From 815ac8a3be770b7de7a805a551f136cc6bb9f83c Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Tue, 28 Oct 2014 21:32:20 +0200
Subject: Close #3292

---
 system/core/Config.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'system/core/Config.php')

diff --git a/system/core/Config.php b/system/core/Config.php
index 02e6dd84f..d8a606c14 100644
--- a/system/core/Config.php
+++ b/system/core/Config.php
@@ -87,7 +87,9 @@ class CI_Config {
 // Set the base_url automatically if none was provided
 if (empty($this->config['base_url']))
 {
- if (isset($_SERVER['HTTP_HOST']))
+ // The regular expression is only a basic validation for a valid "Host" header.
+ // It's not exhaustive, only checks for valid characters.
+ if (isset($_SERVER['HTTP_HOST']) && preg_match('/^((\[[0-9a-f:]+\])|(\d{1,3}(\.\d{1,3}){3})|[a-z0-9\-\.]+)(:\d+)?$/i', $_SERVER['HTTP_HOST']))
 {
 $base_url = (is_https() ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST']
 .substr($_SERVER['SCRIPT_NAME'], 0, strpos($_SERVER['SCRIPT_NAME'], basename($_SERVER['SCRIPT_FILENAME'])));
--
cgit v1.2.3-24-g4f1b
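Review bot: The new preg_match anchors the pattern with `$`, which in PCRE also matches just before a trailing newline, so a Host value ending in a newline would still pass the check and be concatenated into $base_url; anchoring with `\z` (or adding the `D` modifier) closes that gap: `if (isset($_SERVER['HTTP_HOST']) && preg_match('/^((\[[0-9a-f:]+\])|(\d{1,3}(\.\d{1,3}){3})|[a-z0-9\-\.]+)(:\d+)?\z/i', $_SERVER['HTTP_HOST']))`. As the added comment itself notes, the expression only constrains the character set, so any syntactically plausible client-supplied Host is still accepted as the origin of $base_url; the dependable mitigation is an explicit base_url in the application config, and the comment would serve maintainers better if it said so, e.g. `// Applications should set base_url in config to avoid deriving it from the client-supplied Host header.` The enclosing constructor starts and ends outside this hunk, so the branch taken when the match fails is not visible here.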