[wp-trac] [WordPress Trac] #25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
WordPress Trac
noreply at wordpress.org
Sun Jul 30 18:51:50 UTC 2017
#25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
-------------------------------------------------+-------------------------
Reporter: layotte | Owner:
Type: defect (bug) | SergeyBiryukov
Priority: normal | Status: reviewing
Component: Mail | Milestone: Future
Severity: normal | Release
Keywords: has-patch dev-feedback needs- | Version: 3.8
testing | Resolution:
| Focuses:
-------------------------------------------------+-------------------------
Comment (by pessoft):
* If client supplied data ( like contents of `$_SERVER['SERVER_NAME']` )
are not validated securely then it shouldn't be used. So replacement of
all such occurrences with trusted data source makes sense. layotte's
attachment:server_name.diff shows where these replacements should be done
in preparation of From email addresses.
* For source of the domain I think that solution suggested in cloudstek's
attachment:CVE-2017-8295.patch: `parse_url( network_home_url(),
PHP_URL_HOST )` looks better.
* Also for backward compatibility I would also consider to keep the `www.`
removal.
* Usage of always available domain name from network_home_url() instead
unreliable `$_SERVER['SERVER_NAME']` fixes also issues for those who call
WP directly by PHP ( for example in situations where WP cron is invoked
using system cron and php-cli ).
I'll put together an attachment where I combine the solutions as described
in the points above, in a hope to speed up fix for this ticket.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/25239#comment:91>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list