Opened 8 years ago
Last modified 2 months ago
#36486 new defect (bug)
is_apache in vars.php does not always work
Reported by: | amandato | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 4.4.2 |
Component: | Rewrite Rules | Keywords: | has-patch |
Focuses: | Cc: |
Description
The $is_apache variable does not always work when using an Apache module like security2_module with the SecServerSignature option. By removing the word "Apache" from the name of the server vars.php will no longer detect that the server is Apache.
function_exists('apache_get_version')!== false |
Any Apache only function will work.
See attached patch from WP 4.4.2
I discovered this caused issues with the RewriteRules, randomly WordPress would add index.php/ within the permalinks when editing the permalink options in the wp-admin.
Not sure if this should be called a bug or an enhancement, leave it up to core team to decide that.
I would not remove the first 2 checks though, it is possible that the apache_get_version is disabled in the php.ini. I would recommend adding the option to the current checks just to be 100% sure.
Attachments (1)
Change History (5)
#2
@
6 years ago
- Keywords has-patch added
Hello,
what happened to the patch? do you need another patch format? The bug still exists in the latest version...
#3
@
5 years ago
#4
@
2 months ago
I've encountered instances where the Server header lacks explicit mention of Apache or LiteSpeed. It's worth noting that as of 2024, it is common to see the Server header removed as a security best practice or changed through popular proxy cache services.
The OWASP Secure Headers Project explicitly advises removing the Server header to minimize potential information disclosure.
https://owasp.org/www-project-secure-headers/#prevent-information-disclosure-via-http-headers
Cloudflare's widely used proxy cache service defaults to replacing the Server header value with "cloudflare".
In my experience, numerous WordPress security and caching plugins rely on variables such as $is_apache, $is_nginx, $is_IIS, and $is_iis7 to determine how to configure their features.
If better defining these variables proves challenging, a potential solution could involve providing more formal ways for developers to explicitly define their environment. This could be achieved through methods like wp-config definitions, offering an alternative way to convey this critical information.
Patch for this ticket from WinMerge (let me know if you need a different patch format)