python3-flask-cors: Fix CVE-2024-6221

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions. References: https://nvd.nist.gov/vuln/detail/CVE-2024-6221 Upsteam-Patch: https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2024-09-03 12:52:59 +0000
committer: Khem Raj <raj.khem@gmail.com> 2024-09-03 07:05:13 -0700
commit: dadb8790bdf59463ab41ebb65f87e659eafa5664 (patch)
tree: 131255061e8c101394fee5c7cf52831d652618b3 /meta-python
parent: 37a9f61879b4610c5824a2dbd95b5f3391840803 (diff)
download: meta-openembedded-dadb8790bdf59463ab41ebb65f87e659eafa5664.tar.gz
2 files changed, 114 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
new file mode 100644
index 0000000000..9049b2ffe6
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
@@ -0,0 +1,110 @@
+From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001
+From: Adriano Sela Aviles <adriano.selaviles@gmail.com>
+Date: Fri, 30 Aug 2024 12:14:31 -0400
+Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363)
+CVE: CVE-2024-6221
+Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ docs/configuration.rst  | 14 ++++++++++++++
+ flask_cors/core.py      |  8 +++++---
+ flask_cors/extension.py | 16 ++++++++++++++++
+ 3 files changed, 35 insertions(+), 3 deletions(-)
+diff --git a/docs/configuration.rst b/docs/configuration.rst
+index 91282d3..c750cf4 100644
+--- a/docs/configuration.rst
+++ b/docs/configuration.rst
+@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`)
+    Headers to accept from the client.
+    Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header.
+CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`)
+   If True, the response header :http:header:`Access-Control-Allow-Private-Network`
+   will be set with the value 'true' whenever the request header
+   :http:header:`Access-Control-Request-Private-Network` has a value 'true'.
+
+   If False, the reponse header :http:header:`Access-Control-Allow-Private-Network`
+   will be set with the value 'false' whenever the request header
+   :http:header:`Access-Control-Request-Private-Network` has a value of 'true'.
+
+   If the request header :http:header:`Access-Control-Request-Private-Network` is
+   not present or has a value other than 'true', the response header
+   :http:header:`Access-Control-Allow-Private-Network` will not be set.
+
+ CORS_ALWAYS_SEND (:py:class:`bool`)
+    Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS.
+    This means we can ignore this request.
+@@ -83,6 +96,7 @@ Default values
+ ~~~~~~~~~~~~~~
+ * CORS_ALLOW_HEADERS: "*"
+* CORS_ALLOW_PRIVATE_NETWORK: True
+ * CORS_ALWAYS_SEND: True
+ * CORS_AUTOMATIC_OPTIONS: True
+ * CORS_EXPOSE_HEADERS: None
+diff --git a/flask_cors/core.py b/flask_cors/core.py
+index 5358036..bd011f4 100644
+--- a/flask_cors/core.py
+++ b/flask_cors/core.py
+@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS',
+                   'CORS_MAX_AGE', 'CORS_SEND_WILDCARD',
+                   'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER',
+                   'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS',
+-                  'CORS_ALWAYS_SEND']
+                  'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK']
+ # Attribute added to request object by decorator to indicate that CORS
+ # was evaluated, in case the decorator and extension are both applied
+ # to a view.
+@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*',
+                        vary_header=True,
+                        resources=r'/*',
+                        intercept_exceptions=True,
+-                       always_send=True)
+                       always_send=True,
+                       allow_private_network=True)
+ def parse_resources(resources):
+@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method):
+     if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \
+             and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
+-        headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true'
+        allow_private_network = 'true' if options.get('allow_private_network') else 'false'
+        headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network
+     # This is a preflight request
+     # http://www.w3.org/TR/cors/#resource-preflight-requests
+diff --git a/flask_cors/extension.py b/flask_cors/extension.py
+index c00cbff..694953f 100644
+--- a/flask_cors/extension.py
+++ b/flask_cors/extension.py
+@@ -136,6 +136,22 @@ class CORS(object):
+         Default : True
+     :type vary_header: bool
+
+    :param allow_private_network:
+        If True, the response header `Access-Control-Allow-Private-Network`
+        will be set with the value 'true' whenever the request header
+        `Access-Control-Request-Private-Network` has a value 'true'.
+
+        If False, the reponse header `Access-Control-Allow-Private-Network`
+        will be set with the value 'false' whenever the request header
+        `Access-Control-Request-Private-Network` has a value of 'true'.
+
+        If the request header `Access-Control-Request-Private-Network` is
+        not present or has a value other than 'true', the response header
+        `Access-Control-Allow-Private-Network` will not be set.
