From 4dfb1a39611d97f83dd7431261128def7dbca5fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Sch=C3=BCtz?=
Date: Sun, 20 Jan 2019 12:55:31 +0100
Subject: Subdomains of localhost are safe against DNS rebinding

---
 railties/lib/rails/application/configuration.rb | 2 +-
 railties/test/application/configuration_test.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index d5a66b6ec1..b7838f7e32 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -30,7 +30,7 @@ module Rails
 @filter_parameters = []
 @filter_redirect = []
 @helpers_paths = []
-@hosts = Array(([IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0"), "localhost"] if Rails.env.development?))
+@hosts = Array(([IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0"), ".localhost"] if Rails.env.development?))
 @public_file_server = ActiveSupport::OrderedOptions.new
 @public_file_server.enabled = true
 @public_file_server.index_name = "index"
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index 3e979ea20d..9da3956dda 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -2289,6 +2289,11 @@ module ApplicationTests
 MESSAGE
 end
 
+test "the host whitelist includes .localhost in development" do
+app "development"
+assert_includes Rails.application.config.hosts, ".localhost"
+end
+
 private
 def force_lazy_load_hooks
 yield # Tasty clarifying sugar, homie! We only need to reference a constant to load it.
-- 
cgit v1.2.3
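Review bot: The leading dot in `".localhost"` carries the entire semantic change on the new `@hosts` line, yet it reads like a typo and nothing in the hunk says that a dot-prefixed entry is meant to cover subdomains, nor why that is safe; a comment above the assignment would fix both: `# ".localhost" also admits subdomains such as app.localhost; per RFC 6761 these names resolve to loopback, so they cannot be repointed by DNS rebinding`. Whether the bare host `localhost` is still accepted after this change depends on how the host-authorization layer expands dot-prefixed entries, which is outside this hunk and worth confirming with a request-level test rather than a config literal alone. The enclosing `initialize` method starts and ends outside the hunk.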
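Review bot: The new test pins the configuration literal rather than the behaviour the commit claims: `assert_includes Rails.application.config.hosts, ".localhost"` would still pass if the host-matching logic treated the leading dot literally and rejected `foo.localhost`, or if it stopped accepting plain `localhost`. A request-level assertion that a request carrying `Host: foo.localhost` (and one carrying `Host: localhost`) is not blocked by the host-authorization middleware in development would guard the actual rebinding protection this commit is about. The test name says "whitelist" while the option is `config.hosts`; naming it after the option (`"config.hosts includes .localhost in development"`) keeps it discoverable by grep.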