File CVE-2021-22884.patch of Package nodejs8.20454
From 1564752d553f582c8048ee45614f870ee2a446c9 Mon Sep 17 00:00:00 2001
From: Matteo Collina <hello@matteocollina.com>
Date: Thu, 14 Jan 2021 16:04:44 +0100
Subject: [PATCH] src: drop localhost6 as allowed host for inspector
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-ID: CVE-2021-22884
Refs: https://hackerone.com/bugs?report_id=1069487
PR-URL: https://github.com/nodejs-private/node-private/pull/244
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Mary Marchini <oss@mmarchini.me>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Michaƫl Zasso <targos@protonmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
---
src/inspector_socket.cc | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
Index: node-v8.17.0/src/inspector_socket.cc
===================================================================
--- node-v8.17.0.orig/src/inspector_socket.cc
+++ node-v8.17.0/src/inspector_socket.cc
@@ -511,8 +511,7 @@ static std::string HeaderValue(const str
static bool IsAllowedHost(const std::string& host_with_port) {
std::string host = TrimPort(host_with_port);
return host.empty() || IsIPAddress(host)
- || node::StringEqualNoCase(host.data(), "localhost")
- || node::StringEqualNoCase(host.data(), "localhost6");
+ || node::StringEqualNoCase(host.data(), "localhost");
}
static int message_complete_cb(http_parser* parser) {
