File CVE-2023-45143-undici-cookie-leakage.patch of Package nodejs-electron

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2023-45143-undici-cookie-leakage.patch of Package nodejs-electron (Revision e2823fc6f75dd49340532c8a499eacf1)

Currently displaying revision e2823fc6f75dd49340532c8a499eacf1 , Show latest

From e041de359221ebeae04c469e8aff4145764e6d76 Mon Sep 17 00:00:00 2001
From: Khafra <maitken033380023@gmail.com>
Date: Wed, 11 Oct 2023 14:56:38 -0400
Subject: [PATCH] Merge pull request from GHSA-wqq4-5wpv-mx2g

* fix: delete 'cookie' and 'host' headers on cross-origin redirect

* apply suggestion
---
 lib/fetch/index.js                         |  4 ++
 test/fetch/redirect-cross-origin-header.js | 48 ++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 test/fetch/redirect-cross-origin-header.js

diff --git a/lib/fetch/index.js b/lib/fetch/index.js
index c89c9b7ffc..5323c30abc 100644
--- a/third_party/electron_node/deps/undici/src/lib/fetch/index.js
+++ b/third_party/electron_node/deps/undici/src/lib/fetch/index.js
@@ -1200,6 +1200,10 @@ async function httpRedirectFetch (fetchParams, response) {
   if (!sameOrigin(requestCurrentURL(request), locationURL)) {
     // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
     request.headersList.delete('authorization')
+
+    // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
+    request.headersList.delete('cookie')
+    request.headersList.delete('host')
   }
 
   // 14. If request’s body is non-null, then set request’s body to the first return
--- src/third_party/electron_node/deps/undici/undici.js.orig	2023-10-12 11:05:39.514426000 +0200
+++ src/third_party/electron_node/deps/undici/undici.js	2023-10-16 19:37:43.239110900 +0200
@@ -11006,6 +11006,10 @@ var require_fetch = __commonJS({
       }
       if (!sameOrigin(requestCurrentURL(request), locationURL)) {
         request.headersList.delete("authorization");
+
+        // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
+        request.headersList.delete('cookie')
+        request.headersList.delete('host')
       }
       if (request.body != null) {
         assert(request.body.source != null);

Places

File CVE-2023-45143-undici-cookie-leakage.patch of Package nodejs-electron (Revision e2823fc6f75dd49340532c8a499eacf1)

Places