Host header (#5765)

* fixed host-header vulnerability with optional env var * removed testing print statement * updated env var HOST to URL_HOST * Update sample.env --------- Co-authored-by: Ahmad Farhat <[email protected]>
bigbluebutton · May 6, 2024 · e045667 · e045667
1 parent 3e846c3
commit e045667
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -19,7 +19,7 @@
 module ApplicationHelper
   def branding_image
     asset_path = SettingGetter.new(setting_name: 'BrandingImage', provider: current_provider).call
-    asset_url(asset_path)
+    asset_url(asset_path, host: ENV.fetch('URL_HOST', nil))
   end
 
   def page_title

diff --git a/sample.env b/sample.env
@@ -71,6 +71,9 @@ REDIS_URL=
 #GCS_CLIENT_ID=
 #GCS_CLIENT_CERT=
 
+# Set this to explicitly specify base hostname
+#URL_HOST=
+
 # Define the default locale language code (i.e. 'en' for English) from the following list:
 #  [en, ar, fr, es, fa_IR]
 # The DEFAULT_LOCALE setting specifies the default language, overriding the browser language which is always set.