[nycphp-talk] $_server['server_name'] versus $_server['http_host']
Michael Sims
jellicle at gmail.com
Thu Mar 16 14:11:33 EST 2006
On Thursday 16 March 2006 13:23, Cliff Hirsch wrote:
> If I have several URLs pointing at the same server and want to setup my
> links to refer to the URL that was originally submitted, does this mean
> I should be using http_host, not server_name?
http_host is going to be whatever the user sent you. server_name is going
to be whatever the ServerName directive in Apache says. These may be the
same, or may be vastly different. Using http_host may be dangerous.
A) user asks for "example.com". Apache's setup catches the request with a
VirtualHost block with a ServerName of "example.com". Both variables are
the same.
B) user asks for "example.com". Apache's setup catches the request with a
VirtualHost block with a ServerName of "www.example.com" and a ServerAlias
of "example.com". server_name should now be "www.example.com" while
http_host is still "example.com".
C) user asks for "<script>hack me! hack you! hack everyone!</script>".
Since that isn't set up as a ServerName in your Apache setup, Apache's
setup catches the request with the DEFAULT VirtualHost block with a
ServerName of "www.example.com" and a ServerAlias of "example.com".
server_name should now be "www.example.com" while http_host is
"<script>hack me! hack you! hack everyone!</script>". Echoing http_host
back to the user is possibly dangerous.
I think we've had this discussion before about script_name and php_self and
so on. Don't trust user input.
Michael Sims
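As an added example (not code from the thread or its authors), here is PHP that applies the post's advice: honour HTTP_HOST only when it exactly matches a configured host, fall back to SERVER_NAME otherwise, and escape on output. The helper names canonical_host() and self_link(), the allowlist and the sample request environments are assumptions constructed to mirror cases A, B and C above.

```php
<?php
// Added example, not from the original thread. canonical_host() and
// self_link() are hypothetical names chosen for this illustration.

/**
 * Host name to use when building absolute links.
 * HTTP_HOST is whatever the client sent in the Host header (user input);
 * SERVER_NAME comes from Apache's ServerName for the VirtualHost that
 * caught the request. We use HTTP_HOST only if it is one of our own
 * configured names; otherwise we fall back to SERVER_NAME.
 */
function canonical_host(array $server, array $allowed_hosts): string
{
    $fallback = $server['SERVER_NAME'] ?? '';
    if (!isset($server['HTTP_HOST'])) {
        return $fallback;
    }
    // Drop an optional :port so "example.com:8080" still matches "example.com".
    $host = strtolower(preg_replace('/:\d+$/', '', $server['HTTP_HOST']));
    // Exact-match allowlist: no regexes, no substring checks.
    return in_array($host, $allowed_hosts, true) ? $host : $fallback;
}

/** Absolute link for this site; escaped so the value is inert in HTML. */
function self_link(array $server, array $allowed_hosts, string $path): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $url = $scheme . '://' . canonical_host($server, $allowed_hosts) . $path;
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">home</a>';
}

$allowed = ['www.example.com', 'example.com'];

// Constructed request environments mirroring cases A, B and C in the post.
$cases = [
    'A' => ['SERVER_NAME' => 'example.com',     'HTTP_HOST' => 'example.com'],
    'B' => ['SERVER_NAME' => 'www.example.com', 'HTTP_HOST' => 'example.com'],
    'C' => ['SERVER_NAME' => 'www.example.com',
            'HTTP_HOST'   => '<script>hack me! hack you! hack everyone!</script>'],
];

foreach ($cases as $label => $env) {
    // The pattern the post warns about: echoing HTTP_HOST straight into the page.
    $unsafe = 'http://' . $env['HTTP_HOST'] . '/';
    echo "$label unsafe: $unsafe\n";
    // Allowlisted host (case C falls back to SERVER_NAME) plus output escaping.
    echo "$label safe:   " . self_link($env, $allowed, '/') . "\n";
}
```

In case C the safe link is built from "www.example.com" because the attacker-supplied Host value is not in the allowlist; in cases A and B it reflects "example.com" as the user requested.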