1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001
From: Adriano Sela Aviles <adriano.selaviles@gmail.com>
Date: Fri, 30 Aug 2024 12:14:31 -0400
Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363)
CVE: CVE-2024-6221
Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec]
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
docs/configuration.rst | 14 ++++++++++++++
flask_cors/core.py | 8 +++++---
flask_cors/extension.py | 16 ++++++++++++++++
3 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 91282d3..c750cf4 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`)
Headers to accept from the client.
Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header.
+CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`)
+ If True, the response header :http:header:`Access-Control-Allow-Private-Network`
+ will be set with the value 'true' whenever the request header
+ :http:header:`Access-Control-Request-Private-Network` has a value 'true'.
+
+ If False, the reponse header :http:header:`Access-Control-Allow-Private-Network`
+ will be set with the value 'false' whenever the request header
+ :http:header:`Access-Control-Request-Private-Network` has a value of 'true'.
+
+ If the request header :http:header:`Access-Control-Request-Private-Network` is
+ not present or has a value other than 'true', the response header
+ :http:header:`Access-Control-Allow-Private-Network` will not be set.
+
CORS_ALWAYS_SEND (:py:class:`bool`)
Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS.
This means we can ignore this request.
@@ -83,6 +96,7 @@ Default values
~~~~~~~~~~~~~~
* CORS_ALLOW_HEADERS: "*"
+* CORS_ALLOW_PRIVATE_NETWORK: True
* CORS_ALWAYS_SEND: True
* CORS_AUTOMATIC_OPTIONS: True
* CORS_EXPOSE_HEADERS: None
diff --git a/flask_cors/core.py b/flask_cors/core.py
index 5358036..bd011f4 100644
--- a/flask_cors/core.py
+++ b/flask_cors/core.py
@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS',
'CORS_MAX_AGE', 'CORS_SEND_WILDCARD',
'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER',
'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS',
- 'CORS_ALWAYS_SEND']
+ 'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK']
# Attribute added to request object by decorator to indicate that CORS
# was evaluated, in case the decorator and extension are both applied
# to a view.
@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*',
vary_header=True,
resources=r'/*',
intercept_exceptions=True,
- always_send=True)
+ always_send=True,
+ allow_private_network=True)
def parse_resources(resources):
@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method):
if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \
and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
- headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true'
+ allow_private_network = 'true' if options.get('allow_private_network') else 'false'
+ headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network
# This is a preflight request
# http://www.w3.org/TR/cors/#resource-preflight-requests
diff --git a/flask_cors/extension.py b/flask_cors/extension.py
index c00cbff..694953f 100644
--- a/flask_cors/extension.py
+++ b/flask_cors/extension.py
@@ -136,6 +136,22 @@ class CORS(object):
Default : True
:type vary_header: bool
+
+ :param allow_private_network:
+ If True, the response header `Access-Control-Allow-Private-Network`
+ will be set with the value 'true' whenever the request header
+ `Access-Control-Request-Private-Network` has a value 'true'.
+
+ If False, the reponse header `Access-Control-Allow-Private-Network`
+ will be set with the value 'false' whenever the request header
+ `Access-Control-Request-Private-Network` has a value of 'true'.
+
+ If the request header `Access-Control-Request-Private-Network` is
+ not present or has a value other than 'true', the response header
+ `Access-Control-Allow-Private-Network` will not be set.
+
+ Default : True
+ :type allow_private_network: bool
"""
def __init__(self, app=None, **kwargs):
--
2.40.0
|
