Change the default setting of UseCanonicalName to off and remove

that directive from the default config.

This could use some review because it has potential security
implications.  In particular, it could cause cross-site scripting
vulnerabilities if people rely on SERVER_NAME without validating
it.  But we have been running with this in our default config file
for a while, and it vastly reduces the confusion that comes
from people setting ServerName incorrectly.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/simple-conf@160595 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/docs/conf/extra/httpd-default.conf.in b/docs/conf/extra/httpd-default.conf.in
index 5fd1166f16dc82acbc39eaf00588d5add4b63c47..02a587c53015872297da443d7163776a8e740bf9 100644 (file)
--- a/docs/conf/extra/httpd-default.conf.in
+++ b/docs/conf/extra/httpd-default.conf.in
@@ -28,6 +28,15 @@ MaxKeepAliveRequests 100
 #
 KeepAliveTimeout 15
 
+#
+# UseCanonicalName: Determines how Apache constructs self-referencing 
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client.  When set "On", Apache will use the value of the
+# ServerName directive.
+#
+UseCanonicalName Off
+
 #
 # AccessFileName: The name of the file to look for in each directory
 # for additional configuration directives.  See also the AllowOverride 

diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
index 94baddb274cfb9cf064a75763840bd61c6d75bf2..a62467b7a706424d9fc328bb7c8857ae59cc02d5 100644 (file)
--- a/docs/conf/httpd.conf.in
+++ b/docs/conf/httpd.conf.in
@@ -97,20 +97,9 @@ ServerAdmin you@example.com
 # it explicitly to prevent problems during startup.
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
-# You will have to access it by its address anyway, and this will make 
-# redirections work in a sensible way.
 #
 #ServerName www.example.com:80
 
-#
-# UseCanonicalName: Determines how Apache constructs self-referencing 
-# URLs and the SERVER_NAME and SERVER_PORT variables.
-# When set "Off", Apache will use the Hostname and Port supplied
-# by the client.  When set "On", Apache will use the value of the
-# ServerName directive.
-#
-UseCanonicalName Off
-
 #
 # DocumentRoot: The directory out of which you will serve your
 # documents. By default, all requests are taken from this directory, but

diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml
index f2acbffa5f1a212c2bc11b6c017d1f1cf1ea6ebe..ad8e8b78f674c3f59c693c43ee9bd9f1db3075c6 100644 (file)
--- a/docs/manual/mod/core.xml
+++ b/docs/manual/mod/core.xml
@@ -2956,7 +2956,7 @@ certain events before failing a request</description>
 <description>Configures how the server determines its own name and
 port</description>
 <syntax>UseCanonicalName On|Off|DNS</syntax>
-<default>UseCanonicalName On</default>
+<default>UseCanonicalName Off</default>
 <contextlist><context>server config</context><context>virtual host</context>
 <context>directory</context></contextlist>
 

diff --git a/server/core.c b/server/core.c
index 3c72b61cef95a49eb43a1712d6035f2c6bb4c10d..b0e14c4224b6f5eb8ed28f4cd44fa2931bd9a2b0 100644 (file)
--- a/server/core.c
+++ b/server/core.c
@@ -876,8 +876,8 @@ AP_DECLARE(const char *) ap_get_server_name(request_rec *r)
     d = (core_dir_config *)ap_get_module_config(r->per_dir_config,
                                                 &core_module);
 
-    if (d->use_canonical_name == USE_CANONICAL_NAME_OFF) {
-        return r->hostname ? r->hostname : r->server->server_hostname;
+    if (d->use_canonical_name == USE_CANONICAL_NAME_ON) {
+        return r->server->server_hostname;
     }
 
     if (d->use_canonical_name == USE_CANONICAL_NAME_DNS) {
@@ -895,7 +895,7 @@ AP_DECLARE(const char *) ap_get_server_name(request_rec *r)
     }
 
     /* default */
-    return r->server->server_hostname;
+    return r->hostname ? r->hostname : r->server->server_hostname;
 }
 
 /*