#346285 by pwolanin: accept empty host headers from HTTP/1.0 clients.

From: Damien Tournoud <damien@tournoud.net>


---

 includes/bootstrap.inc                  |   28 ++++++++++++++++++++--------
 modules/simpletest/tests/bootstrap.test |    4 +++-
 2 files changed, 23 insertions(+), 9 deletions(-)


diff --git includes/bootstrap.inc includes/bootstrap.inc
index cc9e388..425479c 100644
--- includes/bootstrap.inc
+++ includes/bootstrap.inc
@@ -392,6 +392,13 @@ function drupal_initialize_variables() {
   if (!isset($_SERVER['SERVER_PROTOCOL']) || ($_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.0' && $_SERVER['SERVER_PROTOCOL'] != 'HTTP/1.1')) {
     $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.0';
   }
+
+  if (!drupal_valid_http_host()) {
+    // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
+    header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
+    exit;
+  }
+
   // Enforce E_ALL, but allow users to set levels not part of E_ALL.
   error_reporting(E_ALL | error_reporting());
 
@@ -422,8 +429,19 @@ function drupal_initialize_variables() {
  *  TRUE if only containing valid characters, or FALSE otherwise.
  */
 function drupal_valid_http_host() {
-  $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
-  return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']);
+  if (isset($_SERVER['HTTP_HOST'])) {
+    $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
+    return preg_match('/^\[?(?:[a-z0-9-:\]_]+\.?)+$/', $_SERVER['HTTP_HOST']);
+  }
+  else if ($_SERVER['SERVER_PROTOCOL'] == 'HTTP/1.0') {
+    // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
+    // defined for E_ALL compliance.
+    $_SERVER['HTTP_HOST'] = '';
+    return TRUE;
+  }
+  else {
+    return FALSE;
+  }
 }
 
 /**
@@ -437,12 +455,6 @@ function conf_init() {
   global $databases, $db_prefix, $cookie_domain, $conf, $installed_profile, $update_free_access;
   $conf = array();
 
-  if (!drupal_valid_http_host()) {
-    // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
-    header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
-    exit;
-  }
-
   if (file_exists(DRUPAL_ROOT . '/' . conf_path() . '/settings.php')) {
     include_once DRUPAL_ROOT . '/' . conf_path() . '/settings.php';
   }
diff --git modules/simpletest/tests/bootstrap.test modules/simpletest/tests/bootstrap.test
index 41850b5..5852068 100644
--- modules/simpletest/tests/bootstrap.test
+++ modules/simpletest/tests/bootstrap.test
@@ -68,7 +68,7 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
     // Cluster environment.
     $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'] = $this->cluster_ip;
     $this->assertTrue(
-      ip_address(true) == $this->cluster_ip,
+      ip_address(TRUE) == $this->cluster_ip,
       t('Cluster environment got cluster client IP')
     );
     $_SERVER['HTTP_HOST'] = 'security/.drupal.org:80';
@@ -81,6 +81,8 @@ class BootstrapIPAddressTestCase extends DrupalWebTestCase {
     $this->assertFalse(drupal_valid_http_host(), t('HTTP_HOST with .. is invalid'));
     $_SERVER['HTTP_HOST'] = '[::1]:80'; // IPv6 loopback address
     $this->assertTrue(drupal_valid_http_host(), t('HTTP_HOST containing IPv6 loopback is valid'));
+    $_SERVER['HTTP_HOST'] = '';
+    $this->assertTrue(drupal_valid_http_host(), t('Empty HTTP_HOST is valid'));
   }
 }