From 32cc429640d7307caa2075d15b0634fd886c6381 Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Mon, 1 May 2023 08:01:32 -0700
Subject: [PATCH] set `Vary: Cookie` header consistently for session

CVE: CVE-2023-30861
Upstream-Status: Backport [https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 src/flask/sessions.py | 10 ++++++----
 tests/test_basic.py   | 23 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/flask/sessions.py b/src/flask/sessions.py
index 4e19270..039e30c 100644
--- a/src/flask/sessions.py
+++ b/src/flask/sessions.py
@@ -385,6 +385,10 @@ class SecureCookieSessionInterface(SessionInterface):
         samesite = self.get_cookie_samesite(app)
         httponly = self.get_cookie_httponly(app)
 
+        # Add a "Vary: Cookie" header if the session was accessed at all.
+        if session.accessed:
+            response.vary.add("Cookie")
+
         # If the session is modified to be empty, remove the cookie.
         # If the session is empty, return without setting the cookie.
         if not session:
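Review bot: The comment added at the top of this hunk, `# Add a "Vary: Cookie" header if the session was accessed at all.`, now understates the rule, because the cookie set and delete paths later in `save_session` add the header whether or not the session was read. Left as is, it invites a future "simplification" that removes the later unconditional additions and reopens the cache-poisoning issue this patch fixes. I would widen it to `# Add "Vary: Cookie" whenever the session was read. The cookie set/delete paths below add it too, so a response that depends on or changes the session cookie is never cached for another client without it.` The enclosing `save_session` body starts before this hunk.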
@@ -397,13 +401,10 @@ class SecureCookieSessionInterface(SessionInterface):
                     samesite=samesite,
                     httponly=httponly,
                 )
+                response.vary.add("Cookie")
 
             return
 
-        # Add a "Vary: Cookie" header if the session was accessed at all.
-        if session.accessed:
-            response.vary.add("Cookie")
-
         if not self.should_set_cookie(app, session):
             return
 
@@ -419,3 +420,4 @@ class SecureCookieSessionInterface(SessionInterface):
             secure=secure,
             samesite=samesite,
         )
+        response.vary.add("Cookie")
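Review bot: The unconditional `response.vary.add("Cookie")` after `set_cookie` carries no comment, yet it is the core of the fix: on this path the session may never have been read, so the earlier `session.accessed` guard does not fire, and a `Set-Cookie` response without `Vary: Cookie` can be stored by a shared cache and replayed to other users. I would annotate it: `# Always vary on Cookie when a session cookie is (re)emitted, even if the session was never read, so a shared cache cannot serve this Set-Cookie response to another client.` Keep in mind that `Vary` is only honoured by well-behaved caches; deployments behind a proxy or CDN that normalises or strips the Cookie header still need `Cache-Control: private` or `no-store` on responses carrying session cookies, which this patch does not add and which is probably out of scope for a backport. `save_session` and `should_set_cookie` are defined outside this hunk.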
diff --git a/tests/test_basic.py b/tests/test_basic.py
index 2a177e9..2da7699 100644
--- a/tests/test_basic.py
+++ b/tests/test_basic.py
@@ -558,6 +558,11 @@ def test_session_vary_cookie(app, client):
     def setdefault():
         return flask.session.setdefault("test", "default")
 
+    @app.route("/clear")
+    def clear():
+        flask.session.clear()
+        return ""
+
     @app.route("/vary-cookie-header-set")
     def vary_cookie_header_set():
         response = flask.Response()
@@ -590,11 +595,29 @@ def test_session_vary_cookie(app, client):
     expect("/get")
     expect("/getitem")
     expect("/setdefault")
+    expect("/clear")
     expect("/vary-cookie-header-set")
     expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
     expect("/no-vary-header", None)
 
 
+def test_session_refresh_vary(app, client):
+    @app.get("/login")
+    def login():
+        flask.session["user_id"] = 1
+        flask.session.permanent = True
+        return ""
+
+    @app.get("/ignored")
+    def ignored():
+        return ""
+
+    rv = client.get("/login")
+    assert rv.headers["Vary"] == "Cookie"
+    rv = client.get("/ignored")
+    assert rv.headers["Vary"] == "Cookie"
+
+
 def test_flashes(app, req_ctx):
     assert not flask.session.modified
     flask.flash("Zap")
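Review bot: `test_session_refresh_vary` asserts only the `Vary` header on `/ignored`, so it does not pin the scenario it is meant to cover, namely a session cookie being re-sent on a request whose handler never touched the session. Adding `assert "Set-Cookie" in rv.headers` after the `/ignored` request makes the test fail loudly if the cookie refresh stops happening for some unrelated reason while `Vary` is still set. The test also presumably relies on the default `SESSION_REFRESH_EACH_REQUEST` together with `session.permanent = True` to trigger the re-set; a short comment such as `# permanent + refresh-each-request re-sends the cookie on every response` would make that dependency visible. `test_flashes` continues outside this hunk.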