[wp-trac] [WordPress Trac] #17047: Not following spec for REQUEST_URI
WordPress Trac
noreply at wordpress.org
Sun Feb 8 00:31:30 UTC 2015
#17047: Not following spec for REQUEST_URI
---------------------------+-----------------------------
Reporter: sterlo | Owner: sterlo
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: Future Release
Component: Rewrite Rules | Version: 3.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
---------------------------+-----------------------------
Comment (by jeremyfelt):
We do a similar check in `wp-login.php` and `auth_redirect()` when
determining if SSL should be used:
{{{
if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
    wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
    exit();
} else {
    wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
    exit();
}
}}}
I think the approach in
[https://core.trac.wordpress.org/attachment/ticket/17047/17047.patch
17047.patch] makes sense, though I'm not sure that we should use
`HTTP_HOST` as the replacement in this situation. If the server (likely
Apache) is passing on `REQUEST-URI` untouched, it's possible that
`HTTP_HOST` may also be unreliable.
I haven't actually tested any of this. :) I think an Apache VM and proxy
are needed to really go all in. It seems that Nginx corrects these values
before hitting PHP.
Related #29709, which may technically be a duplicate due to the root
cause.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/17047#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
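
An added example, not WordPress core code and not the contents of 17047.patch: one way to reduce an absolute-form `REQUEST_URI` to a path and query and build the HTTPS redirect from a configured host, so that neither the host inside `REQUEST_URI` nor `HTTP_HOST` decides where the redirect points. `CANONICAL_HOST`, both function names and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not WordPress core code.

// Assumption: the canonical host is taken from site configuration.
const CANONICAL_HOST = 'blog.example.org';

/**
 * Reduce a request target to origin-form ("/path?query").
 */
function normalize_request_uri( string $request_uri ): string {
    // Absolute-form ("http://host/path?query"): keep only path and query.
    if ( preg_match( '#^https?://#i', $request_uri ) ) {
        $parts = parse_url( $request_uri );
        if ( ! is_array( $parts ) ) {
            return '/';
        }
        $request_uri = $parts['path'] ?? '/';
        if ( isset( $parts['query'] ) ) {
            $request_uri .= '?' . $parts['query'];
        }
    }
    // Anything that still is not origin-form falls back to the site root.
    if ( '' === $request_uri || '/' !== $request_uri[0] ) {
        return '/';
    }
    // Collapse leading slashes so the result is never scheme-relative.
    return '/' . ltrim( $request_uri, '/' );
}

/**
 * Build the HTTPS redirect target from the configured host only.
 */
function https_redirect_target( string $request_uri, string $host = CANONICAL_HOST ): string {
    return 'https://' . $host . normalize_request_uri( $request_uri );
}

// Constructed sample request targets (origin-form, absolute-form, foreign host).
$samples = array(
    '/wp-login.php?redirect_to=%2Fwp-admin%2F',
    'http://blog.example.org/wp-login.php?action=lostpassword',
    'http://other.example.net/wp-login.php',
    '//other.example.net/wp-login.php',
);
foreach ( $samples as $uri ) {
    printf( "%-58s => %s\n", $uri, https_redirect_target( $uri ) );
}
```

Every sample resolves to a URL on `blog.example.org`; the foreign host in the third sample is dropped, and the fourth becomes the path `/other.example.net/wp-login.php`.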