
From 8705dd39c4fa563ea0fe0bf84c85da8fcc98b88d Mon Sep 17 00:00:00 2001
From: David Lord <davidism@gmail.com>
Date: Mon, 1 May 2023 08:01:32 -0700
Subject: [PATCH] set `Vary: Cookie` header consistently for session

---
 src/flask/sessions.py | 10 ++++++----
 tests/test_basic.py   | 23 +++++++++++++++++++++++
 2 files changed, 29 insertions(+), 4 deletions(-)

Index: Flask-1.0.2/flask/sessions.py
===================================================================
--- Flask-1.0.2.orig/flask/sessions.py
+++ Flask-1.0.2/flask/sessions.py
@@ -349,6 +349,10 @@ class SecureCookieSessionInterface(Sessi
         domain = self.get_cookie_domain(app)
         path = self.get_cookie_path(app)
 
+        # Add a "Vary: Cookie" header if the session was accessed at all.
+        if session.accessed:
+            response.vary.add("Cookie")
+
         # If the session is modified to be empty, remove the cookie.
         # If the session is empty, return without setting the cookie.
         if not session:
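Review bot: The relocated accessed-check now runs before the `if not session:` early return, so a session that was read but is empty (and writes no cookie) also gets `Vary: Cookie`, which the original placement (the removed lines in the next hunk) did not cover; the comment should say so, e.g. `# Add "Vary: Cookie" whenever the session was read, including the empty-session case below that writes no cookie, since the response still depended on the request cookie.` The literal also switches to double quotes while this Flask 1.0.2 file uses single quotes (see the removed `response.vary.add('Cookie')` in the next hunk); `response.vary.add('Cookie')` would match the file's style. The enclosing method (presumably save_session) starts above the hunk.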
@@ -358,13 +362,10 @@ class SecureCookieSessionInterface(Sessi
                     domain=domain,
                     path=path
                 )
+                response.vary.add("Cookie")
 
             return
 
-        # Add a "Vary: Cookie" header if the session was accessed at all.
-        if session.accessed:
-            response.vary.add('Cookie')
-
         if not self.should_set_cookie(app, session):
             return
 
@@ -383,3 +384,4 @@ class SecureCookieSessionInterface(Sessi
             secure=secure,
             samesite=samesite
         )
+        response.vary.add("Cookie")
Index: Flask-1.0.2/tests/test_basic.py
===================================================================
--- Flask-1.0.2.orig/tests/test_basic.py
+++ Flask-1.0.2/tests/test_basic.py
@@ -545,6 +545,11 @@ def test_session_vary_cookie(app, client
     def setdefault():
         return flask.session.setdefault('test', 'default')
 
+    @app.route("/clear")
+    def clear():
+        flask.session.clear()
+        return ""
+
     @app.route('/vary-cookie-header-set')
     def vary_cookie_header_set():
         response = flask.Response()
@@ -577,11 +582,29 @@ def test_session_vary_cookie(app, client
     expect('/get')
     expect('/getitem')
     expect('/setdefault')
+    expect('/clear')
     expect('/vary-cookie-header-set')
     expect('/vary-header-set', 'Accept-Encoding, Accept-Language, Cookie')
     expect('/no-vary-header', None)
 
 
+def test_session_refresh_vary(app, client):
+    @app.route("/login")
+    def login():
+        flask.session["user_id"] = 1
+        flask.session.permanent = True
+        return ""
+
+    @app.route("/ignored")
+    def ignored():
+        return ""
+
+    rv = client.get("/login")
+    assert rv.headers["Vary"] == "Cookie"
+    rv = client.get("/ignored")
+    assert rv.headers["Vary"] == "Cookie"
+
+
 def test_flashes(app, req_ctx):
     assert not flask.session.modified
     flask.flash('Zap')
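Review bot: test_session_refresh_vary asserts only the Vary header on `/ignored` and relies on two unstated preconditions to make that route write a cookie at all: the permanent session set in `/login` and the default `SESSION_REFRESH_EACH_REQUEST = True`. Make them explicit with `app.config["SESSION_REFRESH_EACH_REQUEST"] = True` at the top of the test and, after the `/ignored` request, `assert "Set-Cookie" in rv.headers`, so the test documents that the header is required here because the cookie is refreshed, not because the session was read. test_flashes continues past the end of the hunk.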