class ActionDispatch::HostAuthorization

Parent:
Object

This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to.

When a request comes to an unauthorized host, the response_app application will be executed and rendered. If no response_app is given, a default one will run, which responds with +403 Forbidden+.

Constants

DEFAULT_RESPONSE_APP

Public Class Methods

new(app, hosts, response_app = nil) Show source
# File actionpack/lib/action_dispatch/middleware/host_authorization.rb, line 70
def initialize(app, hosts, response_app = nil)
  @app = app
  @permissions = Permissions.new(hosts)
  @response_app = response_app || DEFAULT_RESPONSE_APP
end

Public Instance Methods

call(env) Show source
# File actionpack/lib/action_dispatch/middleware/host_authorization.rb, line 76
def call(env)
  return @app.call(env) if @permissions.empty?

  request = Request.new(env)

  if authorized?(request)
    mark_as_authorized(request)
    @app.call(env)
  else
    @response_app.call(env)
  end
end

© 2004–2019 David Heinemeier Hansson
Licensed under the MIT License.