[wp-trac] [WordPress Trac] #25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
WordPress Trac
noreply at wordpress.org
Thu May 18 18:00:49 UTC 2017
#25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
-------------------------------------------------+-------------------------
Reporter: layotte                                | Owner: SergeyBiryukov
Type: defect (bug)                               | Status: reviewing
Priority: normal                                 | Milestone: Future Release
Component: Mail                                  | Version: 3.8
Severity: normal                                 | Resolution:
Keywords: has-patch dev-feedback needs-testing   | Focuses:
-------------------------------------------------+-------------------------
Comment (by rawrly):
Because the ticket and this case are a bit old, and have begun to take on a
lot of side-issues related to the same bit of code, I wanted to summarize
the issue(s) at hand and repeat the currently open questions and solutions
provided, in a concise manner, for those just catching up:
Original ticket's focus:
`$_SERVER['SERVER_NAME']` does not always get passed down to PHP from the
web-server environment. This causes emails to fail to send due to an
invalid email address in the From address field.
This affects some nginx server configurations, as well as wp-cli and
sometimes Cron tasks, leading to emails being unable to be sent when
they are related to the function of the request.
The later reported vulnerability:
A pseudo-vulnerability was released related to this portion of WP core
code in early 2017, where, in specific and unlikely server configurations,
this could be used to intercept password reset tokens.
Where this bug stands is in two parts:
There is an inconvenient choice for the FQDN after the @ when generating the
From address in emails, where in some situations it will cause emails to
not be sent and the application to not function correctly.
There is an unlikely but possible vulnerability also related to this same
portion of code, and the fact that it accepts browser input (the value from
the Host header field) for the value of the email address to send emails From.
Proposed Patches summary:
Most patches have been focused on how to get a FQDN from somewhere other
than `$_SERVER['SERVER_NAME']`:
"server_name.diff" does a replacement of all `$_SERVER['SERVER_NAME']` to
now use `$current_site->domain`.
"25239.patch" creates a function `get_email_domain()` which uses
`preg_replace` to extract the domain name from `get_home_url(
get_current_blog_id() )` -- there have been comments related to how this is
an incomplete fix due to limitations of the `preg_replace` regex.
"pluggable.php" is similar to 25239.patch.
"CVE-2017-8295.patch" uses `parse_url()` to extract the domain from
`network_home_url()`.
Recommendations that lack patches:
Creating a new wp_option value for the site's maintenance email address,
which would be used in the From field for these sort of emails
---
There are still two open questions related to:
"Whose responsibility is it to police SERVER_NAME in a multi-domain
configuration?"
"What are the arguments against having an option for setting the email
address with a sensible default?"
These have gone unanswered, and I don't want to quash these questions with
the summary.
So please chime in if you feel a solution/which patches may be a good fix
ASAP (since security) and which are more complete fixes (or, if you have
another proposal, please add it here).
---
IMHO I feel the wp_options value proposal is a more complete fix, but it
requires more work and testing (and requires a fall-back in case the
value of this option is NULL), while the CVE-2017-8295.patch fits the bill
for a sufficient "just works" patch if someone wants to kibosh that
security issue and these bugs for the short term and give more time for a
more complete fix to be tested, verified and implemented.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/25239#comment:89>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
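As an added illustration (not code from the ticket, its patches, or WordPress core), the following stand-alone PHP script contrasts the two ways of deriving the From domain that the comment above discusses. `from_address_via_server_name()` mirrors the pattern the ticket describes (domain taken from `$_SERVER['SERVER_NAME']`), and `from_address_via_home_url()` takes the approach attributed to CVE-2017-8295.patch, `parse_url()` on the site's configured URL, with a fall-back for the case where that value is missing. Because the script runs without WordPress loaded, the caller passes in the string that `network_home_url()` would return. The function names, the `$fallback` parameter, `is_sendable_from()`, and the two sample request environments are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress core code. Function names, the $fallback
// parameter and the sample $server arrays below are this example's own.

// Mirrors the pattern the ticket describes: when wp_mail() is given no
// From header, the domain after '@' is taken from $_SERVER['SERVER_NAME'].
function from_address_via_server_name(array $server): string
{
    // Core reads $_SERVER['SERVER_NAME'] directly; '??' only avoids a PHP
    // notice here when the web server never set it (nginx, wp-cli, cron).
    $sitename = strtolower($server['SERVER_NAME'] ?? '');
    if (substr($sitename, 0, 4) === 'www.') {
        $sitename = substr($sitename, 4);
    }
    return 'wordpress@' . $sitename;
}

// The approach of CVE-2017-8295.patch: derive the host from the site's
// configured URL with parse_url() instead of from the request. $home_url
// stands in for what network_home_url() returns so this runs without
// WordPress. $fallback covers an empty or malformed home URL (the "value
// of this option is NULL" case the comment asks a fall-back for).
function from_address_via_home_url(string $home_url, string $fallback = 'localhost'): string
{
    $host = parse_url($home_url, PHP_URL_HOST); // null (or false) when absent
    if (!is_string($host) || $host === '') {
        $host = $fallback;
    }
    $host = strtolower($host);
    if (substr($host, 0, 4) === 'www.') {
        $host = substr($host, 4);
    }
    return 'wordpress@' . $host;
}

// Syntactic check only: it catches the "no domain at all" failure but NOT
// an attacker-chosen domain, which is why the fix has to stop reading the
// request rather than validate harder.
function is_sendable_from(string $address): bool
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed request environments for the two failure modes.
$cases = [
    // nginx / wp-cli / cron style: SERVER_NAME was never populated.
    'no SERVER_NAME' => [
        'REQUEST_URI' => '/wp-login.php?action=lostpassword',
    ],
    // The web server copies the client's Host header into SERVER_NAME
    // (Apache with UseCanonicalName Off does this), so the requester
    // picks the domain that ends up after '@'.
    'attacker Host header' => [
        'HTTP_HOST'   => 'attacker.example',
        'SERVER_NAME' => 'attacker.example',
        'REQUEST_URI' => '/wp-login.php?action=lostpassword',
    ],
];

foreach ($cases as $label => $server) {
    $from = from_address_via_server_name($server);
    printf("%-22s SERVER_NAME-derived From: %-28s sendable=%s\n",
        $label, $from, is_sendable_from($from) ? 'yes' : 'no');
}

// Same requests, From derived from the configured site URL instead:
// the request contents no longer influence the address.
$home = 'https://www.example.com/blog';
printf("%-22s home-URL-derived From:    %s\n", 'configured site', from_address_via_home_url($home));
printf("%-22s home-URL-derived From:    %s\n", 'empty home URL', from_address_via_home_url(''));
```

Run it with `php example.php`. The first case produces an address with nothing after the `@`, which `filter_var()` rejects and which is the "emails fail to send" symptom of the original ticket; the second produces a syntactically valid address at the attacker's domain, which is the reset-token exposure path (a bounce or auto-reply from the victim's mailbox carries the reset link to that domain). The home-URL-derived variant yields the configured site's host, stripped of a leading `www.`, for any request, and falls back to `localhost` when the configured URL is empty; in a real deployment the fall-back should be whatever the site chooses as its maintenance address, as the wp_options proposal in the comment suggests.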