Page MenuHomePhabricator

WebRequest::detectServer() appends ":80" to hostname when HTTP_X_FORWARDED_PROTO == "https"
Closed, ResolvedPublic


Seen in labs when running a MediaWiki-Vagrant configured wiki behind yuviproxy. Configuration sets $wgServer = WebRequest::detectServer() which works great when HTTP_X_FORWARDED_PROTO is unset or http. When it is https, detectServer() adds ":80" to the generated url (eg "").

This is caused by a mismatch between the standard port for https (443) and the active SERVER_PORT reported by Apache (80). detectServer() calls IP::combineHostAndPort( $host, $port=80, $stdPort=443 ) which leads to a return value of $host:80 since the active port and the default port do not match.

I think naively that this could be fixed by choosing to set $port = $stdPort when $_SERVER['HTTP_X_FORWARDED_PROTO'] is set to 'https' and assume the upstream ssl proxy is running on the standard port 443.

Can anyone think of a realistic deployment scenario where this would be the wrong behavior?

Version: 1.24rc
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:43 AM
bzimport set Reference to bz70021.
bzimport added a subscriber: Unknown Object (MLST).

gerritadmin wrote:

Change 156236 had a related patch set uploaded by BryanDavis:
Use protocol default port with HTTP_X_FORWARDED_PROTO

gerritadmin wrote:

Change 156236 merged by jenkins-bot:
Use protocol default port with HTTP_X_FORWARDED_PROTO