Bug#1108508: bookworm-pu: package python-flask-cors/3.0.10-2+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python-flask-cors@packages.debian.org
Control: affects -1 + src:python-flask-cors
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
[ Reason ]
There are multiple vulnerabilities in python-flask-cors which have been fixed
in Sid/Trixie and in LTS, but not in Bookworm yet. This upload attempts to
close them for stable as well, and to offer a clean upgrade path for LTS users.
[ Impact ]
If the issues are not fixed, users of Debian Bookworm will continue to be
vulnerable. And users of LTS might become vulnerable when upgrading to
Bookworm.
[ Tests ]
The package uses autopkgtest to run the upstream testsuite. The tests are
successful.
[ Risks ]
There are the usual risks of regression and unexpected behavior. However, the
upstream testuite is successful and the changes have already been applied to
LTS without issues.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The patch for CVE-2024-1681 to clean request.path before logging it is quite
trivial.
The patch for CVE-2024-6839 fixes a regex pattern matching and is covered by a
newly introduced test.
The patch for CVE-2024-6844 replaces the usage of urllib's unquote_plus to
unquote to avoid unintended behavior. New tests have been added to cover the
function.
The patch for CVE-2024-6866 changes a few functions to allow for case-sensitive
and case-insensitive matching where appropriate. New tests have been added as
well.
[ Other info ]
n/a
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmhh6A8ACgkQS80FZ8KW
0F2GIhAAlABzeYmnNksIdM//BWaXqFuxx4SUnT5mtkf09ov9Zu+kCPucoMmNsS7Z
ufIEc6DT9y+cIMshrIu+YEYb7buyDLWEEz7m2CjS6EiTxPrXLEOJLGSs7zzgkbcF
kHDcUFJw/rKREWy39Y4de/TAW0vwtQ2TSldAGtqOKLoVs9ehB0g1ABKQiWsNiXHn
45gWm6G3flVVynhcw40NMNtCvBErO/0IeiVStlckmt4nnQs0lXvohmrX1MFnS+6u
PjYJFWPyCofJhwerpBDE3ihNTD9922uieHBm8L3OffX2nApRYdY6AhToSO679I3i
4iAvLG2xEHb+ZhKciutDArN8MBuKY/Rsmza5eYyCnY9yzv+/m2tyxb8nmu7h4Pdp
HLIwWLwT9LaeYFYbMRJlpeQaBXYnYMOr7EB0GRjNAxC6+CeSFZrrNuoHtVnZuWg3
niu42V1qELeMbQJaVhVcTUr43/KAi19EyUqO0KHiJ3r+vIq7jLw47LUPDLaz1T6d
oUq+6+erdPyURYMSCHFR9SylDcu37RMQDC02hqUFuF6YlvWheMGWzsAJkQPm3cTq
VYzFZej77GPR3mNCvJkSiEzoZ+69en5vdS+YoIV2rIo7NGQH69tUT6iXeA/iJ4f5
nBdWnuHT5GLgLr6oTQiSaD3ibwOERCJkk4ldtWokS5J9nWDO5s0=
=5bkH
-----END PGP SIGNATURE-----
diff -Nru python-flask-cors-3.0.10/debian/changelog python-flask-cors-3.0.10/debian/changelog
--- python-flask-cors-3.0.10/debian/changelog 2023-01-22 09:52:05.000000000 +0100
+++ python-flask-cors-3.0.10/debian/changelog 2025-06-30 02:59:32.000000000 +0200
@@ -1,3 +1,38 @@
+python-flask-cors (3.0.10-2+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS team.
+ * d/patches/CVE-2024-1681.patch: Add to fix CVE-2024-1681 (closes: #1069764).
+ - An attacker can inject fake log entries into the log file by sending a
+ specially crafted GET request containing a CRLF sequence in the request
+ path, allowing them to corrupt log files, potentially covering tracks of
+ other attacks, confusing log post-processing tools, and forging log
+ entries.
+ * d/patches/CVE-2024-6866.patch: Add to fix CVE-2024-6866 (closes: #1100988).
+ - The request path matching is case-insensitive. This results in a mismatch
+ because paths in URLs are case-sensitive, but the regex matching treats
+ them as case-insensitive. This misconfiguration can lead to significant
+ security vulnerabilities, allowing unauthorized origins to access paths
+ meant to be restricted, resulting in data exposure and potential leaks.
+ * d/patches/CVE-2024-6839-1.patch, d/patches/CVE-2024-6839-2.patch: Add to
+ fix CVE-2024-6839 (closes: #1100988).
+ - There is an improper regex path matching vulnerability. The plugin
+ prioritizes longer regex patterns over more specific ones when matching
+ paths, which can lead to less restrictive CORS policies being applied to
+ sensitive endpoints. This mismatch in regex pattern priority allows
+ unauthorized cross-origin access to sensitive data or functionality,
+ potentially exposing confidential information and increasing the risk of
+ unauthorized actions by malicious actors.
+ d/patches/CVE-2024-6844.patch: Add to fix CVE-2024-6844 (closes: #1100988).
+ - The request.path is passed through the unquote_plus function, which
+ converts the '+' character to a space ' '. This behavior leads to
+ incorrect path normalization, causing potential mismatches in CORS
+ configuration. As a result, endpoints may not be matched correctly to
+ their CORS settings, leading to unexpected CORS policy application. This
+ can cause unauthorized cross-origin access or block valid requests,
+ creating security vulnerabilities and usability issues.
+
+ -- Daniel Leidert <dleidert@debian.org> Mon, 30 Jun 2025 02:59:32 +0200
+
python-flask-cors (3.0.10-2) unstable; urgency=medium
* Team upload.
diff -Nru python-flask-cors-3.0.10/debian/gbp.conf python-flask-cors-3.0.10/debian/gbp.conf
--- python-flask-cors-3.0.10/debian/gbp.conf 2022-10-31 13:06:39.000000000 +0100
+++ python-flask-cors-3.0.10/debian/gbp.conf 2025-06-30 02:59:32.000000000 +0200
@@ -1,7 +1,7 @@
[DEFAULT]
pristine-tar = True
compression = gz
-debian-branch = debian/master
+debian-branch = debian/bookworm
upstream-branch = upstream
[pq]
diff -Nru python-flask-cors-3.0.10/debian/patches/CVE-2024-1681.patch python-flask-cors-3.0.10/debian/patches/CVE-2024-1681.patch
--- python-flask-cors-3.0.10/debian/patches/CVE-2024-1681.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-flask-cors-3.0.10/debian/patches/CVE-2024-1681.patch 2025-06-30 02:59:32.000000000 +0200
@@ -0,0 +1,29 @@
+From: =?utf-8?q?Anes_Hujevi=C4=87?= <anes1996_h@hotmail.com>
+Date: Sat, 4 May 2024 21:28:47 +0200
+Subject: Update extension.py to clean request.path before logging it (#351)
+
+* Update extension.py to use string format specifier for cleaning request.path
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/corydolphin/flask-cors/commit/6172c2000dba965fedb8e9a8a916ad56f0fb2630
+Bug: https://github.com/corydolphin/flask-cors/issues/349
+Bug-Debian: https://bugs.debian.org/1069764
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-1681
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-1681
+---
+ flask_cors/extension.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/flask_cors/extension.py b/flask_cors/extension.py
+index cfeca73..77cf47d 100644
+--- a/flask_cors/extension.py
++++ b/flask_cors/extension.py
+@@ -180,7 +180,7 @@ def make_after_request_function(resources):
+ normalized_path = unquote_plus(request.path)
+ for res_regex, res_options in resources:
+ if try_match(normalized_path, res_regex):
+- LOG.debug("Request to '%s' matches CORS resource '%s'. Using options: %s",
++ LOG.debug("Request to '%r' matches CORS resource '%s'. Using options: %s",
+ request.path, get_regexp_pattern(res_regex), res_options)
+ set_cors_headers(resp, res_options)
+ break
diff -Nru python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-1.patch python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-1.patch
--- python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-1.patch 2025-06-30 02:59:32.000000000 +0200
@@ -0,0 +1,60 @@
+From: Adriano Sela Aviles <adriano.selaviles@gmail.com>
+Date: Wed, 14 May 2025 21:17:02 -0700
+Subject: [PATCH] [CVE-2024-6839] Sort Paths by Regex Specificity (#391)
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/corydolphin/flask-cors/commit/e970988bea563e05e8b8f53fa7bcc134b5bf5c5f
+Bug: https://github.com/corydolphin/flask-cors/pull/391
+Bug-Debian: https://bugs.debian.org/1100988
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-6839
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-6839
+---
+ flask_cors/core.py | 21 +++++++++++----------
+ tests/core/helper_tests.py | 2 +-
+ 2 files changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/flask_cors/core.py b/flask_cors/core.py
+index ac9682d..a3d2809 100644
+--- a/flask_cors/core.py
++++ b/flask_cors/core.py
+@@ -69,16 +69,17 @@ def parse_resources(resources):
+ # resource of '*', which is not actually a valid regexp.
