Ticket #4732 (new defect)

Opened 1 year ago

Last modified 5 months ago

Standardize REQUEST_URI, was: $guessurl wrong in install.php

Reported by: ar0n Assigned to: anonymous
Priority: normal Milestone: 2.9
Component: Administration Version: 2.2
Severity: major Keywords: has-patch
Cc: sciolizer@gmail.com

Description

Apache >1.3 has a function implemented that gets the real uri named original_uri() (util_script.c).

Let's say wordpress is located at http://example.com/wordpress .

A standard request looks like this: 

GET /wordpress/wp-admin/install.php HTTP/1.1

Okey ... now apache original_uri(r) returns /wp-admin/index.php So PHP global variable $_SERVER[ 'REQUEST_URI' ]; looks like "/wp-admin/index.php"

upgrade-functions.php , upgrade-schema.php: 

$guessurl = preg_replace('|/wp-admin/.*|i', '', $schema . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);

$guessurl is "http://example.com/wordpress" cool :)

But what if the request is forwarded by squid with default config in accel vhost mode.

Here goes ...

The request is: 

GET http:///example.com/wordpress/wp-admin/install.php HTTP/1.1

Apache original_uri(r) returns http:///example.com/wordpress/wp-admin/install.php which is legal.

PHP global variable $_SERVERREQUEST_URI? is "http:///example.com/wordpress/wp-admin/install.php"

upgrade-functions.php , upgrade-schema.php: 

$guessurl = preg_replace('|/wp-admin/.*|i', '', $schema . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);

$guessurl is "http://example.comhttp://example.com/wordpress" not cool :(

The problem with this that values 'siteurl' and 'home' will be wrong in the options table.

This code solves the problem (replaceing it in both places): 

$guessurl = eregi($schema . $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']) ? preg_replace('|/wp-admin/.*|i', '', $_SERVER['REQUEST_URI']) : preg_replace('|/wp-admin/.*|i', '', $schema . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);

APACHE: v2.2.4 OS: BSD PHP: 5.2.4RC1-dev SQUID: 2.6

Yours, Aron Szabo

Attachments

guessurl.patch (1.5 kB) - added by hansengel on 01/06/08 22:58:59.
Patch to fix $guessurl
req-uri.patch (484 bytes) - added by azaozz on 03/05/08 10:22:57.

Change History

08/13/07 15:33:32 changed by ryan

  • keywords changed from $guessurl install.php to $guessurl install.php has-patch.

08/13/07 17:44:56 changed by westi

/me wonders out loud ...

Are there any other places where we assume the string we recieve via the GET request has had the http://domain.name stripped from the front?

Should we also move the duplicated code to a function rather than copy and pasting the fix into two places maybe something like:

guess_blog_root_url in wp-admin/includes/upgrade.php that returns the full root url for us.

08/13/07 20:18:17 changed by markjaquith

If this is a problem we should probably just standardize $_SERVER['REQUEST_URI'] early on in WP load.

08/14/07 17:07:00 changed by Nazgul

  • keywords changed from $guessurl install.php has-patch to $guessurl install.php needs-patch.
  • milestone changed from 2.2.3 to 2.3 (trunk).

09/12/07 21:59:43 changed by ryan

  • milestone changed from 2.3 to 2.4 (next).

01/06/08 22:58:59 changed by hansengel

  • attachment guessurl.patch added.

Patch to fix $guessurl

01/06/08 22:59:55 changed by hansengel

  • keywords changed from $guessurl install.php needs-patch to $guessurl install.php has-patch needs-testing.

Patched with rev. 6568 (latest ATM).

01/18/08 23:51:13 changed by sciolizer

  • cc set to sciolizer@gmail.com.

I ran into the same problems with squid changing the REQUEST_URI, but I found that if you have access to the squid.conf file, you can workaround the problem (until the patch becomes mainstream) by changing the cache_peer line to include the "originserver" option. You must have the rproxy patch, or be using Squid v3.

For example:

cache_peer 127.0.0.1 parent 80 7 no-query round-robin no-digest originserver

This will prevent squid from altering the REQUEST_URI, and is probably a good idea regardless of whether Wordpress uses REQUEST_URI or not, since other sites might be depending on it.

My workaround only works if you are using one squid server. If you are using multiple squid servers, then there is the possibility that the REQUEST_URI will be changed at the first one and not reverted at the last one. (I'm no squid expert, and I haven't tried this setup.)

Also, I would like to point out that the use of REQUEST_URI in the Wordpress source is much more systemic than just schema.php and upgrade.php. An rgrep on my copy returns 33 hits (version 2.3 of Wordpress).

03/05/08 06:59:14 changed by azaozz

  • keywords changed from $guessurl install.php has-patch needs-testing to has-patch.
  • summary changed from $guessurl wrong in install.php to Standardize REQUEST_URI, was: $guessurl wrong in install.php.

Not sure how often this can happen but when it happens, it's probably a show stopper. Like markjaquith, I think it's best to standardize it early as at last count REQUEST_URI is used 43 times.

03/05/08 10:22:57 changed by azaozz

  • attachment req-uri.patch added.

06/12/08 15:14:15 changed by sambauers

Issues discussed here will be impacted by the implementation of #7129, which proposes to move the discussed regular expressions to a single function.

06/24/08 17:36:23 changed by ryan

(In [8182]) wp_guess_url() and install styling fixes from sambauers. fixes #7129 see #4732