[nycphp-talk] $_server['server_name'] versus $_server[http-host']
Dan Cech
dcech at phpwerx.net
Thu Mar 16 15:10:59 EST 2006
Cliff Hirsch wrote:
> So it seems like servername is certainly fine and http_host is fine if I
> just take a whitelist approach.

If only it were that simple.

The contents of $_SERVER['SERVER_NAME'] are also dependent on the setting
of UseCanonicalName in the relevant section of your Apache or
VirtualHost config.

If UseCanonicalName is On, $_SERVER['SERVER_NAME'] will contain the
ServerName specified in your Apache or VirtualHost config, regardless of
the Host: header sent by the client.

*However*, if UseCanonicalName is Off, $_SERVER['SERVER_NAME'] will
contain the same (potentially tainted) value as $_SERVER['HTTP_HOST'].

$_SERVER['SERVER_SIGNATURE'] will also contain whatever is specified in
the Host: header; however, at least on my test server it will have HTML
special characters escaped.

Dan
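
The whitelist approach discussed in this thread, as an added example that is not part of the original messages: it treats both HTTP_HOST and SERVER_NAME as client-controlled, since with UseCanonicalName Off they carry the same value. The function name, the constants and the host names are hypothetical, and the sample requests are constructed.

```php
<?php
// Added example. ALLOWED_HOSTS, DEFAULT_HOST and trusted_host() are
// hypothetical names; the host values are constructed samples.

const ALLOWED_HOSTS = ['www.example.com', 'example.com'];
const DEFAULT_HOST  = 'www.example.com';

/**
 * Return an allowlisted host name for this request, or DEFAULT_HOST.
 * Neither HTTP_HOST nor SERVER_NAME is trusted as-is: with
 * UseCanonicalName Off, SERVER_NAME mirrors the client's Host: header.
 */
function trusted_host(array $server): string
{
    foreach (['HTTP_HOST', 'SERVER_NAME'] as $key) {
        if (!isset($server[$key]) || !is_string($server[$key])) {
            continue;
        }
        // Normalize: lowercase, drop an optional :port and a trailing dot.
        $host = strtolower(trim($server[$key]));
        $host = (string) preg_replace('/:\d{1,5}$/', '', $host);
        $host = rtrim($host, '.');
        // Exact, strict comparison against the allowlist only.
        if (in_array($host, ALLOWED_HOSTS, true)) {
            return $host;
        }
    }
    // Nothing matched: fall back to a value fixed in code, never to input.
    return DEFAULT_HOST;
}

// Constructed sample requests.
$samples = [
    // Legitimate request with mixed case and an explicit port.
    ['HTTP_HOST' => 'WWW.Example.com:80', 'SERVER_NAME' => 'www.example.com'],
    // UseCanonicalName Off: SERVER_NAME repeats the unexpected Host: value.
    ['HTTP_HOST' => 'unexpected.invalid', 'SERVER_NAME' => 'unexpected.invalid'],
    // UseCanonicalName On: SERVER_NAME holds the configured ServerName.
    ['HTTP_HOST' => 'unexpected.invalid', 'SERVER_NAME' => 'example.com'],
];

foreach ($samples as $s) {
    // Escape the raw header before printing it anywhere near HTML.
    echo htmlspecialchars($s['HTTP_HOST'], ENT_QUOTES, 'UTF-8'),
         ' => ', trusted_host($s), "\n";
}
```

Use the returned value, not the raw $_SERVER entries, when building absolute URLs, redirects or links in outgoing mail.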