From 0dcff7e7c9f5dd0ab2abd09f9bb11c7ba4030d4f Mon Sep 17 00:00:00 2001
From: "deepin-community-bot[bot]" <156989552+deepin-community-bot[bot]@users.noreply.github.com>
Date: Wed, 6 May 2026 06:42:07 +0000
Subject: [PATCH] feat: update node-on-headers to 1.0.2-4
---
 .gitignore | 4 +-
 debian/changelog | 15 +++++
 debian/control | 3 +-
 debian/patches/CVE-2025-7339.patch | 102 +++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 5 files changed, 123 insertions(+), 2 deletions(-)
 create mode 100644 debian/patches/CVE-2025-7339.patch
 create mode 100644 debian/patches/series
diff --git a/.gitignore b/.gitignore
index 224e7f0..df9af16 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-.pc/
+coverage
+node_modules
+npm-debug.log
diff --git a/debian/changelog b/debian/changelog
index ab7cc8d..de31efa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+node-on-headers (1.0.2-4) unstable; urgency=medium
+
+ * Team upload
+ * Declare compliance with policy 4.7.2
+ * Fix array handling (Closes: #1109525, CVE-2025-7339)
+
+ -- Yadd Sat, 19 Jul 2025 15:08:56 +0200
+
+node-on-headers (1.0.2-3) unstable; urgency=medium
+
+ [ Debian Janitor ]
+ * Apply multi-arch hints. + node-on-headers: Add Multi-Arch: foreign.
+
+ -- Jelmer Vernooij Tue, 22 Nov 2022 12:21:10 +0000
+
 node-on-headers (1.0.2-2) unstable; urgency=medium

 [ Utkarsh Gupta ]
diff --git a/debian/control b/debian/control
index 887f8d6..cba3ea6 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Build-Depends: debhelper-compat (= 13)
 , dh-sequence-nodejs
 , mocha
 , node-supertest (>= 3.4.2)
-Standards-Version: 4.6.0
+Standards-Version: 4.7.2
 Homepage: https://github.com/jshttp/on-headers
 Vcs-Git: https://salsa.debian.org/js-team/node-on-headers.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-on-headers
@@ -18,6 +18,7 @@ Rules-Requires-Root: no Package: node-on-headers Architecture: all Depends: ${misc:Depends} +Multi-Arch: foreign Description: HTTP response headers listener - Node.js module This module tracks when headers are written to a Node.js HTTP response and provides a facility for calling listeners before the headers are diff --git a/debian/patches/CVE-2025-7339.patch b/debian/patches/CVE-2025-7339.patch new file mode 100644 index 0000000..947f84c --- /dev/null +++ b/debian/patches/CVE-2025-7339.patch 
@@ -0,0 +1,102 @@
+Description: fix array handling
+Author: ctcpip
+Origin: upstream, https://github.com/jshttp/on-headers/commit/c6e3849
+Bug: https://github.com/jshttp/on-headers/issues/15
+Bug-Debian: https://bugs.debian.org/1109525
+Forwarded: not-needed
+Applied-Upstream: 1.1.0, commit:c6e3849
+Reviewed-By: Xavier Guimard
+Last-Update: 2025-07-19
+
+--- a/index.js
++++ b/index.js
+@@ -74,8 +74,20 @@
+ */
+
+ function setHeadersFromArray (res, headers) {
+- for (var i = 0; i < headers.length; i++) {
+- res.setHeader(headers[i][0], headers[i][1])
++ if (headers.length && Array.isArray(headers[0])) {
++ // 2D
++ for (var i = 0; i < headers.length; i++) {
++ res.setHeader(headers[i][0], headers[i][1])
++ }
++ } else {
++ if (headers.length % 2 !== 0) {
++ throw new TypeError('headers array is malformed')
++ }
++
++ // 1D
++ for (var j = 0; j < headers.length; j += 2) {
++ res.setHeader(headers[j], headers[j + 1])
++ }
+ }
+ }
+
+--- a/test/test.js
++++ b/test/test.js
+@@ -278,6 +278,64 @@
+ .expect(201, done)
+ })
+ })
++
++ describe('writeHead(status, flat arr)', function () {
++ it('should be available in listener', function (done) {
++ var server = createServer(listener, handler)
++
++ function handler (req, res) {
++ res.writeHead(201, ['X-Outgoing', 'test'])
++ }
++
++ function listener (req, res) {
++ this.setHeader('X-Status', this.statusCode)
++ this.setHeader('X-Outgoing-Echo', this.getHeader('X-Outgoing'))
++ }
++
++ request(server)
++ .get('/')
++ .expect('X-Status', '201')
++ .expect('X-Outgoing-Echo', 'test')
++ .expect(201, done)
++ })
++ })
++
++ describe('writeHead(status, invalid flat arr)', function () {
++ it('should throw on malformed array', function (done) {
++ var server = createServer(listener, handler)
++
++ function handler (req, res) {
++ assert.throws(function () {
++ res.writeHead(201, ['foo', 'bar', 'baz'])
++ },
++ TypeError)
++ }
++
++ function listener (req, res) {
++ }
++
++ // gets a 200 here because we caught the error via assert.throws
++ request(server)
++ .get('/')
++ .expect(200, done)
++ })
++
++ it('should return 500 on malformed array', function (done) {
++ var server = createServer(listener, handler)
++
++ function handler (req, res) {
++ res.writeHead(201, ['foo', 'bar', 'baz'])
++ res.end('no soup for you!')
++ }
++
++ function listener (req, res) {
++ }
++
++ request(server)
++ .get('/')
++ .expect(500, done)
++ })
++ })
+ })
+
+ function createServer (listener, handler) {
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..dbdaeee
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2025-7339.patch
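Review bot: In `setHeadersFromArray` (index.js section of the embedded CVE-2025-7339.patch) the pair-array branch is chosen from `headers[0]` alone, so an array whose later entries are plain strings is still read as `headers[i][0]` / `headers[i][1]` and would set a header from the first two characters of the string instead of failing. The flat branch already rejects malformed input, and the pair branch could match it with `if (!Array.isArray(headers[i])) throw new TypeError('headers array is malformed')` at the top of its loop. The added tests exercise the flat and odd-length cases only; a mixed-shape case would pin this behaviour. Both branches also go through `res.setHeader`, so a name repeated in the array keeps only its last value, which deserves a one-line comment. The function's doc comment begins outside the hunk.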