1
0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-11-22 18:00:18 +01:00
metamask-extension/.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
legobeat c21c2bdcf0
security: patch request for CVE-2023-28155 (#18208)
* security: patch request for CVE-2023-28155

GHSA-p8p7-x288-28g6

Ported from https://github.com/request/request/pull/3444

* add iyarc exclusion
2023-03-17 11:59:39 -02:30

32 lines
1.1 KiB
Diff

diff --git a/lib/redirect.js b/lib/redirect.js
index b9150e77c73d63367845c0aec15b5684d900943f..2864f9f2abc481ecf2b2dd96b1293f5b93393efd 100644
--- a/lib/redirect.js
+++ b/lib/redirect.js
@@ -14,6 +14,7 @@ function Redirect (request) {
this.redirects = []
this.redirectsFollowed = 0
this.removeRefererHeader = false
+ this.allowInsecureRedirect = false
}
Redirect.prototype.onRequest = function (options) {
@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {
if (options.followOriginalHttpMethod !== undefined) {
self.followOriginalHttpMethod = options.followOriginalHttpMethod
}
+ if (options.allowInsecureRedirect !== undefined) {
+ self.allowInsecureRedirect = options.allowInsecureRedirect
+ }
}
Redirect.prototype.redirectTo = function (response) {
@@ -108,7 +112,7 @@ Redirect.prototype.onResponse = function (response) {
request.uri = url.parse(redirectTo)
// handle the case where we change protocol from https to http or vice versa
- if (request.uri.protocol !== uriPrev.protocol) {
+ if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) {
delete request.agent
}