id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
9786	WordPress should not sniff servers by name	filosofo	filosofo	"In {{{wp-includes/vars.php}}} !WordPress sets the global variable $is_apache according to the {{{$_SERVER['SERVER_SOFTWARE']}}} string.  

Just as with !JavaScript browser sniffing by User Agent, this approach is doomed to failure.  I know I'm not the only one who renames servers for whimsy or security-by-obscurity.  

I think a general solution would be to test for the desired behavior that we want.  For example, $is_apache is used in two places: the permalink options page and the apache_mod_loaded() function.  For the latter, we should be able just to strip out the $is_apache check.  For the permalinks options page, couldn't we use apache_mod_loaded() itself?"	defect (bug)	closed	normal		Permalinks		normal	wontfix	needs-patch server-sniffing