Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected] Control: affects -1 + src:python-flask-cors User: [email protected] Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [ Reason ] There are multiple vulnerabilities in python-flask-cors which have been fixed in Sid/Trixie and in LTS, but not in Bookworm yet. This upload attempts to close them for stable as well, and to offer a clean upgrade path for LTS users. [ Impact ] If the issues are not fixed, users of Debian Bookworm will continue to be vulnerable. And users of LTS might become vulnerable when upgrading to Bookworm. [ Tests ] The package uses autopkgtest to run the upstream testsuite. The tests are successful. [ Risks ] There are the usual risks of regression and unexpected behavior. However, the upstream testuite is successful and the changes have already been applied to LTS without issues. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] The patch for CVE-2024-1681 to clean request.path before logging it is quite trivial. The patch for CVE-2024-6839 fixes a regex pattern matching and is covered by a newly introduced test. The patch for CVE-2024-6844 replaces the usage of urllib's unquote_plus to unquote to avoid unintended behavior. New tests have been added to cover the function. The patch for CVE-2024-6866 changes a few functions to allow for case-sensitive and case-insensitive matching where appropriate. New tests have been added as well. [ Other info ] n/a -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmhh6A8ACgkQS80FZ8KW 0F2GIhAAlABzeYmnNksIdM//BWaXqFuxx4SUnT5mtkf09ov9Zu+kCPucoMmNsS7Z ufIEc6DT9y+cIMshrIu+YEYb7buyDLWEEz7m2CjS6EiTxPrXLEOJLGSs7zzgkbcF kHDcUFJw/rKREWy39Y4de/TAW0vwtQ2TSldAGtqOKLoVs9ehB0g1ABKQiWsNiXHn 45gWm6G3flVVynhcw40NMNtCvBErO/0IeiVStlckmt4nnQs0lXvohmrX1MFnS+6u PjYJFWPyCofJhwerpBDE3ihNTD9922uieHBm8L3OffX2nApRYdY6AhToSO679I3i 4iAvLG2xEHb+ZhKciutDArN8MBuKY/Rsmza5eYyCnY9yzv+/m2tyxb8nmu7h4Pdp HLIwWLwT9LaeYFYbMRJlpeQaBXYnYMOr7EB0GRjNAxC6+CeSFZrrNuoHtVnZuWg3 niu42V1qELeMbQJaVhVcTUr43/KAi19EyUqO0KHiJ3r+vIq7jLw47LUPDLaz1T6d oUq+6+erdPyURYMSCHFR9SylDcu37RMQDC02hqUFuF6YlvWheMGWzsAJkQPm3cTq VYzFZej77GPR3mNCvJkSiEzoZ+69en5vdS+YoIV2rIo7NGQH69tUT6iXeA/iJ4f5 nBdWnuHT5GLgLr6oTQiSaD3ibwOERCJkk4ldtWokS5J9nWDO5s0= =5bkH -----END PGP SIGNATURE-----
diff -Nru python-flask-cors-3.0.10/debian/changelog python-flask-cors-3.0.10/debian/changelog --- python-flask-cors-3.0.10/debian/changelog 2023-01-22 09:52:05.000000000 +0100 +++ python-flask-cors-3.0.10/debian/changelog 2025-06-30 02:59:32.000000000 +0200 @@ -1,3 +1,38 @@ +python-flask-cors (3.0.10-2+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload by the Debian LTS team. + * d/patches/CVE-2024-1681.patch: Add to fix CVE-2024-1681 (closes: #1069764). + - An attacker can inject fake log entries into the log file by sending a + specially crafted GET request containing a CRLF sequence in the request + path, allowing them to corrupt log files, potentially covering tracks of + other attacks, confusing log post-processing tools, and forging log + entries. + * d/patches/CVE-2024-6866.patch: Add to fix CVE-2024-6866 (closes: #1100988). + - The request path matching is case-insensitive. This results in a mismatch + because paths in URLs are case-sensitive, but the regex matching treats + them as case-insensitive. This misconfiguration can lead to significant + security vulnerabilities, allowing unauthorized origins to access paths + meant to be restricted, resulting in data exposure and potential leaks. + * d/patches/CVE-2024-6839-1.patch, d/patches/CVE-2024-6839-2.patch: Add to + fix CVE-2024-6839 (closes: #1100988). + - There is an improper regex path