Skip to content

Unfortunate crossover of HTTP_HOST and SERVER_PORT variables #223

New issue
New issue
Closed
Closed
Unfortunate crossover of HTTP_HOST and SERVER_PORT variables#223
@zeleznypa

Description

@zeleznypa
zeleznypa
opened on Mar 20, 2023

An unfortunate combination of parameters leads to an unexpected result when generating a URL.

http/src/Http/RequestFactory.php

Lines 84 to 95 in da24b94

if (
(isset($_SERVER[$tmp = 'HTTP_HOST']) || isset($_SERVER[$tmp = 'SERVER_NAME']))
&& preg_match('#^([a-z0-9_.-]+|\[[a-f0-9:]+\])(:\d+)?$#Di', $_SERVER[$tmp], $pair)
) {
$url->setHost(rtrim(strtolower($pair[1]), '.'));
if (isset($pair[2])) {
$url->setPort((int) substr($pair[2], 1));
} elseif (isset($_SERVER['SERVER_PORT'])) {
$url->setPort((int) $_SERVER['SERVER_PORT']);
}
}
}

When a user accesses the address http://example.local, NGINX passes the value example.local to the variable $_SERVER['HTTP_HOST']. Nette will use this as the basis for future URL generation. However, it does not find a value for the port in the content and so reaches for the $_SERVER['SERVER_PORT'] variable, which may lead to an undesirable result.

If there is an extra nginx proxy in front of the application that listens for example on port 80 and then redirects the communication to the application that listens by default on port 8080, the value of this variable will be just 8080. But the user has entered and is expecting port 80.

If the variable $_SERVER['HTTP_HOST'] is populated but does not contain the port part, it means that the default is used, i.e. 80 for HTTP and 443 for HTTPS.

Using $_SERVER['SERVER_PORT'] only makes sense in conjunction with $_SERVER['SERVER_NAME'].

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions