@mdeboer
Last active May 5, 2017 20:12
WordPress CVE-2017-8295 patch (proposal, needs testing)
--- a/wp-includes/pluggable.php 2017-03-10 16:06:34.000000000 +0100
+++ b/wp-includes/pluggable.php 2017-05-05 21:44:15.000000000 +0200
@@ -323,11 +323,8 @@
if ( !isset( $from_email ) ) {
// Get the site domain and get rid of www.
- $sitename = strtolower( $_SERVER['SERVER_NAME'] );
- if ( substr( $sitename, 0, 4 ) == 'www.' ) {
- $sitename = substr( $sitename, 4 );
- }
-
+ $sitename = parse_url( network_home_url(), PHP_URL_HOST );
+
$from_email = 'wordpress@' . $sitename;
}
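Review bot: `parse_url()` returns null when the URL carries no host component (and false on a malformed URL), so if `network_home_url()` is ever not an absolute URL the new `$sitename` line yields a From address of bare `wordpress@`; the result needs a type check before concatenation, and the fallback must not be `$_SERVER['SERVER_NAME']`, since a request-controlled host is exactly what CVE-2017-8295 is about. The rewrite also drops the lowercasing and the `www.` strip that the comment on the line above ("get rid of www.") still promises, so sites whose home URL includes `www.` will start sending from a different address than before; either keep that normalisation or update the comment. Both points apply equally to the `$wp_email` line in the second hunk. The enclosing `if ( !isset( $from_email ) )` block sits inside a function that starts and ends outside this hunk.
```php
if ( !isset( $from_email ) ) {
	// Derive the sender host from the configured home URL, never from the
	// request's Host header; parse_url() yields null/false when no host is present.
	$sitename = parse_url( network_home_url(), PHP_URL_HOST );
	if ( ! is_string( $sitename ) ) {
		$sitename = ''; // TODO: decide what to send when the home URL has no host; must not come from $_SERVER
	}
	$sitename = strtolower( $sitename );
	if ( 'www.' === substr( $sitename, 0, 4 ) ) {
		$sitename = substr( $sitename, 4 );
	}
	$from_email = 'wordpress@' . $sitename;
}
```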
@@ -1491,7 +1488,7 @@
$notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
}
- $wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
+ $wp_email = 'wordpress@' . parse_url(network_home_url(), PHP_URL_HOST);
if ( '' == $comment->comment_author ) {
$from = "From: \"$blogname\" <$wp_email>";