From 19b24e178c4315017f17c2057d97865c1ee7a84d Mon Sep 17 00:00:00 2001
From: Daniel Waterworth
Date: Tue, 15 Sep 2020 10:07:03 +0100
Subject: [PATCH] SECURITY: __ws shouldn't be able to override every domain in multisite
---
 config/initializers/200-first_middlewares.rb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/config/initializers/200-first_middlewares.rb b/config/initializers/200-first_middlewares.rb
index 2467202d6e3..47329381ad7 100644
--- a/config/initializers/200-first_middlewares.rb
+++ b/config/initializers/200-first_middlewares.rb
@@ -21,6 +21,10 @@ if Rails.env != 'development' || ENV['TRACK_REQUESTS']
 end

 if Rails.configuration.multisite
+ RailsMultisite::ConnectionManagement.asset_hostname =
+ GlobalSetting.cdn_origin_hostname ||
+ Discourse::Application.config.database_configuration[Rails.env]["host_names"].first
+
 # Multisite needs to be first, because the request tracker and message bus rely on it
 Rails.configuration.middleware.unshift RailsMultisite::Middleware, RailsMultisite::DiscoursePatches.config
 Rails.configuration.middleware.delete ActionDispatch::Executor
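Review bot: The fallback in the added assignment can leave `asset_hostname` nil without any signal: when `GlobalSetting.cdn_origin_hostname` is nil and the default database's `host_names` list is empty, `.first` returns nil and that nil is assigned, while a missing `host_names` key fails at boot with a bare NoMethodError instead of a message naming the setting. Going by the commit subject, this value is what limits where `__ws` is honoured, so I would resolve it into a local first and fail loudly, e.g. `raise "multisite: set cdn_origin_hostname or host_names for #{Rails.env}" if asset_hostname.blank?`, before assigning it. How rails_multisite treats a nil `asset_hostname` is not visible in this hunk and should be confirmed against the gem. The assignment also has no comment explaining why it exists; a short one above it stating that it scopes the `__ws` override to a single hostname would keep a later cleanup from removing it. The enclosing `if Rails.configuration.multisite` block continues past the end of the hunk.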