comparison includes/bootstrap.inc @ 15:4347c45bb494 6.7
Drupal 6.7
| author | Franck Deroche <webmaster@defr.org> | 
|---|---|
| date | Tue, 23 Dec 2008 14:32:44 +0100 | 
| parents | 8b6c45761e01 | 
| children | 3edae6ecd6c6 | 
| 14:626fcabfa4b8 | 15:4347c45bb494 | 
|---|---|
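--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1,7 +1,7 @@
 <?php
-// $Id: bootstrap.inc,v 1.206.2.6 2008/10/22 19:26:01 goba Exp $
+// $Id: bootstrap.inc,v 1.206.2.7 2008/12/08 11:49:48 goba Exp $
 
 /**
 * @file
 * Functions that need to be loaded on every Drupal request.
 */
@@ -236,15 +236,10 @@
 return $conf;
 }
 
 $confdir = 'sites';
 $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
-if (strpos($_SERVER['HTTP_HOST'], '/') !== FALSE) {
-// A HTTP_HOST containing slashes may be an attack and is invalid.
-header('HTTP/1.1 400 Bad Request');
-exit;
-}
 $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
 for ($i = count($uri) - 1; $i > 0; $i--) {
 for ($j = count($server); $j > 0; $j--) {
 $dir = implode('.', array_slice($server, -$j)) . implode('.', array_slice($uri, 0, $i));
 if (file_exists("$confdir/$dir/settings.php") || (!$require_settings && file_exists("$confdir/$dir"))) {
@@ -270,19 +265,40 @@
 }
 }
 }
 
 /**
+* Validate that $_SERVER['HTTP_HOST'] is safe.
+*
+* As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters
+* allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is
+* lowercased.
+*
+* @return
+* TRUE if only containing valid characters, or FALSE otherwise.
+*/
+function drupal_valid_http_host() {
+$_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
+return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']);
+}
+
+/**
 * Loads the configuration and sets the base URL, cookie domain, and
 * session name correctly.
 */
 function conf_init() {
 global $base_url, $base_path, $base_root;
 
 // Export the following settings.php variables to the global namespace
 global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access;
 $conf = array();
+
+if (!drupal_valid_http_host()) {
+// HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
+header('HTTP/1.1 400 Bad Request');
+exit;
+}
 
 if (file_exists('./'. conf_path() .'/settings.php')) {
 include_once './'. conf_path() .'/settings.php';
 }
 
@@ -303,13 +319,11 @@
 }
 else {
 // Create base URL
 $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';
 
-// As $_SERVER['HTTP_HOST'] is user input, ensure it only contains
-// characters allowed in hostnames.
-$base_url = $base_root .= '://'. preg_replace('/[^a-z0-9-:._]/i', '', $_SERVER['HTTP_HOST']);
+$base_url = $base_root .= '://'. $_SERVER['HTTP_HOST'];
 
 // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
 // be modified by a visitor.
 if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\,/')) {
 $base_path = "/$dir";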
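Review bot: `drupal_valid_http_host()` rewrites `$_SERVER['HTTP_HOST']` to lowercase as a side effect of validating it, which neither the function name nor the first line of its docblock conveys; any code that read the host before `conf_init()` ran sees a different value afterwards, so I would state it up front: `* Side effect: $_SERVER['HTTP_HOST'] is normalised to lowercase before it is validated.` (also `@return` documents TRUE/FALSE while `preg_match()` actually yields 1, 0 or FALSE on error, which `!` happens to treat correctly). The slash check removed from `conf_path()` now lives only in `conf_init()`; if `conf_path()` can be reached before `conf_init()` runs (its other callers are not visible here), that path derives a settings directory name from an unvalidated host value, so it is worth confirming every entry script goes through `conf_init()` first. The pattern `(?:[a-z0-9-:\]_]+\.?)+` nests a quantifier around an optional separator, so a long non-matching header can make PCRE backtrack heavily before `preg_match()` gives up and returns FALSE (which this code treats as invalid, so it fails closed, but the CPU cost is still paid); the equivalent linear form `'/^\[?[a-z0-9-:\]_]+(?:\.[a-z0-9-:\]_]+)*\.?$/'` accepts exactly the same strings without that risk. `conf_init()` continues beyond the end of this section.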
