security: fix unprivileged content libraries creation

See: GHSA-3q74-3rfh-g37j openedx/edx-platform#32838 https://discuss.openedx.org/t/security-upcoming-security-release-for-edx-platform-on-2023-07-25/10769
overhangio · Jul 28, 2023 · a194524 · a194524
1 parent faf43bd
commit a194524
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/changelog.d/20230728_210255_regis.md b/changelog.d/20230728_210255_regis.md
@@ -0,0 +1 @@
+- [Security] Fix content libraries creation by unprivileged users in studio (see [security advisory](https://github.com/openedx/edx-platform/security/advisories/GHSA-3q74-3rfh-g37j)). (by @regisb)
diff --git a/tutor/templates/build/openedx/Dockerfile b/tutor/templates/build/openedx/Dockerfile
@@ -50,6 +50,9 @@ RUN git config --global user.email "[email protected]" \
 {{ patch("openedx-dockerfile-git-patches-default") }}
 {%- else %}
 # Patch edx-platform
+# Security advisory: https://github.com/openedx/edx-platform/security/advisories/GHSA-3q74-3rfh-g37j
+# https://github.com/openedx/edx-platform/pull/32838
+RUN curl -fsSL https://github.com/openedx/edx-platform/commit/163259779297a7dccb28e1f8c3dfa4d2cbdb9655.patch | git am
 {%- endif %}
 
 {# Example: RUN curl -fsSL https://github.com/openedx/edx-platform/commit/<GITSHA1>.patch | git am #}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- [Security] Fix content libraries creation by unprivileged users in studio (see [security advisory](https://github.com/openedx/edx-platform/security/advisories/GHSA-3q74-3rfh-g37j)). (by @regisb)