Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.145.2.9
diff -u -p -r1.145.2.9 bootstrap.inc
--- includes/bootstrap.inc 24 Aug 2008 09:00:25 -0000 1.145.2.9
+++ includes/bootstrap.inc 22 Oct 2008 19:03:02 -0000
@@ -201,6 +201,11 @@ function conf_path() {
   $confdir = 'sites';
   $uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
+  if (strpos($_SERVER['HTTP_HOST'], '/') !== FALSE) {
+    // A HTTP_HOST containing slashes may be an attack and is invalid.
+    header('HTTP/1.1 400 Bad Request');
+    exit;
+  }
   $server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
   for ($i = count($uri) - 1; $i > 0; $i--) {
     for ($j = count($server); $j > 0; $j--) {