalid'));
- $_SERVER['HTTP_HOST'] = '[::1]:80'; // IPv6 loopback address
- $this->assertTrue(drupal_valid_http_host(), t('HTTP_HOST containing IPv6 loopback is valid'));
- $_SERVER['HTTP_HOST'] = '';
- $this->assertTrue(drupal_valid_http_host(), t('Empty HTTP_HOST is valid'));
- $_SERVER['HTTP_HOST'] = NULL;
- $this->assertTrue(drupal_valid_http_host(), t('NULL HTTP_HOST is valid'));
+ $this->assertFalse(drupal_valid_http_host('security/.drupal.org:80'), t('HTTP_HOST with / is invalid'));
+ $this->assertFalse(drupal_valid_http_host('security\\.drupal.org:80'), t('HTTP_HOST with \\ is invalid'));
+ $this->assertFalse(drupal_valid_http_host('security<.drupal.org:80'), t('HTTP_HOST with &lt; is invalid'));
+ $this->assertFalse(drupal_valid_http_host('security..drupal.org:80'), t('HTTP_HOST with .. is invalid'));
+ // IPv6 loopback address
+ $this->assertTrue(drupal_valid_http_host('[::1]:80'), t('HTTP_HOST containing IPv6 loopback is valid'));
}
}
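Review bot: The rewritten assertions drop the empty and NULL cases without replacing them, so the new behaviour of drupal_valid_http_host('') (falsy, since preg_match() on an empty string returns 0) is untested, and nothing exercises the uppercase letters the regex now accepts before the caller lowercases. Add `$this->assertFalse(drupal_valid_http_host(''), t('Empty host is invalid'));` and `$this->assertTrue(drupal_valid_http_host('Drupal.ORG:80'), t('Mixed-case host is valid'));`. A passing case for a plain IPv4 literal such as `127.0.0.1:8080` would also pin the most common deployment shape. The enclosing test method begins before this hunk.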