+ resources = [(re_fix(k), v) for k, v in resources.items()]
+
+- # Sort by regex length to provide consistency of matching and
+- # to provide a proxy for specificity of match. E.G. longer
+- # regular expressions are tried first.
+- def pattern_length(pair):
+- maybe_regex, _ = pair
+- return len(get_regexp_pattern(maybe_regex))
+-
+- return sorted(resources,
+- key=pattern_length,
+- reverse=True)
++ # Sort patterns with static (literal) paths first, then by regex specificity
++ def sort_key(pair):
++ pattern, _ = pair
++ if isinstance(pattern, RegexObject):
++ return (1, 0, pattern.pattern.count("/"), -len(pattern.pattern))
++ elif probably_regex(pattern):
++ return (1, 1, pattern.count("/"), -len(pattern))
++ else:
++ return (0, 0, pattern.count("/"), -len(pattern))
++
++ return sorted(resources, key=sort_key)
+
+ elif isinstance(resources, string_types):
+ return [(re_fix(resources), {})]
+diff --git a/tests/core/helper_tests.py b/tests/core/helper_tests.py
+index 4eedca8..3139ffc 100644
+--- a/tests/core/helper_tests.py
++++ b/tests/core/helper_tests.py
+@@ -81,7 +81,7 @@ class InternalsTestCase(unittest.TestCase):
+
+ self.assertEqual(
+ [r[0] for r in resources],
+- [re.compile(r'/api/v1/.*'), '/foo', re.compile(r'/.*')]
++ ['/foo', re.compile(r'/api/v1/.*'), re.compile(r'/.*')]
+ )
+
+ def test_probably_regex(self):
diff -Nru python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-2.patch python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-2.patch
--- python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-flask-cors-3.0.10/debian/patches/CVE-2024-6839-2.patch 2025-06-30 02:59:32.000000000 +0200
@@ -0,0 +1,38 @@
+From: joshuamorton <joshuamorton@google.com>
+Date: Wed, 21 May 2025 20:53:40 +0000
+Subject: [PATCH] Sort paths longest to shortest.
+
+Previously, path sort length was inverted, with short paths before long
+ones, this led to a path like `/*` being handled *before* a path like
+`/foo/bar/baz`, which is exactly what we didn't want. This was tested,
+but the test was misnamed and so wasn't picked up by pytest.
