diff options
| author | Andrey Andreev <narf@devilix.net> | 2014-10-28 20:32:20 +0100 |
|---|---|---|
| committer | Andrey Andreev <narf@devilix.net> | 2014-10-28 20:32:20 +0100 |
| commit | 815ac8a3be770b7de7a805a551f136cc6bb9f83c (patch) | |
| tree | c605ac9dae927bb3e85ce618e140cb9942eede0f /system | |
| parent | 98251706c81a7ca6057430c7c6a56ee4dfbe10a0 (diff) | |
Close #3292
Diffstat (limited to 'system')
| -rw-r--r-- | system/core/Config.php | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/system/core/Config.php b/system/core/Config.php index 02e6dd84f..d8a606c14 100644 --- a/system/core/Config.php +++ b/system/core/Config.php @@ -87,7 +87,9 @@ class CI_Config { // Set the base_url automatically if none was provided if (empty($this->config['base_url'])) { - if (isset($_SERVER['HTTP_HOST'])) + // The regular expression is only a basic validation for a valid "Host" header. + // It's not exhaustive, only checks for valid characters. + if (isset($_SERVER['HTTP_HOST']) && preg_match('/^((\[[0-9a-f:]+\])|(\d{1,3}(\.\d{1,3}){3})|[a-z0-9\-\.]+)(:\d+)?$/i', $_SERVER['HTTP_HOST'])) { $base_url = (is_https() ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST'] .substr($_SERVER['SCRIPT_NAME'], 0, strpos($_SERVER['SCRIPT_NAME'], basename($_SERVER['SCRIPT_FILENAME']))); |