File CVE-2024-24758.patch of Package nodejs16
Index: node-v16.20.2/deps/undici/src/lib/fetch/index.js
===================================================================
--- node-v16.20.2.orig/deps/undici/src/lib/fetch/index.js
+++ node-v16.20.2/deps/undici/src/lib/fetch/index.js
@@ -1200,6 +1200,13 @@ async function httpRedirectFetch (fetchP
if (!sameOrigin(requestCurrentURL(request), locationURL)) {
// https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
request.headersList.delete('authorization')
+
+ // https://fetch.spec.whatwg.org/#authentication-entries
+ request.headersList.delete('proxy-authorization', true)
+
+ // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
+ request.headersList.delete('cookie')
+ request.headersList.delete('host')
}
// 14. If request’s body is non-null, then set request’s body to the first return
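Review bot: The four `headersList.delete` calls in this branch are inconsistent in their second argument — only the `proxy-authorization` call passes `true`, which in undici's `HeadersList.delete(name, isLowerCase)` appears to signal that the name is already lowercase (please confirm against this tree's HeadersList), so either all four literal names should pass it or none should, to avoid a reader assuming the flag changes what is deleted. The inline comment on the cookie/host lines would also benefit from stating the consequence, e.g. `// Not spec-mandated, but since undici lets callers set these forbidden headers, strip them too so a cross-origin redirect cannot carry a caller-supplied Cookie or Host to the new origin.` A regression test in the fetch redirect suite asserting that Authorization, Proxy-Authorization, Cookie and Host are absent after a cross-origin (including https→http same-host) redirect and retained on a same-origin one would pin this behaviour. The second hunk (deps/undici/undici.js) is the bundled mirror of this change and carries the same points. httpRedirectFetch begins and continues outside this hunk.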
Index: node-v16.20.2/deps/undici/undici.js
===================================================================
--- node-v16.20.2.orig/deps/undici/undici.js
+++ node-v16.20.2/deps/undici/undici.js
@@ -11167,6 +11167,9 @@ var require_fetch = __commonJS({
}
if (!sameOrigin(requestCurrentURL(request), locationURL)) {
request.headersList.delete("authorization");
+ request.headersList.delete("proxy-authorization", true);
+ request.headersList.delete("cookie");
+ request.headersList.delete("host");
}
if (request.body != null) {
assert(request.body.source != null);