!12 Update to 5.0.0 for fix CVE-2024-6221

From: @starlet-dx Reviewed-by: @cherry530 Signed-off-by: @cherry530
2024-09-18 09:18:59 +00:00 · 2024-09-18 09:18:59 +00:00 · dd674e5644
commit dd674e5644
parent 5a5222346b cc4bee1a71
4 changed files with 9 additions and 30 deletions
--- a/CVE-2024-1681.patch
+++ b/CVE-2024-1681.patch
@ -1,24 +0,0 @@
-From 6172c2000dba965fedb8e9a8a916ad56f0fb2630 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Anes=20Hujevi=C4=87?= <anes1996_h@hotmail.com>
-Date: Sat, 4 May 2024 21:28:47 +0200
-Subject: [PATCH] Update extension.py to clean request.path before logging it
- (#351)
-
-* Update extension.py to use string format specifier for cleaning request.path
---
- flask_cors/extension.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/flask_cors/extension.py b/flask_cors/extension.py
-index 6f76995..6361dcc 100644
--- a/flask_cors/extension.py
-+++ b/flask_cors/extension.py
-@@ -193,7 +193,7 @@ def cors_after_request(resp):
-         normalized_path = unquote_plus(request.path)
-         for res_regex, res_options in resources:
-             if try_match(normalized_path, res_regex):
-                LOG.debug("Request to '%s' matches CORS resource '%s'. Using options: %s",
-+                LOG.debug("Request to '%r' matches CORS resource '%s'. Using options: %s",
-                       request.path, get_regexp_pattern(res_regex), res_options)
-                 set_cors_headers(resp, res_options)
-                 break
--- a/Flask-Cors-4.0.0.tar.gz
+++ b/Flask-Cors-4.0.0.tar.gz
--- a/flask-cors.spec
+++ b/flask-cors.spec
@ -1,13 +1,11 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-Flask-Cors
-Version:	4.0.0
-Release:	2
+Version:	5.0.0
+Release:	1
 Summary:	A Flask extension adding a decorator for CORS support
 License:	MIT
 URL:		https://github.com/corydolphin/flask-cors
-Source0:	https://files.pythonhosted.org/packages/c8/b0/bd7130837a921497520f62023c7ba754e441dcedf959a43e6d1fd86e5451/Flask-Cors-4.0.0.tar.gz
-# https://github.com/corydolphin/flask-cors/commit/6172c2000dba965fedb8e9a8a916ad56f0fb2630
-Patch0: 	CVE-2024-1681.patch
+Source0:	https://files.pythonhosted.org/packages/source/F/Flask-Cors/flask_cors-%{version}.tar.gz
 BuildArch:	noarch

 Requires:	python3-Flask
@ -32,7 +30,7 @@ Provides:	python3-Flask-Cors-doc
 A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible.

 %prep
-%autosetup -n Flask-Cors-4.0.0 -p1
+%autosetup -n flask_cors-%{version} -p1

 %build
 %py3_build
@ -72,6 +70,11 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Wed Sep 18 2024 yaoxin <yao_xin001@hoperun.com> - 5.0.0-1
+- Update to 5.0.0:
+  * Breaking: Change default to disable private network access
+    This effectively resolves GHSA-hxwh-jpp2-84pm https://osv.dev/vulnerability/PYSEC-2024-71
+
 * Tue May 28 2024 yaoxin <yao_xin001@hoperun.com> - 4.0.0-2
 - Fix CVE-2024-1681

--- a/flask_cors-5.0.0.tar.gz
+++ b/flask_cors-5.0.0.tar.gz