[wp-trac] [WordPress Trac] #17047: Not following spec for REQUEST_URI

WordPress Trac noreply at wordpress.org
Sun Feb 8 00:31:30 UTC 2015

#17047: Not following spec for REQUEST_URI
 Reporter:  sterlo         |       Owner:  sterlo
     Type:  defect (bug)   |      Status:  reviewing
 Priority:  normal         |   Milestone:  Future Release
Component:  Rewrite Rules  |     Version:  3.1
 Severity:  normal         |  Resolution:
 Keywords:  has-patch      |     Focuses:

Comment (by jeremyfelt):

 We do a similar check in `wp-login.php` and `auth_redirect()` when
 determining if SSL should be used:

 if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
         wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
 } else {
         wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] .

 I think the approach in
 17047.patch] makes sense, though I'm not sure that we should use
 `HTTP_HOST` as the replacement in this situation. If the server (likely
 Apache) is passing on `REQUEST-URI` untouched, it's possible that
 `HTTP_HOST` may also be unreliable.

 I haven't actually tested any of this. :) I think an Apache VM and proxy
 are needed to really go all in. It seems that Nginx corrects these values
 before hitting PHP.

 Related #29709, which may technically be a duplicate due to the root

Ticket URL: <https://core.trac.wordpress.org/ticket/17047#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list