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/corydolphin/flask-cors/pull/392
+Bug: https://github.com/corydolphin/flask-cors/pull/391
+Bug-Debian: https://bugs.debian.org/1100988
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-6839
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-6839
+---
+ flask_cors/core.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/flask_cors/core.py b/flask_cors/core.py
+index a3d2809..cbf123a 100644
+--- a/flask_cors/core.py
++++ b/flask_cors/core.py
+@@ -73,11 +73,11 @@ def parse_resources(resources):
+ def sort_key(pair):
+ pattern, _ = pair
+ if isinstance(pattern, RegexObject):
+- return (1, 0, pattern.pattern.count("/"), -len(pattern.pattern))
++ return (1, 0, -pattern.pattern.count("/"), -len(pattern.pattern))
+ elif probably_regex(pattern):
+- return (1, 1, pattern.count("/"), -len(pattern))
++ return (1, 1, -pattern.count("/"), -len(pattern))
+ else:
+- return (0, 0, pattern.count("/"), -len(pattern))
++ return (0, 0, -pattern.count("/"), -len(pattern))
+
+ return sorted(resources, key=sort_key)
+
diff -Nru python-flask-cors-3.0.10/debian/patches/CVE-2024-6844.patch python-flask-cors-3.0.10/debian/patches/CVE-2024-6844.patch
--- python-flask-cors-3.0.10/debian/patches/CVE-2024-6844.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-flask-cors-3.0.10/debian/patches/CVE-2024-6844.patch 2025-06-30 02:59:32.000000000 +0200
@@ -0,0 +1,107 @@
+From: Adriano Sela Aviles <adriano.selaviles@gmail.com>
+Date: Sat, 17 May 2025 07:32:23 -0700
+Subject: [PATCH] [CVE-2024-6844] Replace use of (urllib) unquote_plus with
+ unquote for paths (#389)
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/corydolphin/flask-cors/commit/35d875319621bd129a38b2b823abf4a2f6cda536
+Bug: https://github.com/corydolphin/flask-cors/pull/389
+Bug-Debian: https://bugs.debian.org/1100988
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-6844
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-6844
+---
+ flask_cors/extension.py | 6 ++--
+ tests/extension/test_app_extension.py | 56 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+), 3 deletions(-)
+
+diff --git a/flask_cors/extension.py b/flask_cors/extension.py
+index 44b0a09..f3041c5 100644
+--- a/flask_cors/extension.py
++++ b/flask_cors/extension.py
+@@ -11,9 +11,9 @@
+ from flask import request
+ from .core import *
+ try:
+- from urllib.parse import unquote_plus
++ from urllib.parse import unquote
+ except ImportError:
+- from urllib import unquote_plus
++ from urllib import unquote
+
+ LOG = logging.getLogger(__name__)
+
+@@ -177,7 +177,7 @@ def make_after_request_function(resources):
+ if resp.headers is not None and resp.headers.get(ACL_ORIGIN):
+ LOG.debug('CORS have been already evaluated, skipping')
+ return resp
+- normalized_path = unquote_plus(request.path)
++ normalized_path = unquote(request.path)
+ for res_regex, res_options in resources:
+ if try_match_pattern(normalized_path, res_regex, caseSensitive=True):
+ LOG.debug("Request to '%r' matches CORS resource '%s'. Using options: %s",
+diff --git a/tests/extension/test_app_extension.py b/tests/extension/test_app_extension.py
+index 597b744..b836eb7 100644
+--- a/tests/extension/test_app_extension.py
++++ b/tests/extension/test_app_extension.py
+@@ -378,5 +378,61 @@ class AppExtensionBadRegexp(FlaskCorsTestCase):
+ self.assertEqual(resp.status_code, 200)
+
+
++class AppExtensionPlusInPath(FlaskCorsTestCase):
++ '''
++ Regression test for CVE-2024-6844:
++ Ensures that we correctly differentiate '+' from ' ' in URL paths.
