I noticed that there is no validation for a Domain name created by an administrator.
I think this is not an actual problem because the system administrator is trusted and I see that the path name is validated before every usage but... anyway It should be better to apply some validations. Isn't it?
I think about PHP's FILTER_VALIDATE_DOMAIN and/or your function require_safe_dirname that I see defined in include/functions.php