diff --git a/CVE-2023-30861.patch b/CVE-2023-30861.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6459f755d34eb99e380fc079171f491de34db54f
--- /dev/null
+++ b/CVE-2023-30861.patch
@@ -0,0 +1,97 @@
+From 3fddbbeaa006ba299cf8e8356618a1d9043091eb Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Thu, 11 May 2023 15:46:45 +0800
+Subject: [PATCH 1/1] set `Vary: Cookie` header consistently for session
+
+Origin:
+https://github.com/pallets/flask/commit/8646edca6f47e2cd57464081b3911218d4734f8d
+
+---
+ src/flask/sessions.py | 10 ++++++----
+ tests/test_basic.py | 23 +++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/src/flask/sessions.py b/src/flask/sessions.py
+index 4e19270..039e30c 100644
+--- a/src/flask/sessions.py
++++ b/src/flask/sessions.py
+@@ -385,6 +385,10 @@ class SecureCookieSessionInterface(SessionInterface):
+ samesite = self.get_cookie_samesite(app)
+ httponly = self.get_cookie_httponly(app)
+
++ # Add a "Vary: Cookie" header if the session was accessed at all.
++ if session.accessed:
++ response.vary.add("Cookie")
++
+ # If the session is modified to be empty, remove the cookie.
+ # If the session is empty, return without setting the cookie.
+ if not session:
+@@ -397,13 +401,10 @@ class SecureCookieSessionInterface(SessionInterface):
+ samesite=samesite,
+ httponly=httponly,
+ )
++ response.vary.add("Cookie")
+
+ return
+
+- # Add a "Vary: Cookie" header if the session was accessed at all.
+- if session.accessed:
+- response.vary.add("Cookie")
+-
+ if not self.should_set_cookie(app, session):
+ return
+
+@@ -419,3 +420,4 @@ class SecureCookieSessionInterface(SessionInterface):
+ secure=secure,
+ samesite=samesite,
+ )
++ response.vary.add("Cookie")
+diff --git a/tests/test_basic.py b/tests/test_basic.py
+index 3dc3a0e..6cf1496 100644
+--- a/tests/test_basic.py
++++ b/tests/test_basic.py
+@@ -555,6 +555,11 @@ def test_session_vary_cookie(app, client):
+ def setdefault():
+ return flask.session.setdefault("test", "default")
+
++ @app.route("/clear")
++ def clear():
++ flask.session.clear()
++ return ""
++
+ @app.route("/vary-cookie-header-set")
+ def vary_cookie_header_set():
+ response = flask.Response()
+@@ -587,11 +592,29 @@ def test_session_vary_cookie(app, client):
+ expect("/get")
+ expect("/getitem")
+ expect("/setdefault")
++ expect("/clear")
+ expect("/vary-cookie-header-set")
+ expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
+ expect("/no-vary-header", None)
+
+
++def test_session_refresh_vary(app, client):
++ @app.get("/login")
++ def login():
++ flask.session["user_id"] = 1
++ flask.session.permanent = True
++ return ""
++
++ @app.get("/ignored")
++ def ignored():
++ return ""
++
++ rv = client.get("/login")
++ assert rv.headers["Vary"] == "Cookie"
++ rv = client.get("/ignored")
++ assert rv.headers["Vary"] == "Cookie"
++
++
+ def test_flashes(app, req_ctx):
+ assert not flask.session.modified
+ flask.flash("Zap")
+-- 
+2.30.0
+
diff --git a/python-flask.spec b/python-flask.spec
index c898763dad393a68b9ad352c6a12776f62ef95f3..8c13a193d180e916b3a0a52e304b0c2e17404986 100644
--- a/python-flask.spec
+++ b/python-flask.spec
@@ -1,6 +1,6 @@
 Name: python-flask
 Version: 2.1.2
-Release: 3
+Release: 4
 Epoch: 1
 Summary: A lightweight WSGI web application framework
 License: BSD-3-Clause
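Review bot: The regression test this backport adds, `test_session_refresh_vary`, does not gate the package build, because `%check` runs `py.test-%{python3_version} -v || :` (visible as context in the last spec hunk), so a patch that applied but left the `Vary: Cookie` behaviour broken on 2.1.2 would still produce an RPM. Consider dropping the `|| :` fallback, or at minimum running `tests/test_basic.py` as a hard check so the CVE-2023-30861 fix is actually verified at build time. The sessions.py hunks track the upstream commit named in the `Origin:` header: the `session.accessed` guard is moved ahead of the empty-session early return and `response.vary.add("Cookie")` is added after both `delete_cookie` and `set_cookie`, which is what the refresh-without-access case needs. The spec's prep section is outside this diff, so whether `Patch2` is picked up automatically (e.g. by `%autosetup`) or still needs an explicit `%patch` line cannot be confirmed from here.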
@@ -8,6 +8,7 @@ URL: https://palletsprojects.com/p/flask/
 Source0: https://files.pythonhosted.org/packages/source/F/Flask/Flask-%{version}.tar.gz
 Patch0: Fix-linting-error.patch
 Patch1: Fix-incorrect-references-to-query-in-testing-doc.patch
+Patch2: CVE-2023-30861.patch
 
 BuildArch: noarch
 
@@ -54,6 +55,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-%{python3_version} -v || :
 %{python3_sitelib}/*
 
 %changelog
+* Thu May 11 2023 yaoxin - 1:2.1.2-4
+- Fix CVE-2023-30861
+
 * Fri Jan 13 2023 zhangliangpengkun - 1:2.1.2-3
 - Fix incorrect references to query in testing doc
 