diff --git a/README.md b/README.md index bf20566..865fc0c 100644 --- a/README.md +++ b/README.md @@ -5,10 +5,10 @@ Nextcloud for YunoHost own data. A personal cloud which run on your own server. With Nextcloud you can synchronize your files over your devices. -**Shipped version:** 13.0.6 +**Shipped version:** 15.0.4 [![Install Nextcloud with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=nextcloud) -![](https://github.com/nextcloud/screenshots/blob/master/files/filelist.png) +![](https://raw.githubusercontent.com/nextcloud/screenshots/master/files/Files%20Overview.png) ## Features diff --git a/conf/nginx.conf b/conf/nginx.conf index 3eee860..2e085c9 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -13,22 +13,23 @@ location ^~ __PATH__ { } # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000;"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; + more_set_headers "Strict-Transport-Security: max-age=15768000"; + more_set_headers "X-Content-Type-Options: nosniff"; + more_set_headers "X-XSS-Protection: 1; mode=block"; + more_set_headers "X-Robots-Tag: none"; + more_set_headers "X-Download-Options: noopen"; + more_set_headers "X-Permitted-Cross-Domain-Policies: none"; + more_set_headers "Referrer-Policy: no-referrer"; # Set max upload size client_max_body_size 10G; fastcgi_buffers 64 4K; - + # Extend timeouts client_body_timeout 60m; proxy_read_timeout 60m; fastcgi_read_timeout 60m; - + # Disable gzip to avoid the removal of the ETag header gzip off; @@ -77,14 +78,16 @@ location ^~ __PATH__ { # Adding the cache control header for js and css files location ~* \.(?:css|js)$ { - add_header Cache-Control "public, max-age=7200"; + more_set_headers "Cache-Control: public, max-age=7200"; # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000;"; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; + more_set_headers "Strict-Transport-Security: max-age=15768000"; + more_set_headers "X-Content-Type-Options: nosniff"; + more_set_headers "X-XSS-Protection: 1; mode=block"; + more_set_headers "X-Robots-Tag: none"; + more_set_headers "X-Download-Options: noopen"; + more_set_headers "X-Permitted-Cross-Domain-Policies: none"; + more_set_headers "Referrer-Policy: no-referrer"; + # Optional: Don't log access to assets access_log off; } diff --git a/manifest.json b/manifest.json index 1c09dac..43bf976 100644 --- a/manifest.json +++ b/manifest.json @@ -6,12 +6,12 @@ "en": "Access & share your files, calendars, contacts, mail & more from any device, on your terms", "fr": "Consultez et partagez vos fichiers, agendas, carnets d'adresses, emails et bien plus depuis les appareils de votre choix, sous vos conditions" }, - "version": "13.0.6~ynh1", + "version": "15.0.4~ynh1", "url": "https://nextcloud.com", "license": "AGPL-3.0", "maintainer": { - "name": "-", - "email": "-" + "name": "YunoHost Contributors", + "email": "apps@yunohost.org" }, "requirements": { "yunohost": ">= 2.7.2" diff --git a/scripts/_common.sh b/scripts/_common.sh index 7ce131e..e523909 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -3,7 +3,7 @@ # COMMON VARIABLES #================================================= -pkg_dependencies="php5-gd php5-json php5-intl php5-mcrypt php5-curl php5-apcu php5-redis php5-ldap php5-imagick imagemagick acl tar smbclient" +pkg_dependencies="php5-gd php5-json php5-intl php5-mcrypt php5-curl php5-apcu php5-redis php5-ldap php5-imagick imagemagick acl tar smbclient at" if [ "$(lsb_release --codename --short)" != "jessie" ]; then pkg_dependencies="$pkg_dependencies php-zip php-apcu php-mbstring php-xml" @@ -356,3 +356,29 @@ ynh_multimedia_addaccess () { groupadd -f multimedia usermod -a -G multimedia $user_name } + +ynh_smart_mktemp () { + local min_size="${1:-300}" + # Transform the minimum size from megabytes to kilobytes + min_size=$(( $min_size * 1024 )) + + # Check if there's enough free space in a directory + is_there_enough_space () { + local free_space=$(df --output=avail "$1" | sed 1d) + test $free_space -ge $min_size + } + + if is_there_enough_space /tmp; then + local tmpdir=/tmp + elif is_there_enough_space /var; then + local tmpdir=/var + elif is_there_enough_space /; then + local tmpdir=/ + elif is_there_enough_space /home; then + local tmpdir=/home + else + ynh_die "Insufficient free space to continue..." + fi + + echo "$(sudo mktemp --directory --tmpdir="$tmpdir")" +} diff --git a/scripts/install b/scripts/install index f46d396..5bc37bf 100755 --- a/scripts/install +++ b/scripts/install @@ -79,6 +79,8 @@ ynh_replace_string "__VERSION__" "$next_version" "../conf/app.src" ynh_replace_string "__SHA256_SUM__" "$nextcloud_source_sha256" "../conf/app.src" ynh_app_setting_set $app final_path $final_path +# Enable YunoHost patches on Nextcloud sources +cp -a ../sources/patches_last_version/* ../sources/patches # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source "$final_path" @@ -234,6 +236,11 @@ ynh_replace_string "#DESTDIR#" "$final_path" "$cron_path" exec_occ background:cron +#================================================= +# POST-INSTALL MAINTENANCE +#================================================= +(cd /tmp ; at now + 10 minutes <<< "(cd $final_path ; sudo -u $app php occ db:add-missing-indices ; sudo -u $app php occ db:convert-filecache-bigint -n) > /tmp/${app}_maintenance.log") + #================================================= # CONFIGURE THE HOOK FILE FOR USER CREATE #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 6c54ca5..d58f4b0 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -176,6 +176,8 @@ do # then it's the last upgrade to do if [ "$major_version" -eq "$current_major_version" ]; then current_major_version=last + # Execute the commands dedicated to the last upgrade + last_upgrade_operations fi # Load the value for this version @@ -189,7 +191,7 @@ do ynh_replace_string "__SHA256_SUM__" "$nextcloud_source_sha256" "../conf/app.src" # Create a temporary directory - tmpdir=$(mktemp -d) + tmpdir="$(ynh_smart_mktemp 300)" # Install the next nextcloud version in $tmpdir ynh_setup_source "$tmpdir" @@ -208,6 +210,7 @@ do # Replace the old nextcloud by the new one ynh_secure_remove "$final_path" mv "$tmpdir" "$final_path" + ynh_secure_remove "$tmpdir" # Set write access for the following commands chown -R $app: "$final_path" "$datadir" diff --git a/scripts/upgrade.d/upgrade.13.sh b/scripts/upgrade.d/upgrade.13.sh new file mode 100644 index 0000000..f979aa9 --- /dev/null +++ b/scripts/upgrade.d/upgrade.13.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# Last available nextcloud version +next_version="14.0.0" + +# Nextcloud tarball checksum sha256 +nextcloud_source_sha256="f965c14286e7aabbfe49c947d86af59597af302c35d10e0b5440e7e6c53b8f47" diff --git a/scripts/upgrade.d/upgrade.14.sh b/scripts/upgrade.d/upgrade.14.sh new file mode 100755 index 0000000..8c5e80c --- /dev/null +++ b/scripts/upgrade.d/upgrade.14.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +# Last available nextcloud version +next_version="15.0.0" + +# Nextcloud tarball checksum sha256 +nextcloud_source_sha256="5bb0c58171353da844019b64080c21078002a59ab956ab72adb958844a98eb78" \ No newline at end of file diff --git a/scripts/upgrade.d/upgrade.last.sh b/scripts/upgrade.d/upgrade.last.sh index 4bcad4e..80d65dd 100755 --- a/scripts/upgrade.d/upgrade.last.sh +++ b/scripts/upgrade.d/upgrade.last.sh @@ -1,10 +1,16 @@ #!/bin/bash # Last available nextcloud version -next_version="13.0.6" +next_version="15.0.4" # Nextcloud tarball checksum sha256 -nextcloud_source_sha256="90fc9e960b6a477bb14ee87042b3d158bde95c3f0157677cb4547ca7649968d4" +nextcloud_source_sha256="f87db047c174f563e391a22c959d9ace767ca14ef0f97fc394f3061fc63d8f77" -# Patch nextcloud files only for the last version -cp -a ../sources/patches_last_version/* ../sources/patches +# This function will only be executed upon applying the last upgrade referenced above +last_upgrade_operations () { + # Patch nextcloud files only for the last version + cp -a ../sources/patches_last_version/* ../sources/patches + + # Execute post-upgrade operations later on + (cd /tmp ; at now + 10 minutes <<< "(cd $final_path ; sudo -u $app php occ db:add-missing-indices ; sudo -u $app php occ db:convert-filecache-bigint -n) > /tmp/${app}_maintenance.log") +} diff --git a/sources/patches_last_version/app-00-add-logout_url-conf.patch b/sources/patches_last_version/app-00-add-logout_url-conf.patch index 3659fb1..2e70ba7 100644 --- a/sources/patches_last_version/app-00-add-logout_url-conf.patch +++ b/sources/patches_last_version/app-00-add-logout_url-conf.patch @@ -1,14 +1,62 @@ + core/Controller/LoginController.php | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php +index 182d2bc106..82523e306e 100644 --- a/core/Controller/LoginController.php +++ b/core/Controller/LoginController.php -@@ -119,7 +119,10 @@ +@@ -95,13 +95,13 @@ class LoginController extends Controller { + * @param Throttler $throttler + */ + public function __construct($appName, +- IRequest $request, +- IUserManager $userManager, +- IConfig $config, +- ISession $session, +- IUserSession $userSession, +- IURLGenerator $urlGenerator, +- ILogger $logger, ++ IRequest $request, ++ IUserManager $userManager, ++ IConfig $config, ++ ISession $session, ++ IUserSession $userSession, ++ IURLGenerator $urlGenerator, ++ ILogger $logger, + Manager $twoFactorManager, + Defaults $defaults, + Throttler $throttler) { +@@ -130,7 +130,10 @@ class LoginController extends Controller { } $this->userSession->logout(); - + - $response = new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')); + $redirectUrl = $this->config->getSystemValue('logout_url', -+ $this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm') ++ $this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm') + ); + $response = new RedirectResponse($redirectUrl); - $response->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"'); + $response->addHeader('Clear-Site-Data', '"cache", "storage", "executionContexts"'); return $response; } +@@ -303,10 +306,10 @@ class LoginController extends Controller { + $previousUser = $user; + $user = $users[0]->getUID(); + if($user !