After upgrading to Drupal 5.14 (from 5.12) I found that under certain circumstances HTTP_HOST is not defined or sent to the Drupal website.
This may affect Drupal 6.8 as well, but I have not yet gotten around to confirming this.
With the latest version, the drupal_valid_http_host() function was created.
This fails when HTTP_HOST is undefined or blank.
I suspect that this also causes the following issue: http://drupal.org/node/346175
Most notable is the line: "This is in violation of section 14.23 of the HTTP 1.1 protocol"
The problem here is that this effectively causes a denial of service to those not following the standard (which makes me feel warm and fuzzy on the inside), but on a production system this kind of action cannot be tolerated.
I have supplied a patch that checks for HTTP_HOST if available, but if undefined, acceptance is still granted.
|#57||346285-followup-d7.patch||4.51 KB||Damien Tournoud|
Passed: 8973 passes, 0 fails, 0 exceptions
|#53||346285-followup-d6.patch||2.18 KB||Damien Tournoud|
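
The distinction the report turns on, an absent or blank HTTP_HOST versus a malformed one, shown as an added example; this is not Drupal's code and not the attached patch. The function names, the allow-list pattern and the configured fallback host are assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical names; not drupal_valid_http_host().

/** Classify the Host header: 'valid', 'absent' or 'malformed'. */
function example_classify_http_host(array $server): string {
  // Undefined and blank are treated alike: the two cases the report names.
  $host = isset($server['HTTP_HOST']) ? trim($server['HTTP_HOST']) : '';
  if ($host === '') {
    return 'absent';
  }
  // Assumed allow-list: letters, digits, dot, hyphen, underscore, plus
  // colon and square brackets for a port or an IPv6 literal.
  if (strlen($host) > 255 || !preg_match('/^[a-z0-9.\-_:\[\]]+$/i', $host)) {
    return 'malformed';
  }
  return 'valid';
}

/** Returns [HTTP status, host name to use when building URLs]. */
function example_host_decision(array $server, string $configured_host): array {
  switch (example_classify_http_host($server)) {
    case 'valid':
      return [200, strtolower(trim($server['HTTP_HOST']))];
    case 'absent':
      // Serve the request, but build URLs from the configured site name
      // so an empty value never reaches URL generation.
      return [200, $configured_host];
    default:
      // A present but malformed value is still refused.
      return [400, null];
  }
}

// Constructed sample requests, as they would appear in $_SERVER.
$samples = [
  'valid Host'     => ['HTTP_HOST' => 'Example.com:8080'],
  'no Host header' => ['SERVER_PROTOCOL' => 'HTTP/1.0'],
  'blank Host'     => ['HTTP_HOST' => ''],
  'malformed Host' => ['HTTP_HOST' => 'example.com/<script>'],
];
foreach ($samples as $label => $server) {
  [$status, $host] = example_host_decision($server, 'www.example.com');
  printf("%-15s -> %d %s\n", $label, $status, $host ?? '(rejected)');
}
```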