Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:Update
nodejs16
CVE-2024-24758.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2024-24758.patch of Package nodejs16
Index: node-v16.20.2/deps/undici/src/lib/fetch/index.js =================================================================== --- node-v16.20.2.orig/deps/undici/src/lib/fetch/index.js +++ node-v16.20.2/deps/undici/src/lib/fetch/index.js @@ -1200,6 +1200,13 @@ async function httpRedirectFetch (fetchP if (!sameOrigin(requestCurrentURL(request), locationURL)) { // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name request.headersList.delete('authorization') + + // https://fetch.spec.whatwg.org/#authentication-entries + request.headersList.delete('proxy-authorization', true) + + // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. + request.headersList.delete('cookie') + request.headersList.delete('host') } // 14. If request’s body is non-null, then set request’s body to the first return Index: node-v16.20.2/deps/undici/undici.js =================================================================== --- node-v16.20.2.orig/deps/undici/undici.js +++ node-v16.20.2/deps/undici/undici.js @@ -11167,6 +11167,9 @@ var require_fetch = __commonJS({ } if (!sameOrigin(requestCurrentURL(request), locationURL)) { request.headersList.delete("authorization"); + request.headersList.delete("proxy-authorization", true); + request.headersList.delete("cookie"); + request.headersList.delete("host"); } if (request.body != null) { assert(request.body.source != null);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor