From ba436c6685e751d968a960fbda65f24cf7a82e9f Mon Sep 17 00:00:00 2001
From: Ben McCann <322311+benmccann@users.noreply.github.com>
Date: Thu, 6 Apr 2023 08:45:55 -0700
Subject: [PATCH] Merge pull request from GHSA-gv7g-x59x-wf8f
* fix: do a case-insensitive comparison when checking header value
* changeset
* remove export
* Update .changeset/happy-pots-move.md
---
 .changeset/happy-pots-move.md | 5 +++++
 packages/kit/src/utils/http.js | 4 ++--
 packages/kit/test/apps/basics/test/server.test.js | 3 ++-
 3 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 .changeset/happy-pots-move.md
diff --git a/.changeset/happy-pots-move.md b/.changeset/happy-pots-move.md
new file mode 100644
index 000000000000..506c34b1c97a
--- /dev/null
+++ b/.changeset/happy-pots-move.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: address security advisory CVE-2023-29008 by doing a case-insensitive comparison when checking header value
diff --git a/packages/kit/src/utils/http.js b/packages/kit/src/utils/http.js
index f5bdf2ccff7c..739993449579 100644
--- a/packages/kit/src/utils/http.js
+++ b/packages/kit/src/utils/http.js
@@ -59,9 +59,9 @@ export function negotiate(accept, types) {
 * @param {Request} request
 * @param {...string} types
 */
-export function is_content_type(request, ...types) {
+function is_content_type(request, ...types) {
 const type = request.headers.get('content-type')?.split(';', 1)[0].trim() ?? '';
- return types.includes(type);
+ return types.includes(type.toLowerCase());
 }
 
 /**
diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
index ce31f520f98c..d6fc639abbbd 100644
--- a/packages/kit/test/apps/basics/test/server.test.js
+++ b/packages/kit/test/apps/basics/test/server.test.js
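Review bot: `is_content_type` now lowercases only the request's media type, so the comparison is case-insensitive only if every caller passes `types` already in lowercase — a mixed-case literal on the caller side would still never match, and since this helper feeds the form-content decision in the CSRF guard, that contract deserves to be explicit. Either normalize both sides, `return types.some((t) => t.toLowerCase() === type.toLowerCase());`, or record the precondition in the JSDoc: ` * @param {...string} types lowercase media types; the request's Content-Type (without parameters) is lowercased before comparison`. The opening of that JSDoc block and the function's callers are outside the hunk, so whether existing callers already pass lowercase values cannot be confirmed from here.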
@@ -61,7 +61,8 @@ test.describe('CSRF', () => {
 const content_types = [
 'application/x-www-form-urlencoded',
 'multipart/form-data',
- 'text/plain'
+ 'text/plain',
+ 'text/plaiN'
 ];
 const methods = ['POST', 'PUT', 'PATCH', 'DELETE'];
 for (const method of methods) {
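Review bot: The added `'text/plaiN'` entry exercises the case-insensitive path for a single media type only; since the fix lowercases whatever the header carries after splitting off parameters, a mixed-case variant of another form type (e.g. `'Multipart/Form-Data'`) and a value with parameters such as `'Text/Plain; charset=utf-8'` would also cover the split-then-lowercase path the production code takes. Whether the loop body sends each entry verbatim as the request's Content-Type cannot be seen here, as the `test.describe('CSRF', …)` callback starts before the hunk and continues past it.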