
[meta-python,kirkstone,5/5] python3-flask: patch CVE-2023-30861

Message ID 20260105083201.1225143-5-skandigraun@gmail.com

Commit Message

Gyorgy Sarvari Jan. 5, 2026, 8:32 a.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30861

Pick the patch referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../python/python3-flask/CVE-2023-30861.patch | 94 +++++++++++++++++++
 .../python/python3-flask_2.1.1.bb             |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-flask/CVE-2023-30861.patch

diff --git a/meta-python/recipes-devtools/python/python3-flask/CVE-2023-30861.patch b/meta-python/recipes-devtools/python/python3-flask/CVE-2023-30861.patch
new file mode 100644
index 0000000000..370f17bb7f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-flask/CVE-2023-30861.patch
@@ -0,0 +1,94 @@ 
+From 32cc429640d7307caa2075d15b0634fd886c6381 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Mon, 1 May 2023 08:01:32 -0700
+Subject: [PATCH] set `Vary: Cookie` header consistently for session
+
+CVE: CVE-2023-30861
+Upstream-Status: Backport [https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/flask/sessions.py | 10 ++++++----
+ tests/test_basic.py   | 23 +++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/src/flask/sessions.py b/src/flask/sessions.py
+index 4e19270..039e30c 100644
+--- a/src/flask/sessions.py
++++ b/src/flask/sessions.py
+@@ -385,6 +385,10 @@ class SecureCookieSessionInterface(SessionInterface):
+         samesite = self.get_cookie_samesite(app)
+         httponly = self.get_cookie_httponly(app)
+ 
++        # Add a "Vary: Cookie" header if the session was accessed at all.
++        if session.accessed:
++            response.vary.add("Cookie")
++
+         # If the session is modified to be empty, remove the cookie.
+         # If the session is empty, return without setting the cookie.
+         if not session:
+@@ -397,13 +401,10 @@ class SecureCookieSessionInterface(SessionInterface):
+                     samesite=samesite,
+                     httponly=httponly,
+                 )
++                response.vary.add("Cookie")
+ 
+             return
+ 
+-        # Add a "Vary: Cookie" header if the session was accessed at all.
+-        if session.accessed:
+-            response.vary.add("Cookie")
+-
+         if not self.should_set_cookie(app, session):
+             return
+ 
+@@ -419,3 +420,4 @@ class SecureCookieSessionInterface(SessionInterface):
+             secure=secure,
+             samesite=samesite,
+         )
++        response.vary.add("Cookie")
+diff --git a/tests/test_basic.py b/tests/test_basic.py
+index 2a177e9..2da7699 100644
+--- a/tests/test_basic.py
++++ b/tests/test_basic.py
+@@ -558,6 +558,11 @@ def test_session_vary_cookie(app, client):
+     def setdefault():
+         return flask.session.setdefault("test", "default")
+ 
++    @app.route("/clear")
++    def clear():
++        flask.session.clear()
++        return ""
++
+     @app.route("/vary-cookie-header-set")
+     def vary_cookie_header_set():
+         response = flask.Response()
+@@ -590,11 +595,29 @@ def test_session_vary_cookie(app, client):
+     expect("/get")
+     expect("/getitem")
+     expect("/setdefault")
++    expect("/clear")
+     expect("/vary-cookie-header-set")
+     expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie")
+     expect("/no-vary-header", None)
+ 
+ 
++def test_session_refresh_vary(app, client):
++    @app.get("/login")
++    def login():
++        flask.session["user_id"] = 1
++        flask.session.permanent = True
++        return ""
++
++    @app.get("/ignored")
++    def ignored():
++        return ""
++
++    rv = client.get("/login")
++    assert rv.headers["Vary"] == "Cookie"
++    rv = client.get("/ignored")
++    assert rv.headers["Vary"] == "Cookie"
++
++
+ def test_flashes(app, req_ctx):
+     assert not flask.session.modified
+     flask.flash("Zap")
diff --git a/meta-python/recipes-devtools/python/python3-flask_2.1.1.bb b/meta-python/recipes-devtools/python/python3-flask_2.1.1.bb
index 24a7047703..edf9f628d2 100644
--- a/meta-python/recipes-devtools/python/python3-flask_2.1.1.bb
+++ b/meta-python/recipes-devtools/python/python3-flask_2.1.1.bb
@@ -6,6 +6,7 @@  HOMEPAGE = "https://github.com/mitsuhiko/flask/"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=ffeffa59c90c9c4a033c7574f8f3fb75"
 
+SRC_URI += "file://CVE-2023-30861.patch"
 SRC_URI[sha256sum] = "a8c9bd3e558ec99646d177a9739c41df1ded0629480b4c8d2975412f3c9519c8"
 
 PYPI_PACKAGE = "Flask"