[wp-trac] [WordPress Trac] #17047: Not following spec for REQUEST_URI
WordPress Trac
wp-trac at lists.automattic.com
Mon Apr 4 20:11:00 UTC 2011
#17047: Not following spec for REQUEST_URI
---------------------------+-----------------------------
Reporter: sterlo | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Rewrite Rules | Version: 3.1
Severity: normal | Keywords: has-patch
---------------------------+-----------------------------
Possibly related: #16932
Spec: http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.2
Structure: http://en.wikipedia.org/wiki/URI_scheme#Examples
The spec for REQUEST_URI:
{{{
Request-URI = "*" | absoluteURI | abs_path | authority
}}}
The specs for REQUEST_URI in Apache are such that it allows for absolute
paths to a given resource.
Given that throughout WordPress there are concatenations like:
{{{
$_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']
}}}
These are intended to generate "mysite.com/resources".
But in certain cases they will generate "mysite.com/mysite.com/resources".
Case Study:
{{{
GET http://subdomain.mydomain.com/ HTTP/1.1
}}}
This should be allowed.
Apache in this case sets the URI to
"http://subdomain.mydomain.com/myfile.php"
Solution: Do not assume that URI is not an absolute path.
A quick fix is something like the patch attached.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17047>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
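
The following is an added example, not WordPress core code and not the patch attached to the ticket: one way to reduce any of the four Request-URI forms quoted from the spec to an abs_path before it is concatenated with the host. The function name `normalize_request_uri` and the sample values are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper (not a WordPress function).
 * Reduces a Request-URI in any RFC 2616 form to an abs_path plus query,
 * so that $_SERVER['HTTP_HOST'] . $path never repeats the host.
 * Returns null when the request names no path ("*" or authority form).
 */
function normalize_request_uri(string $request_uri): ?string
{
    // "*" form (e.g. OPTIONS *) refers to the server, not a resource.
    if ($request_uri === '' || $request_uri === '*') {
        return null;
    }
    // abs_path form: already what callers expect. Returned untouched and
    // never passed to parse_url(), which would read "//x/y" as a host.
    if ($request_uri[0] === '/') {
        return $request_uri;
    }
    // absoluteURI form: keep path and query, drop scheme and authority.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $request_uri)) {
        $parts = parse_url($request_uri);
        if ($parts === false) {
            return null;
        }
        $path = $parts['path'] ?? '/';
        if (isset($parts['query'])) {
            $path .= '?' . $parts['query'];
        }
        return $path;
    }
    // authority form (CONNECT host:port) or anything unrecognised.
    return null;
}

// Constructed sample values, using the host from the ticket's case study.
$host = 'subdomain.mydomain.com';
$samples = [
    '/myfile.php?x=1',
    'http://subdomain.mydomain.com/myfile.php?x=1',
    'http://subdomain.mydomain.com',
    '*',
    'subdomain.mydomain.com:443',
];
foreach ($samples as $raw) {
    $path = normalize_request_uri($raw);
    printf("%-46s => %s\n", $raw, $path === null ? '(no path)' : $host . $path);
}
```

The helper discards the scheme and authority of an absolute Request-URI rather than trusting them, so the host in the built URL comes from one place only.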