++ '''
++
++ def setUp(self):
++ self.app = Flask(__name__)
++ CORS(self.app, resources={
++ r'/service\+path': {'origins': ['http://foo.com']},
++ r'/service path': {'origins': ['http://bar.com']},
++ })
++
++ @self.app.route('/service+path')
++ def plus_path():
++ return 'plus'
++
++ @self.app.route('/service path')
++ def space_path():
++ return 'space'
++
++ self.client = self.app.test_client()
++
++ def test_plus_path_origin_allowed(self):
++ '''
++ Ensure that CORS matches + literally and allows the correct origin
++ '''
++ response = self.client.get('/service+path', headers={'Origin': 'http://foo.com'})
++ self.assertEqual(response.status_code, 200)
++ self.assertEqual(response.headers.get(ACL_ORIGIN), 'http://foo.com')
++
++ def test_space_path_origin_allowed(self):
++ '''
++ Ensure that CORS treats /service path differently and allows correct origin
++ '''
++ response = self.client.get('/service%20path', headers={'Origin': 'http://bar.com'})
++ self.assertEqual(response.status_code, 200)
++ self.assertEqual(response.headers.get(ACL_ORIGIN), 'http://bar.com')
++
++ def test_plus_path_rejects_other_origin(self):
++ '''
++ Origin not allowed for + path should be rejected
++ '''
++ response = self.client.get('/service+path', headers={'Origin': 'http://bar.com'})
++ self.assertEqual(response.status_code, 200)
++ self.assertIsNone(response.headers.get(ACL_ORIGIN))
++
++ def test_space_path_rejects_other_origin(self):
++ '''
++ Origin not allowed for space path should be rejected
++ '''
++ response = self.client.get('/service%20path', headers={'Origin': 'http://foo.com'})
++ self.assertEqual(response.status_code, 200)
++ self.assertIsNone(response.headers.get(ACL_ORIGIN))
++
++
+ if __name__ == "__main__":
+ unittest.main()
diff -Nru python-flask-cors-3.0.10/debian/patches/CVE-2024-6866.patch python-flask-cors-3.0.10/debian/patches/CVE-2024-6866.patch
--- python-flask-cors-3.0.10/debian/patches/CVE-2024-6866.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-flask-cors-3.0.10/debian/patches/CVE-2024-6866.patch 2025-06-30 02:59:32.000000000 +0200
@@ -0,0 +1,130 @@
+From: Adriano Sela Aviles <adriano.selaviles@gmail.com>
+Date: Wed, 14 May 2025 21:13:34 -0700
+Subject: [PATCH] [CVE-2024-6866] Case Sensitive Request Path Matching (#390)
+
+* [CVE-2024-6866] Case Sensitive Request Path Matching
+
+* Update flask_cors/core.py
+
+Co-authored-by: Cory Dolphin <corydolphin@gmail.com>
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://github.com/corydolphin/flask-cors/commit/eb39516a3c96b90d0ae5f51293972395ec3ef358
+Bug: https://github.com/corydolphin/flask-cors/pull/390
+Bug-Debian: https://bugs.debian.org/1100988
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-6866
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-6866
+---
+ flask_cors/core.py | 47 +++++++++++++++++++++++++++-------------------
+ flask_cors/extension.py | 2 +-
+ tests/core/helper_tests.py | 9 ++++++---
+ 3 files changed, 35 insertions(+), 23 deletions(-)
+
+diff --git a/flask_cors/core.py b/flask_cors/core.py
+index 7654cb1..ac9682d 100644
+--- a/flask_cors/core.py
++++ b/flask_cors/core.py
+@@ -123,9 +123,10 @@ def get_cors_origins(options, request_origin):
+ if wildcard and options.get('send_wildcard'):
+ LOG.debug("Allowed origins are set to '*'. Sending wildcard CORS header.")
+ return ['*']
+- # If the value of the Origin header is a case-sensitive match
+- # for any of the values in list of origins
+- elif try_match_any(request_origin, origins):
++ # If the value of the Origin header is a case-insensitive match
++ # for any of the values in list of origins.
++ # NOTE: Per RFC 1035 and RFC 4343 schemes and hostnames are case insensitive.
++ elif try_match_any_pattern(request_origin, origins, caseSensitive=False):
+ LOG.debug("The request's Origin header matches. Sending CORS headers.", )
+ # Add a single Access-Control-Allow-Origin header, with either
+ # the value of the Origin header or the string "*" as value.
+@@ -163,10 +164,7 @@ def get_allow_headers(options, acl_request_headers):
+ request_headers = [h.strip() for h in acl_request_headers.split(',')]
+
+ # any header that matches in the allow_headers
+- matching_headers = filter(
+- lambda h: try_match_any(h, options.get('allow_headers')),
+- request_headers
+- )
++ matching_headers = filter(lambda h: try_match_any_pattern(h, options.get("allow_headers"), caseSensitive=False), request_headers)
+
+ return ', '.join(sorted(matching_headers))
+
+@@ -268,21 +266,32 @@ def re_fix(reg):
+ return r'.*' if reg == r'*' else reg
+
+
+-def try_match_any(inst, patterns):
+- return any(try_match(inst, pattern) for pattern in patterns)
++def try_match_any_pattern(inst, patterns, caseSensitive=True):
++ return any(try_match_pattern(inst, pattern, caseSensitive) for pattern in patterns)
+
+
+-def try_match(request_origin, maybe_regex):
+- """Safely attempts to match a pattern or string to a request origin."""
