python3-flask-cors: upgrade 4.0.0 -> 5.0.0

Contains fix for CVE-2024-6221 and CVE-2024-1681 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-05 12:53:45 +0100
committer: Khem Raj <raj.khem@gmail.com> 2026-01-05 18:16:19 -0800
commit: c6ac2c467df79a3b3a8d698537d64f5dc34b10a1 (patch)
tree: 8cd5c6c077f3df2e795a11f2daa7fe6d58770a5d /meta-python/recipes-devtools/python
parent: cbb4f9d4e0f737b552e9e6cb8488b80b324611d8 (diff)
download: meta-openembedded-c6ac2c467df79a3b3a8d698537d64f5dc34b10a1.tar.gz
2 files changed, 2 insertions, 117 deletions
diff --git a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
deleted file mode 100644
index 9049b2ffe6..0000000000
--- a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001
-From: Adriano Sela Aviles <adriano.selaviles@gmail.com>
-Date: Fri, 30 Aug 2024 12:14:31 -0400
-Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363)
-CVE: CVE-2024-6221
-Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec]
-Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
- docs/configuration.rst  | 14 ++++++++++++++
- flask_cors/core.py      |  8 +++++---
- flask_cors/extension.py | 16 ++++++++++++++++
- 3 files changed, 35 insertions(+), 3 deletions(-)
-diff --git a/docs/configuration.rst b/docs/configuration.rst
-index 91282d3..c750cf4 100644
--- a/docs/configuration.rst
-+++ b/docs/configuration.rst
-@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`)
-    Headers to accept from the client.
-    Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header.
-+CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`)
-+   If True, the response header :http:header:`Access-Control-Allow-Private-Network`
-+   will be set with the value 'true' whenever the request header
-+   :http:header:`Access-Control-Request-Private-Network` has a value 'true'.
-+
-+   If False, the reponse header :http:header:`Access-Control-Allow-Private-Network`
-+   will be set with the value 'false' whenever the request header
-+   :http:header:`Access-Control-Request-Private-Network` has a value of 'true'.
-+
-+   If the request header :http:header:`Access-Control-Request-Private-Network` is
-+   not present or has a value other than 'true', the response header
-+   :http:header:`Access-Control-Allow-Private-Network` will not be set.
-+
- CORS_ALWAYS_SEND (:py:class:`bool`)
-    Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS.
-    This means we can ignore this request.
-@@ -83,6 +96,7 @@ Default values
- ~~~~~~~~~~~~~~
- * CORS_ALLOW_HEADERS: "*"
-+* CORS_ALLOW_PRIVATE_NETWORK: True
- * CORS_ALWAYS_SEND: True
- * CORS_AUTOMATIC_OPTIONS: True
- * CORS_EXPOSE_HEADERS: None
-diff --git a/flask_cors/core.py b/flask_cors/core.py
-index 5358036..bd011f4 100644
--- a/flask_cors/core.py
-+++ b/flask_cors/core.py
-@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS',
-                   'CORS_MAX_AGE', 'CORS_SEND_WILDCARD',
-                   'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER',
-                   'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS',
-                  'CORS_ALWAYS_SEND']
-+                  'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK']
- # Attribute added to request object by decorator to indicate that CORS
- # was evaluated, in case the decorator and extension are both applied
- # to a view.
-@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*',
-                        vary_header=True,
-                        resources=r'/*',
-                        intercept_exceptions=True,
-                       always_send=True)
-+                       always_send=True,
-+                       allow_private_network=True)
- def parse_resources(resources):
-@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method):
-     if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \
-             and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
-        headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true'
-+        allow_private_network = 'true' if options.get('allow_private_network') else 'false'
-+        headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network
-     # This is a preflight request
-     # http://www.w3.org/TR/cors/#resource-preflight-requests
-diff --git a/flask_cors/extension.py b/flask_cors/extension.py
-index c00cbff..694953f 100644
--- a/flask_cors/extension.py
-+++ b/flask_cors/extension.py
-@@ -136,6 +136,22 @@ class CORS(object):
-         Default : True
-     :type vary_header: bool
-+
-+    :param allow_private_network:
-+        If True, the response header `Access-Control-Allow-Private-Network`
-+        will be set with the value 'true' whenever the request header
-+        `Access-Control-Request-Private-Network` has a value 'true'.
