Ruby on Rails: HostAuthorization middleware does not suitably sanitize the Host / X-Forwarded-For header allowing redirection.
When a site is configured to use the `.tkte.ch` leading-dot short form for a domain name, e.g.:

```ruby
config.hosts << '.tkte.ch'
```

You are being redirected.

Where the controller is simply:

```ruby
class RedirectController < ApplicationController
  def main
    redirect_to action: 'main'
  end
end
```

The host header poisoning was report...
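As a defensive illustration of the leading-dot allowlist form discussed above, the following added example (not code from the report or from Rails) checks a Host value against an entry such as `.tkte.ch` using a fully anchored pattern that admits only DNS label characters. The helper names `host_pattern`, `host_allowed?` and `request_hosts_allowed?` are hypothetical, and the sample header values are constructed.

```ruby
# Added example: strict Host allowlist matching for leading-dot entries.
# Hypothetical helpers, not Rails' HostAuthorization implementation.

LABEL = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/i # one DNS label, no leading/trailing '-'
PORT  = /(?::\d{1,5})?/                          # optional ":port" suffix

# Build an anchored pattern for one allowlist entry.
# ".tkte.ch" permits the apex and subdomains made only of DNS labels, so
# URL delimiters ('/', '#', '@', '?') or whitespace can never match.
def host_pattern(entry)
  if entry.start_with?(".")
    apex = Regexp.escape(entry[1..-1])
    /\A(?:#{LABEL}\.)*#{apex}#{PORT}\z/i
  else
    /\A#{Regexp.escape(entry)}#{PORT}\z/i
  end
end

# True only if the whole header value matches some allowlist entry.
def host_allowed?(header_value, allowlist)
  return false if header_value.nil? || header_value.empty?
  allowlist.any? { |entry| host_pattern(entry).match?(header_value) }
end

# Every host-bearing header value that is present must pass; a request
# with no value at all is rejected rather than trusted.
def request_hosts_allowed?(values, allowlist)
  present = values.compact
  !present.empty? && present.all? { |v| host_allowed?(v, allowlist) }
end

ALLOWLIST = [".tkte.ch"].freeze

# Constructed sample values, for illustration only.
SAMPLES = [
  "tkte.ch", "app.tkte.ch", "a.b.tkte.ch:3000",       # expected: allowed
  "eviltkte.ch", "example.invalid/.tkte.ch",          # expected: rejected
  "example.invalid#app.tkte.ch", "app.tkte.ch\n",     # expected: rejected
  "app.tkte.ch.example.invalid", "-bad.tkte.ch"       # expected: rejected
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |h| puts format("%-32s %s", h.inspect, host_allowed?(h, ALLOWLIST)) }
end
```

Because the result is a boolean over the complete header value, a rejected request can be answered with a fixed error response that never echoes the supplied host into a `Location` header.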