[wp-trac] [WordPress Trac] #8593: HTTP_HOST being manipulated improperly for redirects

WordPress Trac wp-trac at lists.automattic.com
Fri Dec 12 16:37:23 GMT 2008 

#8593: HTTP_HOST being manipulated improperly for redirects
---------------------+------------------------------------------------------
 Reporter:  revmj    |       Owner:  anonymous              
     Type:  defect   |      Status:  new                    
 Priority:  normal   |   Milestone:  2.8                    
Component:  General  |     Version:                         
 Severity:  normal   |    Keywords:  HTTP_HOST redirect loop
---------------------+------------------------------------------------------
 When redirecting a hit to the proper URL, WordPress makes some bad
 assumptions. Specifically, during redirects, any port information provided
 by the client is dropped. If I go to http://example.com:80/, I get
 redirected to http://example.com/. If I go to https://example.com:443/, I
 get redirected to https://example.com/.

 Thus far, no problem has occurred because we are on on server that uses
 default ports. However, lets say my web server is running http on 8080 and
 https on 8443. Now when I go to http://example.com:8080/ and get
 redirected to http://example.com/, it fails. As a workaround, you can
 change the following settings:
 WordPress address: http://example.com:8080/
 Blog address: http://example.com:8080/

 While this clears up the problem for http requests, you will not be able
 to use https becuse and attempt to go to https://example.com:8443/ now
 redirects to https://example.com:8080/ and it fails because the server
 does not speak ssl on 8080.

 Additionally, when you have an https proxy in front of your web server
 such as pound (with http on port 80 and https on port 8443), you run into
 another problem caused by this same bug. In this situation if you attempt
 to go to https://example.com/, the proxy server accepts the request and
 then on the back end makes a none ssl connection to apache. Good so far,
 but in order to not make any assumptions, the proxy server tells apache
 that the request was for 'https://example.com:443/' and apache sets
 HTTP_HOST (very appropriately) to example.com:443. WordPress sees this
 request and redirects it to 'https://example.com/' by responding to the
 web browser with a 'Location:' header. Thus the browser sends another
 request for 'https://example.com/' and starts the whole process over again
 resulting in an infinite redirect.

 As specifying a port is completely valid, this is a clear case of
 WordPress not handling things appropriately.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/8593>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list