6 changed files with 5 additions and 206 deletions
--- a/CVE-2023-30861.patch
+++ b/CVE-2023-30861.patch
@ -1,97 +0,0 @@
 From 3fddbbeaa006ba299cf8e8356618a1d9043091eb Mon Sep 17 00:00:00 2001
 From: starlet-dx <15929766099@163.com>
 Date: Thu, 11 May 2023 15:46:45 +0800
 Subject: [PATCH 1/1] set `Vary: Cookie` header consistently for session
 Origin:
 https://github.com/pallets/flask/commit/8646edca6f47e2cd57464081b3911218d4734f8d
 ---
 src/flask/sessions.py | 10 ++++++----
 tests/test_basic.py   | 23 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 4 deletions(-)
 diff --git a/src/flask/sessions.py b/src/flask/sessions.py
 index 4e19270..039e30c 100644
 --- a/src/flask/sessions.py
 +++ b/src/flask/sessions.py
@@ -385,6 +385,10 @@ class SecureCookieSessionInterface(SessionInterface):
         samesite = self.get_cookie_samesite(app)
         httponly = self.get_cookie_httponly(app)
 +        # Add a "Vary: Cookie" header if the session was accessed at all.
 +        if session.accessed:
 +            response.vary.add("Cookie")
 +
         # If the session is modified to be empty, remove the cookie.
         # If the session is empty, return without setting the cookie.
         if not session:
@@ -397,13 +401,10 @@ class SecureCookieSessionInterface(SessionInterface):
                     samesite=samesite,
                     httponly=httponly,
                 )
 +                response.vary.add("Cookie")
             return
 -        # Add a "Vary: Cookie" header if the session was accessed at all.
 -        if session.accessed:
 -            response.vary.add("Cookie")
 -
         if not self.should_set_cookie(app, session):
             return
@@ -419,3 +420,4 @@ class SecureCookieSessionInterface(SessionInterface):
             secure=secure,
             samesite=samesite,
         )
 +        response.vary.add("Cookie")
 diff --git a/tests/test_basic.py b/tests/test_basic.py
 index 3dc3a0e..6cf1496 100644
 --- a/tests/test_basic.py
 +++ b/tests/test_basic.py
@@ -555,6 +555,11 @@ def test_session_vary_cookie(app, client):
     def setdefault():
         return flask.session.setdefault("test", "default")
 +    @app.route("/clear")
 +    def clear():
 +        flask.session.clear()
 +        return ""
 +
     @app.route("/vary-cookie-header-set")
     def vary_cookie_header_set():
         response = flask.Response()
@@ -587,11 +592,29 @@ def test_session_vary_cookie(app, client):
     expect("/get")
     expect("/getitem")
     expect("/setdefault")
 +    expect("/clear")
     expect("/vary-cookie-header-set")
     expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
     expect("/no-vary-header", None)
 +def test_session_refresh_vary(app, client):
 +    @app.get("/login")
 +    def login():
 +        flask.session["user_id"] = 1
 +        flask.session.permanent = True
 +        return ""
 +
 +    @app.get("/ignored")
 +    def ignored():
 +        return ""
 +
 +    rv = client.get("/login")
 +    assert rv.headers["Vary"] == "Cookie"
 +    rv = client.get("/ignored")
 +    assert rv.headers["Vary"] == "Cookie"
 +
 +
 def test_flashes(app, req_ctx):
     assert not flask.session.modified
     flask.flash("Zap")
 -- 
 2.30.0
--- a/Fix-incorrect-references-to-query-in-testing-doc.patch
+++ b/Fix-incorrect-references-to-query-in-testing-doc.patch
@ -1,41 +0,0 @@
 From 5d31ce1031e8ca24dc908c319567a76110edd87e Mon Sep 17 00:00:00 2001
 From: Nick Kocharhook <nick@kocharhook.com>
 Date: Wed, 1 Jun 2022 12:16:21 -0700
 Subject: [PATCH] Fix incorrect references to query in testing doc
 The [EnvironBuilder doc](https://werkzeug.palletsprojects.com/en/2.1.x/test/#werkzeug.test.EnvironBuilder) shows that the correct name for the keyword argument is `query_string`, not `query`. Using `query` results in an error.
 I've fixed the two places this appears in the testing doc.
 ---
 docs/testing.rst | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/docs/testing.rst b/docs/testing.rst
 index 6f9d6ee1..8545bd39 100644
 --- a/docs/testing.rst
 +++ b/docs/testing.rst
@@ -92,7 +92,7 @@ The ``client`` has methods that match the common HTTP request methods,
 such as ``client.get()`` and ``client.post()``. They take many arguments
 for building the request; you can find the full documentation in
 :class:`~werkzeug.test.EnvironBuilder`. Typically you'll use ``path``,
 -``query``, ``headers``, and ``data`` or ``json``.
 +``query_string``, ``headers``, and ``data`` or ``json``.
