path: root/pkgs/applications/networking/pyload-ng/CVE-2024-22416.patch
From 63b26a03dfa91fda47783a1a02ed5ae1f41433d3 Mon Sep 17 00:00:00 2001
From: GammaC0de <gammac0de@users.noreply.github.com>
Date: Thu, 18 Jan 2024 00:56:58 +0200
Subject: [PATCH 1/2] fix GHSA-pgpj-v85q-h5fm security advisory

(cherry picked from commit c7cdc18ad9134a75222974b39e8b427c4af845fc)
---
 setup.cfg                        | 7 +++----
 src/pyload/webui/app/__init__.py | 1 +
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/setup.cfg b/setup.cfg
index b168fa1ff..dde44a869 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -53,13 +53,12 @@ package_dir =
 	= src
 install_requires = 
 	Cheroot~=8.4
-	Flask;python_version<"3.8"
-	Flask~=2.3.0;python_version>="3.8"
+	Flask
 	Flask-Babel~=1.0
 	Flask-Caching~=1.9
 	Flask-Compress~=1.8
-	Flask-Session~=0.3;python_version<"3.7"
-	Flask-Session2~=1.3;python_version>="3.7"
+	Flask-Session~=0.4.1;python_version<"3.7"
+	Flask-Session;python_version>="3.7"
 	Flask-Themes2~=1.0
 	bitmath~=1.3
 	cryptography>=35.0.0
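Review bot: The new `Flask` and `Flask-Session;python_version>="3.7"` lines carry no version bound at all, so the advisory fix depends on whichever releases the resolver picks at install time. The cookie setting added in `src/pyload/webui/app/__init__.py` only helps if the installed session extension honours `SESSION_COOKIE_SAMESITE`, which is presumably why Flask-Session2 was swapped out. That assumption should be encoded as a lower bound, e.g. `Flask-Session>=<FIRST_RELEASE_HONOURING_SAMESITE>;python_version>="3.7"` (placeholder; the version is not on this page). A compatible-release bound like the neighbouring `~=` pins would also keep a future major release from silently changing session handling.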
diff --git a/src/pyload/webui/app/__init__.py b/src/pyload/webui/app/__init__.py
index 2c9226b1c..7f4ecf016 100644
--- a/src/pyload/webui/app/__init__.py
+++ b/src/pyload/webui/app/__init__.py
@@ -112,6 +112,7 @@ class App:
         app.config["SESSION_FILE_DIR"] = cache_path
         app.config["SESSION_TYPE"] = "filesystem"
         app.config["SESSION_COOKIE_NAME"] = "pyload_session"
+        app.config["SESSION_COOKIE_SAMESITE"] = "None"
         app.config["SESSION_COOKIE_SECURE"] = app.config["PYLOAD_API"].get_config_value("webui", "use_ssl")
         app.config["SESSION_PERMANENT"] = False
 
-- 
2.43.2


From d727404b2de55337a92261cc2100d79e5c68945a Mon Sep 17 00:00:00 2001
From: GammaC0de <gammac0de@users.noreply.github.com>
Date: Thu, 18 Jan 2024 01:11:24 +0200
Subject: [PATCH 2/2] fix GHSA-pgpj-v85q-h5fm security advisory (2)

(cherry picked from commit 1374c824271cb7e927740664d06d2e577624ca3e)
---
 src/pyload/webui/app/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pyload/webui/app/__init__.py b/src/pyload/webui/app/__init__.py
index 7f4ecf016..3e2933f0e 100644
--- a/src/pyload/webui/app/__init__.py
+++ b/src/pyload/webui/app/__init__.py
@@ -112,7 +112,7 @@ class App:
         app.config["SESSION_FILE_DIR"] = cache_path
         app.config["SESSION_TYPE"] = "filesystem"
         app.config["SESSION_COOKIE_NAME"] = "pyload_session"
-        app.config["SESSION_COOKIE_SAMESITE"] = "None"
+        app.config["SESSION_COOKIE_SAMESITE"] = "Strict"
         app.config["SESSION_COOKIE_SECURE"] = app.config["PYLOAD_API"].get_config_value("webui", "use_ssl")
         app.config["SESSION_PERMANENT"] = False
 
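Review bot: `app.config["SESSION_COOKIE_SAMESITE"] = "Strict"` is the only cross-site request control visible in this series, and the line carries no comment tying it to the advisory, so a later relaxation to "Lax" or "None" would quietly reopen the issue. I would add `# GHSA-pgpj-v85q-h5fm: keep Strict unless requests are also protected by a CSRF token` above it. Patch 1/2 on its own sets the value to "None", so a backport needs both commits applied together. On the following line `SESSION_COOKIE_SECURE` follows the `use_ssl` option, so a deployment that terminates TLS in a reverse proxy with `use_ssl` off would presumably still issue the session cookie without the Secure attribute; that deserves a line in the deployment docs. The enclosing method of `class App` begins and ends outside the hunk.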
-- 
2.43.2