nodejs16/CVE-2024-24758.patch

Index: node-v16.20.2/deps/undici/src/lib/fetch/index.js
===================================================================
--- node-v16.20.2.orig/deps/undici/src/lib/fetch/index.js
+++ node-v16.20.2/deps/undici/src/lib/fetch/index.js
@@ -1200,6 +1200,13 @@ async function httpRedirectFetch (fetchP
   if (!sameOrigin(requestCurrentURL(request), locationURL)) {
     // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
     request.headersList.delete('authorization')
+
+    // https://fetch.spec.whatwg.org/#authentication-entries
+    request.headersList.delete('proxy-authorization', true)
+
+    // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
+    request.headersList.delete('cookie')
+    request.headersList.delete('host')
   }
 
   // 14. If request’s body is non-null, then set request’s body to the first return
Index: node-v16.20.2/deps/undici/undici.js
===================================================================
--- node-v16.20.2.orig/deps/undici/undici.js
+++ node-v16.20.2/deps/undici/undici.js
@@ -11167,6 +11167,9 @@ var require_fetch = __commonJS({
       }
       if (!sameOrigin(requestCurrentURL(request), locationURL)) {
         request.headersList.delete("authorization");
+        request.headersList.delete("proxy-authorization", true);
+        request.headersList.delete("cookie");
+        request.headersList.delete("host");
       }
       if (request.body != null) {
         assert(request.body.source != null);