Problem/Motivation

drupal_detect_baseurl() contains functionality that looks like it should closely mirror, or be identical to, some code in conf_path(). Rewriting similar or identical code in separate places in drastically different ways degrades legibility and understandability of the codebase overall.

Proposed resolution

If the relevant code is intended to be identical in functionality, ensure it is identical in the codebase.

Remaining tasks

Patch.

User interface changes

None.

API changes

None.

Original report by @Damien Tournoud

In install.php:

function drupal_detect_baseurl($file = 'install.php') {
  global $profile;
  $proto = $_SERVER['HTTPS'] ? 'https://' : 'http://';
  $host = $_SERVER['SERVER_NAME'];
  $port = ($_SERVER['SERVER_PORT'] == 80 ? '' : ':' . $_SERVER['SERVER_PORT']);
  $uri = preg_replace("/\?.*/", '', $_SERVER['REQUEST_URI']);
  $dir = str_replace("/$file", '', $uri);

  return "$proto$host$port$dir";
}

in conf_path():

    // Create base URL
    $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';

    // As $_SERVER['HTTP_HOST'] is user input, ensure it only contains
    // characters allowed in hostnames.
    $base_url = $base_root .= '://' . preg_replace('/[^a-z0-9-:._]/i', '', $_SERVER['HTTP_HOST']);

    // $_SERVER['SCRIPT_NAME'] can, in contrast to $_SERVER['PHP_SELF'], not
    // be modified by a visitor.
    if ($dir = trim(dirname($_SERVER['SCRIPT_NAME']), '\,/')) {
      $base_path = "/$dir";
      $base_url .= $base_path;
      $base_path .= '/';
    }
    else {
      $base_path = '/';
    }

Comments

arhak’s picture

arhak commented
Title: base url detection is incoherent between install time and runtime » code cleanup: base url detection is incoherent between install time and runtime
Category: bug » task

is this a bug or kind of code cleanup request?

boaz_r’s picture

boaz_r commented

1. On this issue see another bug I just posted: #364028
2. Also, the code in conf_path() should omit the isset() check on $_SERVER['HTTPS']. Its redundant. Instead of:

    $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';

We could use just:

    $base_root = ($_SERVER['HTTPS'] == 'on') ? 'https' : 'http';

point #1 above (the other bug) relates to this point.

thedavidmeister’s picture

thedavidmeister commented
Issue summary: View changes

Just linking the issue in #2 properly #364028: Incorrect checking of https protocol in drupal_detect_baseurl() will lead to problems on IIS.

I can confirm this is NOT an issue in D8 because there is no separate file for installing, we only have bootstrap now.

thedavidmeister’s picture

thedavidmeister commented
Issue summary: View changes
David_Rothstein’s picture

David_Rothstein commented
Related issues: +#364028: Incorrect checking of https protocol in drupal_detect_baseurl() will lead to problems on IIS, +#226873: With drupal_detect_baseurl(), D8: now unused - remove it, D7: make use of request_uri() and test

All sorts of issues with this function, apparently.

Status: Active » Closed (outdated)

Automatically closed because Drupal 7 security and bugfix support has ended as of 5 January 2025. If the issue verifiably applies to later versions, please reopen with details and update the version.