Skip to content

Commit

Permalink
Merge pull request from GHSA-gv7g-x59x-wf8f
Browse files Browse the repository at this point in the history
* fix: do a case-insensitive comparison when checking header value

* changeset

* remove export

* Update .changeset/happy-pots-move.md
  • Loading branch information
benmccann authored Apr 6, 2023
1 parent 23d8327 commit ba436c6
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 3 deletions.
5 changes: 5 additions & 0 deletions .changeset/happy-pots-move.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@sveltejs/kit': patch
---

fix: address security advisory CVE-2023-29008 by doing a case-insensitive comparison when checking header value
4 changes: 2 additions & 2 deletions packages/kit/src/utils/http.js
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,9 @@ export function negotiate(accept, types) {
* @param {Request} request
* @param {...string} types
*/
export function is_content_type(request, ...types) {
function is_content_type(request, ...types) {
const type = request.headers.get('content-type')?.split(';', 1)[0].trim() ?? '';
return types.includes(type);
return types.includes(type.toLowerCase());
}

/**
Expand Down
3 changes: 2 additions & 1 deletion packages/kit/test/apps/basics/test/server.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,8 @@ test.describe('CSRF', () => {
const content_types = [
'application/x-www-form-urlencoded',
'multipart/form-data',
'text/plain'
'text/plain',
'text/plaiN'
];
const methods = ['POST', 'PUT', 'PATCH', 'DELETE'];
for (const method of methods) {
Expand Down

0 comments on commit ba436c6

Please sign in to comment.