rails: HostAuthorization: confusing error message when using multiple hostnames
Steps to reproduce
Calling the application with different values for HTTP_HOST and HTTP_X_FORWARDED_HOST while HostAuthorization is enabled (i.e. config.hosts is set/active) while at least HTTP_HOST is not present in config.hosts.
Expected behavior
An error message that shows the user that both hostnames are checked and need to be added to config.hosts.
Example:
Blocked hosts: HTTP_HOST, HTTP_X_FORWARDED_HOST
---------------------------------------------------------------------------------------------
To allow requests to HTTP_HOST, HTTP_X_FORWARDED_HOST, add the following to your environment configuration:
config.hosts << "HTTP_HOST"
config.hosts << "HTTP_X_FORWARDED_HOST"
Actual behavior
Output
Blocked host: HTTP_X_FORWARDED_HOST
---------------------------------------------------------------------------------------------
To allow requests to HTTP_X_FORWARDED_HOST, add the following to your environment configuration:
config.hosts << "HTTP_X_FORWARDED_HOST"
If you then add HTTP_X_FORWARDED_HOST to config.hosts, the error message is still displayed (unchanged) if HTTP_HOST is missing.
System configuration
Rails version: 6.0.3.3 (should be present since introduction of HostAuthorization in v6.0.0.beta1)
Ruby version: any
I created a commit that changes / fixes that behavior (See here) in a forked repository. I can create a pull request if needed / wanted.
Edit: Fixed wrong header name in issue description
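The behaviour reported above, modelled as a stand-alone Ruby example (added here; it is not part of the original issue and not Rails' own code). It shows why allow-listing only the forwarded hostname leaves the request blocked, and builds the message in the shape the issue proposes. The hostnames, the function names, the exact-string allow-list and the handling of a comma-separated X-Forwarded-Host are assumptions.

```ruby
# Added example: a simplified model of the check described in this issue.
# Not Rails code; all names and hostnames below are constructed.

# Strip an optional :port suffix from a header value.
def hostname(value)
  value.to_s.sub(/:\d+\z/, "")
end

# Hostnames taken from the two headers the issue says are checked.
# Assumption: a comma-separated X-Forwarded-Host contributes its last entry.
def checked_hosts(env)
  origin = hostname(env["HTTP_HOST"])
  forwarded = hostname(env["HTTP_X_FORWARDED_HOST"].to_s.split(/,\s?/).last)
  [origin, forwarded].reject(&:empty?).uniq
end

# Every checked hostname missing from the allow-list (exact string match only;
# an assumption, the real config.hosts accepts more than plain strings).
def blocked_hosts(env, allowed)
  checked_hosts(env).reject { |host| allowed.include?(host) }
end

# Error text in the shape the issue proposes: one line per blocked hostname.
def proposed_message(blocked)
  return nil if blocked.empty?
  names = blocked.join(", ")
  label = blocked.size == 1 ? "Blocked host" : "Blocked hosts"
  ["#{label}: #{names}",
   "To allow requests to #{names}, add the following to your environment configuration:",
   *blocked.map { |host| %(config.hosts << "#{host}") }].join("\n")
end

# Constructed request: the proxy forwards a public name, Host carries an internal one.
SAMPLE_ENV = {
  "HTTP_HOST" => "internal.example.test:3000",
  "HTTP_X_FORWARDED_HOST" => "public.example.test"
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Allow-listing only the forwarded name still leaves the request blocked.
  [[], ["public.example.test"], ["public.example.test", "internal.example.test"]].each do |allowed|
    blocked = blocked_hosts(SAMPLE_ENV, allowed)
    puts "allowed=#{allowed.inspect}"
    puts(proposed_message(blocked) || "request allowed")
  end
end
```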
About this issue
- State: closed
- Created 4 years ago
- Comments: 18 (10 by maintainers)
Commits related to this issue
- Fix #40230 Add display of all blocked hosts second variant — committed to Eusebius1920/rails by Eusebius1920 a year ago
@skipkayhil Thanks for reopening. It was a reminder that I promised a PR. I created it: see #46158.
Sure, I can prepare a PR! I will create it and come back!