[wp-trac] [WordPress Trac] #19892: wp_fix_server_vars() mangles REQUEST_URI on some servers [patch included]

WordPress Trac wp-trac at lists.automattic.com
Wed Jan 25 00:58:48 UTC 2012


#19892: wp_fix_server_vars() mangles REQUEST_URI on some servers [patch included]
--------------------------+-----------------------------
 Reporter:  jrf           |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  3.3.1
 Severity:  normal        |   Keywords:  has-patch
--------------------------+-----------------------------
 == Bug manifestation: ==

 On some server setups, saving settings on any settings page which uses
 options.php - including the twentyeleven theme options pages - results in
 a ''You do not have sufficient permissions to access this page.''-error
 page, even if you are the (super-)admin of the website.[[BR]]

 The changed settings *are* however saved, but the bug obviously causes a
 usability issue.[[BR]]
 [[BR]]



 == The cause of the issue: ==

 The issue is ultimately caused by (shared-)hosting companies which - for
 security reasons - set the {{{$_SERVER['SERVER_SOFTWARE']}}} variable to
 MS IIS when in reality the server runs on a Linux variant.[[BR]]
 [[BR]]

 The {{{$_SERVER['SERVER_SOFTWARE']}}} variable being MS IIS causes
 ''wp_fix_server_vars()'' to double the query vars resulting in a mangled
 {{{$_SERVER['REQUEST_URI']}}}.[[BR]]

 I.e.: ''"/wp-admin/themes.php?page=theme_options"'' becomes
 ''"/wp-admin/themes.php?page=theme_options?page=theme_options"''[[BR]]
 [[BR]]


 As the {{{$_SERVER['REQUEST_URI']}}} variable is used by the
 ''settings_fields()'' function to generate the hidden form fields for the
 option pages, this then in turn results in a mangled ''_wp_http_referer''
 form value.[[BR]]

 I.e.: {{{<input type="hidden" name="_wp_http_referer"
 value="/wp-admin/themes.php?page=theme_options?page=theme_options" />}}}[[BR]]
 [[BR]]


 As the '''''options.php''''' file, after saving the changed settings, uses
 the ''_wp_http_referer'' field value to redirect back to the originating
 page - which fails because the mangled value is not a valid admin URL - the
 user ends up on the ''You do not have sufficient permissions to access this
 page.''-error page.[[BR]]
 [[BR]]



 == Patch/fix for the issue: ==

 In file '''''wp-includes/load.php''''' change '''''line 75''''' from:

 {{{
 if ( ! empty( $_SERVER['QUERY_STRING'] ) ) {
 }}}
 to
 {{{
 if ( ! empty( $_SERVER['QUERY_STRING'] ) && strpos( $_SERVER['REQUEST_URI'], '?' ) === false ) {
 }}}

 N.B.: line number based on WP 3.3.1. trunk[[BR]]
 [[BR]]




 == Additional info: ==

 This bug has been in the WP code base for a while. It might be useful to
 add this issue to the FAQ in the documentation for those users/webmasters
 who do not always upgrade to the latest & greatest WP version.[[BR]]


 A user/webmaster who encounters this issue should probably get advice
 along the following lines:[[BR]]

 a. Determine that the problem is really caused by this issue by verifying
 that they really run on Linux and by checking that the
 {{{$_SERVER['SERVER_SOFTWARE']}}} is a MS IIS variant - they can use
 ''phpinfo()'' to do so.[[BR]]

 b. Upgrade to a WP version which includes the above patch once it has been
 released.[[BR]]

 c. Contact their webhost to see if they are willing to change the
 {{{$_SERVER['SERVER_SOFTWARE']}}} variable to reflect reality.[[BR]]

 d. If neither of the above is possible/works and they are sure that this
 bug is the cause of their problems, they can apply the following quick &
 dirty fix to solve it without touching the core files:[[BR]]


 Add the following code to their wp-config.php file anywhere above the ''/*
 That's all, stop editing! Happy blogging. */'' line.
 {{{
 /**
  * Quick fix for server software bug
  */
 $_SERVER['SERVER_SOFTWARE'] = 'Apache';
 }}}
 [[BR]]
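 The following is an added illustration and not WordPress core code: it models,
 in reduced form, the REQUEST_URI rebuild that ''wp_fix_server_vars()'' performs
 once {{{$_SERVER['SERVER_SOFTWARE']}}} claims to be IIS, with and without the
 {{{strpos()}}} guard from the patch above, and turns step (a) of the advice
 into a check (SERVER_SOFTWARE reports IIS while PHP is not running on Windows).
 The function names and the two {{{$_SERVER}}} samples are constructed for the
 example; the real core function also honours {{{HTTP_X_ORIGINAL_URL}}},
 {{{HTTP_X_REWRITE_URL}}} and {{{ORIG_PATH_INFO}}}, which are left out here.

```php
<?php
/*
 * Added illustration, not WordPress core code. Models the IIS branch of
 * wp_fix_server_vars() (reduced) and the "is SERVER_SOFTWARE misreported?"
 * check from step (a) of the ticket. Function names are ours, not WP's.
 */

// $patched = true applies the ticket's change: only append QUERY_STRING
// when the URI does not already contain a '?'.
function rebuild_request_uri( array $server, $patched ) {
    $software = isset( $server['SERVER_SOFTWARE'] ) ? $server['SERVER_SOFTWARE'] : '';
    $uri      = isset( $server['REQUEST_URI'] ) ? $server['REQUEST_URI'] : '';

    // WP only rebuilds when the server says it is IIS (or REQUEST_URI is
    // missing); on Apache/nginx REQUEST_URI is left untouched.
    if ( $uri !== '' && ! preg_match( '#^Microsoft-IIS/#', $software ) ) {
        return $uri;
    }

    // Genuine IIS + PHP setups hand over an empty REQUEST_URI, so the path is
    // rebuilt from SCRIPT_NAME and PATH_INFO (without the query string).
    if ( $uri === '' && isset( $server['SCRIPT_NAME'] ) ) {
        $uri = $server['SCRIPT_NAME'];
        if ( isset( $server['PATH_INFO'] ) && $server['PATH_INFO'] !== $server['SCRIPT_NAME'] ) {
            $uri .= $server['PATH_INFO'];
        }
    }

    // Unpatched 3.3.1: append whenever QUERY_STRING is non-empty.
    // Patched: additionally require that no '?' is present yet.
    $append = ! empty( $server['QUERY_STRING'] );
    if ( $patched ) {
        $append = $append && strpos( $uri, '?' ) === false;
    }
    if ( $append ) {
        $uri .= '?' . $server['QUERY_STRING'];
    }
    return $uri;
}

// Step (a) as a check: SERVER_SOFTWARE claims IIS, but the PHP interpreter
// running this code is not on Windows (same information phpinfo() shows).
function server_software_is_misreported( array $server ) {
    $software   = isset( $server['SERVER_SOFTWARE'] ) ? $server['SERVER_SOFTWARE'] : '';
    $claims_iis = preg_match( '#^Microsoft-IIS/#', $software ) === 1;
    $on_windows = strtoupper( substr( PHP_OS, 0, 3 ) ) === 'WIN';
    return $claims_iis && ! $on_windows;
}

// Constructed sample: a Linux host whose SERVER_SOFTWARE was rewritten to
// look like IIS. REQUEST_URI is already complete, query string included.
$linux_claiming_iis = array(
    'SERVER_SOFTWARE' => 'Microsoft-IIS/7.5',
    'REQUEST_URI'     => '/wp-admin/themes.php?page=theme_options',
    'QUERY_STRING'    => 'page=theme_options',
);

// Constructed sample: a genuine IIS request with an empty REQUEST_URI. The
// guard must still let the query string be appended here.
$genuine_iis = array(
    'SERVER_SOFTWARE' => 'Microsoft-IIS/7.5',
    'REQUEST_URI'     => '',
    'SCRIPT_NAME'     => '/wp-admin/themes.php',
    'QUERY_STRING'    => 'page=theme_options',
);

$samples = array( 'linux claiming IIS' => $linux_claiming_iis, 'genuine IIS' => $genuine_iis );
foreach ( $samples as $label => $server ) {
    $unpatched = rebuild_request_uri( $server, false );
    $patched   = rebuild_request_uri( $server, true );
    echo $label, "\n";
    echo "  unpatched: ", $unpatched, "\n";   // doubled '?page=' for the first sample
    echo "  patched:   ", $patched, "\n";     // single query string for both samples
    // The value settings_fields() would place in the hidden referer field.
    echo '  referer field: <input type="hidden" name="_wp_http_referer" value="',
         htmlspecialchars( $patched, ENT_QUOTES ), "\" />\n";
}

if ( server_software_is_misreported( $linux_claiming_iis ) ) {
    echo "SERVER_SOFTWARE reports IIS but PHP_OS is ", PHP_OS, ": matches this ticket\n";
}
```

 Run with {{{php}}} on the command line: for the first sample the unpatched
 path yields ''/wp-admin/themes.php?page=theme_options?page=theme_options''
 while the patched path keeps the single query string; for the second sample
 both paths produce ''/wp-admin/themes.php?page=theme_options'', which is the
 behaviour the guard must preserve for servers that really are IIS.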


 == Related bug reports found: ==

 * #15209 {{{$_SERVER['REQUEST_URI']}}} Doesn't always work correctly
 * #12346 Saving settings in multiple plugins results in You do not have
 sufficient permissions to access this page.


 This ticket has been opened as the previous two bug reports were too old
 to reopen.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/19892>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

