Drupal 6 bootstrap code (drupal_valid_http_host() and conf_init()) responsible for rejecting requests whose Host header contains disallowed characters with a 400 Bad Request response, and for deriving the base URL, cookie domain and session name from the (validated) host.
<?php | |
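/**
 * Validate that a hostname (for example $_SERVER['HTTP_HOST']) is safe.
 *
 * As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters
 * allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is
 * lowercased, so the pattern deliberately accepts lowercase letters only;
 * callers must strtolower() the host first, as conf_init() does.
 *
 * This is a character whitelist, not a full syntax check: it accepts letters,
 * digits, '-', '_', ':' (port separator), '.' label separators and '[' / ']'
 * (IPv6 literals). Anything else - slashes, whitespace, quotes, '<', '>', '%',
 * control characters - is rejected, so a host that passes cannot break out of
 * a URL, a response header or an HTML attribute. It does NOT verify that the
 * host is one this site is meant to serve, so it is no defence against Host
 * header poisoning on a catch-all virtual host; pin $base_url in settings.php
 * for that.
 *
 * @param $host
 *   The (already lowercased) host string to check.
 *
 * @return
 *   TRUE if only containing valid characters, or FALSE otherwise.
 */
function drupal_valid_http_host($host) {
  // The 'D' modifier makes '$' anchor at the very end of the subject, so a
  // trailing newline ("example.com\n") is rejected instead of being tolerated.
  // Comparing against 1 also fails closed if preg_match() returns FALSE on a
  // PCRE error.
  return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/D', $host) === 1;
}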
/**
 * Loads the configuration and sets the base URL, cookie domain, and
 * session name correctly.
 *
 * Reads $_SERVER['SERVER_PROTOCOL'], $_SERVER['HTTP_HOST'], $_SERVER['HTTPS']
 * and $_SERVER['SCRIPT_NAME'], includes settings.php from conf_path(), and
 * terminates the request with a 400 Bad Request response when the Host header
 * contains characters drupal_valid_http_host() does not allow.
 *
 * Security notes:
 * - The Host header is attacker-controlled. drupal_valid_http_host() only
 *   whitelists characters; it does not check that the host is one this site
 *   serves. Unless $base_url is set in settings.php, whatever host passes the
 *   check ends up in $base_url / $base_root and, unless $cookie_domain is set
 *   in settings.php, in session.cookie_domain as well. On a catch-all virtual
 *   host that leaves generated absolute URLs and the cookie scope open to Host
 *   header poisoning; set both in settings.php to pin them.
 * - SERVER_PROTOCOL is normalized to a known value before it is echoed into
 *   the status line of the 400 response, so a malformed request line cannot
 *   place arbitrary text in a response header.
 *
 * Side effects: assigns the globals declared below, may call ini_set() for
 * session.cookie_domain, and calls session_name(), so it must run before
 * session_start().
 */
function conf_init() {
  global $base_url, $base_path, $base_root;
  // Export the following settings.php variables to the global namespace
  global $db_url, $db_prefix, $db_collation, $cookie_domain, $conf, $installed_profile, $update_free_access;
  $conf = array();

  // Only a known-good protocol string is ever echoed back in header() calls;
  // anything else (missing, HTTP/0.9, garbage) is treated as HTTP/1.0.
  if (!isset($_SERVER['SERVER_PROTOCOL']) || ($_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.0' && $_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.1')) {
    $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.0';
  }

  if (isset($_SERVER['HTTP_HOST'])) {
    // As HTTP_HOST is user input, ensure it only contains characters allowed
    // in hostnames. See RFC 952 (and RFC 2181).
    // $_SERVER['HTTP_HOST'] is lowercased here per specifications.
    $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
    if (!drupal_valid_http_host($_SERVER['HTTP_HOST'])) {
      // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
      // Fail closed here: nothing below (base URL, cookie domain, session
      // name) may be derived from an unvalidated host.
      header($_SERVER['SERVER_PROTOCOL'] .' 400 Bad Request');
      exit;
    }
  }
  else {
    // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
    // defined for E_ALL compliance.
    $_SERVER['HTTP_HOST'] = '';
  }

  // settings.php is included inside this function, so any of the globals
  // declared above that it assigns (including a fixed $base_url and
  // $cookie_domain) take effect for the branches below.
  if (file_exists('./'. conf_path() .'/settings.php')) {
    include_once './'. conf_path() .'/settings.php';
  }

  // Ignore the placeholder URL from default.settings.php.
  if (isset($db_url) && $db_url == 'mysql://username:password@localhost/databasename') {
    $db_url = '';
  }

  if (isset($base_url)) {
    // Parse fixed base URL from settings.php. This is the trusted path: the
    // request's Host header plays no part in $base_url / $base_root here.
    $parts = parse_url($base_url);
    if (!isset($parts['path'])) {
      $parts['path'] = '';
    }
    $base_path = $parts['path'] .'/';
    // Build $base_root (everything until first slash after "scheme://").
    $base_root = substr($base_url, 0, strlen($base_url) - strlen($parts['path']));
  }
  else {
    // Create base URL
    // Only $_SERVER['HTTPS'] == 'on' is recognised; behind a TLS-terminating
    // proxy that does not set it, the derived scheme is plain http unless
    // $base_url is fixed in settings.php.
    $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';
    // Both $base_root and $base_url become "scheme://host"; the host is the
    // whitelisted (but still client-supplied) HTTP_HOST.
    $base_url = $base_root .= '://'. $_SERVER['HTTP_HOST'];
    // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
    // be modified by a visitor.
    // The single-quoted '\,/' strips backslashes, commas and slashes from the
    // ends of the script directory.
    if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\,/')) {
      $base_path = "/$dir";
      $base_url .= $base_path;
      $base_path .= '/';
    }
    else {
      $base_path = '/';
    }
  }

  if ($cookie_domain) {
    // If the user specifies the cookie domain, also use it for session name.
    $session_name = $cookie_domain;
  }
  else {
    // Otherwise use $base_url as session name, without the protocol
    // to use the same session identifiers across HTTP and HTTPS.
    // NOTE(review): assumes $base_url contains "://"; a settings.php value
    // without a scheme would leave offset 1 undefined here.
    list( , $session_name) = explode('://', $base_url, 2);
    // We escape the hostname because it can be modified by a visitor.
    if (!empty($_SERVER['HTTP_HOST'])) {
      // check_plain() is defined elsewhere (presumably HTML escaping, which
      // is irrelevant to a Set-Cookie header). What actually keeps unsafe
      // characters out of the cookie domain is the drupal_valid_http_host()
      // whitelist applied above.
      $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
      // Strip leading periods, www., and port numbers from cookie domain.
      $cookie_domain = ltrim($cookie_domain, '.');
      if (strpos($cookie_domain, 'www.') === 0) {
        $cookie_domain = substr($cookie_domain, 4);
      }
      // Splitting on ':' also truncates an IPv6 literal such as "[::1]" to
      // "[", which then fails the dot-count check below and sets no domain.
      $cookie_domain = explode(':', $cookie_domain);
      $cookie_domain = '.'. $cookie_domain[0];
    }
  }

  // To prevent session cookies from being hijacked, a user can configure the
  // SSL version of their website to only transfer session cookies via SSL by
  // using PHP's session.cookie_secure setting. The browser will then use two
  // separate session cookies for the HTTPS and HTTP versions of the site. So we
  // must use different session identifiers for HTTPS and HTTP to prevent a
  // cookie collision.
  if (ini_get('session.cookie_secure')) {
    $session_name .= 'SSL';
  }

  // Per RFC 2109, cookie domains must contain at least one dot other than the
  // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
  // When $cookie_domain was derived from HTTP_HOST rather than settings.php,
  // the scope set here is ultimately chosen by whoever sent the request.
  if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
    ini_set('session.cookie_domain', $cookie_domain);
  }

  // md5() only derives a short, cookie-name-safe identifier from the host;
  // nothing secret depends on it.
  session_name('SESS'. md5($session_name));
}
?> |