matching vulnerability. The plugin + prioritizes longer regex patterns over more specific ones when matching + paths, which can lead to less restrictive CORS policies being applied to + sensitive endpoints. This mismatch in regex pattern priority allows + unauthorized cross-origin access to sensitive data or functionality, + potentially exposing confidential information and increasing the risk of + unauthorized actions by malicious actors. + d/patches/CVE-2024-6844.patch: Add to fix CVE-2024-6844 (closes: #1100988). + - The request.path is passed through the unquote_plus function, which + converts the '+' character to a space ' '. This behavior leads to + incorrect path normalization, causing potential mismatches in CORS + configuration. As a result, endpoints may not be matched correctly to + their CORS settings, leading to unexpected CORS policy application. This + can cause unauthorized cross-origin access or block valid requests, + creating security vulnerabilities and usability issues. + + -- Daniel Leidert <[email protected]> Mon, 30 Jun 2025 02:59:32 +0200 + python-flask-cors (3.0.10-2) unstable; urgency=medium * Team upload. diff -Nru python-flask-cors-3.0.10/debian/gbp.conf python-flask-cors-3.0.10/debian/gbp.conf --- python-flask-cors-3.0.10/debian/gbp.conf 2022-10-31 13:06:39.000000000 +0100 +++ python-flask-cors-3.0.10/debian/gbp.conf 2025-06-30 02:59:32.000000000 +0200 @@ -1,7 +1,7 @@ [DEFAULT] pristine-tar = True compression = gz -debian-branch = debian/master +debian-branch = debian/bookworm upstream-branch = upstream [pq] diff -Nru python-flask-cors-3.0.10/debian/patches/CVE-2024-1681.patch python-flask-cors-3.0.10/debian/patches/CVE-2024-1681.patch --- python-flask-cors-3.0.10/debian/patches/CVE-2024-1681.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-flask-cors-3.0.10/debian/patches/CVE-2024-1681.patch 2025-06-30 02:59:32.000000000 +0200 @@ -0,0 +1,29 @@ +From: =?utf-8?q?Anes_Hujevi=C4=87?= <[email protected]> +Date: Sat, 4 May 2024 21:28:47 +0200 +Subject: Update extension.py to clean request.path before logging it (#351) + +* Update extension.py to use string format specifier for cleaning request.path + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://github.com/corydolphin/flask-cors/commit/6172c2000dba965fedb8e9a8a916ad56f0fb2630 +Bug: https://github.com/corydolphin/flask-cors/issues/349 +Bug-Debian: https://bugs.debian.org/1069764 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-1681 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-1681 +--- + flask_cors/extension.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/flask_cors/extension.py b/flask_cors/extension.py +index cfeca73..77cf47d 100644 +--- a/flask_cors/extension.py ++++ b/flask_cors/extension.py +@@ -180,7 +180,7 @@ def make_after_request_function(resources): + normalized_path = unquote_plus(request.path) + for res_regex, res_options in resources: + if try_match(normalized_path, res_regex): +- LOG.debug("Request to '%s' matches CORS resource '%s'. Using options: %s", ++ LOG.debug("Request to '%r' matches CORS resource '%s'. Using options: %s", + request.path, get_regexp_pattern(res_regex), res_options) + set_cors_headers(resp, res_options) + break diff -Nru python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-1.patch python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-1.patch --- python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-1.patch 2025-06-30 02:59:32.000000000 +0200 @@ -0,0 +1,60 @@ +From: Adriano Sela Aviles <[email protected]> +Date: Wed, 14 May 2025 21:17:02 -0700 +Subject: [PATCH] [CVE-2024-6839] Sort Paths by Regex Specificity (#391) + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://github.com/corydolphin/flask-cors/commit/e970988bea563e05e8b8f53fa7bcc134b5bf5c5f +Bug: https://github.com/corydolphin/flask-cors/pull/391 +Bug-Debian: https://bugs.debian.org/1100988 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-6839 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-6839 +--- + flask_cors/core.py | 21 +++++++++++---------- + tests/core/helper_tests.py | 2 +- + 2 files changed, 12 insertions(+), 11 deletions(-) + +diff --git a/flask_cors/core.py b/flask_cors/core.py +index ac9682d..a3d2809 100644 +--- a/flask_cors/core.py ++++ b/flask_cors/core.py +@@ -69,16 +69,17 @@ def parse_resources(resources): + # resource of '*', which is not actually a valid regexp. + resources = [(re_fix(k), v) for k, v in resources.items()] + +- # Sort by regex length to provide consistency of matching and +- # to provide a proxy for specificity of match. E.G. longer +- # regular expressions are tried first. +- def pattern_length(pair): +- maybe_regex, _ = pair +- return len(get_regexp_pattern(maybe_regex)) +- +- return sorted(resources, +- key=pattern_length, +- reverse=True) ++ # Sort patterns with static (literal) paths first, then by regex specificity ++ def sort_key(pair): ++ pattern, _ = pair ++ if isinstance(pattern, RegexObject): ++ return (1, 0, pattern.pattern.count("/"), -len(pattern.pattern)) ++ elif probably_regex(pattern): ++ return (1, 1, pattern.count("/"), -len(pattern)) ++ else: ++ return (0, 0, pattern.count("/"), -len(pattern)) ++ ++ return sorted(resources, key=sort_key) + + elif isinstance(resources, string_types): + return [(re_fix(resources), {})] +diff --git a/tests/core/helper_tests.py b/tests/core/helper_tests.py +index 4eedca8..3139ffc 100644 +--- a/tests/core/helper_tests.py ++++ b/tests/core/helper_tests.py +@@ -81,7 +81,7 @@ class InternalsTestCase(unittest.TestCase): + + self.assertEqual( + [r[0] for r in resources], +- [re.compile(r'/api/v1/.*'), '/foo', re.compile(r'/.*')] ++ ['/foo', re.compile(r'/api/v1/.*'), re.compile(r'/.*')] + ) + + def test_probably_regex(self): diff -Nru python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-2.patch python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-2.patch --- python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-2.patch 2025-06-30 02:59:32.000000000 +0200 @@ -0,0 +1,38 @@ +From: joshuamorton <[email protected]> +Date: Wed, 21 May 2025 20:53:40 +0000 +Subject: [PATCH] Sort paths longest to shortest. + +Previously, path sort length was inverted, with short paths before long +ones, this led to a path like `/*` being handled *before* a path like +`/foo/bar/baz`, which is exactly what we didn't want. This was tested, +but the test was misnamed and so wasn't picked up by pytest. + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://github.com/corydolphin/flask-cors/pull/392 +Bug: https://github.com/corydolphin/flask-cors/pull/391 +Bug-Debian: https://bugs.debian.org/1100988 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-6839 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-6839 +--- + flask_cors/core.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/flask_cors/core.py b/flask_cors/core.py +index a3d2809..cbf123a 100644 +--- a/flask_cors/core.py ++++ b/flask_cors/core.py +@@ -73,11 +73,11 @@ def parse_resources(resources): + def sort_key(pair): + pattern, _ = pair + if isinstance(pattern, RegexObject): +- return (1, 0, pattern.pattern.count("/"), -len(pattern.pattern)) ++ return (1, 0, -pattern.pattern.count("/"), -len(pattern.pattern)) + elif probably_regex(pattern): +- return (1, 1, pattern.count("/"), -len(pattern)) ++ return (1, 1, -pattern.count("/"), -len(pattern)) + else: +- return (0, 0, pattern.count("/"), -len(pattern)) ++ return (0, 0, -pattern.count("/"), -len(pattern)) + + return sorted(resources, key=sort_key) + diff -Nru python-flask-cors-3.0.10/debian/patches/CVE-2024-6844.patch python-flask-cors-3.0.10/debian/patches/CVE-2024-6844.patch --- python-flask-cors-3.0.10/debian/patches/CVE-2024-6844.