From: joshuamorton <joshuamorton@google.com>
Date: Wed, 21 May 2025 20:53:40 +0000
Subject: [PATCH] Sort paths longest to shortest.
Previously, path sort length was inverted, with short paths before long
ones; this led to a path like `/*` being handled *before* a path like
`/foo/bar/baz`, which is exactly what we didn't want. This was tested,
but the test was misnamed and so wasn't picked up by pytest.
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/corydolphin/flask-cors/pull/392
Bug: https://github.com/corydolphin/flask-cors/pull/391
Bug-Debian: https://bugs.debian.org/1100988
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-6839
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-6839
---
flask_cors/core.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flask_cors/core.py b/flask_cors/core.py
index a3d2809..cbf123a 100644
--- a/flask_cors/core.py
+++ b/flask_cors/core.py
@@ -73,11 +73,11 @@ def parse_resources(resources):
def sort_key(pair):
pattern, _ = pair
if isinstance(pattern, RegexObject):
- return (1, 0, pattern.pattern.count("/"), -len(pattern.pattern))
+ return (1, 0, -pattern.pattern.count("/"), -len(pattern.pattern))
elif probably_regex(pattern):
- return (1, 1, pattern.count("/"), -len(pattern))
+ return (1, 1, -pattern.count("/"), -len(pattern))
else:
- return (0, 0, pattern.count("/"), -len(pattern))
+ return (0, 0, -pattern.count("/"), -len(pattern))
return sorted(resources, key=sort_key)
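Review bot: The negated slash count in the three `return` lines of `sort_key` has no regression test in this patch: the diffstat lists only `flask_cors/core.py`, while the description says the existing ordering test was misnamed and never collected by pytest. Because this ordering appears to decide which resource's CORS options are applied to a request (the issue tracked as CVE-2024-6839), the backport should carry the renamed test or an equivalent assertion that, within each of the three branches, a pattern with more `/` segments sorts ahead of one with fewer. A comment above the returns would also record the intent, e.g. `# Most specific first: literal paths before regexes, then more "/" segments, then longer pattern.` `parse_resources` starts outside the hunk, so how the sorted list is consumed cannot be confirmed from here.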