From 2ed28e8f2defd0fa6b9501efd1aabfb44313d282 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet <thomas@gerbet.me>
Date: Wed, 14 Feb 2024 20:46:32 +0100
Subject: [PATCH] phpPackages.composer: apply patch for CVE-2024-24821

Upgrade to the 2.7.x branch needs some work (see #288574), let's patch
the security issue in the meantime.
---
 pkgs/development/php-packages/composer/default.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/php-packages/composer/default.nix b/pkgs/development/php-packages/composer/default.nix
index 9cfc8683eca5..8a626f46181a 100644
--- a/pkgs/development/php-packages/composer/default.nix
+++ b/pkgs/development/php-packages/composer/default.nix
@@ -1,4 +1,4 @@
-{ lib, callPackage, fetchFromGitHub, php, unzip, _7zz, xz, git, curl, cacert, makeBinaryWrapper }:
+{ lib, callPackage, fetchFromGitHub, fetchpatch, php, unzip, _7zz, xz, git, curl, cacert, makeBinaryWrapper }:
 
 php.buildComposerProject (finalAttrs: {
   # Hash used by ../../../build-support/php/pkgs/composer-phar.nix to
@@ -22,6 +22,18 @@ php.buildComposerProject (finalAttrs: {
     hash = "sha256-KsTZi7dSlQcAxoen9rpofbptVdLYhK+bZeDSXQY7o5M=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2024-24821.patch";
+      url = "https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7.patch";
+      hash = "sha256-Q7gkPLf59+p++DpfJZeOrAOiWePuGkdGYRaS/rK+Nv4=";
+      excludes = [
+        # Skipping test files, they are not included in the source tarball
+        "tests/*"
+      ];
+    })
+  ];
+
   nativeBuildInputs = [ makeBinaryWrapper ];
 
   postInstall = ''