diff options
| -rw-r--r-- | includes/bootstrap.inc | 27 | ||||
| -rw-r--r-- | modules/simpletest/tests/bootstrap.test | 6 |
2 files changed, 24 insertions, 9 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc index 9e9e527a5..7eead8055 100644 --- a/includes/bootstrap.inc +++ b/includes/bootstrap.inc @@ -392,6 +392,18 @@ function drupal_initialize_variables() { if (!isset($_SERVER['SERVER_PROTOCOL']) || ($_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.0' && $_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.1')) { $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.0'; } + // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is + // defined for E_ALL compliance. + if (!isset($_SERVER['HTTP_HOST'])) { + $_SERVER['HTTP_HOST'] = ''; + } + + if (!drupal_valid_http_host()) { + // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack. + header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request'); + exit; + } + // Enforce E_ALL, but allow users to set levels not part of E_ALL. error_reporting(E_ALL | error_reporting()); @@ -422,8 +434,13 @@ function drupal_initialize_variables() { * TRUE if only containing valid characters, or FALSE otherwise. */ function drupal_valid_http_host() { - $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']); - return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']); + if (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] != '') { + $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']); + return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']); + } + else { + return TRUE; + } } /** @@ -437,12 +454,6 @@ function conf_init() { global $databases, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access; $conf = array(); - if (!drupal_valid_http_host()) { - // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack. - header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request'); - exit; - } - if (file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) { include_once DRUPAL_ROOT . '/' . conf_path() . '/settings.php'; } diff --git a/modules/simpletest/tests/bootstrap.test b/modules/simpletest/tests/bootstrap.test index 29191eeaf..a27f8cfaf 100644 --- a/modules/simpletest/tests/bootstrap.test +++ b/modules/simpletest/tests/bootstrap.test @@ -68,7 +68,7 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase { // Cluster environment. $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] = $this->cluster_ip; $this->assertTrue( - ip_address(true) == $this->cluster_ip, + ip_address(TRUE) == $this->cluster_ip, t('Cluster environment got cluster client IP') ); $_SERVER['HTTP_HOST'] = 'security/.drupal.org:80'; @@ -81,6 +81,10 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase { $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with .. is invalid')); $_SERVER['HTTP_HOST'] = '[::1]:80'; // IPv6 loopback address $this->assertTrue(drupal_valid_http_host(), t('HTTP_HOST containing IPv6 loopback is valid')); + $_SERVER['HTTP_HOST'] = ''; + $this->assertTrue(drupal_valid_http_host(), t('Empty HTTP_HOST is valid')); + $_SERVER['HTTP_HOST'] = NULL; + $this->assertTrue(drupal_valid_http_host(), t('NULL HTTP_HOST is valid')); } } |