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-flask-cors-3.0.10/debian/patches/CVE-2024-6844.patch 2025-06-30 02:59:32.000000000 +0200 @@ -0,0 +1,107 @@ +From: Adriano Sela Aviles <[email protected]> +Date: Sat, 17 May 2025 07:32:23 -0700 +Subject: [PATCH] [CVE-2024-6844] Replace use of (urllib) unquote_plus with + unquote for paths (#389) + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://github.com/corydolphin/flask-cors/commit/35d875319621bd129a38b2b823abf4a2f6cda536 +Bug: https://github.com/corydolphin/flask-cors/pull/389 +Bug-Debian: https://bugs.debian.org/1100988 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-6844 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-6844 +--- + flask_cors/extension.py | 6 ++-- + tests/extension/test_app_extension.py | 56 +++++++++++++++++++++++++++++++++++ + 2 files changed, 59 insertions(+), 3 deletions(-) + +diff --git a/flask_cors/extension.py b/flask_cors/extension.py +index 44b0a09..f3041c5 100644 +--- a/flask_cors/extension.py ++++ b/flask_cors/extension.py +@@ -11,9 +11,9 @@ + from flask import request + from .core import * + try: +- from urllib.parse import unquote_plus ++ from urllib.parse import unquote + except ImportError: +- from urllib import unquote_plus ++ from urllib import unquote + + LOG = logging.getLogger(__name__) + +@@ -177,7 +177,7 @@ def make_after_request_function(resources): + if resp.headers is not None and resp.headers.get(ACL_ORIGIN): + LOG.debug('CORS have been already evaluated, skipping') + return resp +- normalized_path = unquote_plus(request.path) ++ normalized_path = unquote(request.path) + for res_regex, res_options in resources: + if try_match_pattern(normalized_path, res_regex, caseSensitive=True): + LOG.debug("Request to '%r' matches CORS resource '%s'. Using options: %s", +diff --git a/tests/extension/test_app_extension.py b/tests/extension/test_app_extension.py +index 597b744..b836eb7 100644 +--- a/tests/extension/test_app_extension.py ++++ b/tests/extension/test_app_extension.py +@@ -378,5 +378,61 @@ class AppExtensionBadRegexp(FlaskCorsTestCase): + self.assertEqual(resp.status_code, 200) + + ++class AppExtensionPlusInPath(FlaskCorsTestCase): ++ ''' ++ Regression test for CVE-2024-6844: ++ Ensures that we correctly differentiate '+' from ' ' in URL paths. ++ ''' ++ ++ def setUp(self): ++ self.app = Flask(__name__) ++ CORS(self.app, resources={ ++ r'/service\+path': {'origins': ['http://foo.com']}, ++ r'/service path': {'origins': ['http://bar.com']}, ++ }) ++ ++ @self.app.route('/service+path') ++ def plus_path(): ++ return 'plus' ++ ++ @self.app.route('/service path') ++ def space_path(): ++ return 'space' ++ ++ self.client = self.app.test_client() ++ ++ def test_plus_path_origin_allowed(self): ++ ''' ++ Ensure that CORS matches + literally and allows the correct origin ++ ''' ++ response = self.client.get('/service+path', headers={'Origin': 'http://foo.com'}) ++ self.assertEqual(response.status_code, 200) ++ self.assertEqual(response.headers.get(ACL_ORIGIN), 'http://foo.com') ++ ++ def test_space_path_origin_allowed(self): ++ ''' ++ Ensure that CORS treats /service path differently and allows correct origin ++ ''' ++ response = self.client.get('/service%20path', headers={'Origin': 