Backwards Compatible Fix for CVE-2024-6221 (#363)
adrianosela authored Aug 30, 2024
1 parent f25c6b2 commit 7ae310c
Showing 4 changed files with 36 additions and 4 deletions.
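--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`)
 Headers to accept from the client.
 Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header.
 
+CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`)
+If True, the response header :http:header:`Access-Control-Allow-Private-Network`
+will be set with the value 'true' whenever the request header
+:http:header:`Access-Control-Request-Private-Network` has a value 'true'.
+
+If False, the reponse header :http:header:`Access-Control-Allow-Private-Network`
+will be set with the value 'false' whenever the request header
+:http:header:`Access-Control-Request-Private-Network` has a value of 'true'.
+
+If the request header :http:header:`Access-Control-Request-Private-Network` is
+not present or has a value other than 'true', the response header
+:http:header:`Access-Control-Allow-Private-Network` will not be set.
+
 CORS_ALWAYS_SEND (:py:class:`bool`)
 Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS.
 This means we can ignore this request.
@@ -83,6 +96,7 @@ Default values
 ~~~~~~~~~~~~~~
 
 * CORS_ALLOW_HEADERS: "*"
+* CORS_ALLOW_PRIVATE_NETWORK: True
 * CORS_ALWAYS_SEND: True
 * CORS_AUTOMATIC_OPTIONS: True
 * CORS_EXPOSE_HEADERS: None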
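--- a/flask_cors/core.py
+++ b/flask_cors/core.py
@@ -36,7 +36,7 @@
 'CORS_MAX_AGE', 'CORS_SEND_WILDCARD',
 'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER',
 'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS',
-'CORS_ALWAYS_SEND']
+'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK']
 # Attribute added to request object by decorator to indicate that CORS
 # was evaluated, in case the decorator and extension are both applied
 # to a view.
@@ -56,7 +56,8 @@
 vary_header=True,
 resources=r'/*',
 intercept_exceptions=True,
-always_send=True)
+always_send=True,
+allow_private_network=True)
 
 
 def parse_resources(resources):
@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method):
 
 if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \
 and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true':
-headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true'
+allow_private_network = 'true' if options.get('allow_private_network') else 'false'
+headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network
 
 # This is a preflight request
 # http://www.w3.org/TR/cors/#resource-preflight-requests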
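Review bot: The new branch `allow_private_network = 'true' if options.get('allow_private_network') else 'false'` in get_cors_headers has no test in this commit (the four changed files are docs, core, extension and version), so neither outcome of the CVE-2024-6221 fix is pinned; a regression test that sends `Access-Control-Request-Private-Network: true` once with the default and once with `allow_private_network=False`, asserting the resulting `Access-Control-Allow-Private-Network` value, would make the fix verifiable. Because DEFAULT_OPTIONS keeps `allow_private_network=True`, the pre-fix behaviour is preserved unless a deployer opts out, and a one-line comment on that default would tell future maintainers the permissive value is deliberate, e.g. `allow_private_network=True)  # kept True for backwards compatibility (CVE-2024-6221); set False to stop granting private-network access`. Note also that `options.get(...)` maps a missing key to 'false', the opposite of the documented default, so if the key can genuinely be absent here `options['allow_private_network']` would surface that misconfiguration rather than silently flipping behaviour. get_cors_headers starts before this hunk, so whether this block runs only after the origin check cannot be confirmed from the hunk.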
16 changes: 16 additions & 0 deletions flask_cors/extension.py
Expand Up @@ -138,6 +138,22 @@ class CORS(object):
Default : True
:type vary_header: bool
:param allow_private_network:
If True, the response header `Access-Control-Allow-Private-Network`
will be set with the value 'true' whenever the request header
`Access-Control-Request-Private-Network` has a value 'true'.
If False, the reponse header `Access-Control-Allow-Private-Network`
will be set with the value 'false' whenever the request header
`Access-Control-Request-Private-Network` has a value of 'true'.
If the request header `Access-Control-Request-Private-Network` is
not present or has a value other than 'true', the response header
`Access-Control-Allow-Private-Network` will not be set.
Default : True
:type allow_private_network: bool
"""

def __init__(self, app=None, **kwargs):
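Review bot: The new docstring paragraph has a typo at `If False, the reponse header` — it should read `response`; the same misspelling appears in the matching paragraph added to docs/configuration.rst. Otherwise the parameter description agrees with the branch added in core.py, including the 'false' value emitted when the option is off and the stated default of True. The CORS class and its docstring start before this hunk.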
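--- a/flask_cors/version.py
+++ b/flask_cors/version.py
@@ -1 +1 @@
-__version__ = '4.0.1'
+__version__ = '4.0.2'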
