From 04030f324c41bcc6d938fa3cad42b10261ca17dd Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Tue, 7 Jun 2011 03:31:09 +0000
Subject: [PATCH] When detecting $wgServer, do not fall back to $_SERVER['HTTP_HOST']. It's unlikely that this is used by anything, since SERVER_NAME takes precedence, and SERVER_NAME is required by CGI 1.1 and appears to always be set by the major web servers. If it were ever used, it would open up a cache-poisoning vulnerability. Partially reverts r8010.
---
 includes/DefaultSettings.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index f56f233d80..f3b5a1f96a 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -63,8 +63,6 @@ if( isset( $_SERVER['SERVER_NAME'] )
 $serverName = $_SERVER['SERVER_NAME'];
 } elseif( isset( $_SERVER['HOSTNAME'] ) ) {
 $serverName = $_SERVER['HOSTNAME'];
-} elseif( isset( $_SERVER['HTTP_HOST'] ) ) {
- $serverName = $_SERVER['HTTP_HOST'];
 } elseif( isset( $_SERVER['SERVER_ADDR'] ) ) {
 $serverName = $_SERVER['SERVER_ADDR'];
 } else {
-- 
2.20.1