!42 [sync] PR-41: Fix CVE-2023-30861

From: @openeuler-sync-bot 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001

CVE-2023-30861.patch

@@ -0,0 +1,97 @@
+From 3fddbbeaa006ba299cf8e8356618a1d9043091eb Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Thu, 11 May 2023 15:46:45 +0800
+Subject: [PATCH 1/1] set `Vary: Cookie` header consistently for session
+
+Origin:
+https://github.com/pallets/flask/commit/8646edca6f47e2cd57464081b3911218d4734f8d
+
+---
+ src/flask/sessions.py | 10 ++++++----
+ tests/test_basic.py   | 23 +++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/src/flask/sessions.py b/src/flask/sessions.py
+index 4e19270..039e30c 100644
+--- a/src/flask/sessions.py
++++ b/src/flask/sessions.py
+@@ -385,6 +385,10 @@ class SecureCookieSessionInterface(SessionInterface):
+         samesite = self.get_cookie_samesite(app)
+         httponly = self.get_cookie_httponly(app)
+ 
++        # Add a "Vary: Cookie" header if the session was accessed at all.
++        if session.accessed:
++            response.vary.add("Cookie")
++
+         # If the session is modified to be empty, remove the cookie.
+         # If the session is empty, return without setting the cookie.
+         if not session:
+@@ -397,13 +401,10 @@ class SecureCookieSessionInterface(SessionInterface):
+                     samesite=samesite,
+                     httponly=httponly,
+                 )
++                response.vary.add("Cookie")
+ 
+             return
+ 
+-        # Add a "Vary: Cookie" header if the session was accessed at all.
+-        if session.accessed:
+-            response.vary.add("Cookie")
+-
+         if not self.should_set_cookie(app, session):
+             return
+ 
+@@ -419,3 +420,4 @@ class SecureCookieSessionInterface(SessionInterface):
+             secure=secure,
+             samesite=samesite,
+         )
++        response.vary.add("Cookie")
+diff --git a/tests/test_basic.py b/tests/test_basic.py
+index 3dc3a0e..6cf1496 100644
+--- a/tests/test_basic.py
++++ b/tests/test_basic.py
+@@ -555,6 +555,11 @@ def test_session_vary_cookie(app, client):
+     def setdefault():
+         return flask.session.setdefault("test", "default")
+ 
++    @app.route("/clear")
++    def clear():
++        flask.session.clear()
++        return ""
++
+     @app.route("/vary-cookie-header-set")
+     def vary_cookie_header_set():
+         response = flask.Response()
+@@ -587,11 +592,29 @@ def test_session_vary_cookie(app, client):
+     expect("/get")
+     expect("/getitem")
+     expect("/setdefault")
++    expect("/clear")
+     expect("/vary-cookie-header-set")
+     expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
+     expect("/no-vary-header", None)
+ 
+ 
++def test_session_refresh_vary(app, client):
++    @app.get("/login")
++    def login():
++        flask.session["user_id"] = 1
++        flask.session.permanent = True
++        return ""
++
++    @app.get("/ignored")
++    def ignored():
++        return ""
++
++    rv = client.get("/login")
++    assert rv.headers["Vary"] == "Cookie"
++    rv = client.get("/ignored")
++    assert rv.headers["Vary"] == "Cookie"
++
++
+ def test_flashes(app, req_ctx):
+     assert not flask.session.modified
+     flask.flash("Zap")
+-- 
+2.30.0
+

Fix-incorrect-references-to-query-in-testing-doc.patch

@@ -0,0 +1,41 @@
+From 5d31ce1031e8ca24dc908c319567a76110edd87e Mon Sep 17 00:00:00 2001
+From: Nick Kocharhook <nick@kocharhook.com>
+Date: Wed, 1 Jun 2022 12:16:21 -0700
+Subject: [PATCH] Fix incorrect references to query in testing doc
+
+The [EnvironBuilder doc](https://werkzeug.palletsprojects.com/en/2.1.x/test/#werkzeug.test.EnvironBuilder) shows that the correct name for the keyword argument is `query_string`, not `query`. Using `query` results in an error.
+
+I've fixed the two places this appears in the testing doc.
+---
+ docs/testing.rst | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/docs/testing.rst b/docs/testing.rst
+index 6f9d6ee1..8545bd39 100644
+--- a/docs/testing.rst
++++ b/docs/testing.rst
+@@ -92,7 +92,7 @@ The ``client`` has methods that match the common HTTP request methods,
+ such as ``client.get()`` and ``client.post()``. They take many arguments
+ for building the request; you can find the full documentation in
+ :class:`~werkzeug.test.EnvironBuilder`. Typically you'll use ``path``,
+-``query``, ``headers``, and ``data`` or ``json``.
++``query_string``, ``headers``, and ``data`` or ``json``.
+ 
+ To make a request, call the method the request should use with the path
+ to the route to test. A :class:`~werkzeug.test.TestResponse` is returned
+@@ -108,9 +108,9 @@ provides ``response.text``, or use ``response.get_data(as_text=True)``.
+         assert b"<h2>Hello, World!</h2>" in response.data
+ 
+ 
+-Pass a dict ``query={"key": "value", ...}`` to set arguments in the
+-query string (after the ``?`` in the URL). Pass a dict ``headers={}``
+-to set request headers.
++Pass a dict ``query_string={"key": "value", ...}`` to set arguments in
++the query string (after the ``?`` in the URL). Pass a dict
++``headers={}`` to set request headers.
+ 
+ To send a request body in a POST or PUT request, pass a value to
+ ``data``. If raw bytes are passed, that exact body is used. Usually,
+-- 
+2.39.0.windows.2
+

