From fbe5524dc822317c1a4b7aad566a6dae5657cb22 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Fri, 23 Jan 2026 18:02:15 +0100 Subject: python3-flask-cors: upgrade 4.0.0 -> 4.0.2 Contains a fix for CVE-2024-6221 (related patch dropped) and CVE-2024-1681 Changelog: 4.0.1: - Fix Read the Docs builds - Update extension.py to clean request.path before logging it - Update CI to include Python 3.12 and flask 3.0.3 4.0.2: - Bump requests from 2.31.0 to 2.32.0 in /docs - Backwards Compatible Fix for CVE-2024-6221 - Add unit tests for Private-Network Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal --- .../python/python3-flask-cors/CVE-2024-6221.patch | 110 --------------------- .../python/python3-flask-cors_4.0.0.bb | 20 ---- .../python/python3-flask-cors_4.0.2.bb | 16 +++ 3 files changed, 16 insertions(+), 130 deletions(-) delete mode 100644 meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch delete mode 100644 meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb create mode 100644 meta-python/recipes-devtools/python/python3-flask-cors_4.0.2.bb (limited to 'meta-python/recipes-devtools/python') diff --git a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch deleted file mode 100644 index 9049b2ffe6..0000000000 --- a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001 -From: Adriano Sela Aviles -Date: Fri, 30 Aug 2024 12:14:31 -0400 -Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363) - -CVE: CVE-2024-6221 - -Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec] - -Signed-off-by: Soumya Sambu ---- - docs/configuration.rst | 14 ++++++++++++++ - flask_cors/core.py | 8 +++++--- - flask_cors/extension.py | 16 ++++++++++++++++ - 3 files changed, 35 insertions(+), 3 deletions(-) - -diff --git a/docs/configuration.rst b/docs/configuration.rst -index 91282d3..c750cf4 100644 ---- a/docs/configuration.rst -+++ b/docs/configuration.rst -@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`) - Headers to accept from the client. - Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header. - -+CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`) -+ If True, the response header :http:header:`Access-Control-Allow-Private-Network` -+ will be set with the value 'true' whenever the request header -+ :http:header:`Access-Control-Request-Private-Network` has a value 'true'. -+ -+ If False, the reponse header :http:header:`Access-Control-Allow-Private-Network` -+ will be set with the value 'false' whenever the request header -+ :http:header:`Access-Control-Request-Private-Network` has a value of 'true'. -+ -+ If the request header :http:header:`Access-Control-Request-Private-Network` is -+ not present or has a value other than 'true', the response header -+ :http:header:`Access-Control-Allow-Private-Network` will not be set. -+ - CORS_ALWAYS_SEND (:py:class:`bool`) - Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS. 
- This means we can ignore this request. -@@ -83,6 +96,7 @@ Default values - ~~~~~~~~~~~~~~ - - * CORS_ALLOW_HEADERS: "*" -+* CORS_ALLOW_PRIVATE_NETWORK: True - * CORS_ALWAYS_SEND: True - * CORS_AUTOMATIC_OPTIONS: True - * CORS_EXPOSE_HEADERS: None -diff --git a/flask_cors/core.py b/flask_cors/core.py -index 5358036..bd011f4 100644 ---- a/flask_cors/core.py -+++ b/flask_cors/core.py -@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS', - 'CORS_MAX_AGE', 'CORS_SEND_WILDCARD', - 'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER', - 'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS', -- 'CORS_ALWAYS_SEND'] -+ 'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK'] - # Attribute added to request object by decorator to indicate that CORS - # was evaluated, in case the decorator and extension are both applied - # to a view. -@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*', - vary_header=True, - resources=r'/*', - intercept_exceptions=True, -- always_send=True) -+ always_send=True, -+ allow_private_network=True) - - - def parse_resources(resources): -@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method): - - if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \ - and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true': -- headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true' -+ allow_private_network = 'true' if options.get('allow_private_network') else 'false' -+ headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network - - # This is a preflight request - # http://www.w3.org/TR/cors/#resource-preflight-requests -diff --git a/flask_cors/extension.py b/flask_cors/extension.py -index c00cbff..694953f 100644 ---- a/flask_cors/extension.py -+++ b/flask_cors/extension.py -@@ -136,6 +136,22 @@ class CORS(object): - - Default : True - :type vary_header: bool -+ -+ :param allow_private_network: -+ If True, the response header `Access-Control-Allow-Private-Network` -+ will be set with the value 'true' whenever 
the request header -+ `Access-Control-Request-Private-Network` has a value 'true'. -+ -+ If False, the reponse header `Access-Control-Allow-Private-Network` -+ will be set with the value 'false' whenever the request header -+ `Access-Control-Request-Private-Network` has a value of 'true'. -+ -+ If the request header `Access-Control-Request-Private-Network` is -+ not present or has a value other than 'true', the response header -+ `Access-Control-Allow-Private-Network` will not be set. -+ -+ Default : True -+ :type allow_private_network: bool - """ - - def __init__(self, app=None, **kwargs): --- -2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb deleted file mode 100644 index 77b51c5515..0000000000 --- a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb +++ /dev/null @@ -1,20 +0,0 @@ -HOMEPAGE = "https://pypi.python.org/pypi/Flask-Cors/" -SUMMARY = "A Flask extension adding a decorator for CORS support" -DESCRIPTION = "\ - A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible \ - " -SECTION = "devel/python" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce" - -PYPI_PACKAGE = "Flask-Cors" - -SRC_URI += " \ - file://CVE-2024-6221.patch \ -" - -SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0" - -inherit pypi setuptools3 - -RDEPENDS:${PN} += "python3-flask" diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.2.bb b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.2.bb new file mode 100644 index 0000000000..ca9facac46 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.2.bb 
@@ -0,0 +1,16 @@
+HOMEPAGE = "https://pypi.python.org/pypi/Flask-Cors/"
+SUMMARY = "A Flask extension adding a decorator for CORS support"
+DESCRIPTION = "\
+ A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible \
+ "
+SECTION = "devel/python"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce"
+
+PYPI_PACKAGE = "flask_cors"
+
+SRC_URI[sha256sum] = "493b98e2d1e2f1a4720a7af25693ef2fe32fbafec09a2f72c59f3e475eda61d2"
+
+inherit pypi setuptools3
+
+RDEPENDS:${PN} += "python3-flask"
-- cgit v1.2.3-54-g00ecf
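Review bot: Nothing in the new 4.0.2 recipe records that the CVE-2024-6221 fix it now relies on is opt-in rather than on by default. The backport removed by this commit kept `allow_private_network=True` in `DEFAULT_OPTIONS` and answers `Access-Control-Allow-Private-Network: false` only when the option is explicitly disabled; the changelog wording ("Backwards Compatible Fix") suggests the 4.0.2 tarball behaves the same, though that is inferred and not visible here. A comment above `SRC_URI[sha256sum]` would keep this visible to image builders, for example `# CVE-2024-6221 fix is opt-in: applications must set CORS_ALLOW_PRIVATE_NETWORK = False`. Separately, `PYPI_PACKAGE` changes from `Flask-Cors` to `flask_cors`; if `CVE_PRODUCT` is derived from it in this layer, it is worth confirming that cve-check still matches the recipe against the upstream product name.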