Backwards Compatible Fix for CVE-2024-6221 #363
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Closed
|
Original issue highlighting this vulnerability: #337 @corydolphin It would be great if you could allow this change to be merged, and as mentioned in #337 it would be ideal if this was not the default behaviour (which would presumably require a major version bump to v5.0.0). Thanks in advance! |
This was referenced Aug 28, 2024
|
if anyone is looking for a temporary fix before this gets released: app = Flask(__name__)
def set_allow_private_network_false(response: Response):
"""Set the private network header to false to temporarily fix unpatched vulnerability found in Flask-CORS"""
# https://github.com/advisories/GHSA-hxwh-jpp2-84pm/
# https://github.com/corydolphin/flask-cors/pull/363
if "Access-Control-Allow-Private-Network" in response.headers:
response.headers["Access-Control-Allow-Private-Network"] = "false"
return response
app.after_request(set_allow_private_network_false) |
|
Thank you very much for the contribution @adrianosela and @alexgokhale, apologies for my slowness in reviewing it. Contributions like this make supporting this package possible. I'm going to merge this as is, and then adjust the defaults to exclude private networks. |
|
I requested for the GitHub advisory database to be updated since it is now fixed: github/advisory-database#4749 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backwards Compatible Fix for CVE-2024-6221
Also tracked as:
Adds a configuration option that allows setting a custom true/false value in the response header
Access-Control-Allow-Private-Network(whenever the request headerAccess-Control-Request-Private-Networkis present and"true")The default behavior is unchanged, allowing this change to go in as a new minor version.
However, the wording of the CVE implies that the default behavior should be changed to set the header to
"false"unless setting to"true"is explicitly enabled.Making that change means simply changing the
allow_private_network=Truetoallow_private_network=Falsein the options list. This would require cutting a new major version (5.0.0) forflask-cors.