File CVE-2024-30260-undici-clear-proxy-authorization.patch of Package nodejs-electron
Manual backport of https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
--- src/third_party/electron_node/deps/undici/src/lib/handler/RedirectHandler.js.old 2024-04-04 09:55:39.696980900 +0000
+++ src/third_party/electron_node/deps/undici/src/lib/handler/RedirectHandler.js 2024-04-09 16:52:37.888616200 +0000
@@ -188,7 +188,8 @@ function shouldRemoveHeader (header, rem
(header.length === 4 && header.toString().toLowerCase() === 'host') ||
(removeContent && header.toString().toLowerCase().indexOf('content-') === 0) ||
(unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') ||
- (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie')
+ (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') ||
+ (unknownOrigin && header.length === 19 && header.toString().toLowerCase() === 'proxy-authorization')
)
}
--- src/third_party/electron_node/deps/undici/undici.js.old 2024-04-04 10:02:38.059765300 +0000
+++ src/third_party/electron_node/deps/undici/undici.js 2024-04-09 16:51:15.754041100 +0000
@@ -7902,7 +7902,7 @@ var require_RedirectHandler = __commonJS
}
__name(parseLocation, "parseLocation");
function shouldRemoveHeader(header, removeContent, unknownOrigin) {
- return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie";
+ return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie" || unknownOrigin && header.length === 19 && header.toString().toLowerCase() === "proxy-authorization"
}
__name(shouldRemoveHeader, "shouldRemoveHeader");
function cleanRequestHeaders(headers, removeContent, unknownOrigin) {