== $previousUser) { +- $loginResult = $this->userManager->checkPassword($user, $password); +- } ++ $loginResult = $this->userManager->checkPassword($user, $password); + } + } ++ } + + if ($loginResult === false) { + $this->logger->warning('Login failed: \''. $user . +@@ -314,7 +317,7 @@ class LoginController extends Controller { + ['app' => 'core']); + return $this->createLoginFailedResponse($user, $originalUser, + $redirect_url, self::LOGIN_MSG_INVALIDPASSWORD); +- } ++ } + + // TODO: remove password checks from above and let the user session handle failures + // requires https://github.com/owncloud/core/pull/24616 diff --git a/sources/patches_last_version/app-01-disable-CSPv3-nonce_and_allow-YNH-fonts.patch b/sources/patches_last_version/app-01-disable-CSPv3-nonce_and_allow-YNH-fonts.patch index f5ced3a..d5a609a 100644 --- a/sources/patches_last_version/app-01-disable-CSPv3-nonce_and_allow-YNH-fonts.patch +++ b/sources/patches_last_version/app-01-disable-CSPv3-nonce_and_allow-YNH-fonts.patch @@ -1,33 +1,33 @@ - lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php | 4 ++++ - lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 3 ++- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php -index 85ae127f5f..91618a09fc 100644 ---- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php -+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php -@@ -65,6 +65,10 @@ class ContentSecurityPolicyNonceManager { - * @return bool - */ - public function browserSupportsCspV3() { -+ // YunoHost patch: disable CSPv3 nonces to: -+ // - avoid white page on first login from YunoHost portal -+ // - allow YunoHost tile display -+ return false; - $browserWhitelist = [ - Request::USER_AGENT_CHROME, - // Firefox 45+ -diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php -index 64d4eb6e5d..59d5885620 100644 ---- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php -+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php -@@ -377,7 +377,8 @@ class EmptyContentSecurityPolicy { - - if(!empty($this->allowedFontDomains)) { - $policy .= 'font-src ' . implode(' ', $this->allowedFontDomains); -- $policy .= ';'; -+ // YunoHost patch: extend font-src to load data fonts embedded in YunoHost tile script -+ $policy .= ' data:;'; - } - - if(!empty($this->allowedConnectDomains)) { + .../Security/CSP/ContentSecurityPolicyNonceManager.php | 4 ++++ + lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php | 3 ++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php +index 795d8cc864..5f3c961445 100644 +--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php ++++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php +@@ -70,6 +70,10 @@ class ContentSecurityPolicyNonceManager { + * @return bool + */ + public function browserSupportsCspV3(): bool { ++ // YunoHost patch: disable CSPv3 nonces to: ++ // - avoid white page on first login from YunoHost portal ++ // - allow YunoHost tile display ++ return false; + $browserWhitelist = [ + Request::USER_AGENT_CHROME, + // Firefox 45+ +diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +index 3fcef1d0ef..7ce01a68fc 100644 +--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php ++++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php +@@ -449,7 +449,8 @@ class EmptyContentSecurityPolicy { + + if(!empty($this->allowedFontDomains)) { + $policy .= 'font-src ' . implode(' ', $this->allowedFontDomains); +- $policy .= ';'; ++ // YunoHost patch: extend font-src to load data fonts embedded in YunoHost tile script ++ $policy .= ' data:;'; + } + + if(!empty($this->allowedConnectDomains)) { diff --git a/sources/patches_last_version/app-02-Allow-for-eval-in-JS-scripts-for-YunoHost-tile.patch b/sources/patches_last_version/app-02-Allow-for-eval-in-JS-scripts-for-YunoHost-tile.patch new file mode 100644 index 0000000..38f37f9 --- /dev/null +++ b/sources/patches_last_version/app-02-Allow-for-eval-in-JS-scripts-for-YunoHost-tile.patch @@ -0,0 +1,17 @@ + lib/public/AppFramework/Http/ContentSecurityPolicy.php | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php +index e9ecf00036..8e69c8d2dc 100644 +--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php ++++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php +@@ -44,7 +44,8 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy { + /** @var bool Whether inline JS snippets are allowed */ + protected $inlineScriptAllowed = false; + /** @var bool Whether eval in JS scripts is allowed */ +- protected $evalScriptAllowed = false; ++ // YunoHost patch: allow for eval in JS scripts for YunoHost tile ++ protected $evalScriptAllowed = true; + /** @var array Domains from which scripts can get loaded */ + protected $allowedScriptDomains = [ + '\'self\'',