pi0
commented
3 months ago Thanks for report. #2553 will fix it for nightly channel and next minor release.
Closed jgitlin-nypr closed 3 months ago
pi0
commented
3 months ago Thanks for report. #2553 will fix it for nightly channel and next minor release.
https://github.com/unjs/nitro/blob/928373ccecffc7c1bf519543ffeba11bfcfeb4ea/src/runtime/renderer.ts#L26
This line of code is insufficiently defensive and caused a major issue for us. By only doing a string match, it's possible to append "favicon.ico" to a URL (ie via a query string) and get served a broken favicon instead of a page. If you are using a CDN that ignores query params, then it's a vector for cache poisoning. This Stackblitz example shows the issue.