Description: Don't use SERVER_NAME for emails
 WordPress uses the SERVER_NAME variable to generate the from address for
 password resets. This variable can be set from the hostname sent by the
 client, which means it can be spoofed.

 This patch fixes CVE-2017-8295
Author: Maarten de Boer
Origin: upstream, https://core.trac.wordpress.org/attachment/ticket/25239/CVE-2017-8295.patch
Bug: https://core.trac.wordpress.org/ticket/25239
Bug-Debian: https://bugs.debian.org/862053
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2017-06-09
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -327,11 +327,8 @@
 
 	if ( !isset( $from_email ) ) {
 		// Get the site domain and get rid of www.
-		$sitename = strtolower( $_SERVER['SERVER_NAME'] );
-		if ( substr( $sitename, 0, 4 ) == 'www.' ) {
-			$sitename = substr( $sitename, 4 );
-		}
-
+		$sitename = parse_url( network_home_url(), PHP_URL_HOST );
+		
 		$from_email = 'wordpress@' . $sitename;
 	}
 
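Review bot: The new `$sitename` assignment no longer strips a leading `www.`, although the context comment directly above it still reads "get rid of www." and the removed lines did exactly that, so a site whose home URL is `https://www.example.com` now sends from `wordpress@www.example.com` instead of `wordpress@example.com`. `parse_url()` also returns `null` when the URL has no host component and `false` when it cannot be parsed at all, and either value concatenates to a bare `wordpress@` address; since `network_home_url()` is built from the stored home option rather than the request this is a robustness point, not a spoofing one, but it is worth guarding. The second hunk (`$wp_email` in the comment-notification code) drops the same `www.` stripping and has the same empty-host case, so the guard below applies there too. The added blank line after the assignment carries trailing tabs. The enclosing function begins before this hunk.
```php
		$sitename = parse_url( network_home_url(), PHP_URL_HOST );
		if ( is_string( $sitename ) && substr( $sitename, 0, 4 ) === 'www.' ) {
			$sitename = substr( $sitename, 4 );
		}

		$from_email = 'wordpress@' . $sitename;
```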
@@ -1512,7 +1509,7 @@
 		$notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
 	}
 
-	$wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
+	$wp_email = 'wordpress@' . parse_url(network_home_url(), PHP_URL_HOST);
 
 	if ( '' == $comment->comment_author ) {
 		$from = "From: \"$blogname\" <$wp_email>";
