This repository has been archived by the owner on Jan 11, 2023. It is now read-only.
this.fetch mutates headers passed to it #528
Comments
|
From working through this with @antony, my suggested but untested fix is to replace if (!opts.headers) opts.headers = {};with opts.headers = Object.assign({}, opts.headers); |
Conduitry
added a commit
that referenced
this issue
Dec 31, 2018
Rich-Harris
added a commit
that referenced
this issue
Feb 1, 2019
avoid mutating `opts.headers` in `this.fetch` (#528)
|
released 0.25 with the fix |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Just spent a while hunting this down, but if you keep a reference to a set of
request defaults, the mutation ofopts.headersat the end of preload context'sfetchmethod can cause a security issue whereby non-authenticated clients end up getting the cookies of an authenticated user's request (And seeing privileged data).Essentially I think it's best not to mutate things that are passed into a method. There has been some effort not to do this, but headers is always nested in opts and therefore becomes a reference.
I also note that this is a potential security issue when dealing with headers which can store credentials, so I think it's worth fixing.
Line causing the issue is here:
sapper/templates/src/server/middleware/get_page_handler.ts
Line 122 in e69cb36
The text was updated successfully, but these errors were encountered: