Merge pull request #33145 from gsamokovarov/host-authorization

Guard against DNS rebinding attacks by whitelisting hosts
author: Eileen M. Uchitelle <eileencodes@users.noreply.github.com> 2018-12-17 11:41:15 -0500
committer: GitHub <noreply@github.com> 2018-12-17 11:41:15 -0500
commit: 528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309 (patch)
tree: 04b25f1e0daf1e3f4bf71705bd08fa5dfa51c870 /railties/lib/rails/application
parent: 048e3172f51db1fddd03b89f676d96a443539a13 (diff)
parent: 02b931c764cca4c3f67b1decfc046bfb46dc510c (diff)
download: rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.tar.gz
rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.tar.bz2
rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.zip
2 files changed, 5 insertions, 1 deletions
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index f30e5d2a0f..22a82c051d 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "ipaddr"
 require "active_support/core_ext/kernel/reporting"
 require "active_support/file_update_checker"
 require "rails/engine/configuration"
@@ -11,7 +12,7 @@ module Rails
       attr_accessor :allow_concurrency, :asset_host, :autoflush_log,
                     :cache_classes, :cache_store, :consider_all_requests_local, :console,
                     :eager_load, :exceptions_app, :file_watcher, :filter_parameters,
-                    :force_ssl, :helpers_paths, :logger, :log_formatter, :log_tags,
+                    :force_ssl, :helpers_paths, :hosts, :logger, :log_formatter, :log_tags,
                     :railties_order, :relative_url_root, :secret_key_base, :secret_token,
                     :ssl_options, :public_file_server,
                     :session_options, :time_zone, :reload_classes_only_on_change,
@@ -29,6 +30,7 @@ module Rails
         @filter_parameters                       = []
         @filter_redirect                         = []
         @helpers_paths                           = []
+        @hosts                                   = Array(([IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0"), "localhost"] if Rails.env.development?))
         @public_file_server                      = ActiveSupport::OrderedOptions.new
         @public_file_server.enabled              = true
         @public_file_server.index_name           = "index"
diff --git a/railties/lib/rails/application/default_middleware_stack.rb b/railties/lib/rails/application/default_middleware_stack.rb
index 433a7ab41f..193cc59f3a 100644
--- a/railties/lib/rails/application/default_middleware_stack.rb
+++ b/railties/lib/rails/application/default_middleware_stack.rb
@@ -13,6 +13,8 @@ module Rails
 
       def build_stack
         ActionDispatch::MiddlewareStack.new do |middleware|
+          middleware.use ::ActionDispatch::HostAuthorization, config.hosts, config.action_dispatch.hosts_response_app
+
           if config.force_ssl
             middleware.use ::ActionDispatch::SSL, config.ssl_options
           end
author	Eileen M. Uchitelle <eileencodes@users.noreply.github.com>	2018-12-17 11:41:15 -0500
committer	GitHub <noreply@github.com>	2018-12-17 11:41:15 -0500
commit	528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309 (patch)
tree	04b25f1e0daf1e3f4bf71705bd08fa5dfa51c870 /railties/lib/rails/application
parent	048e3172f51db1fddd03b89f676d96a443539a13 (diff)
parent	02b931c764cca4c3f67b1decfc046bfb46dc510c (diff)
download	rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.tar.gz rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.tar.bz2 rails-528c5bb224a2f9ea6eee7b15ef5de5e9d17bf309.zip