mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
07ec8062e6
The ActionDispatch::HostAuthorization is a new middleware that protects against DNS rebinding and other Host header attacks. By default it is included only in the development environment with the following configuration:

    Rails.application.config.hosts = [
      IPAddr.new("0.0.0.0/0"), # All IPv4 addresses.
      IPAddr.new("::/0"),      # All IPv6 addresses.
      "localhost"              # The localhost reserved domain.
    ]

In other environments, `Rails.application.config.hosts` is empty and no Host header checks will be done. If you want to guard against header attacks on production, you have to manually permit the allowed hosts with:

    Rails.application.config.hosts << "product.com"

The host of a request is checked against the hosts entries with the case operator (#===), which lets hosts support entries of type RegExp, Proc and IPAddr to name a few. Here is an example with a regexp.

    # Allow requests from subdomains like `www.product.com` and
    # `beta1.product.com`.
    Rails.application.config.hosts << /.*\.product\.com/

A special case is supported that allows you to permit all sub-domains:

    # Allow requests from subdomains like `www.product.com` and
    # `beta1.product.com`.
    Rails.application.config.hosts << ".product.com"
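A simplified Ruby model of the `#===` matching the commit message describes, added here as an example and not taken from the Rails source. `HostAllowList`, the production entries and the sample host names are constructed, and the leading-dot expansion is an assumed implementation.

```ruby
require "ipaddr"

# Simplified model of the check described in the commit message: the request
# host is compared to each entry with the case operator (#===).
# HostAllowList is a hypothetical name, not the Rails middleware class.
class HostAllowList
  def initialize(entries)
    @entries = entries.map { |entry| normalize(entry) }
  end

  def allows?(host)
    @entries.any? do |entry|
      begin
        entry === host
      rescue ArgumentError
        # IPAddr#=== raises when given a hostname instead of an IP address.
        false
      end
    end
  end

  private

  # Assumption: a leading-dot String such as ".product.com" becomes an
  # anchored pattern covering the domain and all of its subdomains.
  def normalize(entry)
    return entry unless entry.is_a?(String) && entry.start_with?(".")
    /\A(.+\.)?#{Regexp.escape(entry[1..-1])}\z/
  end
end

# Development defaults quoted in the commit message.
DEV = HostAllowList.new([IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0"), "localhost"])
# Constructed production list; the Regexp is anchored with \A and \z because
# plain Regexp#=== is an unanchored search.
PROD = HostAllowList.new(["product.com", /\A.*\.product\.com\z/])
DOTTED = HostAllowList.new([".product.com"])

# Constructed Host values; rebind.example.net stands in for an unexpected name.
%w[127.0.0.1 localhost rebind.example.net].each do |host|
  puts "dev  #{host}: #{DEV.allows?(host)}"
end
%w[product.com beta1.product.com beta1.product.com.example.net].each do |host|
  puts "prod #{host}: #{PROD.allows?(host)}"
end
```

With the development defaults, any IP literal and `localhost` pass while every other hostname is rejected, which is the property that matters for DNS rebinding.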
README.rdoc
= Railties -- Gluing the Engine to the Rails

Railties is responsible for gluing all frameworks together. Overall, it:

* handles the bootstrapping process for a Rails application;

* manages the +rails+ command line interface;

* and provides the Rails generators core.

== Download

The latest version of Railties can be installed with RubyGems:

* gem install railties

Source code can be downloaded as part of the Rails project on GitHub

* https://github.com/rails/rails/tree/master/railties

== License

Railties is released under the MIT license:

* https://opensource.org/licenses/MIT

== Support

API documentation is at

* http://api.rubyonrails.org

Bug reports can be filed for the Ruby on Rails project here:

* https://github.com/rails/rails/issues

Feature requests should be discussed on the rails-core mailing list here:

* https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-core