diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index dc569b1647..11e0d34789 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -709,8 +709,8 @@ function drupal_environment_initialize() {
 /**
  * Validates that a hostname (for example $_SERVER['HTTP_HOST']) is safe.
  *
- * @return
- *  TRUE if only containing valid characters, or FALSE otherwise.
+ * @return bool
+ *   TRUE if only containing valid characters, or FALSE otherwise.
  */
 function drupal_valid_http_host($host) {
   // Limit the length of the host name to 1000 bytes to prevent DoS attacks with
@@ -720,7 +720,8 @@ function drupal_valid_http_host($host) {
     // in conf_path().
     && substr_count($host, '.') <= 100
     && substr_count($host, ':') <= 100
-    && preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host);
+    && preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host)
+    && drupal_check_trusted_hosts($host);
 }
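Review bot: The new `&& drupal_check_trusted_hosts($host)` term depends on `variable_get('trusted_host_patterns')`, but the hunk header shows `drupal_valid_http_host()` being called from `drupal_environment_initialize()`; if that runs before settings.php has been merged into `$conf` (which I believe is the Drupal 7 bootstrap order, worth confirming), `variable_get()` returns the empty default and the trusted-host check is a no-op at this call site. Either perform the host check after `drupal_settings_initialize()` or document where the patterns are expected to come from at this phase. The docblock updated in the previous hunk still says `TRUE if only containing valid characters`; it should now read `TRUE if the host contains only valid characters and, when patterns are configured, matches a trusted host pattern; FALSE otherwise.` The body of `drupal_valid_http_host()` starts above this hunk.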
 
 /**
@@ -3849,3 +3850,28 @@ function drupal_clear_opcode_cache($filepath) {
     @apc_delete_file($filepath);
   }
 }
+
+function drupal_check_trusted_hosts($host) {
+  $trusted_hosts =& drupal_static(__FUNCTION__, array());
+  $trusted_host_patterns = variable_get('trusted_host_patterns', array());
+
+  if (PHP_SAPI !== 'cli' && !empty($trusted_host_patterns)) {
+
+    if (in_array($host, $trusted_hosts)) {
+      return $host;
+    }
+
+    foreach ($trusted_host_patterns as $pattern) {
+      $pattern = sprintf('{%s}i', str_replace('}', '\\}', $pattern));
+      if (preg_match($pattern, $host)) {
+        $trusted_hosts[] = $host;
+
+        return TRUE;
+      }
+    }
+
+    return FALSE;
+  }
+
+  return TRUE;
+}
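Review bot: `drupal_check_trusted_hosts()` returns `$host` on a cache hit (`return $host;`) but TRUE/FALSE on every other path; change it to `return TRUE;` so callers get a consistent bool, and make the lookup `in_array($host, $trusted_hosts, TRUE)`. The delimiter escaping `str_replace('}', '\\}', $pattern)` escapes only the closing brace, so a pattern containing a brace quantifier such as `\d{1,3}` ends up with unbalanced `{`/`}` delimiters; as far as I can tell PHP then emits a warning and `preg_match()` returns FALSE, which denies the host (fails closed) but silently. PHP's bracket-delimiter parser already balances nested `{`/`}`, so the one-sided escaping can likely be dropped, and patterns that fail to compile would be better reported than quietly rejected. The function also needs a docblock stating that it returns TRUE when running under the cli SAPI or when no patterns are configured, and otherwise TRUE only if `$host` matches one of the configured patterns case-insensitively (the `i` modifier).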
diff --git a/modules/system/system.install b/modules/system/system.install
index d5e67435d8..421b7a00d0 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -520,6 +520,28 @@ function system_requirements($phase) {
     }
   }
 
+  // See if trusted hostnames have been configured, and warn the user if they
+  // are not set.
+  if ($phase == 'runtime') {
+
+    $trusted_host_patterns = variable_get('trusted_host_patterns', array());
+    if (empty($trusted_host_patterns)) {
+      $requirements['trusted_host_patterns'] = array(
+        'title' => t('Trusted Host Settings'),
+        'value' => t('Not enabled'),
+        'description' => t('The trusted_host_patterns setting is not configured in settings.php. This can lead to security vulnerabilities. It is <strong>highly recommended</strong> that you configure this. See <a href="@url">Protecting against HTTP HOST Header attacks</a> for more information.', array('@url' => 'https://www.drupal.org/node/1992030')),
+        'severity' => REQUIREMENT_ERROR,
+      );
+    }
+    else {
+      $requirements['trusted_host_patterns'] = array(
+        'title' => t('Trusted Host Settings'),
+        'value' => t('Enabled'),
+        'description' => t('The trusted_host_patterns setting is set to allow %trusted_host_patterns.', array('%trusted_host_patterns' => join(', ', $trusted_host_patterns))),
+      );
+    }
+  }
+
   return $requirements;
 }
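Review bot: The "Enabled" branch reports the configured patterns without checking that they compile, so a pattern that breaks the regex delimiter (for example one using a `{n}` quantifier) is shown as a working trusted-host setup while `drupal_check_trusted_hosts()` denies every host. It would be worth looping over `$trusted_host_patterns` here with the same delimiter construction and raising a REQUIREMENT_ERROR naming any pattern for which `preg_match()` returns FALSE. Minor: `$phase == 'runtime'` should be `$phase === 'runtime'`, and `join()` is normally written as `implode()` in Drupal code. `system_requirements()` starts above this hunk.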
 
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index b044be3bc6..35181aaaf3 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -600,6 +600,43 @@ $conf['404_fast_html'] = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN"
 # $conf['allow_authorize_operations'] = FALSE;
 
 /**
+ * Trusted host configuration.
+ *
+ * Drupal core can use the Symfony trusted host mechanism to prevent HTTP Host
+ * header spoofing.
+ *
+ * To enable the trusted host mechanism, you enable your allowable hosts
+ * in $conf['trusted_host_patterns']. This should be an array of regular
+ * expression patterns, without delimiters, representing the hosts you would
+ * like to allow.
+ *
+ * For example:
+ * @code
+ * $conf['trusted_host_patterns'] = array(
+ *   '^www\.example\.com$',
+ * );
+ * @endcode
+ * will allow the site to only run from www.example.com.
+ *
+ * If you are running multisite, or if you are running your site from
+ * different domain names (eg, you don't redirect http://www.example.com to
+ * http://example.com), you should specify all of the host patterns that are
+ * allowed by your site.
+ *
+ * For example:
+ * @code
+ * $conf['trusted_host_patterns'] = array(
+ *   '^example\.com$',
+ *   '^.+\.example\.com$',
+ *   '^example\.org',
+ *   '^.+\.example\.org',
+ * );
+ * @endcode
+ * will allow the site to run off of all variants of example.com and
+ * example.org, with all subdomains included.
+ */
+
+/**
  * Theme debugging:
  *
  * When debugging is enabled:
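Review bot: The second example's `'^example\.org'` and `'^.+\.example\.org'` patterns have no trailing `$`, so they also accept a host such as `example.org.attacker-controlled.example` (constructed example), which defeats the purpose of the setting; anchor them as `'^example\.org$'` and `'^.+\.example\.org$'` to match the first example. The opening sentence says Drupal core uses "the Symfony trusted host mechanism", but what this patch adds is `drupal_check_trusted_hosts()` in bootstrap.inc; I would drop the Symfony reference and instead say the patterns are matched case-insensitively against the request's HTTP Host header. It would also help to state whether the matched value can carry a port suffix such as `www.example.com:8080`, since an anchored `^www\.example\.com$` would reject it — I cannot tell from this diff whether the port is stripped before matching.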
