python312Packages.python-multipart: fix CVE-2024-53981

(cherry picked from commit bb2a6df)
NixOS · Dec 9, 2024 · 620a7f0 · 620a7f0
1 parent 1346cdc
commit 620a7f0
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/pkgs/development/python-modules/python-multipart/default.nix b/pkgs/development/python-modules/python-multipart/default.nix
@@ -1,6 +1,7 @@
 {
   lib,
   buildPythonPackage,
+  fetchpatch2,
   fetchPypi,
   hatchling,
   pytestCheckHook,
@@ -27,6 +28,27 @@ buildPythonPackage rec {
     hash = "sha256-A/VGiMZj8beXcQXwIQQ7B5MVHkyxwanUoR/BPWIsQCY=";
   };
 
+  patches = [
+    (fetchpatch2 {
+      name = "CVE-2024-53981-part1.patch";
+      url = "https://github.com/Kludex/python-multipart/commit/9205a0ec8c646b9f705430a6bfb52bd957b76c19.patch?full_index=1";
+      # undo the move of multipart/ to python_multipart/
+      stripLen = 2;
+      extraPrefix = "multipart/";
+      includes = [ "multipart/multipart.py" ];
+      hash = "sha256-n/b4lvHuK8pUsuanD8htnjOiUYgDhX1N7yHlqatCuAg=";
+    })
+    (fetchpatch2 {
+      name = "CVE-2024-53981-part2.patch";
+      url = "https://github.com/Kludex/python-multipart/commit/c4fe4d3cebc08c660e57dd709af1ffa7059b3177.patch?full_index=1";
+      # undo the move of multipart/ to python_multipart/
+      stripLen = 2;
+      extraPrefix = "multipart/";
+      includes = [ "multipart/multipart.py" ];
+      hash = "sha256-k/9DwHWtv/srktCwaDUGoepIdgCk872OsZdcUKZ5bjg=";
+    })
+  ];
+
   nativeBuildInputs = [ hatchling ];
 
   propagatedBuildInputs = [ six ];