Support » Plugin: WP Super Cache » bug with use of $_SERVER["HTTP_HOST"] instead of SERVER_NAME

  • This is a minor but fundamental bug in the design of supercache IMHO

    On most server configurations, $_SERVER["HTTP_HOST"] will happily return whatever the heck the user’s browser sent in it’s headers, even if it’s malformed on purpose. Supercache attempts to filter it, but only in a trivial way.

    However if you’d use $_SERVER["SERVER_NAME"] instead, it will come from the apache/php environement instead which is far more trustworthy.

    This is why when you look at your supercache directory will will see things like uppercase hostnames or subdomains that aren’t even real – it’s your server being probed by bad code from the http headers and supercache dutifully creating a directory for the request.

    SERVER_NAME would help avoid that
    Setup a PHPINFO page and play with your http headers and url and see the difference.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Donncha Ó Caoimh


    Thanks. I have a feeling that using SERVER_NAME in some installs causes it’s own problems but I can’t remember what right now. I’ll do a search/replace though and run it on my own blogs for a few days/put it in the dev version.

    WordPress itself seems conflicted on the issue, half the hacks in there use SERVER_NAME the other half HTTP_HOST

    The problem is the .htaccess code has to stay consistent with the internal approach. Unfortunately the wordpress site_url is just not available there.

    Probably IIS hosts with PHP respond differently than apache or even nginx.

    You might just want to set a global variable or even a constant for the hostname and allow it to be adjusted as needed.

    But browser provided headers should never be accepted as the default. SERVER_NAME is far preferred over HTTP_HOST, unless SERVER_NAME is just not available in the environment.

    Plugin Author Donncha Ó Caoimh


    I think you could be right about IIS and the next version, if it has SERVER_NAME in it, is going to blow up for some users. I guess I’ll fail over and set SERVER_NAME from HTTP_HOST when it’s not defined …

    I change the nginx server config like this, then everything works perfect:

    fastcgi_param SERVER_NAME $host;

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘bug with use of $_SERVER["HTTP_HOST"] instead of SERVER_NAME’ is closed to new replies.