SECURITY: enforce hostname to match discourse hostname

This ensures that the hostname rails uses for various helpers always matches
the Discourse hostname

# Conflicts:
#	config/application.rb
#	spec/requests/application_controller_spec.rb

config/application.rb

@@ -186,6 +186,8 @@ module Discourse
     # supports etags (post 1.7)
     config.middleware.delete Rack::ETag
 
+    require 'middleware/enforce_hostname'
+    config.middleware.insert_after Rack::MethodOverride, Middleware::EnforceHostname
     require 'middleware/discourse_public_exceptions'
     config.exceptions_app = Middleware::DiscoursePublicExceptions.new(Rails.public_path)
 

lib/middleware/enforce_hostname.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Middleware
+  class EnforceHostname
+    def initialize(app, settings = nil)
+      @app = app
+    end
+
+    def call(env)
+      # enforces hostname to match the hostname of our connection
+      # this middleware lives after rails multisite so at this point
+      # Discourse.current_hostname MUST be canonical, enforce it so
+      # all Rails helpers are guarenteed to use it unconditionally and
+      # never generate incorrect links
+      env[Rack::Request::HTTP_X_FORWARDED_HOST] = nil
+      env[Rack::HTTP_HOST] = Discourse.current_hostname
+      @app.call(env)
+    end
+  end
+end

spec/requests/application_controller_spec.rb

@@ -169,4 +169,18 @@ RSpec.describe ApplicationController do
       expect(controller.theme_ids).to eq([theme.id])
     end
   end
+
+  describe 'Custom hostname' do
+
+    it 'does not allow arbitrary host injection' do
+      get("/latest",
+        headers: {
+          "X-Forwarded-Host" => "test123.com"
+        }
+      )
+
+      expect(response.body).not_to include("test123")
+    end
+  end
+
 end