function conf_init in Drupal 5
Same name and namespace in other branches
- 4 includes/bootstrap.inc \conf_init()
- 6 includes/bootstrap.inc \conf_init()
Loads the configuration and sets the base URL, cookie domain, and session name correctly.
1 call to conf_init()
- _drupal_bootstrap in includes/bootstrap.inc
File
- includes/bootstrap.inc, line 249 - Functions that need to be loaded on every Drupal request.
Code
/**
 * Loads settings.php and derives the base URL, cookie domain and session name.
 *
 * Takes no arguments and returns nothing; it works through globals and
 * PHP runtime settings:
 * - Resets the global $conf to an empty array, then includes settings.php
 *   from the directory returned by conf_path().
 * - Lowercases $_SERVER['HTTP_HOST'] in place, or defines it as '' when the
 *   client sent no Host header.
 * - Sends "HTTP/1.1 400 Bad Request" and exits when drupal_valid_http_host()
 *   rejects the Host value.
 * - Sets the globals $base_url, $base_path and $base_root, and may set
 *   $cookie_domain.
 * - May call ini_set('session.cookie_domain', ...) and always calls
 *   session_name().
 *
 * Security note: when settings.php does not define $base_url, the base URL
 * (and from it the session name) is assembled from the client-supplied Host
 * header. The check in this function validates the header's form only; no
 * allowlist of expected hostnames is visible here. Defining $base_url in
 * settings.php takes that branch out of play.
 */
function conf_init() {
  global $base_url, $base_path, $base_root;
  // Export the following settings.php variables to the global namespace
  global $db_url, $db_prefix, $cookie_domain, $conf, $installed_profile;
  $conf = array();
  if (isset($_SERVER['HTTP_HOST'])) {
    // As HTTP_HOST is user input, ensure it only contains characters allowed
    // in hostnames. See RFC 952 (and RFC 2181).
    // $_SERVER['HTTP_HOST'] is lowercased here per specifications.
    // This runs before settings.php is included, so nothing below sees the
    // raw header value.
    $_SERVER['HTTP_HOST'] = strtolower($_SERVER['HTTP_HOST']);
    if (!drupal_valid_http_host($_SERVER['HTTP_HOST'])) {
      // HTTP_HOST is invalid, e.g. if containing slashes it may be an attack.
      // Fail closed: answer 400 and stop before any configuration is loaded.
      header('HTTP/1.1 400 Bad Request');
      exit;
    }
  }
  else {
    // Some pre-HTTP/1.1 clients will not send a Host header. Ensure the key is
    // defined for E_ALL compliance.
    $_SERVER['HTTP_HOST'] = '';
  }
  // NOTE(review): conf_path() is defined elsewhere. If it picks the settings
  // directory from the request host, the validation above is what keeps this
  // include path well-formed -- confirm against conf_path().
  include_once './' . conf_path() . '/settings.php';
  if (isset($base_url)) {
    // Parse fixed base URL from settings.php.
    // This branch does not read the Host header at all.
    $parts = parse_url($base_url);
    if (!isset($parts['path'])) {
      $parts['path'] = '';
    }
    $base_path = $parts['path'] . '/';
    // Build $base_root (everything until first slash after "scheme://").
    $base_root = substr($base_url, 0, strlen($base_url) - strlen($parts['path']));
  }
  else {
    // Create base URL
    // Only the literal value 'on' selects https.
    // NOTE(review): a deployment that terminates TLS upstream may not set
    // $_SERVER['HTTPS'], in which case an http:// base URL is built -- confirm.
    $base_root = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' ? 'https' : 'http';
    // The host part comes straight from the (validated, lowercased) Host
    // header, including any port the client supplied.
    $base_url = $base_root .= '://' . $_SERVER['HTTP_HOST'];
    // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
    // be modified by a visitor.
    // The trim() character list is backslash, comma and slash.
    // NOTE(review): the comma looks unintended (possibly meant as a
    // separator between the two slashes) -- confirm.
    if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\\,/')) {
      $base_path = "/{$dir}";
      $base_url .= $base_path;
      $base_path .= '/';
    }
    else {
      $base_path = '/';
    }
  }
  if (!$cookie_domain) {
    // If the $cookie_domain is empty, try to use the session.cookie_domain.
    $cookie_domain = ini_get('session.cookie_domain');
  }
  if ($cookie_domain) {
    // If the user specifies the cookie domain, also use it for session name.
    $session_name = $cookie_domain;
  }
  else {
    // Otherwise use $base_url as session name, without the protocol
    // to use the same session identifiers across http and https.
    list(, $session_name) = explode('://', $base_url, 2);
    // We try to set the cookie domain to the hostname.
    // We escape the hostname because it can be modified by a visitor.
    // NOTE(review): check_plain() is defined elsewhere and is presumably an
    // HTML-escaping helper; that is not the encoding a cookie domain needs,
    // so the hostname validation at the top of this function is the
    // effective control here -- confirm.
    if (!empty($_SERVER['HTTP_HOST'])) {
      $cookie_domain = check_plain($_SERVER['HTTP_HOST']);
    }
  }
  // To prevent session cookies from being hijacked, a user can configure the
  // SSL version of their website to only transfer session cookies via SSL by
  // using PHP's session.cookie_secure setting. The browser will then use two
  // separate session cookies for the HTTPS and HTTP versions of the site. So we
  // must use different session identifiers for HTTPS and HTTP to prevent a
  // cookie collision.
  if (ini_get('session.cookie_secure')) {
    $session_name .= 'SSL';
  }
  // Strip leading periods, www., and port numbers from cookie domain.
  $cookie_domain = ltrim($cookie_domain, '.');
  if (strpos($cookie_domain, 'www.') === 0) {
    $cookie_domain = substr($cookie_domain, 4);
  }
  $cookie_domain = explode(':', $cookie_domain);
  // The value is re-prefixed with '.', so the session cookie is scoped to the
  // domain and its subdomains rather than to one exact host.
  // NOTE(review): on a parent domain shared with hosts outside the site's
  // control this widens where the session cookie is sent -- confirm intended.
  $cookie_domain = '.' . $cookie_domain[0];
  // Per RFC 2109, cookie domains must contain at least one dot other than the
  // first. For hosts such as 'localhost' or IP Addresses we don't set a cookie domain.
  // The is_numeric() test treats a value that is all digits once the dots
  // are removed as an IP address.
  if (count(explode('.', $cookie_domain)) > 2 && !is_numeric(str_replace('.', '', $cookie_domain))) {
    ini_set('session.cookie_domain', $cookie_domain);
  }
  // md5() only turns the site identifier into a fixed-length cookie name
  // here; the name is not a secret and md5 is not relied on for integrity.
  session_name('SESS' . md5($session_name));
}