googleapis / env-tests-logging

Apache License 2.0

chore(deps): update dependency flask to v2.2.5 [security] #115

Open renovate-bot opened 1 month ago

renovate-bot commented 1 month ago

This PR contains the following updates:

| Package | Change |
|---|---|
| Flask (changelog) | `==2.1.3` -> `==2.2.5` |

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-30861

When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the application's use of the session, and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

  1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
  2. The application sets session.permanent = True.
  3. The application does not access or modify the session at any point during a request.
  4. SESSION_REFRESH_EACH_REQUEST is enabled (the default).
  5. The application does not set a Cache-Control header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the Vary: Cookie header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified.


Release Notes

pallets/flask (Flask)

### [`v2.2.5`](https://redirect.github.com/pallets/flask/blob/HEAD/CHANGES.rst#Version-225)

[Compare Source](https://redirect.github.com/pallets/flask/compare/2.2.4...2.2.5)

Released 2023-05-02

- Update for compatibility with Werkzeug 2.3.3.
- Set `Vary: Cookie` header when the session is accessed, modified, or refreshed.

### [`v2.2.4`](https://redirect.github.com/pallets/flask/blob/HEAD/CHANGES.rst#Version-224)

[Compare Source](https://redirect.github.com/pallets/flask/compare/2.2.3...2.2.4)

Released 2023-04-25

- Update for compatibility with Werkzeug 2.3.

### [`v2.2.3`](https://redirect.github.com/pallets/flask/blob/HEAD/CHANGES.rst#Version-223)

[Compare Source](https://redirect.github.com/pallets/flask/compare/2.2.2...2.2.3)

Released 2023-02-15

- Autoescape is enabled by default for `.svg` template files. :issue:`4831`
- Fix the type of `template_folder` to accept `pathlib.Path`. :issue:`4892`
- Add `--debug` option to the `flask run` command. :issue:`4777`

### [`v2.2.2`](https://redirect.github.com/pallets/flask/blob/HEAD/CHANGES.rst#Version-222)

[Compare Source](https://redirect.github.com/pallets/flask/compare/2.2.1...2.2.2)

Released 2022-08-08

- Update Werkzeug dependency to >= 2.2.2. This includes fixes related to the new faster router, header parsing, and the development server. :pr:`4754`
- Fix the default value for `app.env` to be `"production"`. This attribute remains deprecated. :issue:`4740`

### [`v2.2.1`](https://redirect.github.com/pallets/flask/blob/HEAD/CHANGES.rst#Version-221)

[Compare Source](https://redirect.github.com/pallets/flask/compare/2.2.0...2.2.1)

Released 2022-08-03

- Setting or accessing `json_encoder` or `json_decoder` raises a deprecation warning. :issue:`4732`

### [`v2.2.0`](https://redirect.github.com/pallets/flask/blob/HEAD/CHANGES.rst#Version-220)

[Compare Source](https://redirect.github.com/pallets/flask/compare/2.1.3...2.2.0)

Released 2022-08-01

- Remove previously deprecated code. :pr:`4667`
  - Old names for some `send_file` parameters have been removed. `download_name` replaces `attachment_filename`, `max_age` replaces `cache_timeout`, and `etag` replaces `add_etags`. Additionally, `path` replaces `filename` in `send_from_directory`.
  - The `RequestContext.g` property returning `AppContext.g` is removed.
- Update Werkzeug dependency to >= 2.2.
- The app and request contexts are managed using Python context vars directly rather than Werkzeug's `LocalStack`. This should result in better performance and memory use. :pr:`4682`
  - Extension maintainers, be aware that `_app_ctx_stack.top` and `_request_ctx_stack.top` are deprecated. Store data on `g` instead using a unique prefix, like `g._extension_name_attr`.
- The `FLASK_ENV` environment variable and `app.env` attribute are deprecated, removing the distinction between development and debug mode. Debug mode should be controlled directly using the `--debug` option or `app.run(debug=True)`. :issue:`4714`
- Some attributes that proxied config keys on `app` are deprecated: `session_cookie_name`, `send_file_max_age_default`, `use_x_sendfile`, `propagate_exceptions`, and `templates_auto_reload`. Use the relevant config keys instead. :issue:`4716`
- Add new customization points to the `Flask` app object for many previously global behaviors.
  - `flask.url_for` will call `app.url_for`. :issue:`4568`
  - `flask.abort` will call `app.aborter`. `Flask.aborter_class` and `Flask.make_aborter` can be used to customize this aborter. :issue:`4567`
  - `flask.redirect` will call `app.redirect`. :issue:`4569`
  - `flask.json` is an instance of `JSONProvider`. A different provider can be set to use a different JSON library. `flask.jsonify` will call `app.json.response`; other functions in `flask.json` will call corresponding functions in `app.json`. :pr:`4692`
  - JSON configuration is moved to attributes on the default `app.json` provider. `JSON_AS_ASCII`, `JSON_SORT_KEYS`, `JSONIFY_MIMETYPE`, and `JSONIFY_PRETTYPRINT_REGULAR` are deprecated. :pr:`4692`
  - Setting custom `json_encoder` and `json_decoder` classes on the app or a blueprint, and the corresponding `json.JSONEncoder` and `JSONDecoder` classes, are deprecated. JSON behavior can now be overridden using the `app.json` provider interface. :pr:`4692`
  - `json.htmlsafe_dumps` and `json.htmlsafe_dump` are deprecated; the function is built into Jinja now. :pr:`4692`
- Refactor `register_error_handler` to consolidate error checking. Rewrite some error messages to be more consistent. :issue:`4559`
- Using Blueprint decorators and functions intended for setup after registering the blueprint will show a warning. In the next version, this will become an error just like the application setup methods. :issue:`4571`
- `before_first_request` is deprecated. Run setup code when creating the application instead. :issue:`4605`
- Added the `View.init_every_request` class attribute. If a view subclass sets this to `False`, the view will not create a new instance on every request. :issue:`2520`
- A `flask.cli.FlaskGroup` Click group can be nested as a sub-command in a custom CLI. :issue:`3263`
- Add `--app` and `--debug` options to the `flask` CLI, instead of requiring that they are set through environment variables. :issue:`2836`
- Add `--env-file` option to the `flask` CLI. This allows specifying a dotenv file to load in addition to `.env` and `.flaskenv`. :issue:`3108`
- It is no longer required to decorate custom CLI commands on `app.cli` or `blueprint.cli` with `@with_appcontext`; an app context will already be active at that point. :issue:`2410`
- `SessionInterface.get_expiration_time` uses a timezone-aware value. :pr:`4645`
- View functions can return generators directly instead of wrapping them in a `Response`. :pr:`4629`
- Add `stream_template` and `stream_template_string` functions to render a template as a stream of pieces. :pr:`4629`
- A new implementation of context preservation during debugging and testing. :pr:`4666`
  - `request`, `g`, and other context-locals point to the correct data when running code in the interactive debugger console. :issue:`2836`
  - Teardown functions are always run at the end of the request, even if the context is preserved. They are also run after the preserved context is popped.
  - `stream_with_context` preserves context separately from a `with client` block. It will be cleaned up when `response.get_data()` or `response.close()` is called.
- Allow returning a list from a view function, to convert it to a JSON response like a dict is. :issue:`4672`
- When type checking, allow `TypedDict` to be returned from view functions. :pr:`4695`
- Remove the `--eager-loading/--lazy-loading` options from the `flask run` command. The app is always eager loaded the first time, then lazily loaded in the reloader. The reloader always prints errors immediately but continues serving. Remove the internal `DispatchingApp` middleware used by the previous implementation. :issue:`4715`

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
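The advisory above reduces to a property of the response headers: a response that sets the session cookie must carry either `Vary: Cookie` or a `Cache-Control` directive that keeps a shared cache from storing it. The audit below, an added example that is not part of this PR or of Flask, checks that property on raw header lists so it can serve as a regression test behind a caching proxy; the three sample responses are constructed, and the `session` cookie name is assumed to be Flask's default.

```python
"""Header audit for the CVE-2023-30861 cache-leak pattern. Added example, not
code from the Renovate PR or from Flask. A response that sets the session
cookie is at risk when it carries neither Vary: Cookie nor a Cache-Control
directive (private or no-store) keeping a shared cache from storing it.
Sample responses are constructed; proxy behaviour is outside header scope."""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]  # raw (name, value) pairs; names may repeat


def _values(headers: Headers, name: str) -> List[str]:
    """All values of one header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


def _list_tokens(headers: Headers, name: str) -> set:
    """Lowercase comma-separated tokens of a list header, '=arg' parts dropped."""
    tokens = set()
    for value in _values(headers, name):
        for part in value.split(","):
            if part.strip():
                tokens.add(part.strip().split("=", 1)[0].lower())
    return tokens


def audit(headers: Headers, session_cookie: str = "session") -> Dict[str, bool]:
    """Report which of the advisory's header conditions hold for one response."""
    sets_session = any(c.split("=", 1)[0].strip() == session_cookie
                       for c in _values(headers, "set-cookie"))
    vary = _list_tokens(headers, "vary")
    cache_control = _list_tokens(headers, "cache-control")
    vary_cookie = "cookie" in vary or "*" in vary
    private = bool(cache_control & {"private", "no-store"})
    return {
        "sets_session": sets_session,
        "vary_cookie": vary_cookie,
        "private_or_no_store": private,
        # a leak needs a session cookie on the wire and no header that keys or skips the cache
        "at_risk": sets_session and not vary_cookie and not private,
    }


# Constructed: Flask < 2.2.5 refreshing an unaccessed permanent session.
VULNERABLE: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=<signed-session-placeholder>; HttpOnly; Path=/"),
]
FIXED: Headers = VULNERABLE + [("Vary", "Cookie")]  # constructed: 2.2.5 adds Vary: Cookie
PRIVATE: Headers = VULNERABLE + [("Cache-Control", "private, max-age=0")]  # constructed: app-side mitigation
```

Run `audit()` against responses captured from a request that touches no session data; only the `at_risk` key needs to be false for every response the proxy is allowed to store.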