- CVE-2021-44907.patch: fix insufficient sanitation in npm dependency (bsc#1197283, CVE-2021-44907) - CVE-2022-0235.patch: fix passing of cookie data and sensitive headers to different hostnames in node-fetch-npm (bsc#1194819, CVE-2022-0235) OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs8?expand=0&rev=184
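Index: node-v8.17.0/deps/npm/node_modules/node-fetch-npm/src/index.js
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/node-fetch-npm/src/index.js
+++ node-v8.17.0/deps/npm/node_modules/node-fetch-npm/src/index.js
@@ -99,6 +99,9 @@ function fetch (uri, opts) {
 }
 if (url.parse(request.url).hostname !== redirectURL.hostname) {
 request.headers.delete('authorization')
+request.headers.delete('www-authenticate')
+request.headers.delete('cookie')
+request.headers.delete('cookie2')
 }
 
 // per fetch spec, for POST request with 301/302 response, or any request with 303 response, use GET when following redirect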
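Review bot: The guard on the `if` line still compares only `hostname`, so a redirect that keeps the host name but changes scheme (for example https to http) would carry `authorization` and the newly stripped `cookie`/`cookie2` headers over a different transport. Consider widening the condition to `const from = url.parse(request.url)` followed by `if (from.hostname !== redirectURL.hostname || from.protocol !== redirectURL.protocol) {`. This assumes `redirectURL` is a parsed URL object exposing `protocol`, which the existing `.hostname` access suggests but which is defined outside the hunk. A port comparison may be worth adding too, provided both sides normalise default ports the same way. The enclosing `fetch` function starts and ends outside this hunk, so a short comment on why these four headers are dropped (`// credentials must not follow a cross-origin redirect`) would help readers of the final file.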