Make WordPress Core

Opened 5 weeks ago

Last modified 12 days ago

#63316 new defect (bug)

[E_WARNING] Undefined array key "host" in wp-includes/canonical.php on line 717

Reported by: ArtZ91 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.8
Component: Canonical Keywords: has-test-info has-patch needs-testing
Focuses: Cc:

Description

The error of level E_WARNING was caught by using set_error_handler.

The issue is related to requests coming from the IP address 85.142.100.134 (which appears to be a scanner from cyberok.ru) that are triggering warnings in WordPress.

access log records:

domain:443 85.142.100.134 - - [19/Apr/2025:23:18:23 +0300] "GET / HTTP/1.1" 301 3405 "-" "Mozilla/5.0 (compatible; CyberOKInspect/1.0; +https://www.cyberok.ru/policy.html)"
domain:443 85.142.100.134 - - [19/Apr/2025:23:18:23 +0300] "GET / HTTP/1.1" 200 21814 "https://91.107.124.26/" "Mozilla/5.0 (compatible; CyberOKInspect/1.0; +https://www.cyberok.ru/policy.html)"
domain:443 85.142.100.134 - - [19/Apr/2025:23:19:41 +0300] "HELP" 400 3602 "-" "-"
domain:443 85.142.100.134 - - [19/Apr/2025:23:19:41 +0300] "EHLO" 400 3602 "-" "-"
domain:443 85.142.100.134 - - [19/Apr/2025:23:19:55 +0300] "GET / HTTP/1.0" 301 3410 "-" "-"
domain:443 85.142.100.134 - - [19/Apr/2025:23:19:41 +0300] "GET / HTTP/1.0" 301 3410 "-" "-"

Debug backtrace:

Array
(
    [0] => Array
        (
            [file] => /var/www/domain/wp-includes/canonical.php
            [line] => 717
            [function] => {closure}
        )

    [1] => Array
        (
            [file] => /var/www/domain/wp-includes/class-wp-hook.php
            [line] => 324
            [function] => redirect_canonical
        )

    [2] => Array
        (
            [file] => /var/www/domain/wp-includes/class-wp-hook.php
            [line] => 348
            [function] => apply_filters
            [class] => WP_Hook
            [type] => ->
        )

    [3] => Array
        (
            [file] => /var/www/domain/wp-includes/plugin.php
            [line] => 517
            [function] => do_action
            [class] => WP_Hook
            [type] => ->
        )

    [4] => Array
        (
            [file] => /var/www/domain/wp-includes/template-loader.php
            [line] => 13
            [function] => do_action
        )

    [5] => Array
        (
            [file] => /var/www/domain/wp-blog-header.php
            [line] => 19
            [args] => Array
                (
                    [0] => /var/www/domain/wp-includes/template-loader.php
                )

            [function] => require_once
        )

    [6] => Array
        (
            [file] => /var/www/domain/index.php
            [line] => 17
            [args] => Array
                (
                    [0] => /var/www/domain/wp-blog-header.php
                )

            [function] => require
        )

)
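What the warning is about, shown in an example added here that is not WordPress's own code: the requested URL is assembled from server variables, a request without a Host header leaves HTTP_HOST unset, and parse_url() then returns an array with no "host" key; reading that key is the E_WARNING on PHP 8 (E_NOTICE on 7.x). The three function names and the constructed $scanner/$browser arrays are assumptions; the error handler collects the warning the way the reporter's set_error_handler() did.

```php
<?php
// Added illustration, not WordPress code: how a request that carries no Host
// header turns into 'Undefined array key "host"', and what a guarded lookup
// looks like. build_requested_url(), unguarded_host() and guarded_host() are
// hypothetical names.

declare(strict_types=1);

// Collect notices the way the reporter did, with set_error_handler().
$caught = [];
set_error_handler(function (int $errno, string $errstr, string $file, int $line) use (&$caught): bool {
    $caught[] = [$errno, $errstr];
    return true; // handled here; do not fall through to PHP's default output
});

// Concatenate scheme + HTTP_HOST + REQUEST_URI. Apache only fills HTTP_HOST
// from a Host header, so a Host-less HTTP/1.0 request leaves it unset and the
// only thing left to work with is the path.
function build_requested_url(array $server): string
{
    $scheme = (($server['HTTPS'] ?? '') === 'on') ? 'https://' : 'http://';
    $uri    = $server['REQUEST_URI'] ?? '/';
    return isset($server['HTTP_HOST']) ? $scheme . $server['HTTP_HOST'] . $uri : $uri;
}

// Unguarded: assumes parse_url() always yields a 'host' key. It does not:
// parse_url('/') is ['path' => '/'], and reading 'host' from that array is
// exactly the warning in the ticket title.
function unguarded_host(string $url): ?string
{
    $parts = parse_url($url);
    return $parts['host'];
}

// Guarded: a missing host means there is nothing to canonicalise, so return
// null instead of assembling a redirect target from an empty host.
function guarded_host(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return null;
    }
    return $parts['host'];
}

// Constructed server vars: the scanner's request as the ticket shows it
// (HTTPS on, GET /, no Host header) next to an ordinary browser request.
$scanner = ['HTTPS' => 'on', 'REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/', 'SERVER_NAME' => 'example.test'];
$browser = $scanner + ['HTTP_HOST' => 'example.test'];

foreach (['browser' => $browser, 'scanner' => $scanner] as $label => $server) {
    $url    = build_requested_url($server);
    $caught = [];
    $u = unguarded_host($url);
    $g = guarded_host($url);
    printf("%-7s url=%-22s unguarded=%s guarded=%s warnings=%d\n",
        $label, $url, var_export($u, true), var_export($g, true), count($caught));
    foreach ($caught as [$level, $msg]) {
        printf("        %s: %s\n", $level === E_WARNING ? 'E_WARNING' : (string) $level, $msg);
    }
}
restore_error_handler();
```

Run with `php warning-demo.php`: the browser case reports the host with no warnings, the scanner case reports NULL from both functions, but only the unguarded one leaves an E_WARNING in the handler. The guard is the isset() check, which is what comment 4 below asks for; the web-server side of the problem (accepting the Host-less request at all) is a separate decision.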

Change History (9)

#1 @abcd95
5 weeks ago

  • Keywords needs-testing-info added

Hey @ArtZ91, Thanks for raising the ticket.

Could you possibly outline the details on how to reproduce this error?
A step-by-step guide or a screencast would be super helpful in identifying the root cause.

#2 @SirLouen
5 weeks ago

  • Keywords reporter-feedback added

@ArtZ91 I'm not 100% confident, but it appears that the scanner is accessing your host without the Host header, which might be triggering that warning.

When you file this kind of report, ideally I would recommend that you download this plugin to your site
https://wordpress.org/plugins/test-reports/ and send the environment variables or attach the Site Health > Info report.

That provides some variables of what you are using: PHP version, server info, etc.

#3 @ArtZ91
5 weeks ago

Environment

  • WordPress: 6.8
  • PHP: 8.3.10
  • Server: Apache/2.4.52 (Ubuntu)
  • Database: mysqli (Server: 8.0.41-0ubuntu0.22.04.1 / Client: mysqlnd 8.3.10)
  • Browser: Chrome 135.0.0.0
  • OS: Windows 10/11
  • Theme: private 1.0
  • MU Plugins:
    • aios-firewall-loader.php
  • Plugins:
    • Admin Columns 4.7.7
    • Advanced Custom Fields PRO 6.4.0.1
    • All-In-One Security (AIOS) 5.4.0
    • Cyr-To-Lat 6.3.0
    • Disable Comments 2.4.7
    • Redirection 5.5.2
    • Show Current Template 0.5.2
    • SVG Support 2.5.14
    • Test Reports 1.2.0
    • UpdraftPlus - Backup/Restore 1.25.5
    • WP Crontrol 1.18.0
    • WP Mail Logging 1.14.0
    • WP Mail SMTP 4.4.0
    • Yoast Duplicate Post 4.5
    • Yoast SEO 24.9
    • User Switching 1.9.2

Steps to Reproduce

Not reproduced yet / Steps unknown

Additional Notes

There is no clear understanding yet which process is causing the problem.

Internal wp-cron requests from 127.0.0.1 are executed suspiciously at the same time as this problem, but the logs only catch a GET request to the site root / from the scanner.

"ERROR_LEVEL":"E_DEPRECATED",
"HTTPS":"on",
"HTTP_HOST":"NULL",
"HTTP_REFERER":"NULL",
"HTTP_USER_AGENT":"NULL",
"IS_WP_CRON":false,
"REMOTE_ADDR":"85.142.100.140",
"REQUEST_METHOD":"GET",
"REQUEST_URI":"\/",
"SCRIPT_FILENAME":"\/var\/www\/<domain>\/index.php",
"SERVER_NAME":"<domain>"

Last edited 5 weeks ago by ArtZ91 (previous) (diff)

#4 @SirLouen
5 weeks ago

  • Keywords reporter-feedback removed

@ArtZ91 I need to check, but judging from your environment, my intuition says that the problem is with Apache2; it's not sanitizing the Host header.

I'm going to see if I can set up an Apache host and try again (the wordpress-develop env by default uses an nginx reverse proxy with PHP-FPM hosts for WP). Still, if this is the problem, host existence should be checked before using it in the informed variable; hence there is a potential issue to be sorted, we just need some reproduction steps to consistently reproduce this issue until it gets sorted.

#5 @SirLouen
5 weeks ago

  • Keywords has-testing-info added; needs-testing-info removed

Bug Reproduction Report

Description

✅ This report validates that the issue can be reproduced.

Environment

  • WordPress: 6.9-alpha-60093-src
  • PHP: 8.2.28
  • Server: Apache/2.4.63 (Unix)
  • Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
  • Browser: Chrome 135.0.0.0
  • OS: Windows 10/11
  • Theme: Minimal Child Theme 1.0.2
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Reproduction Steps

  1. First, you need a server that can accept requests without a Host. I tried to make Nginx do this, but could not find an easy solution. So the only alternative was to use Apache2 (this is why I asked here for the environment vars; I had a suspicion that A2 was the culprit).
  2. Second, we need to make sure that Apache2 has the guard down. We need to set HttpProtocolOptions Unsafe for the VirtualHost.
  3. Third, we should issue a request with very low standards. Like this one:
    curl -v -k --http1.0 -H 'Host:' http://localhost:8889
    

Note that in my case I'm using the wordpress-develop build, with a slightly modified version to use Apache2 instead of Nginx.

If you want to run my config in wordpress-develop you can get my patch with
npm run grunt patch:https://github.com/WordPress/wordpress-develop/pull/8722

Actual Results

  1. ✅ Error condition occurs (reproduced).

Here is the debug log that displays the same error that the reporter is reporting: https://gist.github.com/SirLouen/16ad44e99dbcf9ef7bd932663ba48e2f#file-debug-log

Additional Notes

  • Despite A2 being the culprit, I believe that this warning should be handled.
  • I'm not 100% confident, but it feels hard for this error to happen on any modern, well-configured server; but as always, better safe than sorry.
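The curl line in the reproduction steps above only shows the result on the terminal. The script below, added here as an example and not part of the ticket, the patch or WordPress, sends the same Host-less HTTP/1.0 request over a raw socket so the check can be scripted against a list of hosts and its exit code used in a pipeline. The script name, its argument handling and probe_without_host() are assumptions of this example.

```php
<?php
// Added example, not part of the ticket or of WordPress: send a raw HTTP/1.0
// request with no Host header (what `curl --http1.0 -H 'Host:'` does) and
// report how the server answered. probe_without_host() and the CLI arguments
// are this script's own assumptions.
//
//   php hostless-probe.php example.test            # TLS on 443 (default)
//   php hostless-probe.php 203.0.113.10 80 plain   # cleartext on 80

declare(strict_types=1);

function probe_without_host(string $target, int $port = 443, bool $tls = true, float $timeout = 5.0): array
{
    $remote = ($tls ? 'ssl://' : 'tcp://') . $target . ':' . $port;
    // A scanner hitting a bare IP does not care about the certificate name;
    // the probe must not either, or it only ends up testing the certificate.
    $ctx  = stream_context_create(['ssl' => ['verify_peer' => false, 'verify_peer_name' => false]]);
    $sock = @stream_socket_client($remote, $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return ['error' => trim("$errno $errstr")];
    }
    stream_set_timeout($sock, (int) $timeout);

    // Request line only: no Host, no User-Agent, no Referer, the same shape as
    // the "GET / HTTP/1.0" lines with "-" "-" in the reporter's access log.
    fwrite($sock, "GET / HTTP/1.0\r\n\r\n");
    $raw = (string) stream_get_contents($sock);
    fclose($sock);

    $head   = explode("\r\n\r\n", $raw, 2)[0];
    $lines  = explode("\r\n", $head);
    $status = (string) array_shift($lines);
    $code   = preg_match('#^HTTP/\d\.\d (\d{3})#', $status, $m) ? (int) $m[1] : null;

    $headers = [];
    foreach ($lines as $line) {
        if (str_contains($line, ':')) {
            [$name, $value] = explode(':', $line, 2);
            $headers[strtolower(trim($name))] = trim($value);
        }
    }
    return ['status' => $status, 'code' => $code, 'headers' => $headers];
}

$target = $argv[1] ?? 'localhost';
$port   = (int) ($argv[2] ?? 443);
$tls    = ($argv[3] ?? 'tls') !== 'plain';

$r = probe_without_host($target, $port, $tls);
if (isset($r['error'])) {
    fwrite(STDERR, "connect to $target:$port failed: {$r['error']}\n");
    exit(2);
}
echo $r['status'], "\n";
if (isset($r['headers']['location'])) {
    echo 'Location: ', $r['headers']['location'], "\n";
}
// A 400 means the web server itself refused the Host-less request. A 2xx/3xx
// means the application received it and ran with no HTTP_HOST, which is the
// condition behind this ticket; a Location header shows what the application
// assembled as the canonical URL in that state. Exit 1 on the finding.
exit($r['code'] !== null && $r['code'] < 400 ? 1 : 0);
```

Run it against the wordpress-develop Apache host from the reproduction steps with and without HttpProtocolOptions Unsafe to see the difference in the status line; against a production host, a non-zero exit means a Host-less request reaches WordPress and the guard from the patch is what keeps the warning out of the error log.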

#6
5 weeks ago

  • Keywords has-patch added

This ticket was mentioned in PR #8723 on WordPress/wordpress-develop by @SirLouen.

#7 @SirLouen
5 weeks ago

  • Keywords needs-testing added

Testing instructions and patch provided. Ready for testing.

#8 @wordpressdotorg
13 days ago

  • Keywords has-test-info added; has-testing-info removed

#9
12 days ago

This ticket was mentioned in Slack in #core-test by sirlouen. View the logs.
