From 9e5fdbf8d0e83369c06416a51b8d649e5ecf8a26 Mon Sep 17 00:00:00 2001
From: Dejan Marjanovic <dm@php.net>
Date: Fri, 22 Mar 2013 22:13:35 +0000
Subject: [PATCH] Added note to SERVER_PORT to warn about spoofing

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@329894 c90b9560-bf6c-de11-be94-00142212c4b1
---
 language/predefined/variables/server.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/language/predefined/variables/server.xml b/language/predefined/variables/server.xml
index 9b09055db2..52939d6979 100644
--- a/language/predefined/variables/server.xml
+++ b/language/predefined/variables/server.xml
@@ -392,6 +392,15 @@
        using SSL, for instance, will change this to whatever your
        defined secure HTTP port is.
       </simpara>
+      <note>
+       <simpara>
+        Under the Apache 2, you must set <literal>UseCanonicalName = On</literal>, 
+        as well as <literal>UseCanonicalPhysicalPort = On</literal> in order to
+        get the physical (real) port, otherwise, this value can be spoofed and it
+        may or may not return the physical port value.
+        It is not safe to rely on this value in security-dependent contexts.
+       </simpara>
+      </note>
      </listitem>
     </varlistentry>