Make WordPress Core

Ticket #25239: CVE-2017-8295.patch

File CVE-2017-8295.patch, 941 bytes (added by cloudstek, 7 years ago)
  • wp-includes/pluggable.php

    old new  
    323323
    324324        if ( !isset( $from_email ) ) {
    325325                // Get the site domain and get rid of www.
    326                 $sitename = strtolower( $_SERVER['SERVER_NAME'] );
    327                 if ( substr( $sitename, 0, 4 ) == 'www.' ) {
    328                         $sitename = substr( $sitename, 4 );
    329                 }
    330 
     326                $sitename = parse_url( network_home_url(), PHP_URL_HOST );
     327               
    331328                $from_email = 'wordpress@' . $sitename;
    332329        }
    333330
     
    14911488                $notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
    14921489        }
    14931490
    1494         $wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
     1491        $wp_email = 'wordpress@' . parse_url(network_home_url(), PHP_URL_HOST);
    14951492
    14961493        if ( '' == $comment->comment_author ) {
    14971494                $from = "From: \"$blogname\" <$wp_email>";