Fix-linting-error.patch

@@ -0,0 +1,44 @@
+From 8ddbad9ccdc176b9d57a4aff0076c1c58c455318 Mon Sep 17 00:00:00 2001
+From: DailyDreaming <lblauvel@ucsc.edu>
+Date: Mon, 2 May 2022 07:46:09 -0700
+Subject: [PATCH] Fix linting error.
+
+Suppress mypy.
+
+Suppress mypy error.
+
+Suppress mypy error.
+---
+ src/flask/cli.py | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/flask/cli.py b/src/flask/cli.py
+index 36c4f1b6..efcc0f99 100644
+--- a/src/flask/cli.py
++++ b/src/flask/cli.py
+@@ -9,6 +9,8 @@ from functools import update_wrapper
+ from operator import attrgetter
+ from threading import Lock
+ from threading import Thread
++from typing import Any
++from typing import TYPE_CHECKING
+ 
+ import click
+ from werkzeug.utils import import_string
+@@ -36,7 +38,12 @@ else:
+     # We technically have importlib.metadata on 3.8+,
+     # but the API changed in 3.10, so use the backport
+     # for consistency.
+-    import importlib_metadata as metadata  # type: ignore
++    if TYPE_CHECKING:
++        metadata: Any
++    else:
++        # we do this to avoid a version dependent mypy error
++        # because importlib_metadata is not installed in python3.10+
++        import importlib_metadata as metadata
+ 
+ 
+ class NoAppException(click.UsageError):
+-- 
+2.39.0.windows.2
+

python-flask.spec

@@ -1,11 +1,15 @@
 Name:            python-flask
-Version:         1.1.2
-Release:         2
+Version:         2.1.2
+Release:         4
 Epoch:           1
 Summary:         A lightweight WSGI web application framework
-License:         BSD
+License:         BSD-3-Clause
 URL:             https://palletsprojects.com/p/flask/
 Source0:         https://files.pythonhosted.org/packages/source/F/Flask/Flask-%{version}.tar.gz
+Patch0:          Fix-linting-error.patch
+Patch1:          Fix-incorrect-references-to-query-in-testing-doc.patch
+Patch2:          CVE-2023-30861.patch
+
 BuildArch:       noarch
 
 BuildRequires:   python3-devel python3-setuptools python3-pytest python3-jinja2 python3-werkzeug python3-itsdangerous python3-click
@@ -20,13 +24,13 @@ frameworks.
 %package -n python3-flask
 Summary:         python-flask for python 3 version
 %{?python_provide:%python_provide python3-flask}
-Requires:        python3-jinja2 python3-werkzeug python3-itsdangerous python3-click python3-simplejson
+Requires:        python3-jinja2 python3-werkzeug python3-itsdangerous python3-click
 
 %description -n python3-flask
 Python-flask for python 3 version
 
 %prep
-%autosetup -n Flask-%{version}
+%autosetup -n Flask-%{version} -p1
 
 %build
 %py3_build
@@ -51,6 +55,21 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-%{python3_version} -v || :
 %{python3_sitelib}/*
 
 %changelog
+* Thu May 11 2023 yaoxin <yao_xin001@hoperun.com> - 1:2.1.2-4
+- Fix CVE-2023-30861
+
+* Fri Jan 13 2023 zhangliangpengkun<zhangliangpengkun@xfusion.com> - 1:2.1.2-3
+- Fix incorrect references to query in testing doc
+
+* Mon Jan 9 2023 zhangliangpengkun<zhangliangpengkun@xfusion.com> - 1:2.1.2-2
+- Fix linting error
+
+* Fri Oct 25 2022 Ge Wang <wangge20@h-partners.com> - 1:2.1.2-1
+- Upgrade to version 2.1.2
+
+* Wed Oct 27 2021 Haiwei Li<lihaiwei8@huawei.com> - 1.1.2-3
+- backport add require pythonx-simplejson. details see issue #I4CGIS
+
 * Thu Sep 30 2021 Jiachen Fan<fanjiachen3@huawei.com> - 1.1.2-2
 - add missing install Requires python3-simplejson