From dadb8790bdf59463ab41ebb65f87e659eafa5664 Mon Sep 17 00:00:00 2001
From: Soumya Sambu
Date: Tue, 3 Sep 2024 12:52:59 +0000
Subject: python3-flask-cors: Fix CVE-2024-6221

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

References: https://nvd.nist.gov/vuln/detail/CVE-2024-6221

Upsteam-Patch: https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec

Signed-off-by: Soumya Sambu
Signed-off-by: Khem Raj
---
 .../python/python3-flask-cors/CVE-2024-6221.patch | 110 +++++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
(limited to 'meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch')

diff --git a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
new file mode 100644
index 0000000000..9049b2ffe6
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
@@ -0,0 +1,110 @@
+From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001
+From: Adriano Sela Aviles
+Date: Fri, 30 Aug 2024 12:14:31 -0400
+Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363)
+
+CVE: CVE-2024-6221
+
+Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec]
+
+Signed-off-by: Soumya Sambu
+---
+ docs/configuration.rst | 14 ++++++++++++++
+ flask_cors/core.py | 8 +++++---
+ flask_cors/extension.py | 16 ++++++++++++++++
+ 3 files changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/docs/configuration.rst b/docs/configuration.rst
+index 91282d3..c750cf4 100644
+--- a/docs/configuration.rst
++++ b/docs/configuration.rst
+@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`)
+ Headers to accept from the client.
+ Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header.
+
++CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`)
++ If True, the response header :http:header:`Access-Control-Allow-Private-Network`
++ will be set with the value 'true' whenever the request header
++ :http:header:`Access-Control-Request-Private-Network` has a value 'true'.
++
++ If False, the reponse header :http:header:`Access-Control-Allow-Private-Network`
++ will be set with the value 'false' whenever the request header
++ :http:header:`Access-Control-Request-Private-Network` has a value of 'true'.
++
++ If the request header :http:header:`Access-Control-Request-Private-Network` is
++ not present or has a value other than 'true', the response header
++ :http:header:`Access-Control-Allow-Private-Network` will not be set.
++
+ CORS_ALWAYS_SEND (:py:class:`bool`)
+ Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS.
+ This means we can ignore this request.
+@@ -83,6 +96,7 @@ Default values
+ ~~~~~~~~~~~~~~
+
+ * CORS_ALLOW_HEADERS: "*"
++* CORS_ALLOW_PRIVATE_NETWORK: True
+ * CORS_ALWAYS_SEND: True
+ * CORS_AUTOMATIC_OPTIONS: True
+ * CORS_EXPOSE_HEADERS: None
+diff --git a/flask_cors/core.py b/flask_cors/core.py
+index 5358036..bd011f4 100644
+--- a/flask_cors/core.py
++++ b/flask_cors/core.py
+@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS',
+ 'CORS_MAX_AGE', 'CORS_SEND_WILDCARD',
+ 'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER',
+ 'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS',
+- 'CORS_ALWAYS_SEND']
++ 'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK']
+ # Attribute added to request object by decorator to indicate that CORS
+ # was evaluated, in case the decorator and extension are both applied
+ # to a view.
+@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*',
+ vary_header=True,
+ resources=r'/*',
+ intercept_exceptions=True,
+- always_send=True)
++ always_send=True,
++ allow_private_network=True)
+
+
+ def parse_resources(resources):
+@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method):
+
+ if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \
+ and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
+- headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true'
++ allow_private_network = 'true' if options.get('allow_private_network') else 'false'
++ headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network
+
+ # This is a preflight request
+ # http://www.w3.org/TR/cors/#resource-preflight-requests
+diff --git a/flask_cors/extension.py b/flask_cors/extension.py
+index c00cbff..694953f 100644
+--- a/flask_cors/extension.py
++++ b/flask_cors/extension.py
+@@ -136,6 +136,22 @@ class CORS(object):
+
+ Default : True
+ :type vary_header: bool
++
++ :param allow_private_network:
++ If True, the response header `Access-Control-Allow-Private-Network`
++ will be set with the value 'true' whenever
the request header
++ `Access-Control-Request-Private-Network` has a value 'true'.
++
++ If False, the reponse header `Access-Control-Allow-Private-Network`
++ will be set with the value 'false' whenever the request header
++ `Access-Control-Request-Private-Network` has a value of 'true'.
++
++ If the request header `Access-Control-Request-Private-Network` is
++ not present or has a value other than 'true', the response header
++ `Access-Control-Allow-Private-Network` will not be set.
++
++ Default : True
++ :type allow_private_network: bool
+ """
+
+ def __init__(self, app=None, **kwargs):
+--
+2.40.0
--
cgit v1.2.3-54-g00ecf
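Review bot: The backport keeps `allow_private_network=True` in `DEFAULT_OPTIONS` (and lists `CORS_ALLOW_PRIVATE_NETWORK: True` as the documented default), so a build carrying only this patch still answers every `Access-Control-Request-Private-Network: true` preflight with `Access-Control-Allow-Private-Network: true` for any allowed origin — the option now exists, but the out-of-the-box behaviour the CVE describes is unchanged, while the `CVE: CVE-2024-6221` tag will make cve-check report it as fixed. Either flip the default to `allow_private_network=False` in `DEFAULT_OPTIONS` and change the rst default line to `* CORS_ALLOW_PRIVATE_NETWORK: False` (I believe upstream did this in a later release, but verify before backporting since it is a behaviour change for existing users), or record in the recipe and commit message that deployers must set `CORS_ALLOW_PRIVATE_NETWORK = False` to actually mitigate the issue. Note also that `options.get('allow_private_network')` is tested for truthiness, so if a config value ever arrives as the string `'false'` the header would still be emitted as `true`; a `# NOTE: must be a real bool, the string 'false' is truthy` comment next to that line would save someone a surprise. Minor: "reponse" is misspelled in both the rst and the docstring.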