packages/python-flask
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:c72fb3caa348895c55a01fbcb35b8ffe3890d543
Branches Tags
packages:main
..
compare: packages:905d52bb187b49d9a87b8600022a29b5649b8d38
Branches Tags
packages:main

No commits in common. "c72fb3caa348895c55a01fbcb35b8ffe3890d543" and "905d52bb187b49d9a87b8600022a29b5649b8d38" have entirely different histories.
c72fb3caa3 ... 905d52bb18

5 changed files with 3 additions and 121 deletions
Show Stats Expand all files Collapse all files

96
CVE-2023-30861.patch
View File

@ -1,96 +0,0 @@
From 8646edca6f47e2cd57464081b3911218d4734f8d Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Mon, 1 May 2023 08:01:32 -0700
Subject: [PATCH] set `Vary: Cookie` header consistently for session
Origin:
https://github.com/pallets/flask/commit/8646edca6f47e2cd57464081b3911218d4734f8d
---
src/flask/sessions.py | 10 ++++++----
tests/test_basic.py | 23 +++++++++++++++++++++++
2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/src/flask/sessions.py b/src/flask/sessions.py
index c57ba29..127bc62 100644
--- a/src/flask/sessions.py
+++ b/src/flask/sessions.py
@@ -354,6 +354,10 @@ class SecureCookieSessionInterface(SessionInterface):
domain = self.get_cookie_domain(app)
path = self.get_cookie_path(app)
+ # Add a "Vary: Cookie" header if the session was accessed at all.
+ if session.accessed:
+ response.vary.add("Cookie")
+
# If the session is modified to be empty, remove the cookie.
# If the session is empty, return without setting the cookie.
if not session:
@@ -361,13 +365,10 @@ class SecureCookieSessionInterface(SessionInterface):
response.delete_cookie(
app.session_cookie_name, domain=domain, path=path
)
+ response.vary.add("Cookie")
return
- # Add a "Vary: Cookie" header if the session was accessed at all.
- if session.accessed:
- response.vary.add("Cookie")
-
if not self.should_set_cookie(app, session):
return
@@ -386,3 +387,4 @@ class SecureCookieSessionInterface(SessionInterface):
secure=secure,
samesite=samesite,
)
+ response.vary.add("Cookie")
diff --git a/tests/test_basic.py b/tests/test_basic.py
index 4d3b7b0..847c3f3 100644
--- a/tests/test_basic.py
+++ b/tests/test_basic.py
@@ -538,6 +538,11 @@ def test_session_vary_cookie(app, client):
def setdefault():
return flask.session.setdefault("test", "default")
+ @app.route("/clear")
+ def clear():
+ flask.session.clear()
+ return ""
+
@app.route("/vary-cookie-header-set")
def vary_cookie_header_set():
response = flask.Response()
@@ -570,11 +575,29 @@ def test_session_vary_cookie(app, client):
expect("/get")
expect("/getitem")
expect("/setdefault")
+ expect("/clear")
expect("/vary-cookie-header-set")
expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
expect("/no-vary-header", None)
+def test_session_refresh_vary(app, client):
+ @app.route("/login", methods=["GET"])
+ def login():
+ flask.session["user_id"] = 1
+ flask.session.permanent = True
+ return ""
+
+ @app.route("/ignored", methods=["GET"])
+ def ignored():
+ return ""
+
+ rv = client.get("/login")
+ assert rv.headers["Vary"] == "Cookie"
+ rv = client.get("/ignored")
+ assert rv.headers["Vary"] == "Cookie"
+
+
def test_flashes(app, req_ctx):
assert not flask.session.modified
flask.flash("Zap")
--
2.30.0

BIN
Flask-1.0.4.tar.gz Normal file
View File

Binary file not shown.

BIN
Flask-1.1.2.tar.gz
View File

Binary file not shown.

24
python-flask.spec
View File

@ -1,13 +1,11 @@
Name: python-flask Name: python-flask
Version: 1.1.2 Version: 1.0.4
Release: 5 Release: 3
Epoch: 1 Epoch: 1
Summary: A lightweight WSGI web application framework Summary: A lightweight WSGI web application framework
License: BSD License: BSD
URL: https://palletsprojects.com/p/flask/ URL: https://palletsprojects.com/p/flask/
Source0: https://files.pythonhosted.org/packages/source/F/Flask/Flask-%{version}.tar.gz Source0: https://files.pythonhosted.org/packages/source/F/Flask/Flask-1.0.4.tar.gz
# https://sources.debian.org/src/flask/1.1.2-2%2Bdeb11u1/debian/patches/CVE-2023-30861.patch/
Patch0: CVE-2023-30861.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: python2-sphinx BuildRequires: python2-sphinx
@ -39,7 +37,6 @@ Python-flask for python 3 version
%prep %prep
%autosetup -n Flask-%{version} -p1 %autosetup -n Flask-%{version} -p1
rm -rf tests/test_deprecations.py
%build %build
%py2_build %py2_build
@ -79,21 +76,6 @@ PYTHONPATH=%{buildroot}%{python3_sitelib} py.test-%{python3_version} -v || :
%{python3_sitelib}/* %{python3_sitelib}/*
%changelog %changelog
* Tue Dec 12 2023 yaoxin <yao_xin001@hoperun.com> - 1:1.1.2-5
- Fix CVE-2023-30861
* Mon Oct 11 2021 Jiachen Fan<fanjiachen3@huawei.com> - 1.1.2-4
- backport add require pythonx-simplejson. details see issue #I4CGIS
* Sat Oct 9 2021 Jiachen Fan<fanjiachen3@huawei.com> - 1.1.2-3
- in openEuler LTS version, python-simple not provide python2-simplejson. then remove it
* Thu Sep 30 2021 Jiachen Fan<fanjiachen3@huawei.com> - 1.1.2-2
- add missing install Requires python2/3-simplejson
* Wed Aug 18 2021 huanghaitao <huanghaitao@huawei.com> - 1.1.2-1
- Upgrade version to 1.1.2
* Fri Jan 10 2020 yangjian<yangjian79@huawei.com> - 1.0.4-3 * Fri Jan 10 2020 yangjian<yangjian79@huawei.com> - 1.0.4-3
- Change the Source to valid address - Change the Source to valid address

4
python-flask.yaml
View File

@ -1,4 +0,0 @@
version_control: pypi
src_repo: flask
tag_prefix: "^v"
seperator: "."