authorThomas Gerbet <thomas@gerbet.me>2024-04-27 14:47:20 +0200
committerThomas Gerbet <thomas@gerbet.me>2024-04-27 14:55:30 +0200
commit887d63ed7d25af94ceca37c6bc56db0a25ea5ea7 (patch)
tree237294e0fc7bdddddf28ae44261e7216eb2bdede /pkgs/applications
parent41ea4d332aef73f273e0218405dece419b93a5e1 (diff)
octoprint: apply patch for CVE-2024-28237
The 1.10.0 upgrade from #306861 seems to be too big to
be safely backported.

I also did not backport CVE-2024-23637: it is split across
a series of patches and impacts quite sensitive parts of OctoPrint.
I am not confident enough to backport it, and exploiting the issue
requires admin-level access.
Diffstat (limited to 'pkgs/applications')
-rw-r--r--pkgs/applications/misc/octoprint/default.nix8
1 files changed, 8 insertions, 0 deletions
diff --git a/pkgs/applications/misc/octoprint/default.nix b/pkgs/applications/misc/octoprint/default.nix
index e7daa60198d11..6920a8f3bbbe3 100644
--- a/pkgs/applications/misc/octoprint/default.nix
+++ b/pkgs/applications/misc/octoprint/default.nix
@@ -4,6 +4,7 @@
 , lib
 , fetchFromGitHub
 , fetchPypi
+, fetchpatch
 , python3
 , substituteAll
 , nix-update-script
@@ -188,6 +189,13 @@ let
                   src = ./ffmpeg-path.patch;
                   ffmpeg = "${pkgs.ffmpeg}/bin/ffmpeg";
                 })
+
+                (fetchpatch {
+                  # https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c
+                  name = "CVE-2024-28237.patch";
+                  url = "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517.patch";
+                  hash = "sha256-JtZSEbzkvVl1yz1fjJN1BCVIRSx3ZiLsj01dh+xchyM=";
+                })
               ];
 
               postPatch =
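Review bot: The new fetchpatch entry links the advisory but gives no hint of when the patch becomes obsolete, so a future version bump can easily carry it along after upstream already contains the fix; a removal condition next to the advisory link would help, e.g. `# TODO: drop once octoprint is bumped to a release that contains upstream commit 779894c` (the commit message implies the 1.10.0 upgrade includes it, but confirm against the advisory before naming a version). Pinning to the upstream commit URL together with an SRI `hash` is the right shape for a security backport, since `fetchpatch` normalizes GitHub's commit output so the hash stays reproducible. The commit message also records that CVE-2024-23637 was deliberately left unpatched; if that gap should be visible to users rather than only in git history, `meta.knownVulnerabilities` is the conventional place for it in nixpkgs, though that attribute and the start of the `patches` list both lie outside this hunk.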