1

I have read the first comment here which said:

All elements of the $_SERVER array whose keys begin with 'HTTP_' come from HTTP request headers and are not to be trusted.

As well as this answer which said:

$_SERVER["HTTP_HOST"] is the HTTP Host header, as sent from the client. That makes this header generally unsafe.

They are all saying that $_SERVER['HTTP_HOST'] is not safe, BUT there is only one alternative so far as I can see, which is $_SERVER['SERVER_NAME'].

$_SERVER['SERVER_NAME'] is also not safe, which is highlighted in the official doc:

Note: Under Apache 2, UseCanonicalName = On and ServerName must be set. Otherwise, this value reflects the hostname supplied by the client, which can be spoofed. It is not safe to rely on this value in security-dependent contexts.

So, my question is: is there really no alternative (considered safe) to $_SERVER['HTTP_HOST']? Otherwise, I have to use it anyway even though I know it is not safe, because I have no choice...

Edited: My purpose is to get the base URL. And I don't have control because this is in a plugin for users who might misconfigure Apache.

yobebix932
  • 57
  • 4
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Nov 10 '22 at 09:25
  • [+2] You should tell us your use case so we can figure out alternative solutions – Randommm Nov 10 '22 at 09:33
  • [+1] Safe *for what*? What are you trying to use it for? Also, what control do you have over the Apache configuration - i.e. are you distributing an application to users who might misconfigure Apache, or installing it on a system you have complete control over? – IMSoP Nov 10 '22 at 09:33
  • @Randommm Sorry! I have edited my question. – yobebix932 Nov 10 '22 at 09:37
  • @IMSoP You're right, I don't have control over the Apache configuration because the code will be distributed to users who might misconfigure Apache. – yobebix932 Nov 10 '22 at 09:38
  • [+1] I'm still not clear on the requirement - get the base URL *for what*, and in what circumstances? What are the consequences of it being manipulated? The notion of some values being "safe" and some "unsafe" isn't very helpful - you always have to think about what problem or attack you are trying to protect against. – IMSoP Nov 10 '22 at 09:46
  • @IMSoP The code is distributed to users (I don't know who would use it; is that the circumstance you are referring to?). "What are the consequences of it being manipulated": I don't know, because I'm not the expert; that's why I refer to the doc and the people who wrote the answer. So do you mean it is generally safe to use? – yobebix932 Nov 10 '22 at 10:06
  • Is it a WordPress plugin? You might want to use get_site_url() then..... – Bret Weinraub Nov 10 '22 at 10:59
  • @BretWeinraub I have looked at the code, it uses `get_option(siteurl)`. Not sure if this function uses $_SERVER['HTTP_HOST'], but other functions might use `$_SERVER`, like https://developer.wordpress.org/reference/functions/wp_guess_url/#source ...So I cannot be sure if the function is completely safe to use either... – yobebix932 Nov 10 '22 at 11:09

1 Answer

0

"Safe" is always a relative term. A kitchen knife is not safe to use if you hold it by the blade, but that doesn't mean you should look for alternatives, it means you learn how to handle it safely.

$_SERVER['HTTP_HOST'] is "unsafe" in the sense that it could be controlled by the visitor to the page in some circumstances. If you're distributing a plugin, it's also under the control of any other PHP code running in the same request, since it's a writable global variable. It is not "unsafe" in the sense that a raptor will attack if you use it.

Like with the kitchen knife, the solution is not to avoid it, it's to handle it correctly. For instance, if you're outputting a link, and don't want a weirdly-formatted value to produce something that's not a proper URL, you can validate the value (check it contains only the characters you'd expect in a hostname) or sanitise it (strip out unexpected characters).

Or, if you're worried about the value changing or not being what the site owner expects, you could have the site owner confirm it during a setup process, and store the result in a config file.

IMSoP
  • 89,526
  • 13
  • 117
  • 169
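One way to follow the advice in the answer above (validate the Host header syntactically, and let the site owner confirm the expected host at setup time) as an added PHP example; it is not code from the original answer or from any real plugin, and `plugin_base_url` and the `$allowedHosts` config array are assumptions, not an existing API:

```php
<?php
declare(strict_types=1);

/**
 * Build the site's base URL from the request while treating HTTP_HOST as
 * untrusted input. $allowedHosts is the list the site owner confirmed during
 * setup (hypothetically read from the plugin's own config file). When it is
 * non-empty the request Host must match one entry exactly; when it is empty
 * only the syntactic check applies. Returns null on a missing or malformed
 * header so the caller can fail closed instead of emitting a bogus URL.
 */
function plugin_base_url(array $server, array $allowedHosts = []): ?string
{
    $host = strtolower(trim((string) ($server['HTTP_HOST'] ?? '')));
    if ($host === '' || strlen($host) > 255) {
        return null;
    }

    // Split off an optional ":port" suffix. Bracketed IPv6 literals are not
    // handled by this example and fall through to the hostname check (rejected).
    $port = null;
    if (preg_match('/^([^:]+):(\d{1,5})$/', $host, $m) === 1) {
        $host = $m[1];
        $port = (int) $m[2];
        if ($port < 1 || $port > 65535) {
            return null;
        }
    }

    // Syntactic check: dot-separated labels of [a-z0-9-] only, so slashes,
    // quotes, '@', whitespace and control characters can never reach the URL.
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return null;
    }

    // Allow-list check: the only defence against a well-formed but spoofed Host.
    if ($allowedHosts !== [] && !in_array($host, array_map('strtolower', $allowedHosts), true)) {
        return null;
    }

    $https   = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $default = $https ? 443 : 80;
    $authority = $host . (($port !== null && $port !== $default) ? ':' . $port : '');

    return ($https ? 'https' : 'http') . '://' . $authority . '/';
}

// Constructed sample requests (not real traffic), run from the command line.
var_dump(plugin_base_url(['HTTP_HOST' => 'Example.com', 'HTTPS' => 'on'], ['example.com'])); // confirmed host over TLS
var_dump(plugin_base_url(['HTTP_HOST' => 'example.com:8080'], ['example.com']));             // confirmed host, non-default port
var_dump(plugin_base_url(['HTTP_HOST' => 'attacker-controlled.test'], ['example.com']));     // well-formed host not on the allow-list
var_dump(plugin_base_url(['HTTP_HOST' => 'example.com/"><script>'], []));                    // malformed host, no allow-list configured
```

Storing the confirmed host in config (rather than re-reading it from the request) is what removes the dependency on a correctly configured Apache; the syntactic check alone only protects the URL's format, not its authority.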