File CVE-2023-45143-undici-cookie-leakage.patch of Package nodejs-electron
From e041de359221ebeae04c469e8aff4145764e6d76 Mon Sep 17 00:00:00 2001
From: Khafra <maitken033380023@gmail.com>
Date: Wed, 11 Oct 2023 14:56:38 -0400
Subject: [PATCH] Merge pull request from GHSA-wqq4-5wpv-mx2g

* fix: delete 'cookie' and 'host' headers on cross-origin redirect
* apply suggestion
---
 lib/fetch/index.js                         |  4 ++
 test/fetch/redirect-cross-origin-header.js | 48 ++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 test/fetch/redirect-cross-origin-header.js

diff --git a/lib/fetch/index.js b/lib/fetch/index.js
index c89c9b7ffc..5323c30abc 100644
--- /third_party/electron_node/deps/undici/src/lib/fetch/index.js
+++ /third_party/electron_node/deps/undici/src/lib/fetch/index.js
@@ -1200,6 +1200,10 @@ async function httpRedirectFetch (fetchParams, response) {
     if (!sameOrigin(requestCurrentURL(request), locationURL)) {
       // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
       request.headersList.delete('authorization')
+
+      // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
+      request.headersList.delete('cookie')
+      request.headersList.delete('host')
     }
 
     // 14. If request’s body is non-null, then set request’s body to the first return
--- src/third_party/electron_node/deps/undici/undici.js.orig	2023-10-12 11:05:39.514426000 +0200
+++ src/third_party/electron_node/deps/undici/undici.js	2023-10-16 19:37:43.239110900 +0200
@@ -11006,6 +11006,10 @@ var require_fetch = __commonJS({
       }
       if (!sameOrigin(requestCurrentURL(request), locationURL)) {
         request.headersList.delete("authorization");
+
+        // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
+        request.headersList.delete('cookie')
+        request.headersList.delete('host')
       }
       if (request.body != null) {
         assert(request.body.source != null);
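Review bot: The diffstat in the commit record lists `test/fetch/redirect-cross-origin-header.js | 48 ++++++++++++++++++++++` and `2 files changed, 52 insertions(+)`, but the patch body carries only the `lib/fetch/index.js` hunk, so the regression test that came with the upstream fix is not part of this package patch and nothing here exercises the new `cookie`/`host` deletions. If the test was dropped on purpose when the bundled-tree hunk was added, the diffstat and the `create mode` line should be trimmed to match, or the description should say the test is omitted, so whoever refreshes the patch is not misled. The added comment could also state the intent of the cross-origin branch rather than only what undici lacks, e.g. `// Credential-bearing headers the fetch spec lists as forbidden request-header names must not follow a redirect to a different origin.` The enclosing `httpRedirectFetch` starts and ends outside the hunk.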
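Review bot: The four lines added to the bundled `undici.js` use single quotes and no semicolons while the surrounding generated code uses double quotes and semicolons (`request.headersList.delete("authorization");` immediately above), so the hunk reads as a hand edit rather than a rebuild. Matching the bundle's style with `request.headersList.delete("cookie");` and `request.headersList.delete("host");` keeps a later regeneration diff clean. The `var require_fetch = __commonJS({` context suggests this file is a build artifact of `lib/`; if the package cannot rebuild it, one sentence in the patch description saying the second hunk is a manual port of the first would help the next person who refreshes the patch. Both the function edited here and `require_fetch` continue outside the hunk.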