Merge pull request from GHSA-gv7g-x59x-wf8f

* fix: do a case-insensitive comparison when checking header value * changeset * remove export * Update .changeset/happy-pots-move.md
sveltejs · Apr 6, 2023 · ba436c6 · ba436c6
1 parent 23d8327
commit ba436c6
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/.changeset/happy-pots-move.md b/.changeset/happy-pots-move.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: address security advisory CVE-2023-29008 by doing a case-insensitive comparison when checking header value
diff --git a/packages/kit/src/utils/http.js b/packages/kit/src/utils/http.js
@@ -59,9 +59,9 @@ export function negotiate(accept, types) {
  * @param {Request} request
  * @param  {...string} types
  */
-export function is_content_type(request, ...types) {
+function is_content_type(request, ...types) {
 	const type = request.headers.get('content-type')?.split(';', 1)[0].trim() ?? '';
-	return types.includes(type);
+	return types.includes(type.toLowerCase());
 }
 
 /**

diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
@@ -61,7 +61,8 @@ test.describe('CSRF', () => {
 		const content_types = [
 			'application/x-www-form-urlencoded',
 			'multipart/form-data',
-			'text/plain'
+			'text/plain',
+			'text/plaiN'
 		];
 		const methods = ['POST', 'PUT', 'PATCH', 'DELETE'];
 		for (const method of methods) {