Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Backwards Compatible Fix for CVE-2024-6221 #363

Merged
merged 1 commit into from
Aug 30, 2024

Conversation

adrianosela
Copy link
Contributor

@adrianosela adrianosela commented Aug 21, 2024

Backwards Compatible Fix for CVE-2024-6221

Also tracked as:

Adds a configuration option that allows setting a custom true/false value in the response header Access-Control-Allow-Private-Network (whenever the request header Access-Control-Request-Private-Network is present and "true")

The default behavior is unchanged, allowing this change to go in as a new minor version.

However, the wording of the CVE implies that the default behavior should be changed to set the header to "false" unless setting to "true" is explicitly enabled.

Making that change means simply changing the allow_private_network=True to allow_private_network=False in the options list. This would require cutting a new major version (5.0.0) for flask-cors.

@adrianosela adrianosela mentioned this pull request Aug 21, 2024
@alexgokhale
Copy link

Original issue highlighting this vulnerability: #337

@corydolphin It would be great if you could allow this change to be merged, and as mentioned in #337 it would be ideal if this was not the default behaviour (which would presumably require a major version bump to v5.0.0).

Thanks in advance!

@Alex-ley-scrub
Copy link

if anyone is looking for a temporary fix before this gets released:

app = Flask(__name__)

def set_allow_private_network_false(response: Response):
    """Set the private network header to false to temporarily fix unpatched vulnerability found in Flask-CORS"""
    # https://github.com/advisories/GHSA-hxwh-jpp2-84pm/
    # https://github.com/corydolphin/flask-cors/pull/363
    if "Access-Control-Allow-Private-Network" in response.headers:
        response.headers["Access-Control-Allow-Private-Network"] = "false"
    return response
    
app.after_request(set_allow_private_network_false)

@corydolphin
Copy link
Owner

Thank you very much for the contribution @adrianosela and @alexgokhale, apologies for my slowness in reviewing it. Contributions like this make supporting this package possible.

I'm going to merge this as is, and then adjust the defaults to exclude private networks.

@Alex-ley-scrub
Copy link

I requested for the GitHub advisory database to be updated since it is now fixed: github/advisory-database#4749

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants