Merge pull request from GHSA-gv7g-x59x-wf8f

benmccann · web-flow · commit ba436c6685e7 · 2023-04-06T08:45:55.000-07:00
* fix: do a case-insensitive comparison when checking header value

* changeset

* remove export

* Update .changeset/happy-pots-move.md
diff --git a/.changeset/happy-pots-move.md b/.changeset/happy-pots-move.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: address security advisory CVE-2023-29008 by doing a case-insensitive comparison when checking header value
diff --git a/packages/kit/src/utils/http.js b/packages/kit/src/utils/http.js
@@ -59,9 +59,9 @@ export function negotiate(accept, types) {
  * @param {Request} request
  * @param  {...string} types
  */
-export function is_content_type(request, ...types) {
+function is_content_type(request, ...types) {
 	const type = request.headers.get('content-type')?.split(';', 1)[0].trim() ?? '';
-	return types.includes(type);
+	return types.includes(type.toLowerCase());
 }
 
 /**
diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
@@ -61,7 +61,8 @@ test.describe('CSRF', () => {
 		const content_types = [
 			'application/x-www-form-urlencoded',
 			'multipart/form-data',
-			'text/plain'
+			'text/plain',
+			'text/plaiN'
 		];
 		const methods = ['POST', 'PUT', 'PATCH', 'DELETE'];
 		for (const method of methods) {
