From: Adriano Sela Aviles <adriano.selaviles@gmail.com>
Date: Wed, 14 May 2025 21:17:02 -0700
Subject: [PATCH] [CVE-2024-6839] Sort Paths by Regex Specificity (#391)
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/corydolphin/flask-cors/commit/e970988bea563e05e8b8f53fa7bcc134b5bf5c5f
Bug: https://github.com/corydolphin/flask-cors/pull/391
Bug-Debian: https://bugs.debian.org/1100988
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-6839
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-6839
---
flask_cors/core.py | 21 +++++++++++----------
tests/core/helper_tests.py | 2 +-
2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/flask_cors/core.py b/flask_cors/core.py
index ac9682d..a3d2809 100644
--- a/flask_cors/core.py
+++ b/flask_cors/core.py
@@ -69,16 +69,17 @@ def parse_resources(resources):
# resource of '*', which is not actually a valid regexp.
resources = [(re_fix(k), v) for k, v in resources.items()]
- # Sort by regex length to provide consistency of matching and
- # to provide a proxy for specificity of match. E.G. longer
- # regular expressions are tried first.
- def pattern_length(pair):
- maybe_regex, _ = pair
- return len(get_regexp_pattern(maybe_regex))
-
- return sorted(resources,
- key=pattern_length,
- reverse=True)
+ # Sort patterns with static (literal) paths first, then by regex specificity
+ def sort_key(pair):
+ pattern, _ = pair
+ if isinstance(pattern, RegexObject):
+ return (1, 0, pattern.pattern.count("/"), -len(pattern.pattern))
+ elif probably_regex(pattern):
+ return (1, 1, pattern.count("/"), -len(pattern))
+ else:
+ return (0, 0, pattern.count("/"), -len(pattern))
+
+ return sorted(resources, key=sort_key)
elif isinstance(resources, string_types):
return [(re_fix(resources), {})]
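Review bot: The third element of every key sorts the slash count ascending (`pattern.pattern.count("/")` on the RegexObject branch, `pattern.count("/")` on the two string branches), so a regex with fewer path segments such as `/.*` sorts before `/api/v1/.*`, the opposite of what the comment above sort_key intends and of the order the updated assertion in tests/core/helper_tests.py expects; unless the sign was lost in extraction, the count should be negated, `return (1, 0, -pattern.pattern.count("/"), -len(pattern.pattern))`, and likewise on the other two branches. Getting this backwards matters for the fix itself, because a broader regex tried first would apply its origin policy to paths that a narrower rule was registered to govern. Separately, two patterns with equal group, slash count and length keep whatever order `resources.items()` yields, which is only deterministic on interpreters that preserve dict insertion order (the `string_types` check suggests older ones are still targeted); appending the pattern text as a final tiebreak (`pattern.pattern` on the compiled branch, `pattern` on the string branches) makes the sort stable across runs. parse_resources begins outside the hunk.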
diff --git a/tests/core/helper_tests.py b/tests/core/helper_tests.py
index 4eedca8..3139ffc 100644
--- a/tests/core/helper_tests.py
+++ b/tests/core/helper_tests.py
@@ -81,7 +81,7 @@ class InternalsTestCase(unittest.TestCase):
self.assertEqual(
[r[0] for r in resources],
- [re.compile(r'/api/v1/.*'), '/foo', re.compile(r'/.*')]
+ ['/foo', re.compile(r'/api/v1/.*'), re.compile(r'/.*')]
)
def test_probably_regex(self):