Fix CVE-2023-30861
(cherry picked from commit ad56f8a15678e24003ed2c9bf7dad79845e7d6a5)
This commit is contained in:
parent
c6502e0cb0
commit
25f322b2e0
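--- a/CVE-2023-30861.patch
+++ b/CVE-2023-30861.patch
@@ -0,0 +1,97 @@
+From 3fddbbeaa006ba299cf8e8356618a1d9043091eb Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Thu, 11 May 2023 15:46:45 +0800
+Subject: [PATCH 1/1] set `Vary: Cookie` header consistently for session
+
+Origin:
+https://github.com/pallets/flask/commit/8646edca6f47e2cd57464081b3911218d4734f8d
+
+---
+src/flask/sessions.py | 10 ++++++----
+tests/test_basic.py | 23 +++++++++++++++++++++++
+2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/src/flask/sessions.py b/src/flask/sessions.py
+index 4e19270..039e30c 100644
+--- a/src/flask/sessions.py
++++ b/src/flask/sessions.py
+@@ -385,6 +385,10 @@ class SecureCookieSessionInterface(SessionInterface):
+samesite = self.get_cookie_samesite(app)
+httponly = self.get_cookie_httponly(app)
+
++ # Add a "Vary: Cookie" header if the session was accessed at all.
++ if session.accessed:
++ response.vary.add("Cookie")
++
+# If the session is modified to be empty, remove the cookie.
+# If the session is empty, return without setting the cookie.
+if not session:
+@@ -397,13 +401,10 @@ class SecureCookieSessionInterface(SessionInterface):
+samesite=samesite,
+httponly=httponly,
+)
++ response.vary.add("Cookie")
+
+return
+
+- # Add a "Vary: Cookie" header if the session was accessed at all.
+- if session.accessed:
+- response.vary.add("Cookie")
+-
+if not self.should_set_cookie(app, session):
+return
+
+@@ -419,3 +420,4 @@ class SecureCookieSessionInterface(SessionInterface):
+secure=secure,
+samesite=samesite,
+)
++ response.vary.add("Cookie")
+diff --git a/tests/test_basic.py b/tests/test_basic.py
+index 3dc3a0e..6cf1496 100644
+--- a/tests/test_basic.py
++++ b/tests/test_basic.py
+@@ -555,6 +555,11 @@ def test_session_vary_cookie(app, client):
+def setdefault():
+return flask.session.setdefault("test", "default")
+
++ @app.route("/clear")
++ def clear():
++ flask.session.clear()
++ return ""
++
+@app.route("/vary-cookie-header-set")
+def vary_cookie_header_set():
+response = flask.Response()
+@@ -587,11 +592,29 @@ def test_session_vary_cookie(app, client):
+expect("/get")
+expect("/getitem")
+expect("/setdefault")
++ expect("/clear")
+expect("/vary-cookie-header-set")
+expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
+expect("/no-vary-header", None)
+
+
++def test_session_refresh_vary(app, client):
++ @app.get("/login")
++ def login():
++ flask.session["user_id"] = 1
++ flask.session.permanent = True
++ return ""
++
++ @app.get("/ignored")
++ def ignored():
++ return ""
++
++ rv = client.get("/login")
++ assert rv.headers["Vary"] == "Cookie"
++ rv = client.get("/ignored")
++ assert rv.headers["Vary"] == "Cookie"
++
++
+def test_flashes(app, req_ctx):
+assert not flask.session.modified
+flask.flash("Zap")
+--
+2.30.0
+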
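Review bot: The two `response.vary.add("Cookie")` calls this backport adds after `delete_cookie(...)` in the `@@ -397,13 +401,10 @@` hunk and after `set_cookie(...)` in the `@@ -419,3 +420,4 @@` hunk carry no comment, while the `if session.accessed:` block moved above them keeps its explanatory one. A reader of the 2.1.2 save_session will not see why a response that rewrites the cookie without the session ever being accessed must still vary on Cookie; suggest `# Any response that sets or clears the session cookie must vary on Cookie even if the session was never accessed (e.g. the permanent session re-sent on /ignored in test_session_refresh_vary), so a shared cache cannot serve it to another client (CVE-2023-30861).` above the call that follows `set_cookie(...)`. The enclosing save_session method begins and ends outside these hunks. Separately, the backported regression test `test_session_refresh_vary` only gates the build if the package's `%check` stops ignoring failures; the spec hunk header on this page still shows `py.test-%{python3_version} -v || :`, so confirm the new test was run by hand against this backport.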
@ -1,6 +1,6 @@
|
|||||||
Name: python-flask
|
Name: python-flask
|
||||||
Version: 2.1.2
|
Version: 2.1.2
|
||||||
Release: 3
|
Release: 4
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Summary: A lightweight WSGI web application framework
|
Summary: A lightweight WSGI web application framework
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
@ -8,6 +8,7 @@ URL: https://palletsprojects.com/p/flask/
|
|||||||
Source0: https://files.pythonhosted.org/packages/source/F/Flask/Flask-%{version}.tar.gz
|
Source0: https://files.pythonhosted.org/packages/source/F/Flask/Flask-%{version}.tar.gz
|
||||||
Patch0: Fix-linting-error.patch
|
Patch0: Fix-linting-error.patch
|
||||||
Patch1: Fix-incorrect-references-to-query-in-testing-doc.patch
|
Patch1: Fix-incorrect-references-to-query-in-testing-doc.patch
|
||||||
|
Patch2: CVE-2023-30861.patch
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
@ -54,6 +55,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-%{python3_version} -v || :
|
|||||||
%{python3_sitelib}/*
|
%{python3_sitelib}/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu May 11 2023 yaoxin <yao_xin001@hoperun.com> - 1:2.1.2-4
|
||||||
|
- Fix CVE-2023-30861
|
||||||
|
|
||||||
* Fri Jan 13 2023 zhangliangpengkun<zhangliangpengkun@xfusion.com> - 1:2.1.2-3
|
* Fri Jan 13 2023 zhangliangpengkun<zhangliangpengkun@xfusion.com> - 1:2.1.2-3
|
||||||
- Fix incorrect references to query in testing doc
|
- Fix incorrect references to query in testing doc
|
||||||
|
|
||||||
|
|||||||