Adds a fix to whitelist hostnames with case-insensitive matching
This commit is contained in:
parent
601006c56d
commit
9bc7ea5dab
2 changed files with 46 additions and 2 deletions
@ -46,9 +46,9 @@ module ActionDispatch
def sanitize_string(host)
def sanitize_string(host)
if host.start_with?(".")
if host.start_with?(".")
/\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/
/\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
else
else
host
/\A#{host}\z/i
end
end
end
end
end
end
|
|
|
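Review bot: The new `else` branch interpolates `host` into a regexp unescaped, while the `.`-prefixed branch two lines above wraps the same value in `Regexp.escape`; a configured host such as `example.local` therefore becomes `/\Aexample.local\z/i`, in which the `.` matches any single character, so the allowlist now accepts more than the configured string. Before this change the branch returned the plain string, which presumably was compared by equality elsewhere (outside this hunk) and so matched exactly. Escape it the same way as the sibling branch: `/\A#{Regexp.escape(host)}\z/i`. sanitize_string is fully visible in the hunk; the caller that applies the returned value is not.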
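--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -42,6 +42,50 @@ class HostAuthorizationTest < ActionDispatch::IntegrationTest
 assert_equal "Success", body
 end
 
+test "hosts are matched case insensitive" do
+@app = ActionDispatch::HostAuthorization.new(App, "Example.local")
+
+get "/", env: {
+"HOST" => "example.local",
+}
+
+assert_response :ok
+assert_equal "Success", body
+end
+
+test "hosts are matched case insensitive with titlecased host" do
+@app = ActionDispatch::HostAuthorization.new(App, "example.local")
+
+get "/", env: {
+"HOST" => "Example.local",
+}
+
+assert_response :ok
+assert_equal "Success", body
+end
+
+test "hosts are matched case insensitive with hosts array" do
+@app = ActionDispatch::HostAuthorization.new(App, ["Example.local"])
+
+get "/", env: {
+"HOST" => "example.local",
+}
+
+assert_response :ok
+assert_equal "Success", body
+end
+
+test "regex matches are not title cased" do
+@app = ActionDispatch::HostAuthorization.new(App, [/www.Example.local/])
+
+get "/", env: {
+"HOST" => "www.example.local",
+}
+
+assert_response :forbidden
+assert_match "Blocked host: www.example.local", response.body
+end
+
 test "passes requests to allowed hosts with domain name notation" do
 @app = ActionDispatch::HostAuthorization.new(App, ".example.com")
 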
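Review bot: None of the added tests checks that a plain string host still matches only itself after it is turned into a regexp; the middleware change in the other file of this commit builds `/\A#{host}\z/i` without `Regexp.escape`, so a negative case that sends a host with one character substituted for the `.` (constructed value `exampleXlocal` against the allowed `"example.local"`) would pin the intended exact match and catch the wildcard widening. Suggest adding the test below alongside the case-insensitivity tests. The name `regex matches are not title cased` is also a little misleading, since the test actually verifies that a Regexp allow-entry keeps its own case sensitivity; `regexp hosts stay case sensitive` would describe it better.

```ruby
test "string hosts match only the configured characters" do
  @app = ActionDispatch::HostAuthorization.new(App, "example.local")

  get "/", env: {
    "HOST" => "exampleXlocal",
  }

  assert_response :forbidden
  assert_match "Blocked host: exampleXlocal", response.body
end
```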