Not following spec for REQUEST_URI
|Reported by:||sterlo||Owned by:||sterlo|
Possibly related: #16932
The spec for REQUEST_URI:
Request-URI = "*" | absoluteURI | abs_path | authority
The specs for REQUEST_URI in Apache are such that it allows for absolute paths to a given resource.
Given that throughout WordPress there are concatenations like:
$_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']
These are intended to generate "mysite.com/resources"
But in certain cases will generated "mysite.com/mysite.com/resources"
GET http://subdomain.mydomain.com/ HTTP/1.1
This should be allowed.
Apache in this case sets the URI to "http://subdomain.mydomain.com/myfile.php"
Solution: Do not assume that URI is not an absolute path.
A quick fix is something like the patch attached.