python311Packages.starlette: fix CVE-2024-47874

> Denial of service (DoS) via multipart/form-data https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
2024-11-26 17:03:01 +00:00 · 2024-10-24 18:31:18 +02:00 · 2024-10-24 18:31:18 +02:00 · aa3ba8d7a9
commit aa3ba8d7a9
parent e0933d74a8
1 changed files with 10 additions and 0 deletions
--- a/pkgs/development/python-modules/starlette/default.nix
+++ b/pkgs/development/python-modules/starlette/default.nix
@ -2,6 +2,7 @@
  lib,
  buildPythonPackage,
  fetchFromGitHub,
+  fetchpatch2,

  # build-system
  hatchling,
@ -40,6 +41,15 @@ buildPythonPackage rec {
    hash = "sha256-GiCN1sfhLu9i19d2OcLZrlY8E64DFrFh+ITRSvLaxdE=";
  };

+  patches = [
+    (fetchpatch2 {
+      # https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
+      name = "CVE-2024-47874.patch";
+      url = "https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733.patch";
+      hash = "sha256-N/v0xBa6e40ZrdHfDa5mlHJhh5IyDdC/XdmTtKNOYP4=";
+    })
+  ];
+
  nativeBuildInputs = [ hatchling ];

  propagatedBuildInputs = [ anyio ] ++ lib.optionals (pythonOlder "3.10") [ typing-extensions ];