 To make a request, call the method the request should use with the path
 to the route to test. A :class:`~werkzeug.test.TestResponse` is returned
@@ -108,9 +108,9 @@ provides ``response.text``, or use ``response.get_data(as_text=True)``.
         assert b"<h2>Hello, World!</h2>" in response.data
 -Pass a dict ``query={"key": "value", ...}`` to set arguments in the
 -query string (after the ``?`` in the URL). Pass a dict ``headers={}``
 -to set request headers.
 +Pass a dict ``query_string={"key": "value", ...}`` to set arguments in
 +the query string (after the ``?`` in the URL). Pass a dict
 +``headers={}`` to set request headers.
 To send a request body in a POST or PUT request, pass a value to
 ``data``. If raw bytes are passed, that exact body is used. Usually,
 -- 
 2.39.0.windows.2
--- a/Fix-linting-error.patch
+++ b/Fix-linting-error.patch
@ -1,44 +0,0 @@
 From 8ddbad9ccdc176b9d57a4aff0076c1c58c455318 Mon Sep 17 00:00:00 2001
 From: DailyDreaming <lblauvel@ucsc.edu>
 Date: Mon, 2 May 2022 07:46:09 -0700
 Subject: [PATCH] Fix linting error.
 Suppress mypy.
 Suppress mypy error.
 Suppress mypy error.
 ---
 src/flask/cli.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
 diff --git a/src/flask/cli.py b/src/flask/cli.py
 index 36c4f1b6..efcc0f99 100644
 --- a/src/flask/cli.py
 +++ b/src/flask/cli.py
@@ -9,6 +9,8 @@ from functools import update_wrapper
 from operator import attrgetter
 from threading import Lock
 from threading import Thread
 +from typing import Any
 +from typing import TYPE_CHECKING
 import click
 from werkzeug.utils import import_string
@@ -36,7 +38,12 @@ else:
     # We technically have importlib.metadata on 3.8+,
     # but the API changed in 3.10, so use the backport
     # for consistency.
 -    import importlib_metadata as metadata  # type: ignore
 +    if TYPE_CHECKING:
 +        metadata: Any
 +    else:
 +        # we do this to avoid a version dependent mypy error
 +        # because importlib_metadata is not installed in python3.10+
 +        import importlib_metadata as metadata
 class NoAppException(click.UsageError):
 -- 
 2.39.0.windows.2
--- a/Flask-1.1.2.tar.gz
+++ b/Flask-1.1.2.tar.gz
--- a/Flask-2.1.2.tar.gz
+++ b/Flask-2.1.2.tar.gz
--- a/python-flask.spec
+++ b/python-flask.spec
@ -1,15 +1,11 @@
 Name:            python-flask
-Version:         2.1.2
+Version:         1.1.2
-Release:         4
+Release:         2
 Epoch:           1
 Summary:         A lightweight WSGI web application framework
-License:         BSD-3-Clause
+License:         BSD
 URL:             https://palletsprojects.com/p/flask/
 Source0:         https://files.pythonhosted.org/packages/source/F/Flask/Flask-%{version}.tar.gz
 Patch0:          Fix-linting-error.patch
 Patch1:          Fix-incorrect-references-to-query-in-testing-doc.patch
 Patch2:          CVE-2023-30861.patch
 BuildArch:       noarch
 BuildRequires:   python3-devel python3-setuptools python3-pytest python3-jinja2 python3-werkzeug python3-itsdangerous python3-click
@ -24,13 +20,13 @@ frameworks.
 %package -n python3-flask
 Summary:         python-flask for python 3 version
 %{?python_provide:%python_provide python3-flask}
-Requires:        python3-jinja2 python3-werkzeug python3-itsdangerous python3-click
+Requires:        python3-jinja2 python3-werkzeug python3-itsdangerous python3-click python3-simplejson
 %description -n python3-flask
 Python-flask for python 3 version
 %prep
-%autosetup -n Flask-%{version} -p1
+%autosetup -n Flask-%{version}
 %build
 %py3_build
@ -55,21 +51,6 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-%{python3_version} -v || :
 %{python3_sitelib}/*
 %changelog
 * Thu May 11 2023 yaoxin <yao_xin001@hoperun.com> - 1:2.1.2-4
 - Fix CVE-2023-30861
 * Fri Jan 13 2023 zhangliangpengkun<zhangliangpengkun@xfusion.com> - 1:2.1.2-3
 - Fix incorrect references to query in testing doc
 * Mon Jan 9 2023 zhangliangpengkun<zhangliangpengkun@xfusion.com> - 1:2.1.2-2
 - Fix linting error
 * Fri Oct 25 2022 Ge Wang <wangge20@h-partners.com> - 1:2.1.2-1
 - Upgrade to version 2.1.2
 * Wed Oct 27 2021 Haiwei Li<lihaiwei8@huawei.com> - 1.1.2-3
 - backport add require pythonx-simplejson. details see issue #I4CGIS
 * Thu Sep 30 2021 Jiachen Fan<fanjiachen3@huawei.com> - 1.1.2-2
 - add missing install Requires python3-simplejson