$host =
strtolower(preg_replace('/:\d+$/', '',
trim($host)));
// as the host can come from the user (HTTP_HOST and depending on the configuration, SERVER_NAME too can come from the user)
// check that it does not contain forbidden characters (see RFC 952 and RFC 2181)
// use preg_replace() instead of preg_match() to prevent DoS attacks with long host names
if ($host && '' !==
preg_replace('/(?:^\[)?[a-zA-Z0-9-:\]_]+\.?/', '',
$host)) { if (!
$this->isHostValid
) { return '';
} $this->isHostValid = false;
throw new SuspiciousOperationException(sprintf('Invalid Host "%s".',
$host));
} if (\
count(self::
$trustedHostPatterns) > 0
) { // to avoid host header injection attacks, you should provide a list of trusted host patterns
if (\
in_array($host, self::
$trustedHosts)) { return $host;
} foreach (self::
$trustedHostPatterns as $pattern) { if (preg_match($pattern,
$host)) {