Intermediate changes

commit_hash:6a081c0dfeb90c941bc82c3c6f19a684815145bb

5 files changed, 46 insertions, 33 deletions

diff --git a/contrib/python/Flask-Cors/py3/.dist-info/METADATA b/contrib/python/Flask-Cors/py3/.dist-info/METADATA
index 39f042019ad..4f796aaabed 100644
--- a/contrib/python/Flask-Cors/py3/.dist-info/METADATA
+++ b/contrib/python/Flask-Cors/py3/.dist-info/METADATA
@@ -1,6 +1,6 @@
-Metadata-Version: 2.2
+Metadata-Version: 2.4
 Name: flask-cors
-Version: 5.0.1
+Version: 6.0.0
 Summary: A Flask extension simplifying CORS support
 Author-email: Cory Dolphin <[email protected]>
 Project-URL: Homepage, https://corydolphin.github.io/flask-cors/
diff --git a/contrib/python/Flask-Cors/py3/flask_cors/core.py b/contrib/python/Flask-Cors/py3/flask_cors/core.py
index 0ad0d1da629..5773b0beb8b 100644
--- a/contrib/python/Flask-Cors/py3/flask_cors/core.py
+++ b/contrib/python/Flask-Cors/py3/flask_cors/core.py
@@ -69,14 +69,17 @@ def parse_resources(resources):
         # resource of '*', which is not actually a valid regexp.
         resources = [(re_fix(k), v) for k, v in resources.items()]
 
-        # Sort by regex length to provide consistency of matching and
-        # to provide a proxy for specificity of match. E.G. longer
-        # regular expressions are tried first.
-        def pattern_length(pair):
-            maybe_regex, _ = pair
-            return len(get_regexp_pattern(maybe_regex))
+        # Sort patterns with static (literal) paths first, then by regex specificity
+        def sort_key(pair):
+            pattern, _ = pair
+            if isinstance(pattern, RegexObject):
+                return (1, 0, pattern.pattern.count("/"), -len(pattern.pattern))
+            elif probably_regex(pattern):
+                return (1, 1, pattern.count("/"), -len(pattern))
+            else:
+                return (0, 0, pattern.count("/"), -len(pattern))
 
-        return sorted(resources, key=pattern_length, reverse=True)
+        return sorted(resources, key=sort_key)
 
     elif isinstance(resources, str):
         return [(re_fix(resources), {})]
@@ -121,9 +124,10 @@ def get_cors_origins(options, request_origin):
         if wildcard and options.get("send_wildcard"):
             LOG.debug("Allowed origins are set to '*'. Sending wildcard CORS header.")
             return ["*"]
-        # If the value of the Origin header is a case-sensitive match
-        # for any of the values in list of origins
-        elif try_match_any(request_origin, origins):
+        # If the value of the Origin header is a case-insensitive match
+        # for any of the values in list of origins.
+        # NOTE: Per RFC 1035 and RFC 4343 schemes and hostnames are case insensitive.
+        elif try_match_any_pattern(request_origin, origins, caseSensitive=False):
             LOG.debug(
                 "The request's Origin header matches. Sending CORS headers.",
             )
@@ -164,7 +168,7 @@ def get_allow_headers(options, acl_request_headers):
         request_headers = [h.strip() for h in acl_request_headers.split(",")]
 
         # any header that matches in the allow_headers
-        matching_headers = filter(lambda h: try_match_any(h, options.get("allow_headers")), request_headers)
+        matching_headers = filter(lambda h: try_match_any_pattern(h, options.get("allow_headers"), caseSensitive=False), request_headers)
 
         return ", ".join(sorted(matching_headers))
 
@@ -277,22 +281,31 @@ def re_fix(reg):
     return r".*" if reg == r"*" else reg
 
 
-def try_match_any(inst, patterns):
-    return any(try_match(inst, pattern) for pattern in patterns)
-
+def try_match_any_pattern(inst, patterns, caseSensitive=True):
+    return any(try_match_pattern(inst, pattern, caseSensitive) for pattern in patterns)
 
