#668932: No need to sanitize HTTP_HOST twice.

From: Damien Tournoud <damien@tournoud.net>


---
 bootstrap.inc |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git includes/bootstrap.inc includes/bootstrap.inc
index a5c601a..c43a715 100644
--- includes/bootstrap.inc
+++ includes/bootstrap.inc
@@ -579,9 +579,10 @@ function drupal_settings_initialize() {
     // Otherwise use $base_url as session name, without the protocol
     // to use the same session identifiers across http and https.
     list( , $session_name) = explode('://', $base_url, 2);
-    // We escape the hostname because it can be modified by a visitor.
+    // HTTP_HOST can be modified by a visitor, but we already sanitized it
+    // in drupal_settings_initialize().
     if (!empty($_SERVER['HTTP_HOST'])) {
-      $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
+      $cookie_domain = $_SERVER['HTTP_HOST'];
     }
   }
   // Strip leading periods, www., and port numbers from cookie domain.
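Review bot: The new comment above the `$cookie_domain` assignment says HTTP_HOST was already sanitized in drupal_settings_initialize(), but the hunk header shows this code is itself inside drupal_settings_initialize(), so it does not tell the reader where the validation happens. Because the raw, visitor-controlled header now goes straight into the cookie domain, this line is only safe if that earlier check exists, and it should be named correctly. The check presumably lives in the earlier environment-initialization step (drupal_environment_initialize(), if the bootstrap order is as I expect), so the comment could read `// HTTP_HOST is visitor-controlled; it is validated in drupal_environment_initialize() before this point.` It is also worth confirming that the earlier check rejects anything that is not a valid hostname rather than merely escaping it, since check_plain() was an output-escaping helper and nothing in this hunk constrains the value. The function body starts and ends outside the hunk.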