+- if isinstance(maybe_regex, RegexObject):
+- return re.match(maybe_regex, request_origin)
+- elif probably_regex(maybe_regex):
+- return re.match(maybe_regex, request_origin, flags=re.IGNORECASE)
+- else:
++def try_match_pattern(value, pattern, caseSensitive=True):
++ """
++ Safely attempts to match a pattern or string to a value. This
++ function can be used to match request origins, headers, or paths.
++ The value of caseSensitive should be set in accordance to the
++ data being compared e.g. origins and headers are case insensitive
++ whereas paths are case-sensitive
++ """
++ if isinstance(pattern, RegexObject):
++ return re.match(pattern, value)
++ if probably_regex(pattern):
++ flags = 0 if caseSensitive else re.IGNORECASE
+ try:
+- return request_origin.lower() == maybe_regex.lower()
+- except AttributeError:
+- return request_origin == maybe_regex
++ return re.match(pattern, value, flags=flags)
++ except re.error:
++ return False
++ try:
++ v = str(value)
++ p = str(pattern)
++ return v == p if caseSensitive else v.casefold() == p.casefold()
++ except Exception:
++ return value == pattern
+
+
+ def get_cors_options(appInstance, *dicts):
+diff --git a/flask_cors/extension.py b/flask_cors/extension.py
+index 77cf47d..44b0a09 100644
+--- a/flask_cors/extension.py
++++ b/flask_cors/extension.py
+@@ -179,7 +179,7 @@ def make_after_request_function(resources):
+ return resp
+ normalized_path = unquote_plus(request.path)
+ for res_regex, res_options in resources:
+- if try_match(normalized_path, res_regex):
++ if try_match_pattern(normalized_path, res_regex, caseSensitive=True):
+ LOG.debug("Request to '%r' matches CORS resource '%s'. Using options: %s",
+ request.path, get_regexp_pattern(res_regex), res_options)
+ set_cors_headers(resp, res_options)
+diff --git a/tests/core/helper_tests.py b/tests/core/helper_tests.py
+index d7811da..4eedca8 100644
+--- a/tests/core/helper_tests.py
++++ b/tests/core/helper_tests.py
+@@ -17,9 +17,12 @@ from flask_cors.core import *
+
+
+ class InternalsTestCase(unittest.TestCase):
+- def test_try_match(self):
+- self.assertFalse(try_match('www.com/foo', 'www.com/fo'))
+- self.assertTrue(try_match('www.com/foo', 'www.com/fo*'))
++ def test_try_match_pattern(self):
++ self.assertFalse(try_match_pattern('www.com/foo', 'www.com/fo', caseSensitive=True))
++ self.assertTrue(try_match_pattern('www.com/foo', 'www.com/fo*', caseSensitive=True))
++ self.assertTrue(try_match_pattern('www.com', 'WwW.CoM', caseSensitive=False))
++ self.assertTrue(try_match_pattern('/foo', '/fo*', caseSensitive=True))
++ self.assertFalse(try_match_pattern('/foo', '/Fo*', caseSensitive=True))
+
+ def test_flexible_str_str(self):
+ self.assertEquals(flexible_str('Bar, Foo, Qux'), 'Bar, Foo, Qux')
diff -Nru python-flask-cors-3.0.10/debian/patches/series python-flask-cors-3.0.10/debian/patches/series
--- python-flask-cors-3.0.10/debian/patches/series 2022-11-01 08:15:06.000000000 +0100
+++ python-flask-cors-3.0.10/debian/patches/series 2025-06-30 02:59:32.000000000 +0200
@@ -3,3 +3,8 @@
upstream/Spelling-Fix-misspelled-word-conjuction.patch
upstream/Spelling-Fix-misspelled-word-maching.patch
debian-hacks/docs-Use-local-inventory-for-Python3.patch
+CVE-2024-1681.patch
+CVE-2024-6866.patch
+CVE-2024-6839-1.patch
+CVE-2024-6839-2.patch
+CVE-2024-6844.patch
Reply to: