diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 9f37dfc..d236365 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -711,12 +711,16 @@ function drupal_environment_initialize() {
function drupal_valid_http_host($host) {
// Limit the length of the host name to 1000 bytes to prevent DoS attacks with
// long host names.
- return strlen($host) <= 1000
+ $length = strlen($host) <= 1000;
// Limit the number of subdomains and port separators to prevent DoS attacks
// in conf_path().
- && substr_count($host, '.') <= 100
- && substr_count($host, ':') <= 100
- && preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host);
+ $subdomains = substr_count($host, '.') <= 100;
+ $ports = substr_count($host, ':') <= 100;
+ $characters = preg_match('/^\[?(?:[a-zA-Z0-9-:\]_]+\.?)+$/', $host);
+
+ $trusted = drupal_check_trusted_hosts($host);
+
+ return $length && $subdomains && $ports && $characters && $trusted;
}
/**
@@ -3503,3 +3507,28 @@ function drupal_check_memory_limit($required, $memory_limit = NULL) {
// - The memory limit is greater than the memory required for the operation.
return ((!$memory_limit) || ($memory_limit == -1) || (parse_size($memory_limit) >= parse_size($required)));
}
+
+function drupal_check_trusted_hosts($host) {
+ $trusted_hosts =& drupal_static(__FUNCTION__, array());
+ $trusted_host_patterns = variable_get('trusted_host_patterns', array());
+
+ if (PHP_SAPI !== 'cli' && !empty($trusted_host_patterns)) {
+
+ if (in_array($host, $trusted_hosts)) {
+ return $host;
+ }
+
+ foreach ($trusted_host_patterns as $pattern) {
+ $pattern = sprintf('{%s}i', str_replace('}', '\\}', $pattern));
+ if (preg_match($pattern, $host)) {
+ $trusted_hosts[] = $host;
+
+ return TRUE;
+ }
+ }
+
+ return FALSE;
+ }
+
+ return TRUE;
+}
diff --git a/modules/system/system.install b/modules/system/system.install
index 43c7383..b279e28 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -514,6 +514,28 @@ function system_requirements($phase) {
}
}
+ // See if trusted hostnames have been configured, and warn the user if they
+ // are not set.
+ if ($phase == 'runtime') {
+
+ $trusted_host_patterns = variable_get('trusted_host_patterns', array());
+ if (empty($trusted_host_patterns)) {
+ $requirements['trusted_host_patterns'] = array(
+ 'title' => t('Trusted Host Settings'),
+ 'value' => t('Not enabled'),
+ 'description' => t('The trusted_host_patterns setting is not configured in settings.php. This can lead to security vulnerabilities. It is highly recommended that you configure this. See Protecting against HTTP HOST Header attacks for more information.', array('@url' => 'https://www.drupal.org/node/1992030')),
+ 'severity' => REQUIREMENT_ERROR,
+ );
+ }
+ else {
+ $requirements['trusted_host_patterns'] = array(
+ 'title' => t('Trusted Host Settings'),
+ 'value' => t('Enabled'),
+ 'description' => t('The trusted_host_patterns setting is set to allow %trusted_host_patterns.', array('%trusted_host_patterns' => join(', ', $trusted_host_patterns))),
+ );
+ }
+ }
+
return $requirements;
}
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 449f188..6e6e716 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -565,3 +565,40 @@ $conf['404_fast_html'] = '