From bdf6872ec4d47bfe928dbed1a342abe107ec1683 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 12 Dec 2023 10:55:17 +0800
Subject: [PATCH] Fix CVE-2023-30861
(cherry picked from commit a2a8936cdceaae22392d357c6a5e6aa14b350a51)
---
 CVE-2023-30861.patch | 96 ++++++++++++++++++++++++++++++++++++++++++++
 python-flask.spec | 7 +++-
 2 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-30861.patch
diff --git a/CVE-2023-30861.patch b/CVE-2023-30861.patch
new file mode 100644
index 0000000..adeeba0
--- /dev/null
+++ b/CVE-2023-30861.patch
@@ -0,0 +1,96 @@
+From 8646edca6f47e2cd57464081b3911218d4734f8d Mon Sep 17 00:00:00 2001
+From: David Lord
+Date: Mon, 1 May 2023 08:01:32 -0700
+Subject: [PATCH] set `Vary: Cookie` header consistently for session
+
+Origin:
+https://github.com/pallets/flask/commit/8646edca6f47e2cd57464081b3911218d4734f8d
+---
+ src/flask/sessions.py | 10 ++++++----
+ tests/test_basic.py | 23 +++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/src/flask/sessions.py b/src/flask/sessions.py
+index c57ba29..127bc62 100644
+--- a/src/flask/sessions.py
++++ b/src/flask/sessions.py
+@@ -354,6 +354,10 @@ class SecureCookieSessionInterface(SessionInterface):
+ domain = self.get_cookie_domain(app)
+ path = self.get_cookie_path(app)
+
++ # Add a "Vary: Cookie" header if the session was accessed at all.
++ if session.accessed:
++ response.vary.add("Cookie")
++
+ # If the session is modified to be empty, remove the cookie.
+ # If the session is empty, return without setting the cookie.
+ if not session:
+@@ -361,13 +365,10 @@ class SecureCookieSessionInterface(SessionInterface):
+ response.delete_cookie(
+ app.session_cookie_name, domain=domain, path=path
+ )
++ response.vary.add("Cookie")
+
+ return
+
+- # Add a "Vary: Cookie" header if the session was accessed at all.
+- if session.accessed:
+- response.vary.add("Cookie")
+-
+ if not self.should_set_cookie(app, session):
+ return
+
+@@ -386,3 +387,4 @@ class SecureCookieSessionInterface(SessionInterface):
+ secure=secure,
+ samesite=samesite,
+ )
++ response.vary.add("Cookie")
+diff --git a/tests/test_basic.py b/tests/test_basic.py
+index 4d3b7b0..847c3f3 100644
+--- a/tests/test_basic.py
++++ b/tests/test_basic.py
+@@ -538,6 +538,11 @@ def test_session_vary_cookie(app, client):
+ def setdefault():
+ return flask.session.setdefault("test", "default")
+
++ @app.route("/clear")
++ def clear():
++ flask.session.clear()
++ return ""
++
+ @app.route("/vary-cookie-header-set")
+ def vary_cookie_header_set():
+ response = flask.Response()
+@@ -570,11 +575,29 @@ def test_session_vary_cookie(app, client):
+ expect("/get")
+ expect("/getitem")
+ expect("/setdefault")
++ expect("/clear")
+ expect("/vary-cookie-header-set")
+ expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
+ expect("/no-vary-header", None)
+
+
++def test_session_refresh_vary(app, client):
++ @app.route("/login", methods=["GET"])
++ def login():
++ flask.session["user_id"] = 1
++ flask.session.permanent = True
++ return ""
++
++ @app.route("/ignored", methods=["GET"])
++ def ignored():
++ return ""
++
++ rv = client.get("/login")
++ assert rv.headers["Vary"] == "Cookie"
++ rv = client.get("/ignored")
++ assert rv.headers["Vary"] == "Cookie"
++
++
+ def test_flashes(app, req_ctx):
+ assert not flask.session.modified
+ flask.flash("Zap")
+-- 
+2.30.0
+
diff --git a/python-flask.spec b/python-flask.spec
index 9ea5041..ab1a293 100644
--- a/python-flask.spec
+++ b/python-flask.spec
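Review bot: The unconditional `response.vary.add("Cookie")` added after the `set_cookie(...)` call at the end of `save_session` is the line that actually closes CVE-2023-30861, and it deserves a comment saying why, because the nearby "if the session was accessed" comment no longer explains it: with permanent sessions and the default per-request refresh (the `/ignored` route in `test_session_refresh_vary` exercises exactly this), a response can carry `Set-Cookie` without the handler ever touching the session, and without `Vary: Cookie` a shared cache could store it and replay one user's session cookie to another. I would add `# Any response that carries Set-Cookie is per-client; key shared caches on Cookie (CVE-2023-30861).` above that final line, and the same one-liner after the `delete_cookie(...)` branch. A caveat worth recording somewhere in the same comment: `Vary: Cookie` only changes how a cache keys the entry, it does not forbid caching a `Set-Cookie` response, so deployments behind a CDN that strips or ignores `Cookie` still need a `Cache-Control: private`/`no-store` policy for these responses — that is outside this patch's scope. The body of `save_session` begins before this hunk, and in this rendering the Python indentation of the hunk lines is lost, so the nesting of the new `vary.add` under `if session.modified:` should be confirmed against the upstream commit named in the `Origin:` line.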
@@ -1,11 +1,13 @@
Name: python-flask
Version: 1.1.2
-Release: 4
+Release: 5
Epoch: 1
Summary: A lightweight WSGI web application framework
License: BSD
URL: https://palletsprojects.com/p/flask/
Source0: https://files.pythonhosted.org/packages/source/F/Flask/Flask-%{version}.tar.gz
+# https://sources.debian.org/src/flask/1.1.2-2%2Bdeb11u1/debian/patches/CVE-2023-30861.patch/
+Patch0: CVE-2023-30861.patch
BuildArch: noarch
BuildRequires: python2-sphinx
@@ -77,6 +79,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-%{python3_version} -v || :
%{python3_sitelib}/*
%changelog
+* Tue Dec 12 2023 yaoxin - 1:1.1.2-5
+- Fix CVE-2023-30861
+
* Mon Oct 11 2021 Jiachen Fan - 1.1.2-4
- backport add require pythonx-simplejson. details see issue #I4CGIS
-- 
Gitee
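Review bot: The first hunk declares `Patch0: CVE-2023-30861.patch` but nothing in this diff touches `%prep`, so unless that section (outside the hunks) already uses `%autosetup -p1` the patch is listed and never applied, and the build would still ship the vulnerable `sessions.py` while the changelog claims the fix. Please confirm `%prep`, or add `%patch0 -p1` after the `%setup` line if it is a plain `%setup -q -n Flask-%{version}`. The `%check` invocation visible in the second hunk's header context, `py.test-%{python3_version} -v || :`, discards the test result, so the new `test_session_refresh_vary` cannot catch an unapplied patch either; consider dropping `|| :` or at least running `py.test-%{python3_version} -k "vary" tests/test_basic.py` without it. The Debian source URL in the comment is good provenance, but the patch is the Debian file for the same 1.1.2 base, so the `-p1` paths under `src/flask/` should apply cleanly to this Source0 tarball.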