Diffstat (limited to 'includes/bootstrap.inc')
-rw-r--r-- | includes/bootstrap.inc | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 5b424829e..9710669b7 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -580,9 +580,10 @@ function drupal_settings_initialize() {
     // Otherwise use $base_url as session name, without the protocol
     // to use the same session identifiers across http and https.
     list( , $session_name) = explode('://', $base_url, 2);
-    // We escape the hostname because it can be modified by a visitor.
+    // HTTP_HOST can be modified by a visitor, but we already sanitized it
+    // in drupal_settings_initialize().
     if (!empty($_SERVER['HTTP_HOST'])) {
-      $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
+      $cookie_domain = $_SERVER['HTTP_HOST'];
     }
   }
   // Strip leading periods, www., and port numbers from cookie domain.
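Review bot: The new comment justifies dropping check_plain() by saying HTTP_HOST "was already sanitized in drupal_settings_initialize()", but per the hunk header that is the enclosing function itself, and no validation of $_SERVER['HTTP_HOST'] is visible in this hunk, so the claim cannot be verified from here and the comment points a future maintainer at the wrong place. Taking the raw header value is only safe if an earlier bootstrap phase has already rejected any host that is not a valid RFC 952-style hostname before this function runs; in this codebase that check appears to live in drupal_environment_initialize() (drupal_valid_http_host()), and the comment should name it explicitly, e.g. `// HTTP_HOST can be modified by a visitor, but drupal_environment_initialize()` / `// has already rejected any value that is not a valid hostname.` Note that check_plain() (HTML entity escaping) was never a meaningful control for a value that ends up in a Set-Cookie header, so the upstream hostname validation is the real defence; if it is ever relaxed, this assignment becomes a cookie-scope / header-injection risk with nothing left to catch it. The body of drupal_settings_initialize() starts before and continues after this hunk.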