comparison includes/bootstrap.inc @ 19:3edae6ecd6c6 6.9

Drupal 6.9
author Franck Deroche <franck@defr.org>
date Thu, 15 Jan 2009 10:15:56 +0100
parents 4347c45bb494
children
18:f5131a9cd9e5 19:3edae6ecd6c6
1 <?php 1 <?php
2 // $Id: bootstrap.inc,v 1.206.2.7 2008/12/08 11:49:48 goba Exp $ 2 // $Id: bootstrap.inc,v 1.206.2.9 2009/01/14 19:10:25 goba Exp $
3 3
4 /** 4 /**
5 * @file 5 * @file
6 * Functions that need to be loaded on every Drupal request. 6 * Functions that need to be loaded on every Drupal request.
7 */ 7 */
265 } 265 }
266 } 266 }
267 } 267 }
268 268
269 /** 269 /**
270 * Validate that $_SERVER['HTTP_HOST'] is safe. 270 * Validate that a hostname (for example $_SERVER['HTTP_HOST']) is safe.
271 * 271 *
272 * As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters 272 * As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters
273 * allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is 273 * allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is
274 * lowercased. 274 * lowercased.
275 * 275 *
276 * @return 276 * @return
277 * TRUE if only containing valid characters, or FALSE otherwise. 277 * TRUE if only containing valid characters, or FALSE otherwise.
278 */ 278 */
279 function drupal_valid_http_host() { 279 function drupal_valid_http_host($host) {
280 $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']); 280 return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $host);
281 return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']);
282 } 281 }
283 282
284 /** 283 /**
285 * Loads the configuration and sets the base URL, cookie domain, and 284 * Loads the configuration and sets the base URL, cookie domain, and
286 * session name correctly. 285 * session name correctly.
290 289
291 // Export the following settings.php variables to the global namespace 290 // Export the following settings.php variables to the global namespace
292 global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access; 291 global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access;
293 $conf = array(); 292 $conf = array();
294 293
295 if (!drupal_valid_http_host()) { 294 if (isset($_SERVER['HTTP_HOST'])) {
296 // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack. 295 // As HTTP_HOST is user input, ensure it only contains characters allowed
297 header('HTTP/1.1 400 Bad Request'); 296 // in hostnames. See RFC 952 (and RFC 2181).
298 exit; 297 // $_SERVER['HTTP_HOST'] is lowercased here per specifications.
298 $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
299 if (!drupal_valid_http_host($_SERVER['HTTP_HOST'])) {
300 // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
301 header('HTTP/1.1 400 Bad Request');
302 exit;
303 }
304 }
305 else {
306 // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
307 // defined for E_ALL compliance.
308 $_SERVER['HTTP_HOST'] = '';
299 } 309 }
300 310
301 if (file_exists('./'. conf_path() .'/settings.php')) { 311 if (file_exists('./'. conf_path() .'/settings.php')) {
302 include_once './'. conf_path() .'/settings.php'; 312 include_once './'. conf_path() .'/settings.php';
303 } 313 }
1010 break; 1020 break;
1011 1021
1012 case DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE: 1022 case DRUPAL_BOOTSTRAP_LATE_PAGE_CACHE:
1013 // Initialize configuration variables, using values from settings.php if available. 1023 // Initialize configuration variables, using values from settings.php if available.
1014 $conf = variable_init(isset($conf) ? $conf : array()); 1024 $conf = variable_init(isset($conf) ? $conf : array());
1015 // Load module handling.
1016 require_once './includes/module.inc';
1017 $cache_mode = variable_get('cache', CACHE_DISABLED); 1025 $cache_mode = variable_get('cache', CACHE_DISABLED);
1018 // Get the page from the cache. 1026 // Get the page from the cache.
1019 $cache = $cache_mode == CACHE_DISABLED ? '' : page_get_cache(); 1027 $cache = $cache_mode == CACHE_DISABLED ? '' : page_get_cache();
1020 // If the skipping of the bootstrap hooks is not enforced, call hook_boot. 1028 // If the skipping of the bootstrap hooks is not enforced, call hook_boot.
1021 if ($cache_mode != CACHE_AGGRESSIVE) { 1029 if (!$cache || $cache_mode != CACHE_AGGRESSIVE) {
1030 // Load module handling.
1031 require_once './includes/module.inc';
1022 bootstrap_invoke_all('boot'); 1032 bootstrap_invoke_all('boot');
1023 } 1033 }
1024 // If there is a cached page, display it. 1034 // If there is a cached page, display it.
1025 if ($cache) { 1035 if ($cache) {
1026 drupal_page_cache_header($cache); 1036 drupal_page_cache_header($cache);
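Review bot: In the new drupal_valid_http_host() (new line 280) the `$` anchor without the `D` modifier still matches before a trailing newline, so a Host value ending in "\n" passes the check; tightening it to `return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/D', $host);` closes that gap at no cost. More importantly, this remains a character-class filter, not a trusted-host allowlist: any syntactically clean hostname an attacker sends is then used by conf_init() to derive the base URL (per its docblock at new line 284), so cached pages and generated absolute links can still carry an attacker-chosen host. I would add a comment on the call site at new line 299 along the lines of `// Character filter only: this does not bind the request to a known site host; set $base_url in settings.php to avoid trusting the Host header.` and, if feasible, compare the lowercased value against a configured list. The `@return` doc should also say the value is preg_match()'s int (1/0) or FALSE on error rather than a strict boolean. The enclosing conf_init() starts before this hunk.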