nodejs/nodejs-electron
SHA256
7
0
Fork 0
forked from pool/nodejs-electron
Code Pull Requests Activity

Accepting request 1166510 from home:dziobian:gulgul-ultron:19

Browse Source 
- Add backported CVE-2024-30260-undici-clear-proxy-authorization.patch (CVE-2024-30260 bsc#1222530)

OBS-URL: https://build.opensuse.org/request/show/1166510
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs-electron?expand=0&rev=138
This commit is contained in:
dziobian
2024-04-09 20:17:41 +00:00
committed by Git OBS Bridge
parent ee8e43b84d
commit 745a3d0d67
3 changed files with 31 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
CVE-2024-30260-undici-clear-proxy-authorization.patch Normal file
View File

@@ -0,0 +1,25 @@
Manual backport of https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
--- src/third_party/electron_node/deps/undici/src/lib/handler/RedirectHandler.js.old 2024-04-04 09:55:39.696980900 +0000
+++ src/third_party/electron_node/deps/undici/src/lib/handler/RedirectHandler.js 2024-04-09 16:52:37.888616200 +0000
@@ -188,7 +188,8 @@ function shouldRemoveHeader (header, rem
(header.length === 4 && header.toString().toLowerCase() === 'host') ||
(removeContent && header.toString().toLowerCase().indexOf('content-') === 0) ||
(unknownOrigin && header.length === 13 && header.toString().toLowerCase() === 'authorization') ||
- (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie')
+ (unknownOrigin && header.length === 6 && header.toString().toLowerCase() === 'cookie') ||
+ (unknownOrigin && header.length === 19 && header.toString().toLowerCase() === 'proxy-authorization')
)
}
--- src/third_party/electron_node/deps/undici/undici.js.old 2024-04-04 10:02:38.059765300 +0000
+++ src/third_party/electron_node/deps/undici/undici.js 2024-04-09 16:51:15.754041100 +0000
@@ -7902,7 +7902,7 @@ var require_RedirectHandler = __commonJS
}
__name(parseLocation, "parseLocation");
function shouldRemoveHeader(header, removeContent, unknownOrigin) {
- return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie";
+ return header.length === 4 && header.toString().toLowerCase() === "host" || removeContent && header.toString().toLowerCase().indexOf("content-") === 0 || unknownOrigin && header.length === 13 && header.toString().toLowerCase() === "authorization" || unknownOrigin && header.length === 6 && header.toString().toLowerCase() === "cookie" || unknownOrigin && header.length === 19 && header.toString().toLowerCase() === "proxy-authorization"
}
__name(shouldRemoveHeader, "shouldRemoveHeader");
function cleanRequestHeaders(headers, removeContent, unknownOrigin) {

5
nodejs-electron.changes
View File

@@ -1,3 +1,8 @@
-------------------------------------------------------------------
Tue Apr 9 16:58:14 UTC 2024 - Bruno Pitrus <brunopitrus@hotmail.com>
- Add backported CVE-2024-30260-undici-clear-proxy-authorization.patch (CVE-2024-30260 bsc#1222530)
-------------------------------------------------------------------
Thu Apr 4 20:35:05 UTC 2024 - Bruno Pitrus <brunopitrus@hotmail.com>

1
nodejs-electron.spec
View File

@@ -354,6 +354,7 @@ Patch3132: v8-instance-type-inl-constexpr-used-before-its-definition.patch
Patch3133: swiftshader-llvm18-LLVMReactor-getInt8PtrTy.patch
Patch3134: swiftshader-llvm18-LLVMJIT-Host.patch
Patch3135: swiftshader-llvm18-LLVMJIT-CodeGenOptLevel.patch
Patch3136: CVE-2024-30260-undici-clear-proxy-authorization.patch
BuildRequires: brotli
%if %{with system_cares}