WordPress.org

Make WordPress Core

Opened 2 months ago

Last modified 6 days ago

#53998 new enhancement

Use network_home_url() instead of $_SERVER['HTTP_HOST'] for added safety.

Reported by: wp_kc Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: General Keywords: dev-feedback
Focuses: Cc:

Description

Would it not be safer from XSS if uses of $_SERVER[HTTP_HOST] were replaced with network_home_url()? It looks to me like network_home_url() reads the server host name from the site settings instead of relying on a possibly manipulated $_SERVER[HTTP_HOST] value.

For example, I came across this code in /wp-admin/includes/class-wp-list-table.php...

<?php
/**
 * Displays the pagination.
 *
 * @since 3.1.0
 *
 * @param string $which
 */
protected function pagination( $which ) {
   ...
   $current_url = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
   ...
}

Wouldn't this be safer if it were re-written as...

<?php
/**
 * Displays the pagination.
 *
 * @since 3.1.0
 *
 * @param string $which
 */
protected function pagination( $which ) {
   ...
   $current_url = network_home_url( $_SERVER['REQUEST_URI'] );
   ...
}

A search through the WP source code shows $_SERVER[HTTP_HOST] is used 27 times across 15 files.

Change History (2)

#1 @mukesh27
2 months ago

  • Component changed from Administration to General
  • Focuses administration coding-standards removed
  • Keywords dev-feedback added; needs-design-feedback removed

#2 @sabernhardt
6 days ago

  • Version trunk deleted

Related: #16858

Note: See TracTickets for help on using tickets.