Accepting request 1166510 from home:dziobian:gulgul-ultron:19

- Add backported CVE-2024-30260-undici-clear-proxy-authorization.patch (CVE-2024-30260 bsc#1222530) OBS-URL: https://build.opensuse.org/request/show/1166510 OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs-electron?expand=0&rev=138
2024-04-09 20:17:41 +00:00
parent ee8e43b84d
commit 745a3d0d67
3 changed files with 31 additions and 0 deletions
--- a/CVE-2024-30260-undici-clear-proxy-authorization.patch
+++ b/CVE-2024-30260-undici-clear-proxy-authorization.patch
@@ -0,0 +1,25 @@
 Manual backport of https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
 --- src/third_party/electron_node/deps/undici/src/lib/handler/RedirectHandler.js.old	2024-04-04 09:55:39.696980900 +0000
 +++ src/third_party/electron_node/deps/undici/src/lib/handler/RedirectHandler.js	2024-04-09 16:52:37.888616200 +0000
@@ -188,7 +188,8 @@ function shouldRemoveHeader (header, rem
     (header.length === 4 && header.toString().toLowerCase() === 'host') ||
     (removeContent && header.toString().toLowerCase().indexOf('content-') === 0) ||
     (unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') ||
 -    (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie')
 +    (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') ||
 +    (unknownOrigin && header.length === 19 && header.toString().toLowerCase() === 'proxy-authorization')
   )
 }
 --- src/third_party/electron_node/deps/undici/undici.js.old	2024-04-04 10:02:38.059765300 +0000
 +++ src/third_party/electron_node/deps/undici/undici.js	2024-04-09 16:51:15.754041100 +0000
@@ -7902,7 +7902,7 @@ var require_RedirectHandler = __commonJS
     }
     __name(parseLocation, "parseLocation");
     function shouldRemoveHeader(header, removeContent, unknownOrigin) {
 -      return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie";
 +      return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie" || unknownOrigin && header.length === 19 && header.toString().toLowerCase() === "proxy-authorization"
     }
     __name(shouldRemoveHeader, "shouldRemoveHeader");
     function cleanRequestHeaders(headers, removeContent, unknownOrigin) {
--- a/nodejs-electron.changes
+++ b/nodejs-electron.changes
@@ -1,3 +1,8 @@
 -------------------------------------------------------------------
 Tue Apr  9 16:58:14 UTC 2024 - Bruno Pitrus <brunopitrus@hotmail.com>
 - Add backported CVE-2024-30260-undici-clear-proxy-authorization.patch (CVE-2024-30260 bsc#1222530)
 -------------------------------------------------------------------
 Thu Apr  4 20:35:05 UTC 2024 - Bruno Pitrus <brunopitrus@hotmail.com>
--- a/nodejs-electron.spec
+++ b/nodejs-electron.spec
@@ -354,6 +354,7 @@ Patch3132:      v8-instance-type-inl-constexpr-used-before-its-definition.patch
 Patch3133:      swiftshader-llvm18-LLVMReactor-getInt8PtrTy.patch
 Patch3134:      swiftshader-llvm18-LLVMJIT-Host.patch
 Patch3135:      swiftshader-llvm18-LLVMJIT-CodeGenOptLevel.patch
 Patch3136:      CVE-2024-30260-undici-clear-proxy-authorization.patch
 BuildRequires:  brotli
 %if %{with system_cares}