[wp-trac] [WordPress Trac] #25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
WordPress Trac
noreply at wordpress.org
Mon Jul 31 08:30:31 UTC 2017
#25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
-------------------------------------------------+-------------------------
 Reporter:  layotte                              |       Owner:  SergeyBiryukov
     Type:  defect (bug)                         |      Status:  reviewing
 Priority:  normal                               |   Milestone:  Future Release
Component:  Mail                                 |     Version:  3.8
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch dev-feedback needs-testing |     Focuses:
-------------------------------------------------+-------------------------

Comment (by RedSand):
Replying to [comment:92 kitchin]:
> Contrary to comments above, general opinion is that while HTTP_HOST can
> be unsafe client data, SERVER_NAME is a server configuration and so pretty
> safe. For example,
> https://stackoverflow.com/questions/2297403/http-host-vs-server-name
>
> That may not be 100% guaranteed on all servers, so distrusting
> SERVER_NAME may be wise, but comment:91 is not generally right about
> "client supplied data."

I'd disagree on that. If `UseCanonicalName` (or equivalent) is not set
properly on the server, then the `SERVER_NAME` can be overridden with the
value of `HTTP_HOST`. Remember that ''"pretty safe" != "secure"''. I would
say that comments by @pessoft were correct in the general meaning.

In general I agree with @pessoft's recommendation. As he noted, it also
would take care of issues with CLI.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/25239#comment:93>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
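
Added example, not part of the ticket, its patches, or WordPress core: a PHP sketch contrasting a mail host read from `$_SERVER['SERVER_NAME']` with one taken from stored configuration, run against a request whose `SERVER_NAME` mirrors the Host header and against a CLI run. The function names, the site URL and the `$_SERVER` arrays are hypothetical, constructed values.

```php
<?php
// Added illustration; every name and sample value here is hypothetical.

// Pattern under discussion: the host comes from the request environment.
// With UseCanonicalName Off this can mirror the client's Host header,
// and under CLI the key is not set at all.
function mail_host_from_server(array $server): ?string
{
    return isset($server['SERVER_NAME']) ? strtolower($server['SERVER_NAME']) : null;
}

// Alternative: the host comes from stored configuration only, so neither
// the request nor the SAPI in use can change it.
function mail_host_from_config(string $site_url): string
{
    $host = parse_url($site_url, PHP_URL_HOST);
    if (!is_string($host) ||
        filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        throw new InvalidArgumentException('Configured site URL has no valid host');
    }
    $host = strtolower($host);
    // Drop a leading "www." so the address reads user@example.com.
    return strpos($host, 'www.') === 0 ? substr($host, 4) : $host;
}

// Constructed environments (not captured from a real server).
$cases = [
    'web, name taken from Host header' => ['SERVER_NAME' => 'other.example.net'],
    'CLI / cron'                       => [],
];
$site_url = 'https://www.example.com/blog'; // constructed configuration value

foreach ($cases as $label => $server) {
    printf(
        "%-34s server=%-20s config=%s\n",
        $label,
        var_export(mail_host_from_server($server), true),
        mail_host_from_config($site_url)
    );
}
```

The server-derived value differs between the two cases and is `NULL` under CLI, while the configuration-derived value stays the same in both.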