'http://bar.com'}) ++ self.assertEqual(response.status_code, 200) ++ self.assertEqual(response.headers.get(ACL_ORIGIN), 'http://bar.com') ++ ++ def test_plus_path_rejects_other_origin(self): ++ ''' ++ Origin not allowed for + path should be rejected ++ ''' ++ response = self.client.get('/service+path', headers={'Origin': 'http://bar.com'}) ++ self.assertEqual(response.status_code, 200) ++ self.assertIsNone(response.headers.get(ACL_ORIGIN)) ++ ++ def test_space_path_rejects_other_origin(self): ++ ''' ++ Origin not allowed for space path should be rejected ++ ''' ++ response = self.client.get('/service%20path', headers={'Origin': 'http://foo.com'}) ++ self.assertEqual(response.status_code, 200) ++ self.assertIsNone(response.headers.get(ACL_ORIGIN)) ++ ++ + if __name__ == "__main__": + unittest.main() diff -Nru python-flask-cors-3.0.10/debian/patches/CVE-2024-6866.patch python-flask-cors-3.0.10/debian/patches/CVE-2024-6866.patch --- python-flask-cors-3.0.10/debian/patches/CVE-2024-6866.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-flask-cors-3.0.10/debian/patches/CVE-2024-6866.patch 2025-06-30 02:59:32.000000000 +0200 @@ -0,0 +1,130 @@ +From: Adriano Sela Aviles <[email protected]> +Date: Wed, 14 May 2025 21:13:34 -0700 +Subject: [PATCH] [CVE-2024-6866] Case Sensitive Request Path Matching (#390) + +* [CVE-2024-6866] Case Sensitive Request Path Matching + +* Update flask_cors/core.py + +Co-authored-by: Cory Dolphin <[email protected]> + +Reviewed-By: Daniel Leidert <[email protected]> +Origin: https://github.com/corydolphin/flask-cors/commit/eb39516a3c96b90d0ae5f51293972395ec3ef358 +Bug: https://github.com/corydolphin/flask-cors/pull/390 +Bug-Debian: https://bugs.debian.org/1100988 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-6866 +Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-6866 +--- + flask_cors/core.py | 47 +++++++++++++++++++++++++++------------------- + flask_cors/extension.py | 2 +- + tests/core/helper_tests.py | 9 ++++++--- + 3 files changed, 35 insertions(+), 23 deletions(-) + +diff --git a/flask_cors/core.py b/flask_cors/core.py +index 7654cb1..ac9682d 100644 +--- a/flask_cors/core.py ++++ b/flask_cors/core.py +@@ -123,9 +123,10 @@ def get_cors_origins(options, request_origin): + if wildcard and options.get('send_wildcard'): + LOG.debug("Allowed origins are set to '*'. Sending wildcard CORS header.") + return ['*'] +- # If the value of the Origin header is a case-sensitive match +- # for any of the values in list of origins +- elif try_match_any(request_origin, origins): ++ # If the value of the Origin header is a case-insensitive match ++ # for any of the values in list of origins. ++ # NOTE: Per RFC 1035 and RFC 4343 schemes and hostnames are case insensitive. ++ elif try_match_any_pattern(request_origin, origins, caseSensitive=False): + LOG.debug("The request's Origin header matches. Sending CORS headers.", ) + # Add a single Access-Control-Allow-Origin header, with either + # the value of the Origin header or the string "*" as value. +@@ -163,10 +164,7 @@ def get_allow_headers(options, acl_request_headers): + request_headers = [h.strip() for h in acl_request_headers.split(',')] + + # any header that matches in the allow_headers +- matching_headers = filter( +- lambda h: try_match_any(h, options.get('allow_headers')), +- request_headers +- ) ++ matching_headers = filter(lambda h: try_match_any_pattern(h, options.get("allow_headers"), caseSensitive=False), request_headers) + + return ', '.join(sorted(matching_headers)) + +@@ -268,21 +266,32 @@ def re_fix(reg): + return r'.