From 726d3f4fa9e8a2960541debc2d2713571da54441 Mon Sep 17 00:00:00 2001 From: David Lord Date: Tue, 2 May 2023 06:56:08 -0700 Subject: [PATCH 1/5] start version 2.2.5 --- CHANGES.rst | 6 ++++++ src/flask/__init__.py | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGES.rst b/CHANGES.rst index 1a75f418..471d8e22 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -1,3 +1,9 @@ +Version 2.2.5 +------------- + +Unreleased + + Version 2.2.4 ------------- diff --git a/src/flask/__init__.py b/src/flask/__init__.py index 2e0128e0..13ea2fc1 100644 --- a/src/flask/__init__.py +++ b/src/flask/__init__.py @@ -42,7 +42,7 @@ from .templating import render_template_string as render_template_string from .templating import stream_template as stream_template from .templating import stream_template_string as stream_template_string -__version__ = "2.2.4" +__version__ = "2.2.5.dev" def __getattr__(name): From 3fbfbad79fe294918459b70eb409d555b20de2c8 Mon Sep 17 00:00:00 2001 From: David Lord Date: Tue, 2 May 2023 07:05:51 -0700 Subject: [PATCH 2/5] werkzeug 2.3.3 compatibility --- CHANGES.rst | 2 ++ src/flask/testing.py | 17 ++++++++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index 471d8e22..ee9acf77 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -3,6 +3,8 @@ Version 2.2.5 Unreleased +- Update for compatibility with Werkzeug 2.3.3. + Version 2.2.4 ------------- diff --git a/src/flask/testing.py b/src/flask/testing.py index a972a3f5..b78ec6d4 100644 --- a/src/flask/testing.py +++ b/src/flask/testing.py 
@@ -168,10 +168,21 @@ class FlaskClient(Client): app.session_interface.save_session(app, sess, resp) if hasattr(self, "_update_cookies_from_response"): - self._update_cookies_from_response( - ctx.request.host.partition(":")[0], resp.headers.getlist("Set-Cookie") - ) + try: + # Werkzeug>=2.3.3 + self._update_cookies_from_response( + ctx.request.host.partition(":")[0], + ctx.request.path, + resp.headers.getlist("Set-Cookie"), + ) + except TypeError: + # Werkzeug>=2.3.0,<2.3.3 + self._update_cookies_from_response( # type: ignore[call-arg] + ctx.request.host.partition(":")[0], + resp.headers.getlist("Set-Cookie"), # type: ignore[arg-type] + ) else: + # Werkzeug<2.3.0 self.cookie_jar.extract_wsgi( # type: ignore[union-attr] ctx.request.environ, resp.headers ) From 8646edca6f47e2cd57464081b3911218d4734f8d Mon Sep 17 00:00:00 2001 From: David Lord Date: Mon, 1 May 2023 08:01:32 -0700 Subject: [PATCH 3/5] set `Vary: Cookie` header consistently for session --- CHANGES.rst | 1 + src/flask/sessions.py | 10 ++++++---- tests/test_basic.py | 23 +++++++++++++++++++++++ 3 files changed, 30 insertions(+), 4 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index ee9acf77..e95ae429 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -4,6 +4,7 @@ Version 2.2.5 Unreleased - Update for compatibility with Werkzeug 2.3.3. +- Set ``Vary: Cookie`` header when the session is accessed, modified, or refreshed. Version 2.2.4 diff --git a/src/flask/sessions.py b/src/flask/sessions.py index 02b8cf76..201593f2 100644 --- a/src/flask/sessions.py +++ b/src/flask/sessions.py @@ -383,6 +383,10 @@ class SecureCookieSessionInterface(SessionInterface): samesite = self.get_cookie_samesite(app) httponly = self.get_cookie_httponly(app) + # Add a "Vary: Cookie" header if the session was accessed at all. + if session.accessed: + response.vary.add("Cookie") + # If the session is modified to be empty, remove the cookie. # If the session is empty, return without setting the cookie. if not session: 
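Review bot: The `except TypeError` fallback in the `FlaskClient` hunk picks the Werkzeug 2.3.0–2.3.2 call by exception type rather than by signature. Any `TypeError` raised inside `_update_cookies_from_response` on a newer Werkzeug would therefore also trigger the two-argument retry and surface as a confusing missing-argument error. Choosing the call from the method's signature avoids that, for example `if len(inspect.signature(self._update_cookies_from_response).parameters) >= 3:` for the three-argument form with the old call under `else`; this needs `inspect` imported at the top of the module. The enclosing method starts outside the hunk, so this assumes nothing earlier in it relies on the retry.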
@@ -395,13 +399,10 @@ class SecureCookieSessionInterface(SessionInterface): samesite=samesite, httponly=httponly, ) + response.vary.add("Cookie") return - # Add a "Vary: Cookie" header if the session was accessed at all. - if session.accessed: - response.vary.add("Cookie") - if not self.should_set_cookie(app, session): return @@ -417,3 +418,4 @@ class SecureCookieSessionInterface(SessionInterface): secure=secure, samesite=samesite, ) + response.vary.add("Cookie") diff --git a/tests/test_basic.py b/tests/test_basic.py index a622fa93..3e5e4120 100644 --- a/tests/test_basic.py +++ b/tests/test_basic.py @@ -560,6 +560,11 @@ def test_session_vary_cookie(app, client): def setdefault(): return flask.session.setdefault("test", "default") + @app.route("/clear") + def clear(): + flask.session.clear() + return "" + @app.route("/vary-cookie-header-set") def vary_cookie_header_set(): response = flask.Response() @@ -592,11 +597,29 @@ def test_session_vary_cookie(app, client): expect("/get") expect("/getitem") expect("/setdefault") + expect("/clear") expect("/vary-cookie-header-set") expect("/vary-header-set", "Accept-Encoding, Accept-Language, Cookie") expect("/no-vary-header", None) +def test_session_refresh_vary(app, client): + @app.get("/login") + def login(): + flask.session["user_id"] = 1 + flask.session.permanent = True + return "" + + @app.get("/ignored") + def ignored(): + return "" + + rv = client.get("/login") + assert rv.headers["Vary"] == "Cookie" + rv = client.get("/ignored") + assert rv.headers["Vary"] == "Cookie" + + def test_flashes(app, req_ctx): assert not flask.session.modified flask.flash("Zap") From ca12e8ebb7753d4a982584c2909ad9c7e5c2b029 Mon Sep 17 00:00:00 2001 From: David Lord Date: Tue, 2 May 2023 07:17:52 -0700 Subject: [PATCH 4/5] update dependencies --- examples/celery/requirements.txt | 14 ++++++++------ requirements/dev.txt | 10 +++++----- requirements/docs.txt | 2 +- requirements/typing.txt | 2 +- 4 files changed, 15 insertions(+), 13 deletions(-) 
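Review bot: The `response.vary.add("Cookie")` added after `delete_cookie` in this hunk, and the one added after `set_cookie` in the `@@ -417,3 +418,4 @@` hunk, carry no comment. The relocated `session.accessed` check keeps a comment that reads as if it were the only place the header is set, so a reader cannot tell why the header is added again. For the `set_cookie` path the new `test_session_refresh_vary` suggests the reason, and a line such as `# The cookie is refreshed even if the view never read the session, so the response still depends on the request's cookies.` would record it. For the `delete_cookie` path the comment should say whether the call can be reached without `session.accessed` being true or is only defensive. `save_session` begins outside the hunk.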
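Review bot: `Vary: Cookie` added after `set_cookie` keys a shared cache on the request's `Cookie` header, but it does not by itself keep that cache from storing a response that carries `Set-Cookie`. Two requests that both arrive without a cookie still map to the same cache entry. Nothing in the visible lines sets `Cache-Control`, so whether a session cookie can be served to a second client still depends on how the proxy treats `Set-Cookie` responses. I would record that limit next to the call, e.g. `# Vary only changes the cache key; behind a shared cache, Set-Cookie responses should also be kept out of it (Cache-Control: private).`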
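Review bot: `test_session_refresh_vary` asserts `Vary` on `/ignored` but never checks that this response actually refreshed the cookie, so the test would still pass if the header came from some other code path. Adding `assert "Set-Cookie" in rv.headers` after the second `client.get` would tie the assertion to the refresh case that the changelog entry names. This assumes the fixture app keeps refresh-on-each-request enabled, which the hunk does not show.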
diff --git a/examples/celery/requirements.txt b/examples/celery/requirements.txt index ce9ae72c..29075ab5 100644 --- a/examples/celery/requirements.txt +++ b/examples/celery/requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with Python 3.10 +# This file is autogenerated by pip-compile with Python 3.11 # by the following command: # # pip-compile --resolver=backtracking pyproject.toml @@ -10,6 +10,8 @@ async-timeout==4.0.2 # via redis billiard==3.6.4.0 # via celery +blinker==1.6.2 + # via flask celery[redis]==5.2.7 # via flask-example-celery (pyproject.toml) click==8.1.3 @@ -25,7 +27,7 @@ click-plugins==1.1.1 # via celery click-repl==0.2.0 # via celery -flask==2.2.3 +flask==2.3.2 # via flask-example-celery (pyproject.toml) itsdangerous==2.1.2 # via flask @@ -37,11 +39,11 @@ markupsafe==2.1.2 # via # jinja2 # werkzeug -prompt-toolkit==3.0.37 +prompt-toolkit==3.0.38 # via click-repl -pytz==2022.7.1 +pytz==2023.3 # via celery -redis==4.5.1 +redis==4.5.4 # via celery six==1.16.0 # via click-repl @@ -52,5 +54,5 @@ vine==5.0.0 # kombu wcwidth==0.2.6 # via prompt-toolkit -werkzeug==2.2.3 +werkzeug==2.3.3 # via flask diff --git a/requirements/dev.txt b/requirements/dev.txt index f9732cc9..5e5bc43b 100644 --- a/requirements/dev.txt +++ b/requirements/dev.txt @@ -28,7 +28,7 @@ filelock==3.12.0 # via # tox # virtualenv -identify==2.5.22 +identify==2.5.23 # via pre-commit nodeenv==1.7.0 # via pre-commit @@ -36,11 +36,11 @@ pip-compile-multi==2.6.2 # via -r requirements/dev.in pip-tools==6.13.0 # via pip-compile-multi -platformdirs==3.3.0 +platformdirs==3.5.0 # via # tox # virtualenv -pre-commit==3.2.2 +pre-commit==3.3.1 # via -r requirements/dev.in pyproject-api==1.5.1 # via tox @@ -50,9 +50,9 @@ pyyaml==6.0 # via pre-commit toposort==1.10 # via pip-compile-multi -tox==4.5.0 +tox==4.5.1 # via -r requirements/dev.in -virtualenv==20.22.0 +virtualenv==20.23.0 # via # pre-commit # tox 
diff --git a/requirements/docs.txt b/requirements/docs.txt index 7ee48f68..c56dde85 100644 --- a/requirements/docs.txt +++ b/requirements/docs.txt @@ -35,7 +35,7 @@ pygments==2.15.1 # via # sphinx # sphinx-tabs -requests==2.28.2 +requests==2.29.0 # via sphinx snowballstemmer==2.2.0 # via sphinx diff --git a/requirements/typing.txt b/requirements/typing.txt index 7b40becb..82b3e7e7 100644 --- a/requirements/typing.txt +++ b/requirements/typing.txt @@ -19,7 +19,7 @@ types-contextvars==2.4.7.2 # via -r requirements/typing.in types-dataclasses==0.6.6 # via -r requirements/typing.in -types-setuptools==67.7.0.0 +types-setuptools==67.7.0.1 # via -r requirements/typing.in typing-extensions==4.5.0 # via mypy From 47af817c8fe01045c641b97f8fb784c7ad864eee Mon Sep 17 00:00:00 2001 From: David Lord Date: Tue, 2 May 2023 07:35:27 -0700 Subject: [PATCH 5/5] release version 2.2.5 --- CHANGES.rst | 2 +- src/flask/__init__.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index e95ae429..71493abf 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -1,7 +1,7 @@ Version 2.2.5 ------------- -Unreleased +Released 2023-05-02 - Update for compatibility with Werkzeug 2.3.3. - Set ``Vary: Cookie`` header when the session is accessed, modified, or refreshed. diff --git a/src/flask/__init__.py b/src/flask/__init__.py index 13ea2fc1..19993402 100644 --- a/src/flask/__init__.py +++ b/src/flask/__init__.py @@ -42,7 +42,7 @@ from .templating import render_template_string as render_template_string from .templating import stream_template as stream_template from .templating import stream_template_string as stream_template_string -__version__ = "2.2.5.dev" +__version__ = "2.2.5" def __getattr__(name):