[wp-trac] [WordPress Trac] #25239: $_SERVER['SERVER_NAME'] not reliable when generating email host names

WordPress Trac noreply at wordpress.org
Mon Jul 31 08:30:31 UTC 2017


#25239: $_SERVER['SERVER_NAME'] not reliable when generating email host names
-------------------------------------------------+-------------------------
 Reporter:  layotte                              |       Owner:
     Type:  defect (bug)                         |  SergeyBiryukov
 Priority:  normal                               |      Status:  reviewing
Component:  Mail                                 |   Milestone:  Future
 Severity:  normal                               |  Release
 Keywords:  has-patch dev-feedback needs-        |     Version:  3.8
  testing                                        |  Resolution:
                                                 |     Focuses:
-------------------------------------------------+-------------------------

Comment (by RedSand):

 Replying to [comment:92 kitchin]:
 > Contrary to comments above, general opinion is that while HTTP_HOST can
 > be unsafe client data, SERVER_NAME is a server configuration and so pretty
 > safe. For example, https://stackoverflow.com/questions/2297403/http-host-vs-server-name
 >
 > That may not be 100% guaranteed on all servers, so distrusting
 > SERVER_NAME may be wise, but comment:91 is not generally right about
 > "client supplied data."

 I'd disagree on that. If `UseCanonicalName` (or equivalent) is not set
 properly on the server, then the `SERVER_NAME` can be overridden with the
 value of `HTTP_HOST`. Remember that ''"pretty safe" != "secure"''. I would
 say that comments by @pessoft were correct in the general meaning.

 In general I agree with @pessoft's recommendation. As he noted, it also
 would take care of issues with the CLI.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/25239#comment:93>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
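As an added illustration (not code from the ticket or its patch), a helper that derives the mail host from the configured site URL, the approach endorsed above, instead of `$_SERVER['SERVER_NAME']`. The function name, the sample URL and the constructed `$_SERVER`-style arrays are assumptions.

```php
<?php
// Derive the host used in From:/Message-ID addresses from configuration,
// never from request-supplied values. In WordPress the configured origin is
// the 'siteurl' option; assumption: the caller passes that string in rather
// than this helper calling get_option() itself.
function mail_host_from_site_url(string $siteurl): ?string {
    $host = parse_url($siteurl, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return null; // unconfigured or malformed URL: caller chooses a fallback
    }
    $host = strtolower($host);
    // Strip a leading "www." the way wp_mail() does when building the sender.
    if (substr($host, 0, 4) === 'www.') {
        $host = substr($host, 4);
    }
    // Accept only a plain DNS hostname so the value is safe inside an address
    // (rejects IPv6 literals, stray userinfo, and non-hostname characters).
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match("/^{$label}(\\.{$label})*$/", $host)) {
        return null;
    }
    return $host;
}

// Why SERVER_NAME alone is not enough: with Apache's UseCanonicalName Off
// (its default), SERVER_NAME mirrors the client's Host header, so whatever
// the client sent ends up in outgoing mail. A CLI invocation (wp-cli, cron)
// has no SERVER_NAME at all. Both arrays below are constructed for this example.
$request_server = ['HTTP_HOST' => 'forged-host.example', 'SERVER_NAME' => 'forged-host.example'];
$cli_server     = [];

$configured_siteurl = 'https://www.example.org/blog';

printf("from request: %s\n", $request_server['SERVER_NAME'] ?? '(unset)');
printf("from cli:     %s\n", $cli_server['SERVER_NAME'] ?? '(unset)');
printf("from config:  %s\n", mail_host_from_site_url($configured_siteurl) ?? '(invalid)');
```

Pairing this with `UseCanonicalName On` plus an explicit `ServerName` in the Apache vhost also makes `SERVER_NAME` configuration-derived, but the configured URL remains the only source that works identically under CLI and cron.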


More information about the wp-trac mailing list