Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix host display when X_FORWARDED_HOST authorized #48941

Merged
merged 1 commit into from Aug 21, 2023
Merged

Fix host display when X_FORWARDED_HOST authorized #48941

merged 1 commit into from Aug 21, 2023

Conversation

skipkayhil
Copy link
Member

Motivation / Background

Previously, when a Request had a non-authorized HTTP_HOST but an authorized HTTP_X_FORWARDED_HOST, the HTTP_X_FORWARDED_HOST value would be displayed as the one being blocked. However, this could be confusing for users since that value would already be added to config.hosts.

Detail

This commit addresses the issue by tweaking how the blocked host is displayed. Instead of always displaying Request#host (which will return X_FORWARDED_HOST when present whether or not that's the host being blocked), each host being blocked will be displayed on its own.

Additional information

Fixes #40230
Supercedes #46158

cc @Eusebius1920 I added you as a coauthor for your work on the previous PR

Checklist

Before submitting the PR make sure the following are checked:

  • This Pull Request is related to one change. Changes that are unrelated should be opened in separate PRs.
  • Commit message has a detailed description of what changed and why. If this PR fixes a related issue include it in the commit message. Ex: [Fix #issue-number]
  • Tests are added or updated if you fix a bug or add a feature.
  • CHANGELOG files are updated for the changed libraries if there is a behavior change or additional feature. Minor bug fixes and documentation changes should not be included.

@skipkayhil @Eusebius1920
Fix host display when X_FORWARDED_HOST authorized
11ef3ce 
Previously, when a Request had a non-authorized HTTP_HOST but an
authorized HTTP_X_FORWARDED_HOST, the HTTP_X_FORWARDED_HOST value would
be displayed as the one being blocked. However, this could be confusing
for users since that value would already be added to `config.hosts`.

This commit addresses the issue by tweaking how the blocked host is
displayed. Instead of always displaying Request#host (which will return
X_FORWARDED_HOST when present whether or not that's the host being
blocked), each host being blocked will be displayed on its own.

Co-authored-by: Daniel Schlosser <Eusebius1920@users.noreply.github.com>
@rails-bot rails-bot bot added the actionpack label Aug 15, 2023
skipkayhil
skipkayhil commented Aug 15, 2023
View reviewed changes
actionpack/test/dispatch/host_authorization_test.rb
@@ -284,7 +284,7 @@ class HostAuthorizationTest < ActionDispatch::IntegrationTest
}

assert_response :forbidden
assert_match "Blocked host: 127.0.0.1", response.body
assert_match "Blocked hosts: www.example.com", response.body
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This and the other test change demonstrate the issue: the displayed blocked host previously would be HTTP_X_FORWARDED_HOST even though that value was already added to config.hosts. The correct value here should be HTTP_HOST

@rafaelfranca rafaelfranca merged commit 3642668 into rails:main Aug 21, 2023
9 checks passed
rafaelfranca added a commit that referenced this pull request Aug 21, 2023
@rafaelfranca
Merge pull request #48941 from skipkayhil/hm-show-correct-blocked-hosts
de649fe 
Fix host display when X_FORWARDED_HOST authorized
@skipkayhil skipkayhil deleted the hm-show-correct-blocked-hosts branch August 21, 2023 20:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
actionpack
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

HostAuthorization: confusing error message when using multiple hostnames
2 participants
@skipkayhil @rafaelfranca