[wp-trac] [WordPress Trac] #25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
WordPress Trac
noreply at wordpress.org
Sun Jul 30 22:51:24 UTC 2017
#25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
-------------------------------------------------+-------------------------
Reporter: layotte                                | Owner: SergeyBiryukov
Type: defect (bug)                               | Status: reviewing
Priority: normal                                 | Milestone: Future Release
Component: Mail                                  | Version: 3.8
Severity: normal                                 | Resolution:
Keywords: has-patch dev-feedback needs-testing   | Focuses:
-------------------------------------------------+-------------------------
Comment (by kitchin):
Contrary to comments above, general opinion is that HTTP_HOST can be
unsafe client data, while SERVER_NAME is a server configuration and so
pretty safe. For example,
https://stackoverflow.com/questions/2297403/http-host-vs-server-name
That may not be 100% guaranteed on all servers, so distrusting SERVER_NAME
may be wise, but comment:91 is not generally right about "client supplied
data."
Also, grepping the trunk code base...
SERVER_NAME (excluding OPENSSL_TLSEXT_SERVER_NAME) is found in:
12 hits in 5 files
HTTP_HOST is found in:
26 hits in 14 files
Figures are the same for the current release, WP 4.8.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/25239#comment:92>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
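As an added example, not code from this ticket or from WordPress core: a PHP helper that derives the host part of a mail address from $_SERVER without trusting either value blindly. The caveat above is real on Apache, where SERVER_NAME is filled from the client's Host header when UseCanonicalName is Off, so the value is checked against operator configuration ($allowed_hosts and $fallback are assumed configuration, not WordPress settings).

```php
<?php
// Added example: pick a mail hostname from request data defensively.
// $allowed_hosts / $fallback are hypothetical operator configuration.
function mail_hostname(array $server, array $allowed_hosts, string $fallback): string
{
    // Prefer SERVER_NAME (server configuration), then HTTP_HOST (client
    // supplied Host header). Neither is accepted without validation,
    // because SERVER_NAME can mirror the Host header on some servers.
    $candidates = [];
    foreach (['SERVER_NAME', 'HTTP_HOST'] as $key) {
        if (!empty($server[$key]) && is_string($server[$key])) {
            $candidates[] = $server[$key];
        }
    }

    foreach ($candidates as $raw) {
        // Drop a trailing port ("host:8080") and a leading "www.", the same
        // normalisation wp_mail() applies to SERVER_NAME.
        $host = strtolower(preg_replace('/:\d+$/', '', $raw));
        $host = preg_replace('/^www\./', '', $host);

        // Reject anything that is not a syntactically valid hostname, so
        // stray whitespace or control characters never reach a mail header.
        if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
            continue;
        }

        // Only use a host the operator actually configured for this site.
        if (in_array($host, $allowed_hosts, true)) {
            return $host;
        }
    }

    // Nothing in the request matched configuration: use the configured default.
    return $fallback;
}

// Constructed sample requests (not captured from a real server).
$normal  = ['SERVER_NAME' => 'www.example.org', 'HTTP_HOST' => 'www.example.org:8080'];
$spoofed = ['SERVER_NAME' => 'other.example',   'HTTP_HOST' => 'other.example'];

var_dump(mail_hostname($normal,  ['example.org'], 'example.org')); // string "example.org"
var_dump(mail_hostname($spoofed, ['example.org'], 'example.org')); // string "example.org"
```

With the spoofed request the helper ignores both headers and returns the configured fallback, which is the behaviour to want when the From host is used for anything security-relevant.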