Merge pull request from GHSA-3787-6prv-h9w3

Signed-off-by: Matteo Collina <hello@matteocollina.com>

Author: mcollina

lib/fetch/index.js

@@ -1203,6 +1203,9 @@ function httpRedirectFetch (fetchParams, response) {
     // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
     request.headersList.delete('authorization')
 
+    // https://fetch.spec.whatwg.org/#authentication-entries
+    request.headersList.delete('proxy-authorization', true)
+
     // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
     request.headersList.delete('cookie')
     request.headersList.delete('host')

test/fetch/redirect-cross-origin-header.js

@@ -6,11 +6,12 @@ const { once } = require('events')
 const { fetch } = require('../..')
 
 test('Cross-origin redirects clear forbidden headers', async (t) => {
-  t.plan(5)
+  t.plan(6)
 
   const server1 = createServer((req, res) => {
     t.equal(req.headers.cookie, undefined)
     t.equal(req.headers.authorization, undefined)
+    t.equal(req.headers['proxy-authorization'], undefined)
 
     res.end('redirected')
   }).listen(0)
@@ -39,7 +40,8 @@ test('Cross-origin redirects clear forbidden headers', async (t) => {
   const res = await fetch(`http://localhost:${server2.address().port}`, {
     headers: {
       Authorization: 'test',
-      Cookie: 'ddd=dddd'
+      Cookie: 'ddd=dddd',
+      'Proxy-Authorization': 'test'
     }
   })