From 6a64eda5948ac9cae7237a39f7f4e40ae63c566e Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron@rubyonrails.org>
Date: Wed, 15 Dec 2021 11:48:32 -0800
Subject: [PATCH] Merge pull request #43871 from rails/rm-fix-hosts-with-port
Allow any allowed host with port
---
.../action_dispatch/middleware/host_authorization.rb | 9 +++++----
actionpack/test/dispatch/host_authorization_test.rb | 12 ++++++++++++
railties/lib/rails/application/configuration.rb | 6 +++++-
3 files changed, 22 insertions(+), 5 deletions(-)
Index: rails/actionpack/lib/action_dispatch/middleware/host_authorization.rb
===================================================================
--- rails.orig/actionpack/lib/action_dispatch/middleware/host_authorization.rb
+++ rails/actionpack/lib/action_dispatch/middleware/host_authorization.rb
@@ -10,7 +10,8 @@ module ActionDispatch
# application will be executed and rendered. If no +response_app+ is given, a
# default one will run, which responds with +403 Forbidden+.
class HostAuthorization
- ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", /\A([a-z0-9-]+\.)?localhost:\d+\z/, IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+ ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+ PORT_REGEX = /(?::\d+)?/.freeze
class Permissions # :nodoc:
def initialize(hosts)
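Review bot: `ALLOWED_HOSTS_IN_DEVELOPMENT` on its new line is still a mutable array, so any code that appends to the constant directly (instead of to the `.dup` the configuration hunk now takes) silently widens the development allow-list for the whole process; `ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")].freeze` would make such a mutation fail loudly. `PORT_REGEX` is also introduced without a comment saying what it is for; suggest `# Optional ":port" suffix appended by the sanitize_* helpers so that an allowed host also matches "host:port".` The `.freeze` on the Regexp literal is harmless but redundant on Ruby 3.0+, where regexp literals are already frozen. The `Permissions` class continues outside the hunk.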
@@ -43,14 +44,14 @@ module ActionDispatch
end
def sanitize_regexp(host)
- /\A#{host}\z/
+ /\A#{host}#{PORT_REGEX}\z/
end
def sanitize_string(host)
if host.start_with?(".")
- /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}\z/i
+ /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}\z/i
else
- host
+ /\A#{Regexp.escape host}#{PORT_REGEX}\z/i
end
end
end
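Review bot: Because `PORT_REGEX` is optional, the new `else` branch of `sanitize_string` over-matches an allow-list entry that already carries a port: `"host.test:3000"` becomes `/\Ahost\.test:3000(?::\d+)?\z/i`, which also accepts `host.test:3000:4000`. Appending the suffix only when the entry has no port keeps such entries exact, e.g. `port = host.match?(/:\d+\z/) ? "" : PORT_REGEX` followed by `/\A#{Regexp.escape host}#{port}\z/i`; the dot-prefixed branch has the same shape. That branch also turns what was an exact `===` string comparison into a case-insensitive anchored regexp, which is appropriate for host names but is a behaviour change worth one line in the method's comment, e.g. `# Exact entries match case-insensitively and with an optional port.`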
Index: rails/actionpack/test/dispatch/host_authorization_test.rb
===================================================================
--- rails.orig/actionpack/test/dispatch/host_authorization_test.rb
+++ rails/actionpack/test/dispatch/host_authorization_test.rb
@@ -111,6 +111,18 @@ class HostAuthorizationTest < ActionDisp
assert_match "Success", response.body
end
+ test "hosts with port works" do
+ @app = ActionDispatch::HostAuthorization.new(App, ["host.test"])
+
+ get "/", env: {
+ "HOST" => "host.test:3000",
+ "action_dispatch.show_detailed_exceptions" => true
+ }
+
+ assert_response :ok
+ assert_match "Success", response.body
+ end
+
test "blocks requests with spoofed X-FORWARDED-HOST" do
@app = ActionDispatch::HostAuthorization.new(App, [IPAddr.new("127.0.0.1")])
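Review bot: The new test only exercises the exact-string branch of `sanitize_string`, while the same commit also changes the dot-prefixed branch and `sanitize_regexp`, and neither gets a port case here. Two sibling tests along the lines of `ActionDispatch::HostAuthorization.new(App, [".host.test"])` with `"HOST" => "sub.host.test:3000"`, and `[/host\.test/]` with the same header, would cover them. A negative case, such as `"HOST" => "other.test:3000"` still being rejected, would pin down that the port suffix does not loosen the anchoring. The enclosing test class starts and ends outside the hunk.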
Index: rails/railties/lib/rails/application/configuration.rb
===================================================================
--- rails.orig/railties/lib/rails/application/configuration.rb
+++ rails/railties/lib/rails/application/configuration.rb
@@ -31,7 +31,11 @@ module Rails
@filter_parameters = []
@filter_redirect = []
@helpers_paths = []
- @hosts = Rails.env.development? ? ActionDispatch::HostAuthorization::ALLOWED_HOSTS_IN_DEVELOPMENT : []
+ if Rails.env.development?
+ @hosts = ActionDispatch::HostAuthorization::ALLOWED_HOSTS_IN_DEVELOPMENT.dup
+ else
+ @hosts = []
+ end
@public_file_server = ActiveSupport::OrderedOptions.new
@public_file_server.enabled = true
@public_file_server.index_name = "index"
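Review bot: The `.dup` in the development branch has no comment explaining why a copy of the constant is taken, and the reason — an application doing `config.hosts << ...` would otherwise mutate `ALLOWED_HOSTS_IN_DEVELOPMENT` itself — is not obvious from the line. Suggest `# dup: config.hosts is mutated by applications and must not alter the shared constant`. A shallow copy appears sufficient as far as the visible entries go, since the strings and IPAddr objects in the constant are only read, though that is inferred from the other hunks rather than shown here. The enclosing method starts and ends outside the hunk.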