rails
diff --git a/‎actionpack/lib/action_dispatch/middleware/host_authorization.rb
Lines changed: 8 additions & 14 deletions b/‎actionpack/lib/action_dispatch/middleware/host_authorization.rb
Lines changed: 8 additions & 14 deletions
diff --git a/‎actionpack/test/dispatch/host_authorization_test.rb
Lines changed: 3 additions & 3 deletions b/‎actionpack/test/dispatch/host_authorization_test.rb
Lines changed: 3 additions & 3 deletions
diff --git a/‎railties/test/application/middleware/remote_ip_test.rb
Lines changed: 0 additions & 1 deletion b/‎railties/test/application/middleware/remote_ip_test.rb
Lines changed: 0 additions & 1 deletion
diff --git a/‎railties/test/isolation/abstract_unit.rb
Lines changed: 1 addition & 1 deletion b/‎railties/test/isolation/abstract_unit.rb
Lines changed: 1 addition & 1 deletion
@@ -102,21 +102,15 @@ def call(env)
     end
 
     private
+      HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
+      VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
+      VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/
+
       def authorized?(request)
-        valid_host = /
-          \A
-          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])
-          (:\d+)?
-          \z
-        /x
-
-        origin_host = valid_host.match(
-          request.get_header("HTTP_HOST").to_s.downcase)
-        forwarded_host = valid_host.match(
-          request.x_forwarded_host.to_s.split(/,\s?/).last)
-
-        origin_host && @permissions.allows?(origin_host[:host]) && (
-          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
+        origin_host = request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
+        forwarded_host = request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
+
+        @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
       end
 
       def excluded?(request)
 
@@ -221,15 +221,15 @@ class HostAuthorizationTest < ActionDispatch::IntegrationTest
     assert_match "Blocked host: www.example.com", response.body
   end
 
-  test "only compare to valid hostnames" do
+  test "blocks requests with invalid hostnames" do
     @app = ActionDispatch::HostAuthorization.new(App, ".example.com")
 
     get "/", env: {
-      "HOST" => "example.com#sub.example.com",
+      "HOST" => "attacker.com#x.example.com",
     }
 
     assert_response :forbidden
-    assert_match "Blocked host: example.com#sub.example.com", response.body
+    assert_match "Blocked host: attacker.com#x.example.com", response.body
   end
 
   test "blocks requests to similar host" do
 
@@ -11,7 +11,6 @@ class RemoteIpTest < ActiveSupport::TestCase
     def remote_ip(env = {})
       remote_ip = nil
       env = Rack::MockRequest.env_for("/").merge(env).merge!(
-        "HTTP_HOST" => "example.com",
         "action_dispatch.show_exceptions" => false,
         "action_dispatch.key_generator" => ActiveSupport::CachingKeyGenerator.new(
           ActiveSupport::KeyGenerator.new("b3c631c314c0bbca50c1b2843150fe33", iterations: 1000)
 
@@ -82,7 +82,7 @@ def extract_body(response)
     end
 
     def get(path)
-      @app.call(::Rack::MockRequest.env_for(path, "HTTP_HOST" => "example.com"))
+      @app.call(::Rack::MockRequest.env_for(path))
     end
 
     def assert_welcome(resp)