Merge pull request from GHSA-mcqj-7p29-9528

• Address host header injection vulnerability

$g_path is empty by default, and should be defined in config_inc.php.
Not doing so is a security risk, as the path will then be set based on
headers from the HTTP request, exposing the system to Host Header
injection attacks.

Document the risk in PHPDoc and Admin Guide.

Move the code that initializes $g_path's default value from
config_defaults_inc.php to a function in core.php.

Detect if $g_path was defaulted, and if yes alert the user in:

• Login Page (if $g_admin_checks == ON)
• Admin Checks

Fixes 0019381, CVE-2024-23830, GHSA-mcqj-7p29-9528

• Remove dead code

• Use OWASP as reference for host header injection

• Link to OWASP reference page from admin guide

• Invalid $g_path at install time is a hard fail

Empty $g_path remains just a warning about the security risk.
Request and set $g_path at install time

This is an improvement on the original patch for CVE-2024-23830.

The admin is now able to set $g_path when installing MantisBT. A default
value is provided, based on the URL used to perform the installation
(using the same logic that is applied when $g_path is empty).

A check of the provided URL is performed during install stage 2, and an
error is reported if it is invalid. If an empty $g_path is given, then
we only display a warning about the security risk.

The URL is then stored as $g_path in the generated config_inc.php file
at stage 5.

This greatly reduces the risk of the admin forgetting to set $g_path
manually, while still allowing them to set it to empty should they want
to.

Fixes 0019381

• Add Reset button to path input

Reuse the existing functionality implemented for database prefix/suffix,
with the following changes

• Rename reset-prefix selector class to reset to be more generic
• Add Reset functionality markup to path input including default value
• Add title attribute to Reset buttons
• Adapt initialization logic to only set the default value for the
  table-prefix fields