From 2c474d2a055faefd9100830d9503c6f47ee3be65 Mon Sep 17 00:00:00 2001
From: Angie Byron
Date: Sun, 3 Jan 2010 01:23:49 +0000
Subject: #668932 by Damien Tournoud : Remove duplicate sanitzing of HTTP_HOST.
---
 includes/bootstrap.inc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'includes')
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 5b424829e..9710669b7 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -580,9 +580,10 @@ function drupal_settings_initialize() {
 // Otherwise use $base_url as session name, without the protocol
 // to use the same session identifiers across http and https.
 list( , $session_name) = explode('://', $base_url, 2);
- // We escape the hostname because it can be modified by a visitor.
+ // HTTP_HOST can be modified by a visitor, but we already sanitized it
+ // in drupal_settings_initialize().
 if (!empty($_SERVER['HTTP_HOST'])) {
- $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
+ $cookie_domain = $_SERVER['HTTP_HOST'];
 }
 }
 // Strip leading periods, www., and port numbers from cookie domain.
--
cgit v1.2.3
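Review bot: The new comment says HTTP_HOST was "already sanitized in drupal_settings_initialize()", but the hunk header places this assignment inside drupal_settings_initialize() itself, so the comment does not tell a reader where the validation actually happens. With check_plain() removed, `$cookie_domain = $_SERVER['HTTP_HOST'];` copies a visitor-controlled header into the cookie domain and is only safe if that earlier check has run on every bootstrap path that reaches this line. The comment should name the validating function and state what it guarantees, for example `// HTTP_HOST is visitor-controlled; <validating function> has already rejected values with characters outside the allowed hostname set.` The function body begins and ends outside the hunk, so the earlier validation cannot be confirmed from the lines shown here.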