From cc08c702240e0ff8ff35abcf0590e928a47323bf Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 20 Mar 2019 20:22:37 +0100 Subject: [PATCH 1/9] Quickfix for path traversal issue --- conf/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 2e085c9..a416de2 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -6,7 +6,7 @@ location = /.well-known/caldav { } location ^~ __PATH__ { - alias __FINALPATH__/; + alias __FINALPATH__; if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; From 0be7e16d743ce501dd53ff9fdca203c06595a502 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 20 Mar 2019 20:56:17 +0100 Subject: [PATCH 2/9] Add `/` at the end of the location + add rewrite rule --- conf/nginx.conf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index a416de2..6b18d36 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -5,8 +5,9 @@ location = /.well-known/caldav { return 301 https://$server_name__PATH__/remote.php/dav; } -location ^~ __PATH__ { - alias __FINALPATH__; +#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; +location ^~ __PATH__/ { + alias __FINALPATH__/; if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; @@ -42,7 +43,7 @@ location ^~ __PATH__ { #rewrite ^/.well-known/host-meta __PATH__/public.php?service=host-meta last; #rewrite ^/.well-known/host-meta.json __PATH__/public.php?service=host-meta-json last; - location __PATH__ { + location __PATH__/ { rewrite ^ __PATH__/index.php$request_uri; } From 493172ea4dfc812518df575e6b18c982e31a3e7e Mon Sep 17 00:00:00 2001 
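Review bot: The `location ^~ __PATH__/` / `alias __FINALPATH__/` pair in the first hunk of PATCH 2 is the right shape, but nothing in the file says why both trailing slashes matter, and PATCH 1 shows how easily one of them gets dropped again. I would add above the location line: `# Keep the trailing slash on BOTH location and alias: with "location ^~ __PATH__" + "alias __FINALPATH__/", nginx maps "__PATH__../x" to "__FINALPATH__/../x" (path traversal outside the app directory).` The `#sub_path_only` marker on the new rewrite suggests the root-install case is special-cased by whatever expands `__PATH__`; if that expansion does not also collapse `__PATH__/` to `/` for a root install, the result is `location ^~ //`, which I could not confirm from here. The enclosing server block starts and ends outside the hunk.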
From: Jimmy Monin Date: Sun, 24 Mar 2019 22:57:40 +0100 Subject: [PATCH 3/9] Add fail2ban configuration --- manifest.json | 2 +- scripts/_common.sh | 160 ++++++++++++++++++++++++++++++++++++++++++++- scripts/backup | 8 +++ scripts/install | 8 +++ scripts/remove | 8 +++ scripts/restore | 17 +++++ scripts/upgrade | 8 +++ 7 files changed, 207 insertions(+), 4 deletions(-) diff --git a/manifest.json b/manifest.json index cd64223..b4b54e3 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Access & share your files, calendars, contacts, mail & more from any device, on your terms", "fr": "Consultez et partagez vos fichiers, agendas, carnets d'adresses, emails et bien plus depuis les appareils de votre choix, sous vos conditions" }, - "version": "15.0.5~ynh1", + "version": "15.0.5~ynh2", "url": "https://nextcloud.com", "license": "AGPL-3.0", "maintainer": { diff --git a/scripts/_common.sh b/scripts/_common.sh index 4a5a280..64f2467 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -5,6 +5,160 @@ pkg_dependencies="php-gd php-json php-intl php-mcrypt php-curl php-apcu php-redis php-ldap php-imagick php-zip php-mbstring php-xml imagemagick acl tar smbclient at" +#================================================= +# UNSTABLE HELPERS +#================================================= + +# Create a dedicated fail2ban config (jail and filter conf files) +# +# usage 1: ynh_add_fail2ban_config --logpath=log_file --failregex=filter [--max_retry=max_retry] [--ports=ports] +# | arg: -l, --logpath= - Log file to be checked by fail2ban +# | arg: -r, --failregex= - Failregex to be looked for by fail2ban +# | arg: -m, --max_retry= - Maximum number of retries allowed before banning IP address - default: 3 +# | arg: -p, --ports= - Ports blocked for a banned IP address - default: http,https +# +# ----------------------------------------------------------------------------- +# +# usage 2: ynh_add_fail2ban_config --use_template [--others_var="list of others variables to replace"] +# | arg: -t, --use_template - Use this helper in template mode +# | arg: -v, --others_var= - List of others variables to replace separeted by a space +# | for example : 'var_1 var_2 ...' +# +# This will use a template in ../conf/f2b_jail.conf and ../conf/f2b_filter.conf +# __APP__ by $app +# +# You can dynamically replace others variables by example : +# __VAR_1__ by $var_1 +# __VAR_2__ by $var_2 +# +# Generally your template will look like that by example (for synapse): +# +# f2b_jail.conf: +# [__APP__] +# enabled = true +# port = http,https +# filter = __APP__ +# logpath = /var/log/__APP__/logfile.log +# maxretry = 3 +# +# f2b_filter.conf: +# [INCLUDES] +# before = common.conf +# [Definition] +# +# # Part of regex definition (just used to make more easy to make the global regex) +# __synapse_start_line = .? \- synapse\..+ \- +# +# # Regex definition. 
+# failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- \- \d+ \- Received request\: POST /_matrix/client/r0/login\??%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{u'type': u'm.id.user', u'user'\: u'(.+?)'\}, medium\: None, address: None, user\: u'\5'%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\5\:.+ but they do not exist|Failed password login for user @\5\:.+)$ +# +# ignoreregex = +# +# ----------------------------------------------------------------------------- +# +# Note about the "failregex" option: +# regex to match the password failure messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# +# You can find some more explainations about how to make a regex here : +# https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters +# +# Note that the logfile need to exist before to call this helper !! +# +# To validate your regex you can test with this command: +# fail2ban-regex /var/log/YOUR_LOG_FILE_PATH /etc/fail2ban/filter.d/YOUR_APP.conf +# +# Requires YunoHost version 3.?.? or higher. +ynh_add_fail2ban_config () { + # Declare an array to define the options of this helper. 
+ local legacy_args=lrmptv + declare -Ar args_array=( [l]=logpath= [r]=failregex= [m]=max_retry= [p]=ports= [t]=use_template [v]=others_var=) + local logpath + local failregex + local max_retry + local ports + local others_var + local use_template + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + use_template="${use_template:-0}" + max_retry=${max_retry:-3} + ports=${ports:-http,https} + + finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" + finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" + ynh_backup_if_checksum_is_different "$finalfail2banjailconf" + ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" + + if [ $use_template -eq 1 ] + then + # Usage 2, templates + cp ../conf/f2b_jail.conf $finalfail2banjailconf + cp ../conf/f2b_filter.conf $finalfail2banfilterconf + + if [ -n "${app:-}" ] + then + ynh_replace_string "__APP__" "$app" "$finalfail2banjailconf" + ynh_replace_string "__APP__" "$app" "$finalfail2banfilterconf" + fi + + # Replace all other variable given as arguments + for var_to_replace in ${others_var:-}; do + # ${var_to_replace^^} make the content of the variable on upper-cases + # ${!var_to_replace} get the content of the variable named $var_to_replace + ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banjailconf" + ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banfilterconf" + done + + else + # Usage 1, no template. Build a config file from scratch. + test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing." + test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing." 
+ + tee $finalfail2banjailconf < Date: Mon, 25 Mar 2019 19:52:08 +0100 Subject: [PATCH 4/9] Add ynh_systemd_action unstable helper --- scripts/_common.sh | 96 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index 64f2467..1b4d782 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -9,6 +9,102 @@ pkg_dependencies="php-gd php-json php-intl php-mcrypt php-curl php-apcu php-redi # UNSTABLE HELPERS #================================================= +# Start (or other actions) a service, print a log in case of failure and optionnaly wait until the service is completely started +# +# usage: ynh_systemd_action [-n service_name] [-a action] [ [-l "line to match"] [-p log_path] [-t timeout] [-e length] ] +# | arg: -n, --service_name= - Name of the service to start. Default : $app +# | arg: -a, --action= - Action to perform with systemctl. Default: start +# | arg: -l, --line_match= - Line to match - The line to find in the log to attest the service have finished to boot. +# If not defined it don't wait until the service is completely started. +# WARNING: When using --line_match, you should always add `ynh_clean_check_starting` into your +# `ynh_clean_setup` at the beginning of the script. Otherwise, tail will not stop in case of failure +# of the script. The script will then hang forever. +# | arg: -p, --log_path= - Log file - Path to the log file. Default : /var/log/$app/$app.log +# | arg: -t, --timeout= - Timeout - The maximum time to wait before ending the watching. Default : 300 seconds. +# | arg: -e, --length= - Length of the error log : Default : 20 +ynh_systemd_action() { + # Declare an array to define the options of this helper. 
+ declare -Ar args_array=( [n]=service_name= [a]=action= [l]=line_match= [p]=log_path= [t]=timeout= [e]=length= ) + local service_name + local action + local line_match + local length + local log_path + local timeout + + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + + local service_name="${service_name:-$app}" + local action=${action:-start} + local log_path="${log_path:-/var/log/$service_name/$service_name.log}" + local length=${length:-20} + local timeout=${timeout:-300} + + # Start to read the log + if [[ -n "${line_match:-}" ]] + then + local templog="$(mktemp)" + # Following the starting of the app in its log + if [ "$log_path" == "systemd" ] ; then + # Read the systemd journal + journalctl --unit=$service_name --follow --since=-0 --quiet > "$templog" & + # Get the PID of the journalctl command + local pid_tail=$! + else + # Read the specified log file + tail -F -n0 "$log_path" > "$templog" 2>&1 & + # Get the PID of the tail command + local pid_tail=$! + fi + fi + + ynh_print_info --message="${action^} the service $service_name" + + # Use reload-or-restart instead of reload. So it wouldn't fail if the service isn't running. + if [ "$action" == "reload" ]; then + action="reload-or-restart" + fi + + systemctl $action $service_name \ + || ( journalctl --no-pager --lines=$length -u $service_name >&2 \ + ; test -e "$log_path" && echo "--" >&2 && tail --lines=$length "$log_path" >&2 \ + ; false ) + + # Start the timeout and try to find line_match + if [[ -n "${line_match:-}" ]] + then + local i=0 + for i in $(seq 1 $timeout) + do + # Read the log until the sentence is found, that means the app finished to start. Or run until the timeout + if grep --quiet "$line_match" "$templog" + then + ynh_print_info --message="The service $service_name has correctly started." + break + fi + if [ $i -eq 3 ]; then + echo -n "Please wait, the service $service_name is ${action}ing" >&2 + fi + if [ $i -ge 3 ]; then + echo -n "." 
>&2 + fi + sleep 1 + done + if [ $i -ge 3 ]; then + echo "" >&2 + fi + if [ $i -eq $timeout ] + then + ynh_print_warn --message="The service $service_name didn't fully started before the timeout." + ynh_print_warn --message="Please find here an extract of the end of the log of the service $service_name:" + journalctl --no-pager --lines=$length -u $service_name >&2 + test -e "$log_path" && echo "--" >&2 && tail --lines=$length "$log_path" >&2 + fi + ynh_clean_check_starting + fi +} + # Create a dedicated fail2ban config (jail and filter conf files) # # usage 1: ynh_add_fail2ban_config --logpath=log_file --failregex=filter [--max_retry=max_retry] [--ports=ports] From acffd4cf383cf31c238fdec3244e8434655b6138 Mon Sep 17 00:00:00 2001 From: Jimmy Monin Date: Thu, 4 Apr 2019 22:28:24 +0200 Subject: [PATCH 5/9] Fix OPcache warnings --- conf/php-fpm.ini | 7 ------- scripts/upgrade | 4 ++++ 2 files changed, 4 insertions(+), 7 deletions(-) delete mode 100644 conf/php-fpm.ini diff --git a/conf/php-fpm.ini b/conf/php-fpm.ini deleted file mode 100644 index 104f242..0000000 --- a/conf/php-fpm.ini +++ /dev/null @@ -1,7 +0,0 @@ -opcache.enable=1 -opcache.enable_cli=1 -opcache.interned_strings_buffer=8 -opcache.max_accelerated_files=10000 -opcache.memory_consumption=128 -opcache.save_comments=1 -opcache.revalidate_freq=1 diff --git a/scripts/upgrade b/scripts/upgrade index d905f64..c600414 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -140,6 +140,10 @@ ynh_print_info "Upgrading php-fpm configuration..." # Create a dedicated php-fpm config ynh_add_fpm_config +# Delete existing ini configuration file (backward compatibility) +if [ -f /etc/php/7.0/fpm/conf.d/20-$app.ini ]; then + ynh_secure_remove /etc/php/7.0/fpm/conf.d/20-$app.ini +fi #================================================= # UPGRADE DEPENDENCIES #================================================= From 779173d6c4fb229d7cb0590be6a5f08c2f55c560 Mon Sep 17 00:00:00 2001 
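Review bot: In the wait loop of `ynh_systemd_action`, the timeout warning fires even when `line_match` is found on the last iteration: `break` leaves `i` equal to `$timeout`, so `[ $i -eq $timeout ]` then reports that the service did not start and dumps the logs anyway. A minimal fix is `if [ $i -eq $timeout ] && ! grep --quiet "$line_match" "$templog"`, or track an explicit found flag. `grep --quiet "$line_match"` also treats the pattern as a basic regular expression, which the usage comment does not say; either document it (`# | arg: -l, --line_match= - Line to match (grep basic regex, not a literal string)`) or pass `--fixed-strings` if callers only ever supply literal text. The `$templog` from mktemp and the background `$pid_tail` are only reclaimed by `ynh_clean_check_starting`, which this patch does not define; it must exist elsewhere in `_common.sh` or the core helpers, otherwise the call at the end of the loop fails and the tail process and temp file are left behind.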
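Review bot: The removal added to `scripts/upgrade` hardcodes the PHP 7.0 path `/etc/php/7.0/fpm/conf.d/20-$app.ini`; if the app is ever installed against another PHP version the stale ini is left behind and keeps overriding the pool's `php_value[opcache.*]` entries visible in `conf/php-fpm.conf`. If the script has a PHP version variable in scope (not visible here), build the path from it instead of the literal `7.0`. A one-line comment saying where that file came from would also help future readers, e.g. `# conf/php-fpm.ini used to be installed here; opcache settings now live in conf/php-fpm.conf`. The UPGRADE DEPENDENCIES section that follows is outside the hunk.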
From: Jimmy Monin Date: Thu, 4 Apr 2019 22:28:53 +0200 Subject: [PATCH 6/9] Fix PATH warning --- conf/php-fpm.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 74825fa..60ddc95 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -392,7 +392,7 @@ chdir = __FINALPATH__ ;env[TMP] = /tmp ;env[TMPDIR] = /tmp ;env[TEMP] = /tmp - +env[PATH] = $PATH ; Additional php.ini defines, specific to this pool of workers. These settings ; overwrite the values previously defined in the php.ini. The directives are the ; same as the PHP SAPI: From 477391a2031bb6827910c1bc6a6a1feabbdfbdaf Mon Sep 17 00:00:00 2001 From: Jimmy Monin Date: Thu, 4 Apr 2019 22:29:06 +0200 Subject: [PATCH 7/9] Fix always_populate_raw_post_data warning --- conf/php-fpm.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 60ddc95..f13ed6d 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -433,7 +433,6 @@ env[PATH] = $PATH php_value[upload_max_filesize] = 10G php_value[post_max_size] = 10G php_value[default_charset] = UTF-8 -php_value[always_populate_raw_post_data] = -1 php_value[opcache.enable]=1 php_value[opcache.enable_cli]=1 php_value[opcache.interned_strings_buffer]=8 From 2549f0ed40fe217907fc91386d4b4fb97d0aff5b Mon Sep 17 00:00:00 2001 From: Jimmy Monin Date: Thu, 4 Apr 2019 22:29:43 +0200 Subject: [PATCH 8/9] Fix impossible upload via web interface --- conf/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 3159d95..6c5d7ec 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
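Review bot: `env[PATH] = $PATH` makes the workers' search path whatever the php-fpm master process happened to inherit at start-up; under systemd that is a fixed default, but a manual restart from an administrator's shell would hand the pool that shell's PATH, including any user-writable directories in it. Pin the value instead, `env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`, which is also the literal form the shipped php-fpm.conf uses for its `env[]` examples. The hunk also replaces the blank separator line before the `; Additional php.ini defines` comment block; keep an empty line between the directive and that comment. Whether Nextcloud needs anything beyond the standard system directories on PATH is not visible from here.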
@@ -65,7 +65,7 @@ location ^~ __PATH__/ { location ~ ^__PATH__/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|ocm-provider/.+)\.php(/.*|)$ { include fastcgi_params; - fastcgi_split_path_info ^(.+\.php)(/.*|)$; + fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS on; From a6ac80820dbc315cda93d5360ee48ea15181a038 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Mon, 15 Apr 2019 20:55:42 +0200 Subject: [PATCH 9/9] Move from ci-apps-dev to ci-apps-hq --- pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pull_request_template.md b/pull_request_template.md index 1301157..da30b7b 100644 --- a/pull_request_template.md +++ b/pull_request_template.md @@ -19,6 +19,6 @@ - [ ] **Approval (LGTM)** : - [ ] **Approval (LGTM)** : - **CI succeeded** : -[![Build Status](https://ci-apps-dev.yunohost.org/jenkins/job/nextcloud_ynh%20PR-NUM-/badge/icon)](https://ci-apps-dev.yunohost.org/jenkins/job/nextcloud_ynh%20PR-NUM-/) +[![Build Status](https://ci-apps-hq.yunohost.org/jenkins/job/nextcloud_ynh%20PR-NUM-/badge/icon)](https://ci-apps-hq.yunohost.org/jenkins/job/nextcloud_ynh%20PR-NUM-/) *Please replace '-NUM-' in this link by the PR number.* When the PR is marked as ready to merge, you have to wait for 3 days before really merging it.
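Review bot: The new `fastcgi_split_path_info ^(.+\.php)(/.+)$` is greedy, so `(.+\.php)` stretches to the last `.php` segment of the URI; a WebDAV request such as `__PATH__/remote.php/dav/files/alice/notes.php/x` is split into script `.../notes.php` and PATH_INFO `/x` instead of `/dav/files/alice/notes.php/x`. Because SCRIPT_FILENAME is taken from `$request_filename` rather than `$fastcgi_script_name`, the script lookup may still succeed through PHP's path-info fixing, but the PATH_INFO handed to PHP is wrong for any user path containing a `.php` segment. Use the non-greedy form `fastcgi_split_path_info ^(.+?\.php)(/.+)$;`, which I believe is what the upstream Nextcloud nginx sample uses — worth confirming against the current docs. The `location ~ ...\.php(/.*|)$` block and the `location ^~ __PATH__/` it sits in both end outside the hunk.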