Merge pull request #33145 from gsamokovarov/host-authorization

Guard against DNS rebinding attacks by whitelisting hosts
author: Eileen M. Uchitelle <eileencodes@users.noreply.github.com> 2018-12-17 11:41:15 -0500
committer: GitHub <noreply@github.com> 2018-12-17 11:41:15 -0500
commit: 528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309 (patch)
tree: 04b25f1e0daf1e3f4bf71705bd08fa5dfa51c870 /actionpack/CHANGELOG.md
parent: 048e3172f51db1fddd03b89f676d96a443539a13 (diff)
parent: 02b931c764cca4c3f67b1decfc046bfb46dc510c (diff)
download: rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.tar.gz
rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.tar.bz2
rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 1bc376c0f9..13fbbafc0c 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,13 @@
+*   Introduce ActionDispatch::HostAuthorization
+
+    This is a new middleware that guards against DNS rebinding attacks by
+    white-listing the allowed hosts a request can be made to.
+
+    Each host is checked with the case operator (`#===`) to support `RegExp`,
+    `Proc`, `IPAddr` and custom objects as host allowances.
+
+    *Genadi Samokovarov*
+
 *   Allow using `parsed_body` in `ActionController::TestCase`.
 
     In addition to `ActionDispatch::IntegrationTest`, allow using
author	Eileen M. Uchitelle <eileencodes@users.noreply.github.com>	2018-12-17 11:41:15 -0500
committer	GitHub <noreply@github.com>	2018-12-17 11:41:15 -0500
commit	528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309 (patch)
tree	04b25f1e0daf1e3f4bf71705bd08fa5dfa51c870 /actionpack/CHANGELOG.md
parent	048e3172f51db1fddd03b89f676d96a443539a13 (diff)
parent	02b931c764cca4c3f67b1decfc046bfb46dc510c (diff)
download	rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.tar.gz rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.tar.bz2 rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.zip