HTTP_HOST being manipulated improperly for redirects
|Reported by:||revmj||Owned by:||markjaquith|
When redirecting a hit to the proper URL, WordPress makes some bad assumptions. Specifically, during redirects, any port information provided by the client is dropped. If I go to http://example.com:80/, I get redirected to http://example.com/. If I go to https://example.com:443/, I get redirected to https://example.com/.
Thus far, no problem has occurred because we are on on server that uses default ports. However, lets say my web server is running http on 8080 and https on 8443. Now when I go to http://example.com:8080/ and get redirected to http://example.com/, it fails. As a workaround, you can change the following settings:
WordPress address: http://example.com:8080/
Blog address: http://example.com:8080/
While this clears up the problem for http requests, you will not be able to use https becuse and attempt to go to https://example.com:8443/ now redirects to https://example.com:8080/ and it fails because the server does not speak ssl on 8080.
Additionally, when you have an https proxy in front of your web server such as pound (with http on port 80 and https on port 8443), you run into another problem caused by this same bug. In this situation if you attempt to go to https://example.com/, the proxy server accepts the request and then on the back end makes a none ssl connection to apache. Good so far, but in order to not make any assumptions, the proxy server tells apache that the request was for 'https://example.com:443/' and apache sets HTTP_HOST (very appropriately) to example.com:443. WordPress sees this request and redirects it to 'https://example.com/' by responding to the web browser with a 'Location:' header. Thus the browser sends another request for 'https://example.com/' and starts the whole process over again resulting in an infinite redirect.
As specifying a port is completely valid, this is a clear case of WordPress not handling things appropriately.
Change History (17)
- Component changed from General to Canonical
- Owner changed from anonymous to markjaquith
- Keywords needs-patch added
- Milestone changed from Future Release to 2.9