From 1439db50581392508a1691504778ad8949d0b045 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Tue, 4 May 2021 15:23:36 -0700
Subject: [PATCH] Escape allow list hosts correctly [CVE-2021-22903]

---
 .../action_dispatch/middleware/host_authorization.rb | 2 +-
 actionpack/test/dispatch/host_authorization_test.rb | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/actionpack/lib/action_dispatch/middleware/host_authorization.rb b/actionpack/lib/action_dispatch/middleware/host_authorization.rb
index bf202cb4e0..e0fe9b33a0 100644
--- a/actionpack/lib/action_dispatch/middleware/host_authorization.rb
+++ b/actionpack/lib/action_dispatch/middleware/host_authorization.rb
@@ -53,7 +53,7 @@ def sanitize_string(host)
 if host.start_with?(".")
 /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
 else
- /\A#{host}\z/i
+ /\A#{Regexp.escape host}\z/i
 end
 end
 end
diff --git a/actionpack/test/dispatch/host_authorization_test.rb b/actionpack/test/dispatch/host_authorization_test.rb
index 3cf1410a31..ba5a443b5b 100644
--- a/actionpack/test/dispatch/host_authorization_test.rb
+++ b/actionpack/test/dispatch/host_authorization_test.rb
@@ -232,6 +232,17 @@ class HostAuthorizationTest < ActionDispatch::IntegrationTest
 assert_match "Blocked host: example.com#sub.example.com", response.body
 end
 
+ test "blocks requests to similar host" do
+ @app = ActionDispatch::HostAuthorization.new(App, "sub.example.com")
+
+ get "/", env: {
+ "HOST" => "sub-example.com",
+ }
+
+ assert_response :forbidden
+ assert_match "Blocked host: sub-example.com", response.body
+ end
+
 test "config setting action_dispatch.hosts_response_app is deprecated" do
 assert_deprecated do
 ActionDispatch::HostAuthorization.new(App, "example.com", ->(env) { true })
--
2.30.0
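Review bot: The new line `/\A#{Regexp.escape host}\z/i` in sanitize_string drops the parentheses that the sibling branch two lines above uses (`Regexp.escape(host[1..-1])`); for consistency and to avoid the bare-argument style, write it as `/\A#{Regexp.escape(host)}\z/i`. The security reason for the escape is not stated anywhere in the hunk, so a one-line comment above the `else` branch would help the next maintainer, e.g. `# An exact-match allow-list entry is interpolated into a regexp, so metacharacters in the host (notably ".") must be escaped or they match any character.` Note that `def sanitize_string(host)` and the enclosing class are outside the hunk; only the body is visible here.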
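Review bot: The added test "blocks requests to similar host" only pins the negative case; unless an existing test already does so, a companion assertion that the exact allow-listed host "sub.example.com" still receives a non-forbidden response with the same `@app` would guard against the escape accidentally breaking the exact-match path. A second blocked host exercising a different regexp metacharacter than "." would also widen coverage of the fix, since `Regexp.escape` covers more than the dot. The enclosing `HostAuthorizationTest` class starts and ends outside the hunk.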