+
+        Default : True
+    :type allow_private_network: bool
+     """
+     def __init__(self, app=None, **kwargs):
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb
index 1d0d86b4e7..77b51c5515 100644
--- a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb
+++ b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb
@@ -9,6 +9,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce"
 PYPI_PACKAGE = "Flask-Cors"
+SRC_URI += " \
+        file://CVE-2024-6221.patch \
+"
 SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0"
 inherit pypi setuptools3
author	Soumya Sambu <soumya.sambu@windriver.com>	2024-09-03 12:52:59 +0000
committer	Khem Raj <raj.khem@gmail.com>	2024-09-03 07:05:13 -0700
commit	dadb8790bdf59463ab41ebb65f87e659eafa5664 (patch)
tree	131255061e8c101394fee5c7cf52831d652618b3 /meta-python
parent	37a9f61879b4610c5824a2dbd95b5f3391840803 (diff)
download	meta-openembedded-dadb8790bdf59463ab41ebb65f87e659eafa5664.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch new file mode 100644 index 0000000000..9049b2ffe6 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
@@ -0,0 +1,110 @@
		1	From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001
		2	From: Adriano Sela Aviles <adriano.selaviles@gmail.com>
		3	Date: Fri, 30 Aug 2024 12:14:31 -0400
		4	Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363)
		5
		6	CVE: CVE-2024-6221
		7
		8	Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec]
		9
		10	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		11	---
		12	docs/configuration.rst \| 14 ++++++++++++++
		13	flask_cors/core.py \| 8 +++++---
		14	flask_cors/extension.py \| 16 ++++++++++++++++
		15	3 files changed, 35 insertions(+), 3 deletions(-)
		16
		17	diff --git a/docs/configuration.rst b/docs/configuration.rst
		18	index 91282d3..c750cf4 100644
		19	--- a/docs/configuration.rst
		20	+++ b/docs/configuration.rst
		21	@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`)
		22	Headers to accept from the client.
		23	Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header.
		24
		25	+CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`)
		26	+ If True, the response header :http:header:`Access-Control-Allow-Private-Network`
		27	+ will be set with the value 'true' whenever the request header
		28	+ :http:header:`Access-Control-Request-Private-Network` has a value 'true'.
		29	+
		30	+ If False, the reponse header :http:header:`Access-Control-Allow-Private-Network`
		31	+ will be set with the value 'false' whenever the request header
		32	+ :http:header:`Access-Control-Request-Private-Network` has a value of 'true'.
		33	+
		34	+ If the request header :http:header:`Access-Control-Request-Private-Network` is
		35	+ not present or has a value other than 'true', the response header
		36	+ :http:header:`Access-Control-Allow-Private-Network` will not be set.
		37	+
		38	CORS_ALWAYS_SEND (:py:class:`bool`)
		39	Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS.
		40	This means we can ignore this request.
		41	@@ -83,6 +96,7 @@ Default values
		42	~~~~~~~~~~~~~~
		43
		44	* CORS_ALLOW_HEADERS: "*"
		45	+* CORS_ALLOW_PRIVATE_NETWORK: True
		46	* CORS_ALWAYS_SEND: True
		47	* CORS_AUTOMATIC_OPTIONS: True
		48	* CORS_EXPOSE_HEADERS: None
		49	diff --git a/flask_cors/core.py b/flask_cors/core.py
		50	index 5358036..bd011f4 100644
		51	--- a/flask_cors/core.py
		52	+++ b/flask_cors/core.py
		53	@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS',
		54	'CORS_MAX_AGE', 'CORS_SEND_WILDCARD',
		55	'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER',
		56	'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS',
		57	- 'CORS_ALWAYS_SEND']
		58	+ 'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK']
		59	# Attribute added to request object by decorator to indicate that CORS
		60	# was evaluated, in case the decorator and extension are both applied
		61	# to a view.
		62	@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*',
		63	vary_header=True,
		64	resources=r'/*',
		65	intercept_exceptions=True,
		66	- always_send=True)
		67	+ always_send=True,
		68	+ allow_private_network=True)
		69
		70
		71	def parse_resources(resources):
		72	@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method):
		73
		74	if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \
		75	and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
		76	- headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true'
		77	+ allow_private_network = 'true' if options.get('allow_private_network') else 'false'
		78	+ headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network
		79
		80	# This is a preflight request
		81	# http://www.w3.org/TR/cors/#resource-preflight-requests
		82	diff --git a/flask_cors/extension.py b/flask_cors/extension.py
		83	index c00cbff..694953f 100644
		84	--- a/flask_cors/extension.py
		85	+++ b/flask_cors/extension.py
		86	@@ -136,6 +136,22 @@ class CORS(object):
		87
		88	Default : True
		89	:type vary_header: bool
		90	+
		91	+ :param allow_private_network:
		92	+ If True, the response header `Access-Control-Allow-Private-Network`
		93	+ will be set with the value 'true' whenever the request header
		94	+ `Access-Control-Request-Private-Network` has a value 'true'.
		95	+
		96	+ If False, the reponse header `Access-Control-Allow-Private-Network`
		97	+ will be set with the value 'false' whenever the request header
		98	+ `Access-Control-Request-Private-Network` has a value of 'true'.
		99	+
		100	+ If the request header `Access-Control-Request-Private-Network` is
		101	+ not present or has a value other than 'true', the response header
		102	+ `Access-Control-Allow-Private-Network` will not be set.
		103	+
		104	+ Default : True
		105	+ :type allow_private_network: bool
		106	"""
		107
		108	def __init__(self, app=None, **kwargs):
		109	--
		110	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb index 1d0d86b4e7..77b51c5515 100644 --- a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb
@@ -9,6 +9,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce"
9		9
10	PYPI_PACKAGE = "Flask-Cors"	10	PYPI_PACKAGE = "Flask-Cors"
11		11
		12	SRC_URI += " \
		13	file://CVE-2024-6221.patch \
		14	"
		15
12	SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0"	16	SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0"
13		17
14	inherit pypi setuptools3	18	inherit pypi setuptools3