From ddd69d35807ef0ea668f572a4b032c529b3ff6ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A9rard=20Collin?= Date: Wed, 1 Mar 2023 17:34:54 +0100 Subject: [PATCH 1/8] Fix upgrade of old stuff and security of chrome --- conf/systemd.service | 3 ++- scripts/upgrade | 6 +++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index b26c0df..f2c1d98 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -32,7 +32,8 @@ ProtectKernelModules=yes ProtectKernelTunables=yes LockPersonality=yes SystemCallArchitectures=native -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged +# We need to allow priviledged to enable chromium access to gpu +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation # Denying access to capabilities that should not be relevant for webapps # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html diff --git a/scripts/upgrade b/scripts/upgrade index 14e7d60..2d95ecb 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -104,7 +104,11 @@ complete_install=false # Check if we need to clean up old bad installs if [ -f "$final_path/package.json" ]; then complete_install=true - ynh_secure_remove --file="$final_path/*" + ynh_secure_remove --file="$final_path" + mkdir "$final_path" + chmod 750 "$final_path" + chmod -R o-rwx "$final_path" + chown -R $app:$app "$final_path" fi #================================================= From 591dc74ed5d4930d5cdde8e6c64f288cdff4206c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A9rard=20Collin?= Date: Wed, 1 Mar 2023 17:39:08 +0100 Subject: [PATCH 2/8] Upgrade version 1.1.6 --- conf/amd64.src | 4 ++-- manifest.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/conf/amd64.src b/conf/amd64.src index f9c125c..843e833 100644 --- a/conf/amd64.src +++ b/conf/amd64.src 
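Review bot: Dropping `@privileged` from the deny list in `SystemCallFilter=` re-opens the whole group of superuser-level system calls for every process of the service, not only for Chromium, and the new comment does not say which call was actually being blocked. It would be tighter to keep `@privileged` in the `~` list and add a second line after it that re-allows only the calls observed failing, `SystemCallFilter=<syscalls chromium needs>` (placeholder; per systemd.exec(5) a later allow-style line removes the listed calls from an earlier deny set). At minimum the comment should name the failing call and the symptom, and fix the spelling, e.g. `# @privileged is not denied: chromium's GPU process fails on <syscall> otherwise`. The capability restrictions that follow in the unit lie outside this hunk, so how much they still cover cannot be judged from here.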
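Review bot: The recreated directory gets its final mode and owner only after three further commands, and `chown -R $app:$app` is unquoted; with the usual root umask the directory is briefly readable by others, although it is still empty at that point. Creating it in one step avoids both: `install -d -m 750 -o "$app" -g "$app" "$final_path"`. On a directory that was just created empty with mode 750, `chmod -R o-rwx` changes nothing and can be dropped. Removing `$final_path` itself also deletes every file a previous install kept there, so a comment should state that nothing in it has to survive, for example `# old installs are wiped entirely; .env is regenerated later in this script`.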
@@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/gcollin/cookie-aware-cors-proxy/releases/download/v1.1.4/cookie-aware-cors-proxy.tgz -SOURCE_SUM=c56ca989233d4d2f3a2304ec96d979445f97232c8be63d5910d819af66f83ab9 +SOURCE_URL=https://github.com/gcollin/cookie-aware-cors-proxy/releases/download/v1.1.6/cookie-aware-cors-proxy.tgz +SOURCE_SUM=110dd1dc2014dcc6c9d05ff947aa365f4ee960bf93ec7b9abf965ad892e2b2d5 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true diff --git a/manifest.json b/manifest.json index 02f8680..9af40ac 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "An advanced https proxy allowing you to call other websites from your own web application.", "fr": "Un proxy https avancé vous permettant d'appeler d'autres sites depuis votre propre application web." }, - "version": "1.0~ynh2", + "version": "1.1.6~ynh3", "url": "https://github.com/gcollin/cookie-aware-cors-proxy", "upstream": { "license": "MIT", From f480289cdf568e259cd55daa01e7804e67600e93 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Wed, 1 Mar 2023 16:39:31 +0000 Subject: [PATCH 3/8] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f2079dc..ec256b0 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ With Cookie Aware Cors Proxy, you can call a website not supporting CORS from yo - Two engines: a lightweight and one based on chrome to support websites running javascript -**Shipped version:** 1.0~ynh2 +**Shipped version:** 1.1.6~ynh3 ## Screenshots diff --git a/README_fr.md b/README_fr.md index 29aa749..f36869d 100644 --- a/README_fr.md +++ b/README_fr.md @@ -27,7 +27,7 @@ With Cookie Aware Cors Proxy, you can call a website not supporting CORS from yo - Two engines: a lightweight and one based on chrome to support websites running javascript -**Version incluse :** 1.0~ynh2 +**Version incluse :** 1.1.6~ynh3 ## Captures d’écran 
From 5bae1ac2dcfd8affa99676f42b53d57e0850ed1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A9rard=20Collin?= Date: Sat, 15 Apr 2023 12:28:56 +0200 Subject: [PATCH 4/8] bypass chrome sandbox for kernel 6.x --- conf/.env | 1 + scripts/install | 13 +++++++++++++ scripts/upgrade | 16 ++++++++++++---- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/conf/.env b/conf/.env index 85c138e..2d91850 100644 --- a/conf/.env +++ b/conf/.env @@ -3,3 +3,4 @@ CACP_REDIRECT_HOST=https://__DOMAIN__ CACP_REDIRECT_PATH=__PATH_URL__ CACP_DEBUG=FALSE CACP_LOG=FALSE +CACP_BYPASS_SANDBOX=__BYPASS_SANDBOX__ diff --git a/scripts/install b/scripts/install index d64af45..861bc00 100755 --- a/scripts/install +++ b/scripts/install @@ -208,6 +208,19 @@ ynh_add_nginx_config #================================================= ynh_script_progression --message="Adding a configuration file..." --weight=1 +# We must use chrome sandbox for kernels 5.x, 6.x doesn't need it anymore +kernel_release=$(uname -r) +if [[ $kernel_release == 5.* ]] +then + bypass_sandbox="TRUE" + if [ $install_chromium -eq 1 ] + then + ynh_print_warn --message="Using non sandboxed chromium as kernel release is less than 6.x" + fi +else + bypass_sandbox="FALSE" +fi + ynh_add_config --template=".env" --destination="$final_path/.env" # FIXME: this should be handled by the core in the future diff --git a/scripts/upgrade b/scripts/upgrade index 2d95ecb..66d1d60 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
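Review bot: The comment above the kernel test in scripts/install says the opposite of what the code does: on `5.*` kernels `bypass_sandbox` becomes `TRUE`, so Chromium runs without its sandbox there, while the comment reads as if the sandbox were required on 5.x. The pattern `5.*` also does not match the warning text "less than 6.x", because a 4.x kernel falls into the `else` branch and keeps the sandbox on. If "older than 6" is the intent, compare the major number instead, `kernel_major=${kernel_release%%.*}` followed by `if (( kernel_major < 6 ))`. Because this browser loads third-party pages, the comment should give the reason for the bypass, e.g. `# Chromium's sandbox is bypassed on kernels older than 6.x because <reason>`. The same block is repeated in the scripts/upgrade and scripts/change_url hunks of this series and needs the same correction there.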
@@ -192,10 +192,18 @@ ynh_add_nginx_config #================================================= ynh_script_progression --message="Updating a configuration file..." --weight=1 -### Same as during install -### -### The file will automatically be backed-up if it's found to be manually modified (because -### ynh_add_config keeps track of the file's checksum) +# We must use chrome sandbox for kernels 5.x, 6.x doesn't need it anymore +kernel_release=$(uname -r) +if [[ $kernel_release == 5.* ]] +then + bypass_sandbox="TRUE" + if [ $install_chromium -eq 1 ] + then + ynh_print_warn --message="Using non sandboxed chromium as kernel release is less than 6.x" + fi +else + bypass_sandbox="FALSE" +fi ynh_add_config --template=".env" --destination="$final_path/.env" From c0631b62ce2d09e345eb2f1b1c264644724dc81a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A9rard=20Collin?= Date: Sat, 15 Apr 2023 12:32:45 +0200 Subject: [PATCH 5/8] Upgrade to latest cors-proxy version --- conf/amd64.src | 4 ++-- manifest.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/conf/amd64.src b/conf/amd64.src index 843e833..e7c8f4b 100644 --- a/conf/amd64.src +++ b/conf/amd64.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/gcollin/cookie-aware-cors-proxy/releases/download/v1.1.6/cookie-aware-cors-proxy.tgz -SOURCE_SUM=110dd1dc2014dcc6c9d05ff947aa365f4ee960bf93ec7b9abf965ad892e2b2d5 +SOURCE_URL=https://github.com/gcollin/cookie-aware-cors-proxy/releases/download/v1.1.11/cookie-aware-cors-proxy.tgz +SOURCE_SUM=93a2564a9d244c0087a8103f68be31ef48d592180f37dd3e496feb438cc7e1c8 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true diff --git a/manifest.json b/manifest.json index 9af40ac..cb23a3f 100644 --- a/manifest.json +++ b/manifest.json 
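Review bot: `bypass_sandbox` is derived from `uname -r` once, while the upgrade script runs, and is then presumably frozen into `.env` as `CACP_BYPASS_SANDBOX` by `ynh_add_config`; a host that later boots a 6.x kernel would keep the sandbox bypass until the app is upgraded or its URL is changed again. If the application cannot take that decision at start-up, the limitation deserves a comment such as `# evaluated at upgrade time only; re-run the upgrade after a kernel change`. The block is a verbatim copy of the one added to scripts/install, so a single function in a file sourced by both scripts would keep the copies from drifting apart. The removed note about `ynh_add_config` backing up a manually modified file is not replaced by anything; if it still holds, it could stay next to the call.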
@@ -6,7 +6,7 @@ "en": "An advanced https proxy allowing you to call other websites from your own web application.", "fr": "Un proxy https avancé vous permettant d'appeler d'autres sites depuis votre propre application web." }, - "version": "1.1.6~ynh3", + "version": "1.1.11~ynh1", "url": "https://github.com/gcollin/cookie-aware-cors-proxy", "upstream": { "license": "MIT", From 197a663d73f86ec56bcf115ae83754ef453774d1 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Sat, 15 Apr 2023 10:32:53 +0000 Subject: [PATCH 6/8] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ec256b0..6531856 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ With Cookie Aware Cors Proxy, you can call a website not supporting CORS from yo - Two engines: a lightweight and one based on chrome to support websites running javascript -**Shipped version:** 1.1.6~ynh3 +**Shipped version:** 1.1.11~ynh1 ## Screenshots diff --git a/README_fr.md b/README_fr.md index f36869d..ce8c6b3 100644 --- a/README_fr.md +++ b/README_fr.md @@ -27,7 +27,7 @@ With Cookie Aware Cors Proxy, you can call a website not supporting CORS from yo - Two engines: a lightweight and one based on chrome to support websites running javascript -**Version incluse :** 1.1.6~ynh3 +**Version incluse :** 1.1.11~ynh1 ## Captures d’écran From 8e78dee025a5c462433c8da8a91218ea7eb079f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A9rard=20Collin?= Date: Sun, 16 Apr 2023 10:28:04 +0200 Subject: [PATCH 7/8] Fixed missing param in change-url --- scripts/change_url | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/scripts/change_url b/scripts/change_url index cddf3e8..8e3ce2c 100644 --- a/scripts/change_url +++ b/scripts/change_url 
@@ -109,6 +109,20 @@ ynh_script_progression --message="Updating .env configuration..." ynh_backup_if_checksum_is_different --file="$final_path/.env" domain=$new_domain path_url=$new_path + +# We must use chrome sandbox for kernels 5.x, 6.x doesn't need it anymore +kernel_release=$(uname -r) +if [[ $kernel_release == 5.* ]] +then + bypass_sandbox="TRUE" + if [ $install_chromium -eq 1 ] + then + ynh_print_warn --message="Using non sandboxed chromium as kernel release is less than 6.x" + fi +else + bypass_sandbox="FALSE" +fi + ynh_add_config --template=".env" --destination="$final_path/.env" # FIXME: this should be handled by the core in the future From a5ff575b9b7b98a3ad1b7ba04a8a5840a3419a92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A9rard=20Collin?= Date: Mon, 17 Apr 2023 09:56:44 +0200 Subject: [PATCH 8/8] Fixed missing chromium param --- scripts/change_url | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/change_url b/scripts/change_url index 8e3ce2c..e40f6a7 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -29,6 +29,7 @@ ynh_script_progression --message="Loading installation settings..." --weight=1 # Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) port=$(ynh_app_setting_get --app=$app --key=port) +install_chromium=$(ynh_app_setting_get --app=$app --key=install_chromium) #================================================= # BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP
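Review bot: `[ $install_chromium -eq 1 ]` in the change_url hunk expands the variable unquoted, and nothing visible in this hunk loads that setting (a later commit in the series adds the `ynh_app_setting_get` line). With an empty value `[` reports an error and the warning is silently skipped, and if the script runs with nounset an unset variable would abort it, which cannot be confirmed from the lines shown. Quoting with a default keeps the test well-formed in both cases: `if [ "${install_chromium:-0}" -eq 1 ]`. The copies of this test in scripts/install and scripts/upgrade would benefit from the same form.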