diff --git a/include/class_CSRFProtection.inc b/include/class_CSRFProtection.inc
index a2d8148889e33f720c0aeec3a188e0c898a7f6ac..9c80b84e54f2f25744d6c43c68832708f9fd3860 100644
--- a/include/class_CSRFProtection.inc
+++ b/include/class_CSRFProtection.inc
@@ -56,7 +56,8 @@ class CSRFProtection
         $origin = preg_replace('|^[^/]+://([^/]+)(/.*)?$|', '\1', $origin);
         $target = FALSE;
         if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
-          $target = $_SERVER['HTTP_X_FORWARDED_HOST'];
+          /* Only take the first value, there may be several separated by commas */
+          list($target) = explode(',', $_SERVER['HTTP_X_FORWARDED_HOST'], 2);
         } else if (!empty($_SERVER['HTTP_HOST'])) {
           $target = $_SERVER['HTTP_HOST'];