*' if reg == r'*' else reg + + +-def try_match_any(inst, patterns): +- return any(try_match(inst, pattern) for pattern in patterns) ++def try_match_any_pattern(inst, patterns, caseSensitive=True): ++ return any(try_match_pattern(inst, pattern, caseSensitive) for pattern in patterns) + + +-def try_match(request_origin, maybe_regex): +- """Safely attempts to match a pattern or string to a request origin.""" +- if isinstance(maybe_regex, RegexObject): +- return re.match(maybe_regex, request_origin) +- elif probably_regex(maybe_regex): +- return re.match(maybe_regex, request_origin, flags=re.IGNORECASE) +- else: ++def try_match_pattern(value, pattern, caseSensitive=True): ++ """ ++ Safely attempts to match a pattern or string to a value. This ++ function can be used to match request origins, headers, or paths. ++ The value of caseSensitive should be set in accordance to the ++ data being compared e.g. origins and headers are case insensitive ++ whereas paths are case-sensitive ++ """ ++ if isinstance(pattern, RegexObject): ++ return re.match(pattern, value) ++ if probably_regex(pattern): ++ flags = 0 if caseSensitive else re.IGNORECASE + try: +- return request_origin.lower() == maybe_regex.lower() +- except AttributeError: +- return request_origin == maybe_regex ++ return re.match(pattern, value, flags=flags) ++ except re.error: ++ return False ++ try: ++ v = str(value) ++ p = str(pattern) ++ return v == p if caseSensitive else v.casefold() == p.casefold() ++ except Exception: ++ return value == pattern + + + def get_cors_options(appInstance, *dicts): +diff --git a/flask_cors/extension.py b/flask_cors/extension.py +index 77cf47d..44b0a09 100644 +--- a/flask_cors/extension.py ++++ b/flask_cors/extension.py +@@ -179,7 +179,7 @@ def make_after_request_function(resources): + return resp + normalized_path = unquote_plus(request.path) + for res_regex, res_options in resources: +- if try_match(normalized_path, res_regex): ++ if try_match_pattern(normalized_path, res_regex, caseSensitive=True): + LOG.debug("Request to '%r' matches CORS resource '%s'. Using options: %s", + request.path, get_regexp_pattern(res_regex), res_options) + set_cors_headers(resp, res_options) +diff --git a/tests/core/helper_tests.py b/tests/core/helper_tests.py +index d7811da..4eedca8 100644 +--- a/tests/core/helper_tests.py ++++ b/tests/core/helper_tests.py +@@ -17,9 +17,12 @@ from flask_cors.core import * + + + class InternalsTestCase(unittest.TestCase): +- def test_try_match(self): +- self.assertFalse(try_match('www.com/foo', 'www.com/fo')) +- self.assertTrue(try_match('www.com/foo', 'www.com/fo*')) ++ def test_try_match_pattern(self): ++ self.assertFalse(try_match_pattern('www.com/foo', 'www.com/fo', caseSensitive=True)) ++ self.assertTrue(try_match_pattern('www.com/foo', 'www.com/fo*', caseSensitive=True)) ++ self.assertTrue(try_match_pattern('www.com', 'WwW.CoM', caseSensitive=False)) ++ self.assertTrue(try_match_pattern('/foo', '/fo*', caseSensitive=True)) ++ self.assertFalse(try_match_pattern('/foo', '/Fo*', caseSensitive=True)) + + def test_flexible_str_str(self): + self.assertEquals(flexible_str('Bar, Foo, Qux'), 'Bar, Foo, Qux') diff -Nru python-flask-cors-3.0.10/debian/patches/series python-flask-cors-3.0.10/debian/patches/series --- python-flask-cors-3.0.10/debian/patches/series 2022-11-01 08:15:06.000000000 +0100 +++ python-flask-cors-3.0.10/debian/patches/series 2025-06-30 02:59:32.000000000 +0200 @@ -3,3 +3,8 @@ upstream/Spelling-Fix-misspelled-word-conjuction.patch upstream/Spelling-Fix-misspelled-word-maching.patch debian-hacks/docs-Use-local-inventory-for-Python3.patch +CVE-2024-1681.patch +CVE-2024-6866.patch +CVE-2024-6839-1.patch +CVE-2024-6839-2.patch +CVE-2024-6844.patch
