
Backwards Compatible Fix for CVE-2024-6221

Open · adrianosela opened this issue 6 months ago · 1 comment


Also tracked as:

Adds a configuration option that allows setting a custom true/false value in the response header Access-Control-Allow-Private-Network (whenever the request header Access-Control-Request-Private-Network is present and "true")

The default behavior is unchanged, allowing this change to go in as a new minor version.

However, the wording of the CVE implies that the default behavior should be changed to set the header to "false" unless setting to "true" is explicitly enabled.

Making that change means simply changing the allow_private_network=True to allow_private_network=False in the options list. This would require cutting a new major version (5.0.0) for flask-cors.

adrianosela · Aug 21 '24 20:08
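The header logic the PR describes, as an added, stand-alone example that is not flask-cors's code and does not import Flask: the two header names are the real Private Network Access headers named in the PR; the `allow_private_network` option name is taken from the PR text; the function names (`pna_response_headers`, `weak_defaults`, `hardened_defaults`, `compare_defaults`) and the sample preflight requests are constructed for this illustration. It puts the current default (`True`, grants private-network access unless the deployer turns it off) beside the default the CVE wording implies (`False`, deny unless explicitly enabled), and only emits the response header when the browser actually asked for it.

```python
"""Added example: Private Network Access (PNA) preflight header handling.

Not flask-cors's code. Header names are the real PNA headers; the
`allow_private_network` option name comes from the PR description; the
function names and sample requests below are constructed for illustration.
"""

from typing import Dict

PNA_REQUEST_HEADER = "Access-Control-Request-Private-Network"
PNA_RESPONSE_HEADER = "Access-Control-Allow-Private-Network"


def pna_response_headers(request_headers: Dict[str, str],
                         allow_private_network: bool) -> Dict[str, str]:
    """Return the PNA response header (if any) for one preflight request.

    The header is emitted only when the request carries
    Access-Control-Request-Private-Network: true. Its value mirrors the
    configured option, so a deny is an explicit "false" rather than a
    silently omitted header.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    # Comparing the value case-insensitively is a small generalisation
    # of the PR's "present and 'true'" wording (assumption).
    lowered = {k.lower(): v for k, v in request_headers.items()}
    requested = lowered.get(PNA_REQUEST_HEADER.lower(), "").strip().lower()
    if requested != "true":
        return {}
    return {PNA_RESPONSE_HEADER: "true" if allow_private_network else "false"}


def weak_defaults() -> Dict[str, bool]:
    # Options as the PR leaves them for the minor release: private-network
    # access is granted unless the deployer opts out.
    return {"allow_private_network": True}


def hardened_defaults() -> Dict[str, bool]:
    # Options as the CVE wording implies for a major release: denied unless
    # the deployer explicitly opts in.
    return {"allow_private_network": False}


# Constructed preflight: a public page probing a host on a private network.
SAMPLE_PREFLIGHT = {
    "Origin": "https://public.example",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Private-Network": "true",
}

# Constructed ordinary preflight with no private-network request.
SAMPLE_PLAIN_PREFLIGHT = {
    "Origin": "https://public.example",
    "Access-Control-Request-Method": "GET",
}


def compare_defaults(request_headers: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Show what each default emits for the same preflight request."""
    return {
        "weak": pna_response_headers(request_headers, **weak_defaults()),
        "hardened": pna_response_headers(request_headers, **hardened_defaults()),
    }


if __name__ == "__main__":
    for name, headers in compare_defaults(SAMPLE_PREFLIGHT).items():
        print(f"{name:9} -> {headers}")
```

With the weak defaults the sample preflight gets `Access-Control-Allow-Private-Network: true`; with the hardened defaults the same request gets an explicit `false`; a preflight that never sent the request header gets no PNA header at all under either setting.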