sunny / action_mailer_auto_url_options

Make ActionMailer use the current request host and protocol for URL generation

Howto whitelist domain names to avoid host-injection exploits?

ratbeard opened this issue

Hi, I was reading the readme and wasn't quite sure what it would require to "whitelist requests to the allowed domain name". Do you have an example of what that would look like? I think that would involve adding a check against a whitelist inside this function? Thank you 👪

https://github.com/sunny/action_mailer_auto_url_options/blob/master/lib/action_mailer_auto_url_options/controller.rb#L14-L17

Hi @ratbeard! This exploit depends on your HTTP server, so you might not need to protect against it. It might also have been fixed by Rails by now, actually.

If you would still like to ensure that only your production domain is ever used for your website, you can add to your routes.rb a constraint around all routes that allows only the production domain and localhost. Or you could add to your application controller something like this:

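```ruby
# Rails 4 and later name this callback before_action;
# before_filter was removed in Rails 5.1.
before_filter :ensure_correct_domain

private

# In production, send any request that arrived under another domain
# to the canonical site.
def ensure_correct_domain
  if Rails.env.production?
    redirect_to 'https://mydomain.com' unless request.domain == 'mydomain.com'
  end
end
```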

Note that I have just written this code off the top of my head, so please test it beforehand ;)

Ah, yea a constraint would be an easy place to do it, or a separate filter like your snippet to keep concerns separate. Thank you for taking the time to write this response!

My pleasure! I'll link towards this issue in the README so that other people know how to work around this exploit.

Thank you for submitting the issue @ratbeard!
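
The allowlist check discussed in this thread can also run as Rack middleware, so a request with an unexpected host never reaches the controller that sets the mailer URL options. The following is an added example, not code from the thread or from the gem; `HostAllowlist`, `ALLOWED_HOSTS`, `ECHO_APP`, `GUARDED_APP` and `status_for` are hypothetical names, and the app is a constructed stand-in for a Rails application.

```ruby
# Added example: Rack-style middleware that rejects any request whose Host or
# X-Forwarded-Host header names a host outside the allowlist.
class HostAllowlist
  def initialize(app, allowed_hosts)
    @app = app
    @allowed = allowed_hosts.map(&:downcase)
  end

  def call(env)
    # Rails derives request.host from X-Forwarded-Host when that header is
    # present, so both headers have to pass the check.
    candidates = [env['HTTP_HOST'], env['HTTP_X_FORWARDED_HOST']].compact
    return reject if candidates.empty?
    return reject unless candidates.all? { |value| allowed?(value) }

    @app.call(env)
  end

  private

  def allowed?(header_value)
    # X-Forwarded-Host may carry a comma-separated proxy chain: check every
    # entry, ignoring case and an optional :port suffix.
    hosts = header_value.split(',').map { |h| h.strip.downcase.sub(/:\d+\z/, '') }
    !hosts.empty? && hosts.all? { |host| @allowed.include?(host) }
  end

  def reject
    [400, { 'content-type' => 'text/plain' }, ["Invalid Host header\n"]]
  end
end

# Constructed stand-in for the application: echoes the host that URL
# generation would pick up.
ECHO_APP = lambda do |env|
  host = env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST']
  [200, { 'content-type' => 'text/plain' }, [host]]
end

ALLOWED_HOSTS = %w[mydomain.com www.mydomain.com localhost].freeze
GUARDED_APP = HostAllowlist.new(ECHO_APP, ALLOWED_HOSTS)

# Returns the HTTP status the guarded app gives for a set of request headers.
def status_for(headers)
  GUARDED_APP.call(headers).first
end
```

In a Rails application such a class would be registered with `config.middleware.use HostAllowlist, ALLOWED_HOSTS`.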