[wp-trac] [WordPress Trac] #25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
WordPress Trac
noreply at wordpress.org
Sun Oct 8 23:26:19 UTC 2017
#25239: $_SERVER['SERVER_NAME'] not a reliable when generating email host names
-------------------------------------------------+-------------------------
 Reporter:  layotte                              |       Owner:  SergeyBiryukov
     Type:  defect (bug)                         |      Status:  reviewing
 Priority:  normal                               |   Milestone:  Future Release
Component:  Mail                                 |     Version:  3.8
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch dev-feedback needs-testing |     Focuses:
-------------------------------------------------+-------------------------
Comment (by dvershinin):
Replying to [comment:94 seayou]:
> Having the same issue with my nginx configuration. I have
> `default_server` set in my configuration.
>
> I was thinking about that if it's safe to set `fastcgi_param
> SERVER_NAME "something.com";` in nginx as I deliberately don't want
> `server_name` to be set. Could that have any negative effect in other
> parts of WP or plugins (well that's a long shot)?

I can think that it's a good solution, but you might stay unprotected from
possible (future?) vulnerabilities that lie with the use of `HTTP_HOST` (as
opposed to `SERVER_NAME`) in PHP code.

Maybe better off making sure that only specific `Host` header field values
are accepted for `default_server`. Like
[https://www.getpagespeed.com/server-setup/security/stop-google-analytics-spam-bots-reduce-server-load this]
(it is an implementation of canonical host names in nginx, sort of).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/25239#comment:96>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
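
The Host allow-list suggested in the comment above, combined with the pinned `SERVER_NAME` from the quoted question, sketched as an nginx configuration. This is an added example, not taken from the ticket or from the linked article; `example.com`, the document root and the PHP-FPM socket path are placeholders.

```nginx
# Constructed example. The map block belongs in the http {} context.

# Allow-list of accepted Host values. $host is nginx's normalised host
# name (lower-cased, port stripped); anything not listed maps to 0.
map $host $host_allowed {
    default          0;
    example.com      1;
    www.example.com  1;
}

server {
    listen 80 default_server;
    # No server_name on purpose: this block receives every request on
    # the port, whatever Host header the client sent.

    root  /var/www/example;
    index index.php;

    # Close the connection without a response when the Host is not on
    # the list, so PHP never sees an arbitrary HTTP_HOST value.
    if ($host_allowed = 0) {
        return 444;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Without server_name, $server_name is empty, so pin the value
        # PHP receives in $_SERVER['SERVER_NAME']. The stock
        # fastcgi_params file also sets SERVER_NAME to $server_name;
        # remove that line there so only one value is sent.
        fastcgi_param SERVER_NAME example.com;

        fastcgi_pass  unix:/run/php/php-fpm.sock;
    }
}
```

Check the result with `nginx -t` and by requesting the site with a Host header that is not on the list; the connection should be closed before PHP runs.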