Comment 3 for bug 1175446

Aaron Wells (u-aaronw) wrote :

The attacks on $cfg->wwwroot and $cfg->noreplyaddress are only possible by sending across a specially tailored HTTP request at just the right time during the installation process. So, I'm going to call them a non-issue. Very paranoid admins can guard against these by providing a $cfg->wwwroot and $cfg->noreplyaddress directly in their config.php, but I don't think we need to remove the automatic setting of it for lazy admins.

Regarding the lib/web.php part, I see where $_SERVER['HTTP_HOST'] is used by get_requested_host_name(). But that function is only used two places:

1. In get_full_script_path(), which is then used by AccessDeniedException()
2. In smarty(), where, if and only if $cfg->cleanurluserssubdomains is turned on, it is used to create a "fake wwwroot" for JavaScript to come from.

Both of these seem to be related to Richard Mansfield's changes in May 2012 to allow for clean URL user subdomains, i.e. making the clean URL for a user's address be https://aaronw.mahara.org . Perhaps we could strengthen this by changing get_requested_host_name() so that it runs $_SERVER['HTTP_HOST'] through a regular expression that makes sure it only matches a valid domain-name-compatible hostname, e.g. [a-z0-9]{2}|[a-z0-9][a-z0-9-]*[a-z0-9](\.[a-z0-9]{2}|[a-z0-9][a-z0-9-]*[a-z0-9])* .
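An added example of the validation the comment proposes; this is not code from the bug report or from Mahara. It is a hypothetical helper (names and the allow-list are assumptions) that anchors and groups a standard label pattern, strips an optional port from the Host value, and, where a list of configured hostnames is supplied, also requires the host to be one of them or a subdomain of one, which is the check that actually stops an attacker-chosen Host header.

```php
<?php
// Added example (not Mahara's code): a hardened replacement for a
// get_requested_host_name()-style helper. Names and the allow-list are
// hypothetical; Mahara's real function is not reproduced here.

// One DNS label: 1-63 chars, alphanumeric at both ends, hyphens inside.
const HOSTNAME_LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';

/**
 * Return a validated hostname from a raw Host header value, or null.
 * - strips an optional ":port" suffix (Host may legitimately carry one)
 * - lower-cases, since DNS names are case-insensitive
 * - requires the whole string (D modifier: no trailing newline allowed)
 *   to be a dotted sequence of valid labels, at most 253 chars
 * - if $allowed is non-empty, additionally requires the host to equal one
 *   of the configured names or be a subdomain of one
 */
function validated_host(string $raw, array $allowed = []): ?string {
    $host = strtolower(trim($raw));
    if (preg_match('/^(.*):\d{1,5}$/D', $host, $m)) {
        $host = $m[1];
    }
    $pattern = '/^' . HOSTNAME_LABEL . '(?:\.' . HOSTNAME_LABEL . ')*$/D';
    if (strlen($host) > 253 || !preg_match($pattern, $host)) {
        return null;
    }
    if ($allowed === []) {
        return $host;
    }
    foreach ($allowed as $base) {
        $base = strtolower($base);
        if ($host === $base || str_ends_with($host, '.' . $base)) {
            return $host;
        }
    }
    return null;
}

// Constructed Host header values for illustration (not from the bug).
$cases = [
    'mahara.example.org',
    'AARONW.mahara.example.org:8443',          // user subdomain + port
    'evil.example.net',                        // valid syntax, not ours
    'mahara.example.org/../x',                 // path junk in Host
    "mahara.example.org\r\nX-Injected: 1",     // header injection attempt
    '-bad-.example.org',                       // label cannot start with '-'
];
foreach ($cases as $c) {
    $ok = validated_host($c, ['mahara.example.org']);
    printf("%-42s => %s\n", json_encode($c), $ok ?? 'REJECTED');
}
```

Only the first two constructed inputs are accepted; the rest are rejected either by the syntax check or by the allow-list, so neither $cfg->wwwroot nor a "fake wwwroot" can be derived from them.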