drupal_settings_initialize() contains the following comment.

// HTTP_HOST can be modified by a visitor, but we already sanitized it
// in drupal_settings_initialize().

$_SERVER['HTTP_HOST'] is sanitized in drupal_environment_initialize(), not drupal_settings_initialize(). The correct comment would be:

// HTTP_HOST can be modified by a visitor, but we already sanitized it
// in drupal_environment_initialize().

Comments

avpaderno created an issue. See original summary.

avpaderno’s picture

Status: Active » Needs review

chandansha’s picture

Status: Needs review » Reviewed & tested by the community

I have reviewed MR 8869. Check the comment now; it will be correct.
I moved it to RTBC.
Thanks!!

poker10’s picture

Issue tags: +Pending Drupal 7 commit
Related issues: +#668932: Duplicate sanitzing of HTTP_HOST?

This looks good to me, thanks!

Just to add, this comment was committed in #668932: Duplicate sanitzing of HTTP_HOST? and it seems like there was a typo. The issue summary correctly mentioned drupal_environment_initialize(), but in the patch drupal_settings_initialize() was added instead.

  • poker10 committed ce54b1ea on 7.x
    Issue #3463022 by avpaderno: Correct a comment in...

poker10’s picture

Status: Reviewed & tested by the community » Fixed
Issue tags: -Pending Drupal 7 commit

Committed to 7.x, thanks everyone!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.