From 887d63ed7d25af94ceca37c6bc56db0a25ea5ea7 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Sat, 27 Apr 2024 14:47:20 +0200
Subject: [PATCH] octoprint: apply patch for CVE-2024-28237

The 1.10.0 upgrade from #306861 seems to be too big to be safely backported. I also did not backport CVE-2024-23637: it is split across a series of patches and impacts quite sensitive parts of OctoPrint. I am not feeling confident enough to backport it and exploiting the issue requires an admin level access.
---
 pkgs/applications/misc/octoprint/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkgs/applications/misc/octoprint/default.nix b/pkgs/applications/misc/octoprint/default.nix
index e7daa60198d11..6920a8f3bbbe3 100644
--- a/pkgs/applications/misc/octoprint/default.nix
+++ b/pkgs/applications/misc/octoprint/default.nix
@@ -4,6 +4,7 @@
 , lib
 , fetchFromGitHub
 , fetchPypi
+, fetchpatch
 , python3
 , substituteAll
 , nix-update-script
@@ -188,6 +189,13 @@ let
 src = ./ffmpeg-path.patch;
 ffmpeg = "${pkgs.ffmpeg}/bin/ffmpeg";
 })
+
+ (fetchpatch {
+ # https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-x7mf-wrh9-r76c
+ name = "CVE-2024-28237.patch";
+ url = "https://github.com/OctoPrint/OctoPrint/commit/779894c1bc6478332d14bc9ed1006df1354eb517.patch";
+ hash = "sha256-JtZSEbzkvVl1yz1fjJN1BCVIRSx3ZiLsj01dh+xchyM=";
+ })
 ];
 postPatch =
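Review bot: The second hunk records CVE-2024-28237 in the patch list but the deliberate decision to leave CVE-2024-23637 unpatched in this series lives only in the commit message, so a maintainer auditing default.nix will see the advisory link on the new fetchpatch and assume the package is caught up on upstream advisories. Consider a comment beside the new fetchpatch entry, e.g. `# CVE-2024-23637 is intentionally not backported here: the upstream fix spans several commits (presumably covered by the 1.10.0 upgrade, see #306861)`. The fetchpatch itself is sound: the content is pinned by `hash`, and the advisory URL gives the provenance of the upstream commit. The first hunk, which only adds `fetchpatch` to the inputs, needs nothing.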