Description: Don't use SERVER_NAME for emails
 WordPress uses the SERVER_NAME variable to generate the from address for
 password resets. This variable can be set by the hostname sent by the
 client, which means it can be spoofed.

 This patch fixes CVE-2017-8295
Author: Maarten de Boer
Origin: upstream, https://core.trac.wordpress.org/attachment/ticket/25239/CVE-2017-8295.patch
Bug: https://core.trac.wordpress.org/ticket/25239
Bug-Debian: https://bugs.debian.org/862053
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2017-06-09
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -329,11 +329,8 @@ function wp_mail( $to, $subject, $messag
 
 	if ( !isset( $from_email ) ) {
 		// Get the site domain and get rid of www.
-		$sitename = strtolower( $_SERVER['SERVER_NAME'] );
-		if ( substr( $sitename, 0, 4 ) == 'www.' ) {
-			$sitename = substr( $sitename, 4 );
-		}
-
+		$sitename = parse_url( network_home_url(), PHP_URL_HOST );
+		
 		$from_email = 'wordpress@' . $sitename;
 	}
 
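Review bot: The added `parse_url( network_home_url(), PHP_URL_HOST )` result in wp_mail is used unchecked and unnormalised. The retained comment still says "get rid of www.", but nothing strips it any more, so a home URL with a `www.` host changes the default sender (for an illustrative host, from `wordpress@example.com` to `wordpress@www.example.com`). parse_url() also yields null or false when no host can be parsed, which would leave a bare `wordpress@`. Consider `$sitename = preg_replace( '#^www\.#', '', strtolower( (string) parse_url( network_home_url(), PHP_URL_HOST ) ) );` plus an explicit fallback when the result is empty, and drop the whitespace-only `+` line. The same applies to the `$wp_email` line in the wp_notify_postauthor hunk; wp_mail's body continues outside this hunk.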
@@ -1529,7 +1526,7 @@ function wp_notify_postauthor( $comment_
 		$notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n";
 	}
 
-	$wp_email = 'wordpress@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
+	$wp_email = 'wordpress@' . parse_url(network_home_url(), PHP_URL_HOST);
 
 	if ( '' == $comment->comment_author ) {
 		$from = "From: \"$blogname\" <$wp_email>";
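Review bot: The new `$wp_email` line is written `parse_url(network_home_url(), PHP_URL_HOST)` without the inner spacing used by the matching line in the wp_mail hunk and by the surrounding code. It would read more consistently as `parse_url( network_home_url(), PHP_URL_HOST )`. A comment above it would help keep the old expression from being reintroduced, for example `// Host comes from the configured home URL, not $_SERVER['SERVER_NAME'], which can follow the client-sent hostname (CVE-2017-8295).` The function body starts and ends outside this hunk.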
