[CVE-2024-6844] Replace use of (urllib) unquote_plus with unquote for paths

adrianosela · adrianosela · commit d3f85dcc9f49 · 2025-05-14T10:14:29.000-07:00
diff --git a/flask_cors/extension.py b/flask_cors/extension.py
@@ -1,5 +1,5 @@
 import logging
-from urllib.parse import unquote_plus
+from urllib.parse import unquote
 
 from flask import request
 
@@ -188,7 +188,7 @@ def cors_after_request(resp):
         if resp.headers is not None and resp.headers.get(ACL_ORIGIN):
             LOG.debug("CORS have been already evaluated, skipping")
             return resp
-        normalized_path = unquote_plus(request.path)
+        normalized_path = unquote(request.path)
         for res_regex, res_options in resources:
             if try_match(normalized_path, res_regex):
                 LOG.debug(
