Undici's cookie header not cleared on cross-origin redirect in fetch #60

Closed
opened 2023-10-17 17:08:05 +01:00 by Vylpes · 0 comments
Owner

Package: undici (npm)
Affected versions: < 5.26.2
Patched version: 5.26.2


Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect between the assumptions the spec made and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookies to a 3rd-party site, or a malicious attacker who can control the redirection target (i.e. an open redirector) to leak the cookie to the 3rd-party site.

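To make the advisory's point concrete, the following is an added example (not undici's own code and not part of this issue): a spec-style redirect header filter that drops credential-bearing request headers once a redirect leaves the original origin, with a switch that reproduces the pre-5.26.2 behaviour of stripping Authorization but keeping Cookie, plus a small version check against the patched version named above. The function names, the inclusion of Proxy-Authorization in the strip list, and the sample URLs and headers are assumptions made for this example.

```javascript
// Added example, not undici's implementation. Models what a fetch client
// should do with request headers when following a redirect.

// Headers that carry credentials and must not follow a cross-origin redirect.
// `authorization` is what undici already stripped; `cookie` is the header the
// advisory says was missed. `proxy-authorization` is included as a defensive
// assumption of this example, not something the advisory states.
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// headers: a plain object as a caller might pass in RequestInit.headers.
// Returns the header object to use for the follow-up request.
// legacyKeepCookie=true reproduces the vulnerable behaviour for comparison.
function headersForRedirect(originalUrl, location, headers, { legacyKeepCookie = false } = {}) {
  // Location may be relative; resolve it against the request URL first.
  const target = new URL(location, originalUrl).href;
  if (sameOrigin(originalUrl, target)) {
    return { ...headers }; // same origin: everything may be re-sent
  }
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower === 'cookie' && legacyKeepCookie) {
      out[name] = value; // pre-5.26.2 behaviour: cookie survived the hop
      continue;
    }
    if (CREDENTIAL_HEADERS.has(lower)) continue; // drop on cross-origin hop
    out[name] = value;
  }
  return out;
}

// Minimal semver comparison, enough to check a dependency against the
// patched version from the advisory (no pre-release handling).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a semver string: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

const PATCHED_UNDICI = '5.26.2'; // from the advisory text above

function undiciAffected(version) {
  return compareSemver(version, PATCHED_UNDICI) < 0;
}

// Constructed sample: a request to our own app that gets redirected elsewhere.
const SAMPLE_URL = 'https://app.example/login';
const SAMPLE_HEADERS = {
  Cookie: 'session=constructed-value',
  Authorization: 'Bearer constructed-token',
  Accept: 'application/json',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('fixed, cross-origin :',
    headersForRedirect(SAMPLE_URL, 'https://other.example/collect', SAMPLE_HEADERS));
  console.log('legacy, cross-origin:',
    headersForRedirect(SAMPLE_URL, 'https://other.example/collect', SAMPLE_HEADERS, { legacyKeepCookie: true }));
  console.log('same origin         :',
    headersForRedirect(SAMPLE_URL, '/dashboard', SAMPLE_HEADERS));
  for (const v of ['5.26.1', '5.26.2', '5.27.0']) {
    console.log(`undici ${v} affected:`, undiciAffected(v));
  }
}

module.exports = { headersForRedirect, undiciAffected, compareSemver, SAMPLE_URL, SAMPLE_HEADERS };
```

Running it prints that the fixed path keeps only Accept across the cross-origin hop, the legacy path keeps Cookie while dropping Authorization (the gap the advisory describes), and a same-origin relative redirect keeps everything. The version check is a convenient way to assert in CI that a lockfile has moved past 5.26.2.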
Vylpes added the type/dependencies label 2023-10-17 17:08:08 +01:00
Vylpes added this to the 0.1.6 milestone 2023-10-17 17:11:52 +01:00
Vylpes modified the milestone from 0.1.6 to 0.1.8 2023-10-21 17:48:47 +01:00
Vylpes started working 2023-11-04 16:03:48 +00:00
Vylpes stopped working 2023-11-04 16:09:13 +00:00 (5 minutes 25 seconds)
Total time spent: 5 minutes 25 seconds
Reference: External/card-drop#60