From ef2eb684a4607fd4d4b4b3ea64aa9ce9b06056b4 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 28 May 2024 15:16:51 +0800
Subject: [PATCH] Fix CVE-2024-1681 (cherry picked from commit 9c2bd2fd623ad4794bb5c103ffb99cd3c9e3bdd7)
---
 CVE-2024-1681.patch | 24 ++++++++++++++++++++++++
 flask-cors.spec | 9 +++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2024-1681.patch
diff --git a/CVE-2024-1681.patch b/CVE-2024-1681.patch
new file mode 100644
index 0000000..3057d8c
--- /dev/null
+++ b/CVE-2024-1681.patch
@@ -0,0 +1,24 @@
+From 6172c2000dba965fedb8e9a8a916ad56f0fb2630 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Anes=20Hujevi=C4=87?=
+Date: Sat, 4 May 2024 21:28:47 +0200
+Subject: [PATCH] Update extension.py to clean request.path before logging it (#351)
+
+* Update extension.py to use string format specifier for cleaning request.path
+---
+ flask_cors/extension.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/flask_cors/extension.py b/flask_cors/extension.py
+index 6f76995..6361dcc 100644
+--- a/flask_cors/extension.py
++++ b/flask_cors/extension.py
+@@ -193,7 +193,7 @@ def cors_after_request(resp):
+ normalized_path = unquote_plus(request.path)
+ for res_regex, res_options in resources:
+ if try_match(normalized_path, res_regex):
+- LOG.debug("Request to '%s' matches CORS resource '%s'. Using options: %s",
++ LOG.debug("Request to '%r' matches CORS resource '%s'. Using options: %s",
+ request.path, get_regexp_pattern(res_regex), res_options)
+ set_cors_headers(resp, res_options)
+ break
diff --git a/flask-cors.spec b/flask-cors.spec
index f23b36e..c0c232f 100755
--- a/flask-cors.spec
+++ b/flask-cors.spec
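Review bot: The `%r` conversion on `request.path` in the new `LOG.debug` line renders CR/LF and other control characters as escape sequences, so a crafted path can no longer inject forged records into the log, but the format string still wraps the argument in literal single quotes and `repr()` adds its own, so the message now reads `Request to ''/foo''`; `LOG.debug("Request to %r matches CORS resource '%s'. Using options: %s",` gives the same protection without the doubled quotes. Only this one argument is sanitized, which is fine for `get_regexp_pattern(res_regex)` and `res_options` since they come from the extension's configuration rather than the request. Note that the value matched is `normalized_path` (`unquote_plus` of `request.path`) while the raw `request.path` is what gets logged — presumably deliberate, because logging the decoded form with `%s` would turn an encoded `%0a` back into a real newline. The enclosing `cors_after_request` begins and ends outside the hunk, so whether any other log call in it interpolates request-derived data cannot be confirmed here and should be checked against the full function.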
@@ -1,11 +1,13 @@
 %global _empty_manifest_terminate_build 0
 Name: python-Flask-Cors
 Version: 4.0.0
-Release: 1
+Release: 2
 Summary: A Flask extension adding a decorator for CORS support
 License: MIT
 URL: https://github.com/corydolphin/flask-cors
 Source0: https://files.pythonhosted.org/packages/c8/b0/bd7130837a921497520f62023c7ba754e441dcedf959a43e6d1fd86e5451/Flask-Cors-4.0.0.tar.gz
+# https://github.com/corydolphin/flask-cors/commit/6172c2000dba965fedb8e9a8a916ad56f0fb2630
+Patch0: CVE-2024-1681.patch
 BuildArch: noarch
 Requires: python3-Flask
@@ -30,7 +32,7 @@ Provides: python3-Flask-Cors-doc
 A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible.
 %prep
-%autosetup -n Flask-Cors-4.0.0
+%autosetup -n Flask-Cors-4.0.0 -p1
 %build
 %py3_build
@@ -70,6 +72,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Tue May 28 2024 yaoxin - 4.0.0-2
+- Fix CVE-2024-1681
+
 * Tue Jul 11 2023 chenzixuan - 4.0.0-1
 - upgrade to 4.0.0
-- Gitee