Close #3292
diff --git a/system/core/Config.php b/system/core/Config.php
index 02e6dd8..d8a606c 100644
--- a/system/core/Config.php
+++ b/system/core/Config.php
@@ -87,7 +87,9 @@
// Set the base_url automatically if none was provided
if (empty($this->config['base_url']))
{
- if (isset($_SERVER['HTTP_HOST']))
+ // The regular expression is only a basic validation for a valid "Host" header.
+ // It's not exhaustive, only checks for valid characters.
+ if (isset($_SERVER['HTTP_HOST']) && preg_match('/^((\[[0-9a-f:]+\])|(\d{1,3}(\.\d{1,3}){3})|[a-z0-9\-\.]+)(:\d+)?$/i', $_SERVER['HTTP_HOST']))
{
$base_url = (is_https() ? 'https' : 'http').'://'.$_SERVER['HTTP_HOST']
.substr($_SERVER['SCRIPT_NAME'], 0, strpos($_SERVER['SCRIPT_NAME'], basename($_SERVER['SCRIPT_FILENAME'])));