-+
-+        If False, the reponse header `Access-Control-Allow-Private-Network`
-+        will be set with the value 'false' whenever the request header
-+        `Access-Control-Request-Private-Network` has a value of 'true'.
-+
-+        If the request header `Access-Control-Request-Private-Network` is
-+        not present or has a value other than 'true', the response header
-+        `Access-Control-Allow-Private-Network` will not be set.
-+
-+        Default : True
-+    :type allow_private_network: bool
-     """
-     def __init__(self, app=None, **kwargs):
--
-2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb b/meta-python/recipes-devtools/python/python3-flask-cors_5.0.0.bb
index d3e97dad9b..1fead4f8d1 100644
--- a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb
+++ b/meta-python/recipes-devtools/python/python3-flask-cors_5.0.0.bb
@@ -7,17 +7,12 @@ SECTION = "devel/python"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce"
-PYPI_PACKAGE = "Flask-Cors"
+PYPI_PACKAGE = "flask_cors"
 UPSTREAM_CHECK_PYPI_PACKAGE = "${PYPI_PACKAGE}"
-SRC_URI += " \
-        file://CVE-2024-6221.patch \
-"
-SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0"
 CVE_PRODUCT = "flask-cors"
 inherit pypi setuptools3
+SRC_URI[sha256sum] = "5aadb4b950c4e93745034594d9f3ea6591f734bb3662e16e255ffbf5e89c88ef"
 RDEPENDS:${PN} += "python3-flask"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-05 12:53:45 +0100
committer	Khem Raj <raj.khem@gmail.com>	2026-01-05 18:16:19 -0800
commit	c6ac2c467df79a3b3a8d698537d64f5dc34b10a1 (patch)
tree	8cd5c6c077f3df2e795a11f2daa7fe6d58770a5d /meta-python/recipes-devtools/python
parent	cbb4f9d4e0f737b552e9e6cb8488b80b324611d8 (diff)
download	meta-openembedded-c6ac2c467df79a3b3a8d698537d64f5dc34b10a1.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch deleted file mode 100644 index 9049b2ffe6..0000000000 --- a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch +++ /dev/null
@@ -1,110 +0,0 @@
1	From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001
2	From: Adriano Sela Aviles <adriano.selaviles@gmail.com>
3	Date: Fri, 30 Aug 2024 12:14:31 -0400
4	Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363)
5
6	CVE: CVE-2024-6221
7
8	Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec]
9
10	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
11	---
12	docs/configuration.rst \| 14 ++++++++++++++
13	flask_cors/core.py \| 8 +++++---
14	flask_cors/extension.py \| 16 ++++++++++++++++
15	3 files changed, 35 insertions(+), 3 deletions(-)
16
17	diff --git a/docs/configuration.rst b/docs/configuration.rst
18	index 91282d3..c750cf4 100644
19	--- a/docs/configuration.rst
20	+++ b/docs/configuration.rst
21	@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`)
22	Headers to accept from the client.
23	Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header.
24
25	+CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`)
26	+ If True, the response header :http:header:`Access-Control-Allow-Private-Network`
27	+ will be set with the value 'true' whenever the request header
28	+ :http:header:`Access-Control-Request-Private-Network` has a value 'true'.
29	+
30	+ If False, the reponse header :http:header:`Access-Control-Allow-Private-Network`
31	+ will be set with the value 'false' whenever the request header
32	+ :http:header:`Access-Control-Request-Private-Network` has a value of 'true'.
33	+
34	+ If the request header :http:header:`Access-Control-Request-Private-Network` is
35	+ not present or has a value other than 'true', the response header
36	+ :http:header:`Access-Control-Allow-Private-Network` will not be set.
37	+
38	CORS_ALWAYS_SEND (:py:class:`bool`)
39	Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS.
40	This means we can ignore this request.
41	@@ -83,6 +96,7 @@ Default values
42	~~~~~~~~~~~~~~
43
44	* CORS_ALLOW_HEADERS: "*"
45	+* CORS_ALLOW_PRIVATE_NETWORK: True
46	* CORS_ALWAYS_SEND: True
47	* CORS_AUTOMATIC_OPTIONS: True
48	* CORS_EXPOSE_HEADERS: None
49	diff --git a/flask_cors/core.py b/flask_cors/core.py
50	index 5358036..bd011f4 100644
51	--- a/flask_cors/core.py
52	+++ b/flask_cors/core.py
53	@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS',
54	'CORS_MAX_AGE', 'CORS_SEND_WILDCARD',
55	'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER',
56	'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS',
57	- 'CORS_ALWAYS_SEND']
58	+ 'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK']
59	# Attribute added to request object by decorator to indicate that CORS
60	# was evaluated, in case the decorator and extension are both applied
61	# to a view.
62	@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*',
63	vary_header=True,
64	resources=r'/*',
65	intercept_exceptions=True,
66	- always_send=True)
67	+ always_send=True,
68	+ allow_private_network=True)
69
70
71	def parse_resources(resources):
72	@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method):
73
74	if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \
75	and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
76	- headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true'
77	+ allow_private_network = 'true' if options.get('allow_private_network') else 'false'
78	+ headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network
79
80	# This is a preflight request
81	# http://www.w3.org/TR/cors/#resource-preflight-requests
82	diff --git a/flask_cors/extension.py b/flask_cors/extension.py
83	index c00cbff..694953f 100644
84	--- a/flask_cors/extension.py
85	+++ b/flask_cors/extension.py
86	@@ -136,6 +136,22 @@ class CORS(object):
87
88	Default : True
89	:type vary_header: bool
90	+
91	+ :param allow_private_network:
92	+ If True, the response header `Access-Control-Allow-Private-Network`
93	+ will be set with the value 'true' whenever the request header
94	+ `Access-Control-Request-Private-Network` has a value 'true'.
95	+
96	+ If False, the reponse header `Access-Control-Allow-Private-Network`
97	+ will be set with the value 'false' whenever the request header
98	+ `Access-Control-Request-Private-Network` has a value of 'true'.
99	+
100	+ If the request header `Access-Control-Request-Private-Network` is
101	+ not present or has a value other than 'true', the response header
102	+ `Access-Control-Allow-Private-Network` will not be set.
103	+
104	+ Default : True
105	+ :type allow_private_network: bool
106	"""
107
108	def __init__(self, app=None, **kwargs):
109	--
110	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb b/meta-python/recipes-devtools/python/python3-flask-cors_5.0.0.bb index d3e97dad9b..1fead4f8d1 100644 --- a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-flask-cors_5.0.0.bb
@@ -7,17 +7,12 @@ SECTION = "devel/python"
7	LICENSE = "MIT"	7	LICENSE = "MIT"
8	LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce"	8	LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce"
9		9
10	PYPI_PACKAGE = "Flask-Cors"	10	PYPI_PACKAGE = "flask_cors"
11	UPSTREAM_CHECK_PYPI_PACKAGE = "${PYPI_PACKAGE}"	11	UPSTREAM_CHECK_PYPI_PACKAGE = "${PYPI_PACKAGE}"
12		12
13	SRC_URI += " \
14	file://CVE-2024-6221.patch \
15	"
16
17	SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0"
18
19	CVE_PRODUCT = "flask-cors"	13	CVE_PRODUCT = "flask-cors"
20		14
21	inherit pypi setuptools3	15	inherit pypi setuptools3
		16	SRC_URI[sha256sum] = "5aadb4b950c4e93745034594d9f3ea6591f734bb3662e16e255ffbf5e89c88ef"
22		17
23	RDEPENDS:${PN} += "python3-flask"	18	RDEPENDS:${PN} += "python3-flask"