[nycphp-talk] $_server['server_name'] versus $_server[http-host']
Cliff Hirsch
cliff at pinestream.com
Thu Mar 16 14:17:29 EST 2006
So it seems like servername is certainly fine and http_host is fine if I
just take a whitelist approach.
-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Michael Sims
http_host is going to be whatever the user sent you. server_name is going to be whatever the ServerName directive in Apache says. These may be the same, or may be vastly different. Using http_host may be dangerous.

A) user asks for "example.com". Apache's setup catches the request with a VirtualHost block with a ServerName of "example.com". Both variables are the same.

B) user asks for "example.com". Apache's setup catches the request with a VirtualHost block with a ServerName of "www.example.com" and a ServerAlias of "example.com". server_name should now be "www.example.com" while http_host is still "example.com".

C) user asks for "<script>hack me! hack you! hack everyone!</script>". Since that isn't set up as a ServerName in your Apache setup, Apache's setup catches the request with the DEFAULT VirtualHost block with a ServerName of "www.example.com" and a ServerAlias of "example.com". server_name should now be "www.example.com" while http_host is "<script>hack me! hack you! hack everyone!</script>". Echoing http_host back to the user is possibly dangerous.
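The whitelist approach Cliff settles on, written out as an added example (this code is not from the thread or from either poster). The allowed-host list, the canonical fallback and the constructed request arrays are assumptions chosen to mirror cases A, B and C above; in a real script you would pass `$_SERVER` instead of the constructed arrays.

```php
<?php
// Added example, not part of the original mailing-list post.
// Resolve a trusted host name with an exact-match whitelist instead of
// trusting $_SERVER['HTTP_HOST'] directly. The whitelist and the canonical
// host are assumed values for illustration.

/**
 * Return the host to use for building links, or the canonical host when
 * the request's Host header is not on the whitelist.
 */
function trusted_host(array $server, array $allowed, string $canonical): string
{
    $host = $server['HTTP_HOST'] ?? '';
    // Strip an optional port ("example.com:8080") before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', $host));
    // Exact match only (no substring or regex matching), so an arbitrary
    // Host value like case C can never reach the output.
    if (in_array($host, $allowed, true)) {
        return $host;
    }
    return $canonical;
}

// Constructed request arrays mirroring the three cases in the thread.
$allowed   = ['example.com', 'www.example.com'];
$canonical = 'www.example.com';

$cases = [
    'A' => ['HTTP_HOST' => 'example.com',
            'SERVER_NAME' => 'example.com'],
    'B' => ['HTTP_HOST' => 'example.com',
            'SERVER_NAME' => 'www.example.com'],
    'C' => ['HTTP_HOST' => '<script>hack me! hack you! hack everyone!</script>',
            'SERVER_NAME' => 'www.example.com'],
];

foreach ($cases as $label => $server) {
    $host = trusted_host($server, $allowed, $canonical);
    // Even a whitelisted value is escaped when echoed into HTML, so the
    // whitelist and output encoding back each other up.
    echo $label, ': ', htmlspecialchars($host, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Cases A and B resolve to the host the user actually asked for, since both names are on the list; case C falls back to the canonical host because the Host header matches nothing, and the `<script>` string never reaches the page.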