!42 [sync] PR-41: Fix CVE-2023-30861

From: @openeuler-sync-bot Reviewed-by: @lyn1001 Signed-off-by: @lyn1001
2023-12-12 03:46:51 +00:00 · 2023-12-12 03:46:51 +00:00 · e506dd5f31
commit e506dd5f31
parent c6502e0cb0 25f322b2e0
2 changed files with 102 additions and 1 deletions
--- a/CVE-2023-30861.patch
+++ b/CVE-2023-30861.patch
@ -0,0 +1,97 @@
 From 3fddbbeaa006ba299cf8e8356618a1d9043091eb Mon Sep 17 00:00:00 2001
 From: starlet-dx <15929766099@163.com>
 Date: Thu, 11 May 2023 15:46:45 +0800
 Subject: [PATCH 1/1] set `Vary: Cookie` header consistently for session
 Origin:
 https://github.com/pallets/flask/commit/8646edca6f47e2cd57464081b3911218d4734f8d
 ---
 src/flask/sessions.py | 10 ++++++----
 tests/test_basic.py   | 23 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 4 deletions(-)
 diff --git a/src/flask/sessions.py b/src/flask/sessions.py
 index 4e19270..039e30c 100644
 --- a/src/flask/sessions.py
 +++ b/src/flask/sessions.py
@@ -385,6 +385,10 @@ class SecureCookieSessionInterface(SessionInterface):
         samesite = self.get_cookie_samesite(app)
         httponly = self.get_cookie_httponly(app)
 +        # Add a "Vary: Cookie" header if the session was accessed at all.
 +        if session.accessed:
 +            response.vary.add("Cookie")
 +
         # If the session is modified to be empty, remove the cookie.
         # If the session is empty, return without setting the cookie.
         if not session:
@@ -397,13 +401,10 @@ class SecureCookieSessionInterface(SessionInterface):
                     samesite=samesite,
                     httponly=httponly,
                 )
 +                response.vary.add("Cookie")
             return
 -        # Add a "Vary: Cookie" header if the session was accessed at all.
 -        if session.accessed:
 -            response.vary.add("Cookie")
 -
         if not self.should_set_cookie(app, session):
             return
@@ -419,3 +420,4 @@ class SecureCookieSessionInterface(SessionInterface):
             secure=secure,
             samesite=samesite,
         )
 +        response.vary.add("Cookie")
 diff --git a/tests/test_basic.py b/tests/test_basic.py
 index 3dc3a0e..6cf1496 100644
 --- a/tests/test_basic.py
 +++ b/tests/test_basic.py
@@ -555,6 +555,11 @@ def test_session_vary_cookie(app, client):
     def setdefault():
         return flask.session.setdefault("test", "default")
 +    @app.route("/clear")
 +    def clear():
 +        flask.session.clear()
 +        return ""
 +
     @app.route("/vary-cookie-header-set")
     def vary_cookie_header_set():
         response = flask.Response()
@@ -587,11 +592,29 @@ def test_session_vary_cookie(app, client):
     expect("/get")
     expect("/getitem")
     expect("/setdefault")
 +    expect("/clear")
     expect("/vary-cookie-header-set")
     expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
     expect("/no-vary-header", None)
 +def test_session_refresh_vary(app, client):
 +    @app.get("/login")
 +    def login():
 +        flask.session["user_id"] = 1
 +        flask.session.permanent = True
 +        return ""
 +
 +    @app.get("/ignored")
 +    def ignored():
 +        return ""
 +
 +    rv = client.get("/login")
 +    assert rv.headers["Vary"] == "Cookie"
 +    rv = client.get("/ignored")
 +    assert rv.headers["Vary"] == "Cookie"
 +
 +
 def test_flashes(app, req_ctx):
     assert not flask.session.modified
     flask.flash("Zap")
 -- 
 2.30.0
--- a/python-flask.spec
+++ b/python-flask.spec
@ -1,6 +1,6 @@
 Name:            python-flask
 Version:         2.1.2
-Release:         3
+Release:         4
 Epoch:           1
 Summary:         A lightweight WSGI web application framework
 License:         BSD-3-Clause
@ -8,6 +8,7 @@ URL:             https://palletsprojects.com/p/flask/
 Source0:         https://files.pythonhosted.org/packages/source/F/Flask/Flask-%{version}.tar.gz
 Patch0:          Fix-linting-error.patch
 Patch1:          Fix-incorrect-references-to-query-in-testing-doc.patch
 Patch2:          CVE-2023-30861.patch
 BuildArch:       noarch
@ -54,6 +55,9 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-%{python3_version} -v || :
 %{python3_sitelib}/*
 %changelog
 * Thu May 11 2023 yaoxin <yao_xin001@hoperun.com> - 1:2.1.2-4
 - Fix CVE-2023-30861
 * Fri Jan 13 2023 zhangliangpengkun<zhangliangpengkun@xfusion.com> - 1:2.1.2-3
 - Fix incorrect references to query in testing doc