-def try_match(request_origin, maybe_regex):
-    """Safely attempts to match a pattern or string to a request origin."""
-    if isinstance(maybe_regex, RegexObject):
-        return re.match(maybe_regex, request_origin)
-    elif probably_regex(maybe_regex):
-        return re.match(maybe_regex, request_origin, flags=re.IGNORECASE)
-    else:
+def try_match_pattern(value, pattern, caseSensitive=True):
+    """
+    Safely attempts to match a pattern or string to a value. This
+    function can be used to match request origins, headers, or paths.
+    The value of caseSensitive should be set in accordance to the
+    data being compared e.g. origins and headers are case insensitive
+    whereas paths are case-sensitive
+    """
+    if isinstance(pattern, RegexObject):
+        return re.match(pattern, value)
+    if probably_regex(pattern):
+        flags = 0 if caseSensitive else re.IGNORECASE
         try:
-            return request_origin.lower() == maybe_regex.lower()
-        except AttributeError:
-            return request_origin == maybe_regex
-
+            return re.match(pattern, value, flags=flags)
+        except re.error:
+            return False
+    try:
+        v = str(value)
+        p = str(pattern)
+        return v == p if caseSensitive else v.casefold() == p.casefold()
+    except Exception:
+        return value == pattern
 
 def get_cors_options(appInstance, *dicts):
     """
diff --git a/contrib/python/Flask-Cors/py3/flask_cors/extension.py b/contrib/python/Flask-Cors/py3/flask_cors/extension.py
index 87e55b7bddd..434f65eaa20 100644
--- a/contrib/python/Flask-Cors/py3/flask_cors/extension.py
+++ b/contrib/python/Flask-Cors/py3/flask_cors/extension.py
@@ -1,9 +1,9 @@
 import logging
-from urllib.parse import unquote_plus
+from urllib.parse import unquote
 
 from flask import request
 
-from .core import ACL_ORIGIN, get_cors_options, get_regexp_pattern, parse_resources, set_cors_headers, try_match
+from .core import ACL_ORIGIN, get_cors_options, get_regexp_pattern, parse_resources, set_cors_headers, try_match_pattern
 
 LOG = logging.getLogger(__name__)
 
@@ -188,9 +188,9 @@ def make_after_request_function(resources):
         if resp.headers is not None and resp.headers.get(ACL_ORIGIN):
             LOG.debug("CORS have been already evaluated, skipping")
             return resp
-        normalized_path = unquote_plus(request.path)
+        normalized_path = unquote(request.path)
         for res_regex, res_options in resources:
-            if try_match(normalized_path, res_regex):
+            if try_match_pattern(normalized_path, res_regex, caseSensitive=True):
                 LOG.debug(
                     "Request to '%r' matches CORS resource '%s'. Using options: %s",
                     request.path,
diff --git a/contrib/python/Flask-Cors/py3/flask_cors/version.py b/contrib/python/Flask-Cors/py3/flask_cors/version.py
index 2fe5fde13bb..0f607a5d2d6 100644
--- a/contrib/python/Flask-Cors/py3/flask_cors/version.py
+++ b/contrib/python/Flask-Cors/py3/flask_cors/version.py
@@ -1 +1 @@
-__version__ = "5.0.1"
+__version__ = "6.0.0"
diff --git a/contrib/python/Flask-Cors/py3/ya.make b/contrib/python/Flask-Cors/py3/ya.make
index 56b564e1d27..631966d8c5c 100644
--- a/contrib/python/Flask-Cors/py3/ya.make
+++ b/contrib/python/Flask-Cors/py3/ya.make
@@ -2,7 +2,7 @@
 
 PY3_LIBRARY()
 
-VERSION(5.0.1)
+VERSION(6.0.0)
 
 LICENSE(MIT)