| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-01-05 09:32:01 +0100 |
|---|---|---|
| committer | Gyorgy Sarvari <skandigraun@gmail.com> | 2026-01-08 22:03:03 +0100 |
| commit | 292baf6ad8b65988e8820ec4e988bfa0220b39ae (patch) | |
| tree | 388e718d732960f97e77102dfd4bab630d2d4881 /meta-python/recipes-devtools | |
| parent | 2e557033bddcd52d5bee404d3cc9cf692fd94887 (diff) | |
| download | meta-openembedded-292baf6ad8b65988e8820ec4e988bfa0220b39ae.tar.gz | |
python3-flask: patch CVE-2023-30861
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30861
Pick the patch referenced by the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools')
| -rw-r--r-- | meta-python/recipes-devtools/python/python3-flask/CVE-2023-30861.patch | 94 | ||||
| -rw-r--r-- | meta-python/recipes-devtools/python/python3-flask_2.1.1.bb | 1 |
2 files changed, 95 insertions, 0 deletions
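--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-flask/CVE-2023-30861.patch
@@ -0,0 +1,94 @@
+From 32cc429640d7307caa2075d15b0634fd886c6381 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Mon, 1 May 2023 08:01:32 -0700
+Subject: [PATCH] set `Vary: Cookie` header consistently for session
+
+CVE: CVE-2023-30861
+Upstream-Status: Backport [https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+src/flask/sessions.py | 10 ++++++----
+tests/test_basic.py | 23 +++++++++++++++++++++++
+2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/src/flask/sessions.py b/src/flask/sessions.py
+index 4e19270..039e30c 100644
+--- a/src/flask/sessions.py
++++ b/src/flask/sessions.py
+@@ -385,6 +385,10 @@ class SecureCookieSessionInterface(SessionInterface):
+samesite = self.get_cookie_samesite(app)
+httponly = self.get_cookie_httponly(app)
+
++ # Add a "Vary: Cookie" header if the session was accessed at all.
++ if session.accessed:
++ response.vary.add("Cookie")
++
+# If the session is modified to be empty, remove the cookie.
+# If the session is empty, return without setting the cookie.
+if not session:
+@@ -397,13 +401,10 @@ class SecureCookieSessionInterface(SessionInterface):
+samesite=samesite,
+httponly=httponly,
+)
++ response.vary.add("Cookie")
+
+return
+
+- # Add a "Vary: Cookie" header if the session was accessed at all.
+- if session.accessed:
+- response.vary.add("Cookie")
+-
+if not self.should_set_cookie(app, session):
+return
+
+@@ -419,3 +420,4 @@ class SecureCookieSessionInterface(SessionInterface):
+secure=secure,
+samesite=samesite,
+)
++ response.vary.add("Cookie")
+diff --git a/tests/test_basic.py b/tests/test_basic.py
+index 2a177e9..2da7699 100644
+--- a/tests/test_basic.py
++++ b/tests/test_basic.py
+@@ -558,6 +558,11 @@ def test_session_vary_cookie(app, client):
+def setdefault():
+return flask.session.setdefault("test", "default")
+
++ @app.route("/clear")
++ def clear():
++ flask.session.clear()
++ return ""
++
+@app.route("/vary-cookie-header-set")
+def vary_cookie_header_set():
+response = flask.Response()
+@@ -590,11 +595,29 @@ def test_session_vary_cookie(app, client):
+expect("/get")
+expect("/getitem")
+expect("/setdefault")
++ expect("/clear")
+expect("/vary-cookie-header-set")
+expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
+expect("/no-vary-header", None)
+
+
++def test_session_refresh_vary(app, client):
++ @app.get("/login")
++ def login():
++ flask.session["user_id"] = 1
++ flask.session.permanent = True
++ return ""
++
++ @app.get("/ignored")
++ def ignored():
++ return ""
++
++ rv = client.get("/login")
++ assert rv.headers["Vary"] == "Cookie"
++ rv = client.get("/ignored")
++ assert rv.headers["Vary"] == "Cookie"
++
++
+def test_flashes(app, req_ctx):
+assert not flask.session.modified
+flask.flash("Zap")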
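Review bot: The patch's provenance is inconsistent: the header line `From 32cc429640d7307caa2075d15b0634fd886c6381` names one upstream commit while the `Upstream-Status: Backport [https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965]` trailer names another, so a reader cannot tell which commit was cherry-picked or verify the backport against upstream. If one hash is the merge or branch cherry-pick of the other, say so in the trailer; otherwise point both at the commit that was actually applied, e.g. `Upstream-Status: Backport [https://github.com/pallets/flask/commit/32cc429640d7307caa2075d15b0634fd886c6381]`. The `CVE: CVE-2023-30861` tag is what cve-check consumes to mark the issue as patched, so it should stay as-is either way. Note also that the `Vary: Cookie` header the patched `sessions.py` method now emits after every `set_cookie`/`delete_cookie` only prevents a shared cache from serving one client's session cookie to another if the intermediate cache honors `Vary`; the method itself starts before the first hunk and is not fully visible here, but nothing in it can enforce that on the proxy side.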
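--- a/meta-python/recipes-devtools/python/python3-flask_2.1.1.bb
+++ b/meta-python/recipes-devtools/python/python3-flask_2.1.1.bb
@@ -6,6 +6,7 @@ HOMEPAGE = "https://github.com/mitsuhiko/flask/"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=ffeffa59c90c9c4a033c7574f8f3fb75"
 
+SRC_URI += "file://CVE-2023-30861.patch"
 SRC_URI[sha256sum] = "a8c9bd3e558ec99646d177a9739c41df1ded0629480b4c8d2975412f3c9519c8"
 
 PYPI_PACKAGE = "Flask"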
