Hello community,
here is the log from the commit of package python-Flask-Cors for
openSUSE:Factory checked in at 2020-09-01 20:10:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-Flask-Cors (Old)
and /work/SRC/openSUSE:Factory/.python-Flask-Cors.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-Flask-Cors"
Tue Sep 1 20:10:29 2020 rev:5 rq:831046 version:3.0.9
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-Flask-Cors/python-Flask-Cors.changes
2019-10-23 15:54:41.238943460 +0200
+++
/work/SRC/openSUSE:Factory/.python-Flask-Cors.new.3399/python-Flask-Cors.changes
2020-09-01 20:10:43.208686469 +0200
@@ -1,0 +2,13 @@
+Tue Sep 1 09:23:10 UTC 2020 - Antonio Larrosa <[email protected]>
+
+- Update to 3.0.9:
+ * Escape path before evaluating resource rules. Prior to this,
+ flask-cors incorrectly evaluated CORS resource matching before
+ path expansion. E.g. "/api/../foo.txt" would incorrectly match
+ resources for "/api/*" whereas the path actually expands
+ simply to "/foo.txt" (CVE-2020-25032, boo#1175986)
+- Remove patch which is no longer required when using (at least)
+ Flask 1.1, which is the case in Factory:
+ * 0001-Disable-ACL_ORIGIN-check.patch
+
+-------------------------------------------------------------------
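Review bot: the first bullet says "Escape path", but the accompanying extension.py change decodes the request path with `unquote_plus` before matching rather than escaping it; "Decode path before evaluating resource rules" describes the fix accurately and avoids confusion for anyone auditing the CVE-2020-25032 fix later.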
Old:
----
0001-Disable-ACL_ORIGIN-check.patch
Flask-Cors-3.0.8.tar.gz
New:
----
Flask-Cors-3.0.9.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-Flask-Cors.spec ++++++
--- /var/tmp/diff_new_pack.jHoO0W/_old 2020-09-01 20:10:44.032686855 +0200
+++ /var/tmp/diff_new_pack.jHoO0W/_new 2020-09-01 20:10:44.036686857 +0200
@@ -1,7 +1,7 @@
#
# spec file for package python-Flask-Cors
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,15 +18,13 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-Flask-Cors
-Version: 3.0.8
+Version: 3.0.9
Release: 0
Summary: A Flask extension adding a decorator for CORS support
License: MIT
Group: Development/Languages/Python
URL: https://github.com/corydolphin/flask-cors
Source:
https://files.pythonhosted.org/packages/source/F/Flask-Cors/Flask-Cors-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM 0001-Disable-ACL_ORIGIN-check.patch boo#1154808
-Patch1: 0001-Disable-ACL_ORIGIN-check.patch
BuildRequires: %{python_module Flask >= 0.9}
BuildRequires: %{python_module nose}
BuildRequires: %{python_module setuptools}
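Review bot: the removal of 0001-Disable-ACL_ORIGIN-check.patch is justified in the changelog by Factory shipping Flask 1.1, yet `BuildRequires: %{python_module Flask >= 0.9}` still admits older Flask, on which the no-longer-skipped `test_acl_uncaught_exception_500` would run again; raising it to `%{python_module Flask >= 1.1}` records that assumption in the spec. Also, the updated test suite now does `from packaging import version` (mirrored by the `'packaging'` entry added to tests_require in setup.py), so unless it is already declared further down the spec, `BuildRequires: %{python_module packaging}` is needed for %check to import the test module at all.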
@@ -46,7 +44,6 @@
%prep
%setup -q -n Flask-Cors-%{version}
-%patch1 -p1
%build
%python_build
++++++ Flask-Cors-3.0.8.tar.gz -> Flask-Cors-3.0.9.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Cors-3.0.8/Flask_Cors.egg-info/PKG-INFO
new/Flask-Cors-3.0.9/Flask_Cors.egg-info/PKG-INFO
--- old/Flask-Cors-3.0.8/Flask_Cors.egg-info/PKG-INFO 2019-06-08
22:53:53.000000000 +0200
+++ new/Flask-Cors-3.0.9/Flask_Cors.egg-info/PKG-INFO 2020-08-30
23:48:44.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: Flask-Cors
-Version: 3.0.8
+Version: 3.0.9
Summary: A Flask extension adding a decorator for CORS support
Home-page: https://github.com/corydolphin/flask-cors
Author: Cory Dolphin
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Cors-3.0.8/PKG-INFO
new/Flask-Cors-3.0.9/PKG-INFO
--- old/Flask-Cors-3.0.8/PKG-INFO 2019-06-08 22:53:53.000000000 +0200
+++ new/Flask-Cors-3.0.9/PKG-INFO 2020-08-30 23:48:44.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: Flask-Cors
-Version: 3.0.8
+Version: 3.0.9
Summary: A Flask extension adding a decorator for CORS support
Home-page: https://github.com/corydolphin/flask-cors
Author: Cory Dolphin
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Cors-3.0.8/docs/api.rst
new/Flask-Cors-3.0.9/docs/api.rst
--- old/Flask-Cors-3.0.8/docs/api.rst 2019-06-08 22:53:18.000000000 +0200
+++ new/Flask-Cors-3.0.9/docs/api.rst 2020-08-30 23:48:21.000000000 +0200
@@ -46,6 +46,9 @@
def helloWorld():
return "Hello, %s" % session['username']
+
+The above code enables Flask backend to accept cookies to be submitted from
cross origin sites. But if you are sending Xhr requests (ajax calls) to a
cross-origin server, by default chrome or any modern browser won't send cookies
and session with the request. You should use ``withCredentials = True`` while
sending Xhr request to enable that. You should keep in mind about the necessary
security concerns. Related MDN doc:
https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
+
Using `CORS` with Blueprints
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
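Review bot: the added paragraph writes `withCredentials = True` in Python spelling, but it is a JavaScript property of the XMLHttpRequest object (`xhr.withCredentials = true`); in Flask documentation the Python spelling invites readers to look for a Flask-Cors option of that name. "the necessary security concerns" is also too vague for a security-relevant setting: state the concrete one, that a response to a credentialed request must name an explicit origin rather than `*`, so readers do not pair cookie-carrying requests with a wildcard origin.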
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Cors-3.0.8/examples/app_based_example.py
new/Flask-Cors-3.0.9/examples/app_based_example.py
--- old/Flask-Cors-3.0.8/examples/app_based_example.py 2019-06-08
22:53:18.000000000 +0200
+++ new/Flask-Cors-3.0.9/examples/app_based_example.py 2020-08-30
23:48:21.000000000 +0200
@@ -124,7 +124,7 @@
Browsers will first make a preflight request to verify that the
resource
allows cross-origin POSTs with a JSON Content-Type, which can be
simulated
as:
- $ curl --include -X OPTIONS http://127.0.0.1:5000/exception \
+ $ curl --include -X OPTIONS http://127.0.0.1:5000/api/exception \
--header Access-Control-Request-Method:POST \
--header Access-Control-Request-Headers:Content-Type \
--header Origin:www.examplesite.com
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Cors-3.0.8/flask_cors/core.py
new/Flask-Cors-3.0.9/flask_cors/core.py
--- old/Flask-Cors-3.0.8/flask_cors/core.py 2019-06-08 22:53:18.000000000
+0200
+++ new/Flask-Cors-3.0.9/flask_cors/core.py 2020-08-30 23:48:21.000000000
+0200
@@ -359,7 +359,7 @@
for key in opts.keys():
if key not in DEFAULT_OPTIONS:
- LOG.warning("Unknown option passed to Flask-CORS: %s", key)
+ LOG.warning("Unknown option passed to Flask-CORS: %s", key)
# Ensure origins is a list of allowed origins with at least one entry.
options['origins'] = sanitize_regex_param(options.get('origins'))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Cors-3.0.8/flask_cors/extension.py
new/Flask-Cors-3.0.9/flask_cors/extension.py
--- old/Flask-Cors-3.0.8/flask_cors/extension.py 2019-06-08
22:53:18.000000000 +0200
+++ new/Flask-Cors-3.0.9/flask_cors/extension.py 2020-08-30
23:48:21.000000000 +0200
@@ -10,6 +10,10 @@
"""
from flask import request
from .core import *
+try:
+ from urllib.parse import unquote_plus
+except ImportError:
+ from urllib import unquote_plus
LOG = logging.getLogger(__name__)
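Review bot: `unquote_plus` decodes `+` to a space in addition to percent-escapes, which is application/x-www-form-urlencoded semantics; in a URL path a `+` is a literal character, so `urllib.parse.unquote` (and `urllib.unquote` on Python 2) is the closer normalizer for path matching, and with `unquote_plus` any path containing a literal `+` is matched as though it contained a space. If treating `+` as a space is intended, a comment at the import saying so would spare the next reader the same question.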
@@ -173,9 +177,9 @@
if resp.headers is not None and resp.headers.get(ACL_ORIGIN):
LOG.debug('CORS have been already evaluated, skipping')
return resp
-
+ normalized_path = unquote_plus(request.path)
for res_regex, res_options in resources:
- if try_match(request.path, res_regex):
+ if try_match(normalized_path, res_regex):
LOG.debug("Request to '%s' matches CORS resource '%s'. Using
options: %s",
request.path, get_regexp_pattern(res_regex), res_options)
set_cors_headers(resp, res_options)
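Review bot: the debug line under the changed `if` still logs `request.path` while matching is now performed on `normalized_path`; logging the normalized value (or both) means a request whose raw and decoded forms differ, which is exactly the case this fix targets, appears in the log as what was actually matched. Separately, `unquote_plus` does not collapse dot segments, so the `/api/../foo.txt` to `/foo.txt` expansion described in the changelog is not performed by this line; a comment stating which encoded forms this normalization covers, and which layer is relied on for dot-segment resolution, would document the boundary of the fix.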
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Cors-3.0.8/flask_cors/version.py
new/Flask-Cors-3.0.9/flask_cors/version.py
--- old/Flask-Cors-3.0.8/flask_cors/version.py 2019-06-08 22:53:18.000000000
+0200
+++ new/Flask-Cors-3.0.9/flask_cors/version.py 2020-08-30 23:48:21.000000000
+0200
@@ -1 +1 @@
-__version__ = '3.0.8'
+__version__ = '3.0.9'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Cors-3.0.8/setup.py
new/Flask-Cors-3.0.9/setup.py
--- old/Flask-Cors-3.0.8/setup.py 2019-06-08 22:53:18.000000000 +0200
+++ new/Flask-Cors-3.0.9/setup.py 2020-08-30 23:48:21.000000000 +0200
@@ -33,7 +33,8 @@
platforms='any',
install_requires=install_requires,
tests_require=[
- 'nose'
+ 'nose',
+ 'packaging'
],
test_suite='nose.collector',
classifiers=[
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/Flask-Cors-3.0.8/tests/decorator/test_exception_interception.py
new/Flask-Cors-3.0.9/tests/decorator/test_exception_interception.py
--- old/Flask-Cors-3.0.8/tests/decorator/test_exception_interception.py
2019-06-08 22:53:18.000000000 +0200
+++ new/Flask-Cors-3.0.9/tests/decorator/test_exception_interception.py
2020-08-30 23:48:21.000000000 +0200
@@ -8,6 +8,10 @@
:copyright: (c) 2016 by Cory Dolphin.
:license: MIT, see LICENSE for more details.
"""
+import unittest
+
+import flask
+from packaging import version
from ..base_test import FlaskCorsTestCase
from flask import Flask, abort
from flask_cors import *
@@ -198,6 +202,9 @@
self.assertEqual(resp.status_code, 200)
self.assertFalse(ACL_ORIGIN in resp.headers)
+ @unittest.skipIf(version.parse(flask.__version__) >= version.parse("1.1"),
+ "Flask 1.1 changed interception behavior, so after
request handlers are always run. "
+ "This obviates the need for our hacky interception")
def test_acl_uncaught_exception_500(self):
'''
Uncaught exceptions will trigger Flask's internal exception
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-Cors-3.0.8/tests/decorator/test_origins.py
new/Flask-Cors-3.0.9/tests/decorator/test_origins.py
--- old/Flask-Cors-3.0.8/tests/decorator/test_origins.py 2019-06-08
22:53:18.000000000 +0200
+++ new/Flask-Cors-3.0.9/tests/decorator/test_origins.py 2020-08-30
23:48:21.000000000 +0200
@@ -140,7 +140,7 @@
resp = self.get('/test_set', origin='http://bar.com')
allowed = resp.headers.get(ACL_ORIGIN)
- # Order is not garaunteed
+ # Order is not guaranteed
self.assertEqual(allowed, 'http://bar.com')
def test_not_matching_origins(self):
@@ -180,7 +180,7 @@
or '?') will be skipped.
Thus, the list of returned Access-Control-Allow-Origin header
- is garaunteed to be 'null', the origin or "*", as per the w3
+ is guaranteed to be 'null', the origin or "*", as per the w3
http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
'''
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/Flask-Cors-3.0.8/tests/extension/test_app_extension.py
new/Flask-Cors-3.0.9/tests/extension/test_app_extension.py
--- old/Flask-Cors-3.0.8/tests/extension/test_app_extension.py 2019-06-08
22:53:18.000000000 +0200
+++ new/Flask-Cors-3.0.9/tests/extension/test_app_extension.py 2020-08-30
23:48:21.000000000 +0200
@@ -109,7 +109,7 @@
resp = self.get('/test_set', origin='http://bar.com')
allowed = resp.headers.get(ACL_ORIGIN)
- # Order is not garaunteed
+ # Order is not guaranteed
self.assertEqual(allowed, 'http://bar.com')
def test_not_matching_origins(self):
@@ -152,7 +152,7 @@
or '?') will be skipped.
Thus, the list of returned Access-Control-Allow-Origin header
- is garaunteed to be 'null', the origin or "*", as per the w3
+ is guaranteed to be 'null', the origin or "*", as per the w3
http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
'''
@@ -204,7 +204,7 @@
def setUp(self):
self.app = Flask(__name__)
CORS(self.app, resources=r'/api/*',
- headers='Content-Type',
+ allow_headers='Content-Type',
expose_headers='X-Total-Count',
origins='http://bar.com')
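Review bot: renaming `headers=` to `allow_headers=` is more than cosmetic: the rename shows `headers` was not a recognised option, so under the `if key not in DEFAULT_OPTIONS` check in core.py it was logged as an unknown option and ignored, meaning this fixture was never restricting allowed headers to `Content-Type`. A one-line mention in the changelog would tell downstream users who copied the old spelling that it had no effect.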
@@ -225,6 +225,10 @@
def index():
return 'Welcome'
+ @self.app.route('/foo.txt')
+ def foo_txt():
+ return 'Welcome'
+
def test_exposed(self):
for path in '/api/v1/foo', '/api/v1/bar':
for resp in self.iter_responses(path, origin='http://bar.com'):
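Review bot: the new `/foo.txt` route only earns its place if a test requests a path outside `/api/` in encoded form and asserts that no `Access-Control-Allow-Origin` header is returned; that test is not in this excerpt, so please confirm it is part of the 3.0.9 test changes, since without it the CVE-2020-25032 regression has no coverage. Returning the same body `'Welcome'` as `index()` also makes the two responses indistinguishable; a distinct body would let a test assert which route actually served the request.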