Description: Don't treat localhost as same host
 Fixes CVE-2018-10101
Author: ocean90
Origin: upstream, https://core.trac.wordpress.org/changeset/42894
Applied-Upstream: 4.9.5
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2018-04-15
--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@@ -530,7 +530,7 @@
 	$parsed_home = @parse_url( get_option( 'home' ) );
 
 	if ( isset( $parsed_home['host'] ) ) {
-		$same_host = ( strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ) || 'localhost' === strtolower( $parsed_url['host'] ) );
+		$same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
 	} else {
 		$same_host = false;
 	}
