mirror of https://github.com/YunoHost-Apps/garradin_ynh.git synced 2024-09-03 18:36:17 +02:00

update nginx.conf to protect against path traversal issue

Robles Rodolphe 2020-10-27 13:05:19 +01:00
commit d8604b9682
14 changed files with 94 additions and 172 deletions


@ -1,18 +0,0 @@
## Problem
-
## Solution
-
## PR Status
-
## Validation
---
*Minor decision*
- **Upgrade previous version** :
- [ ] **Code review** :
- [ ] **Approval (LGTM)** :
- [ ] **Approval (LGTM)** :
- **CI succeeded** : [![Build Status](https://ci-apps-dev.yunohost.org/jenkins/job/garradin_ynh%20xxx%20(Official)/badge/icon)](https://ci-apps-dev.yunohost.org/jenkins/job/nextcloud_ynh%20xxx%20(Official)/)
When the PR is mark as ready to merge, you have to wait for 3 days before really merge it.


@ -1,6 +1,6 @@
# Garradin for Yunohost
# Garradin for YunoHost
[![Integration level](https://dash.yunohost.org/integration/garradin.svg)](https://dash.yunohost.org/appci/app/garradin) ![](https://ci-apps.yunohost.org/ci/badges/garradin.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/garradin.maintain.svg)
[![Integration level](https://dash.yunohost.org/integration/garradin.svg)](https://dash.yunohost.org/appci/app/garradin) ![](https://ci-apps.yunohost.org/ci/badges/garradin.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/garradin.maintain.svg)
[![Install Garradin with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=garradin)
*[Lire ce readme en français.](./README_fr.md)*
@ -25,7 +25,6 @@ Garradin is a free association managing software.
* [Official demo](https://garradin.eu/essai/)
## Documentation
* Official documentation: https://fossil.kd2.org/garradin/wiki?name=Documentation
@ -46,9 +45,6 @@ LDAP is not supported yet.
* The application is ONLY translated into french.
* Do not install this application on the default root path's domain name without adding a subpath, otherwise the sso conection page will be substitute by home's garradin page.
**More info on the documentation page:**
https://yunohost.org/packaging_apps
## Links
* Report a bug: https://github.com/YunoHost-Apps/garradin_ynh/issues
@ -58,15 +54,13 @@ https://yunohost.org/packaging_apps
---
Developer info
----------------
## Developer info
**Only if you want to use a testing branch for coding, instead of merging directly into master.**
Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/garradin_ynh/tree/testing).
To try the testing branch, please proceed like that.
```
sudo yunohost app install https://github.com/YunoHost-Apps/garradin_ynh/tree/testing --debug
or
sudo yunohost app upgrade REPLACEBYYOURAPP -u https://github.com/YunoHost-Apps/garradin_ynh/tree/testing --debug
sudo yunohost app upgrade garradin -u https://github.com/YunoHost-Apps/garradin_ynh/tree/testing --debug
```


@ -1,4 +1,4 @@
# Garradin pour Yunohost
# Garradin pour YunoHost
[![Niveau d'intégration](https://dash.yunohost.org/integration/garradin.svg)](https://dash.yunohost.org/appci/app/garradin) ![](https://ci-apps.yunohost.org/ci/badges/garradin.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/garradin.maintain.svg)
[![Installer Garradin avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=garradin)
@ -54,15 +54,13 @@ Garradin est un logiciel libre de gestion associative. il permet de gérer des m
---
Informations pour les développeurs
----------------
## Informations pour les développeurs
**Seulement si vous voulez utiliser une branche de test pour le codage, au lieu de fusionner directement dans la banche principale.**
Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/garradin_ynh/tree/testing).
Pour essayer la branche testing, procédez comme suit.
```
sudo yunohost app install https://github.com/YunoHost-Apps/garradin_ynh/tree/testing --debug
ou
sudo yunohost app upgrade REPLACEBYYOURAPP -u https://github.com/YunoHost-Apps/garradin_ynh/tree/testing --debug
sudo yunohost app upgrade garradin -u https://github.com/YunoHost-Apps/garradin_ynh/tree/testing --debug
```


@ -26,7 +26,7 @@ if ($scheme = http) {
location ~ [^/]\.php(/|$) {
try_files $uri $uri/ /_route.php;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/var/run/php/php7.0-fpm-__NAME__.sock;
fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param REMOTE_USER $remote_user;
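Review bot: The only visible difference in this `location ~ [^/]\.php(/|$)` block is the socket name in `fastcgi_pass`, so the path-traversal protection named in the commit title is not shown in this hunk. The block starts and ends outside the hunk, and the `location`/`alias` lines that normally decide whether a request can leave the app directory are not visible, so it is worth confirming that they were already corrected or that the fix was meant to be part of this commit. A short comment above the changed line would also help, for example `# __PHPVERSION__ must resolve to the same version as the PHP-FPM pool's listen socket`.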


@ -30,7 +30,7 @@ group = __USER__
; specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /var/run/php/php7.0-fpm-__NAMETOCHANGE__.sock
listen = /var/run/php/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock
; Set listen(2) backlog. A value of '-1' means unlimited.
; Default Value: 128 (-1 on FreeBSD and OpenBSD)


@ -2,19 +2,19 @@
"name": "Garradin",
"id": "garradin",
"packaging_format": 1,
"requirements": {
"yunohost": ">=3.7.1"
},
"description": {
"en": "Software to manage association",
"fr": "Logiciel libre de gestion d'association"
},
"version": "0.9.8.1~ynh3",
"version": "0.9.8.1~ynh4",
"url": "http://garradin.eu/a-propos/",
"license": "GPL-3.0-or-later",
"maintainer": {
"name": "frju365",
"email": "win10@tutanota.com"
},
"requirements": {
"yunohost": ">=3.8.1"
},
"multi_instance": true,
"services": [

18
pull_request_template.md Normal file

@ -0,0 +1,18 @@
## Problem
- *Description of why you made this PR*
## Solution
- *And how do you fix that problem*
## PR Status
- [ ] Code finished.
- [ ] Tested with Package_check.
- [ ] Fix or enhancement tested.
- [ ] Upgrade from last version tested.
- [ ] Can be reviewed and tested.
## Package_check results
---
*If you have access to [App Continuous Integration for packagers](https://yunohost.org/#/packaging_apps_ci) you can provide a link to the package_check results like below, replacing '-NUM-' in this link by the PR number and USERNAME by your username on the ci-apps-dev. Or you provide a screenshot or a pastebin of the results*
[![Build Status](https://ci-apps-dev.yunohost.org/jenkins/job/garradin_ynh%20PR-NUM-%20(USERNAME)/badge/icon)](https://ci-apps-dev.yunohost.org/jenkins/job/garradin_ynh%20PR-NUM-%20(USERNAME)/)


@ -4,51 +4,22 @@
# COMMON VARIABLES
#=================================================
# dependencies used by the app
if [ "$lsb_release --codename --short" = "buster" ]; then
pkg_dependencies="php7.3-sqlite3"
else [ "$lsb_release --codename --short" = "stretch" ]
pkg_dependencies="php7.0-sqlite3"
fi
YNH_PHP_VERSION="7.3"
# ============= FUTURE YUNOHOST HELPER =============
extra_php_dependencies="php${YNH_PHP_VERSION}-sqlite3"
# Check if a permission exists
#
# While waiting for this new helper https://github.com/YunoHost/yunohost/pull/905
# We have to use another one because the new helper use a new YunoHost command, not available for now.
#
# usage: ynh_permission_has_user --permission=permission --user=user
# | arg: -p, --permission - the permission to check
# | arg: -u, --user - the user seek in the permission
#
# example: ynh_permission_has_user --permission=main --user=visitors
#
# Requires YunoHost version 3.7.1 or higher.
# ynh_permission_has_user() {
# local legacy_args=pu
# # Declare an array to define the options of this helper.
# declare -Ar args_array=( [p]=permission= [u]=user= )
# local permission
# local user
# # Manage arguments with getopts
# ynh_handle_getopts_args "$@"
#=================================================
# PERSONAL HELPERS
#=================================================
# if ! ynh_permission_exists --permission=$permission
# then
# return 1
# fi
#=================================================
# EXPERIMENTAL HELPERS
#=================================================
# # List all permissions
# # Filter only the required permission with a multiline sed (Here a cut from the permission to the next one), remove the url and his value
# perm="$(yunohost user permission list --full --output-as plain | sed --quiet "/^#$app.$permission/,/^#[[:alnum:]]/p" | sed "/^##url/,+1d")"
# # Remove all lines starting by # (got from the plain output before)
# allowed_users="$(echo "$perm" | grep --invert-match '^#')"
# # Grep the list of users an return the result if the user is indeed into the list
# echo "$allowed_users" | grep --quiet --word "$user"
# }
#=================================================
# FUTURE OFFICIAL HELPERS
#=================================================
#=================================================
#=================================================
# FUTURE OFFICIAL HELPERS
#=================================================


@ -26,31 +26,34 @@ app=$YNH_APP_INSTANCE_NAME
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
domain=$(ynh_app_setting_get --app=$app --key=domain)
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
#=================================================
# DECLARE DATA AND CONF FILES TO BACKUP
#=================================================
ynh_print_info --message="Declaring files to be backed up..."
#=================================================
# STANDARD BACKUP STEPS
#=================================================
# BACKUP THE APP MAIN DIR
#=================================================
ynh_script_progression --message="Backing up the main app directory..."
ynh_backup --src_path="$final_path"
#=================================================
# BACKUP THE NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Backing up nginx web server configuration..."
ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# BACKUP THE PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Backing up php-fpm configuration..."
ynh_backup --src_path="/etc/php/7.0/fpm/pool.d/$app.conf"
ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." --last
ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)."


@ -24,7 +24,7 @@ app=$YNH_APP_INSTANCE_NAME
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..."
ynh_script_progression --message="Loading installation settings..." --weight=1
# Needed for helper "ynh_add_nginx_config"
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
@ -50,12 +50,12 @@ fi
#=================================================
# MODIFY URL IN NGINX CONF
#=================================================
ynh_script_progression --message="Updating nginx web server configuration..." --weight=5
ynh_script_progression --message="Updating NGINX web server configuration..." --weight=5
nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
final_path=/var/www/$app
# Change the path in the nginx config file
# Change the path in the NGINX config file
if [ $change_path -eq 1 ]
then
# Make a backup of the original nginx config file if modified
@ -90,14 +90,13 @@ fi
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading nginx web server..." --weight=2
ynh_script_progression --message="Reloading NGINX web server..." --weight=2
ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# last configuration
#=================================================
#=================================================
# END OF SCRIPT
#=================================================


@ -28,7 +28,7 @@ app=$YNH_APP_INSTANCE_NAME
#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
ynh_script_progression --message="Validating installation parameters..."
ynh_script_progression --message="Validating installation parameters..." --weight=1
final_path=/var/www/$app
test ! -e "$final_path" || ynh_die "This path already contains a folder"
@ -44,19 +44,11 @@ ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
ynh_script_progression --message="Storing installation settings..."
ynh_script_progression --message="Storing installation settings..." --weight=1
ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url
#=================================================
# Install dependency to convert tracks to a readable format for the browser
#=================================================
ynh_script_progression --message="Installing dependencies..." --weight=10
ynh_install_app_dependencies $pkg_dependencies
#=================================================
# CREATE DEDICATED USER
#=================================================
@ -68,7 +60,7 @@ ynh_system_user_create --username=$app
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
ynh_script_progression --message="Setting up source files..."
ynh_script_progression --message="Setting up source files..." --weight=4
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# Download, check integrity, uncompress and patch the source from app.src
@ -77,17 +69,19 @@ ynh_setup_source --dest_dir="$final_path"
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring nginx web server..." --weight=2
ynh_script_progression --message="Configuring NGINX web server..." --weight=2
# Create a dedicated nginx config
ynh_add_nginx_config
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring php-fpm..." --weight=20
ynh_script_progression --message="Configuring PHP-FPM..." --weight=5
# Create a dedicated php-fpm config
ynh_add_fpm_config
# Create a dedicated PHP-FPM config
ynh_add_fpm_config --phpversion=$YNH_PHP_VERSION --package="$extra_php_dependencies"
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
#=================================================
# Files owned by user app
@ -131,12 +125,12 @@ fi
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading nginx web server..."
ynh_script_progression --message="Reloading NGINX web server..." --weight=1
systemctl reload nginx
ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Installation of $app completed" --last
ynh_script_progression --message="Installation of Garradin completed" --last


@ -19,18 +19,10 @@ app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
#=================================================
# REMOVE DEPENDENCIES
#=================================================
ynh_script_progression --message="Removing dependencies..." --weight=10
# Remove metapackage and its dependencies
ynh_remove_app_dependencies
#=================================================
# REMOVE APP MAIN DIR
#=================================================
ynh_script_progression --message="Removing app main directory..." --weight=3
ynh_script_progression --message="Removing Garradin main directory..." --weight=3
# Remove the app directory securely
ynh_secure_remove --file="$final_path"
@ -38,7 +30,7 @@ ynh_secure_remove --file="$final_path"
#=================================================
# REMOVE NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Removing nginx web server configuration..."
ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1
# Remove the dedicated nginx config
ynh_remove_nginx_config
@ -46,7 +38,7 @@ ynh_remove_nginx_config
#=================================================
# REMOVE PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Removing php-fpm configuration..." --weight=2
ynh_script_progression --message="Removing PHP-FPM configuration..." --weight=2
# Remove the dedicated php-fpm config
ynh_remove_fpm_config
@ -65,4 +57,4 @@ ynh_system_user_delete --username=$app
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Removal of $app completed" --last
ynh_script_progression --message="Removal of Garradin completed" --last
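Review bot: With the `ynh_remove_app_dependencies` step gone, nothing visible in this script uninstalls the `php${YNH_PHP_VERSION}-sqlite3` package that the install script now requests through `ynh_add_fpm_config --package="$extra_php_dependencies"`. If `ynh_remove_fpm_config` does not remove that dependency itself (its behaviour is not visible here), the package stays installed after the app is removed. Either confirm the helper covers it, or keep `ynh_remove_app_dependencies` ahead of the PHP-FPM removal step.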


@ -20,13 +20,14 @@ ynh_abort_if_errors
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading settings..."
ynh_script_progression --message="Loading settings..." --weight=1
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
#=================================================
# CHECK IF THE APP CAN BE RESTORED
@ -49,7 +50,7 @@ ynh_restore_file "/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
# RESTORE THE APP MAIN DIR
#=================================================
ynh_script_progression --message="Restoring the app main directory..."
ynh_script_progression --message="Restoring Garradin main directory..." --weight=5
ynh_restore_file "$final_path"
@ -68,34 +69,27 @@ ynh_system_user_create --username=$app
# Restore permissions on app files
chown -R $app:$app $final_path
#=================================================
# SPECIFIC RESTORATION
#=================================================
# REINSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Reinstalling dependencies..." --weight=10
# Define and install dependencies
ynh_install_app_dependencies $pkg_dependencies
#=================================================
# RESTORE THE PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Restore php-fpm configuration..." --weight=30
ynh_script_progression --message="Reconfiguring PHP-FPM..." --weight=6
ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
ynh_add_fpm_config --phpversion=$YNH_PHP_VERSION --package="$extra_php_dependencies"
ynh_restore_file --origin_path="/etc/php/7.0/fpm/pool.d/$app.conf"
#=================================================
# GENERIC FINALIZATION
#=================================================
# RELOAD NGINX AND PHP-FPM
#=================================================
ynh_script_progression --message="Reloading nginx web server and php-fpm..." --weight=1
ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." --weight=1
ynh_systemd_action --service_name=php7.0-fpm --action=reload
ynh_systemd_action --service_name=php${phpversion}-fpm --action=reload
ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Restoration completed for $app" --last
ynh_script_progression --message="Restoration completed for Garradin" --last
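Review bot: `phpversion` is read once from the restored settings and then used unchecked in `/etc/php/$phpversion/fpm/pool.d/$app.conf` and in `--service_name=php${phpversion}-fpm`. An archive made before this change presumably carries no `phpversion` key, which would yield `/etc/php//fpm/pool.d/...` and a `php-fpm` service name. In addition, `ynh_add_fpm_config --phpversion=$YNH_PHP_VERSION` can change the stored version after the variable was read, so the reload may target the wrong service. The install script re-reads the setting after the helper; doing the same here with `phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)` right after `ynh_add_fpm_config`, plus an early `ynh_die` when the value is empty before `ynh_restore_file`, would close both gaps. The surrounding script is only partly shown in these hunks.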


@ -19,22 +19,18 @@ app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path) || ynh_die "This path already contains a folder"
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
#=================================================
# CHECK VERSION
#=================================================
### This helper will compare the version of the currently installed app and the version of the upstream package.
### $upgrade_type can have 2 different values
### - UPGRADE_APP if the upstream app version has changed
### - UPGRADE_PACKAGE if only the YunoHost package has changed
### ynh_check_app_version_changed will stop the upgrade if the app is up to date.
### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do.
upgrade_type=$(ynh_check_app_version_changed)
#=================================================
# ENSURE DOWNWARD COMPATIBILITY
#=================================================
ynh_script_progression --message="Ensuring downward compatibility..."
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
# If final_path doesn't exist, create it
if [ -z "$final_path" ]; then
@ -83,7 +79,7 @@ fi
#=================================================
# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
#=================================================
ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=30
ynh_script_progression --message="Backing up Garradin before upgrading (may take a while)..." --weight=30
# Backup the current version of the app
ynh_backup_before_upgrade
@ -94,22 +90,10 @@ ynh_clean_setup () {
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
# #=================================================
# # CHECK THE PATH
# #=================================================
# Normalize the URL path syntax
# N.B. : this is for app installations before YunoHost 2.7
# where this value might be something like /foo/ or foo/
# instead of /foo ....
# If nobody installed your app before 2.7, then you may
# safely remove this line
#path_url=$(ynh_normalize_url_path --path_url=$path_url)
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
ynh_script_progression --message="Upgrading source files..."
ynh_script_progression --message="Upgrading source files..." --weight=5
if [ "$upgrade_type" == "UPGRADE_APP" ]
then
@ -117,37 +101,29 @@ then
ynh_setup_source --dest_dir="$final_path"
fi
#=================================================
# UPGRADE DEPENDENCIES
#=================================================
ynh_script_progression --message="Upgrading dependencies..." --weight=5
ynh_install_app_dependencies $pkg_dependencies
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Making sure dedicated system user exists..."
ynh_script_progression --message="Making sure dedicated system user exists..." --weight=1
# Create a dedicated user (if not existing)
ynh_system_user_create --username=$app
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=2
ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=2
# Create a dedicated nginx config
# Create a dedicated NGINX config
ynh_add_nginx_config
#=================================================
# PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading php-fpm configuration..." --weight=2
ynh_script_progression --message="Upgrading PHP-FPM configuration..." --weight=2
# Create a dedicated php-fpm config
ynh_add_fpm_config
# Create a dedicated PHP-FPM config
ynh_add_fpm_config --phpversion=$YNH_PHP_VERSION --package="$extra_php_dependencies"
#=======================================================
# backup bdd, squelettes directory and config.local.php
@ -197,11 +173,12 @@ fi
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading nginx web server..."
ynh_script_progression --message="Reloading NGINX web server..." --weight=1
ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# END OF SCRIPT
#=================================================
ynh_script_progression --message="Upgrade of $app completed" --last
ynh_script_progression --message="Upgrade of Garradin completed" --last
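Review bot: Nothing in the visible hunks removes the pool file that earlier versions of this package wrote to the hard-coded `/etc/php/7.0/fpm/pool.d/$app.conf`, so after `ynh_add_fpm_config --phpversion=$YNH_PHP_VERSION` an upgraded instance may keep a second, unused PHP 7.0 pool and socket. Unless the helper cleans this up when no `phpversion` setting exists yet (not visible here), a guarded removal before the PHP-FPM step would cover it: `if [ -z "$phpversion" ]; then ynh_secure_remove --file="/etc/php/7.0/fpm/pool.d/$app.conf"; fi`. The `phpversion` value loaded at the top of the script is otherwise unused in the lines shown.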