YunoHost-Apps/spip_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/spip_ynh.git synced 2024-09-03 20:25:59 +02:00
Code Issues Activity Actions

Merge pull request #68 from YunoHost-Apps/version-2

Browse source 
Version 2
This commit is contained in:
Éric Gaspar 2023-06-01 10:52:08 +02:00 committed by GitHub
commit 0997504dd6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
24 changed files with 902 additions and 1373 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

130
.github/workflows/updater.sh vendored
View file

@ -1,130 +0,0 @@
#!/bin/bash
#=================================================
# PACKAGE UPDATING HELPER
#=================================================
# This script is meant to be run by GitHub Actions
# The YunoHost-Apps organisation offers a template Action to run this script periodically
# Since each app is different, maintainers can adapt its contents so as to perform
# automatic actions when a new upstream release is detected.
#=================================================
# FETCHING LATEST RELEASE AND ITS ASSETS
#=================================================
# Fetching information
current_version=$(cat manifest.json | jq -j '.version|split("~")[0]')
repo=$(cat manifest.json | jq -j '.upstream.code|split("https://git.spip.net/")[1]')
# Some jq magic is needed, because the latest upstream release is not always the latest version (e.g. security patches for older versions)
version=$(curl --silent "https://git.spip.net/api/v1/repos/spip/spip/tags" | jq -r '.[] | .name' | grep -v "alpha" | grep -v "beta" | grep -v "rc" | sort -V | tail -1)
assets=("https://files.spip.net/spip/archives/spip-$version.zip")
# Later down the script, we assume the version has only digits and dots
# Sometimes the release name starts with a "v", so let's filter it out.
# You may need more tweaks here if the upstream repository has different naming conventions.
if [[ ${version:0:1} == "v" || ${version:0:1} == "V" ]]; then
version=${version:1}
fi
# Setting up the environment variables
echo "Current version: $current_version"
echo "Latest release from upstream: $version"
echo "VERSION=$version" >> $GITHUB_ENV
# For the time being, let's assume the script will fail
echo "PROCEED=false" >> $GITHUB_ENV
# Proceed only if the retrieved version is greater than the current one
if ! dpkg --compare-versions "$current_version" "lt" "$version" ; then
echo "::warning ::No new version available"
exit 0
# Proceed only if a PR for this new version does not already exist
elif git ls-remote -q --exit-code --heads https://github.com/$GITHUB_REPOSITORY.git ci-auto-update-v$version ; then
echo "::warning ::A branch already exists for this update"
exit 0
fi
# Each release can hold multiple assets (e.g. binaries for different architectures, source code, etc.)
echo "${#assets[@]} available asset(s)"
#=================================================
# UPDATE SOURCE FILES
#=================================================
# Here we use the $assets variable to get the resources published in the upstream release.
# Here is an example for Grav, it has to be adapted in accordance with how the upstream releases look like.
# Let's loop over the array of assets URLs
for asset_url in "${assets[@]}"; do
echo "Handling asset at $asset_url"
# Assign the asset to a source file in conf/ directory
# Here we base the source file name upon a unique keyword in the assets url (admin vs. update)
# Leave $src empty to ignore the asset
case $asset_url in
*"v$version.zip"*)
src="app"
;;
*)
src=""
;;
esac
# If $src is not empty, let's process the asset
if [ ! -z "$src" ]; then
# Create the temporary directory
tempdir="$(mktemp -d)"
# Download sources and calculate checksum
filename=${asset_url##*/}
curl --silent -4 -L $asset_url -o "$tempdir/$filename"
checksum=$(sha256sum "$tempdir/$filename" | head -c 64)
# Delete temporary directory
rm -rf $tempdir
# Get extension
if [[ $filename == *.tar.gz ]]; then
extension=tar.gz
else
extension=${filename##*.}
fi
# Rewrite source file
cat <<EOT > conf/$src.src
SOURCE_URL=$asset_url
SOURCE_SUM=$checksum
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=$extension
SOURCE_IN_SUBDIR=false
SOURCE_EXTRACT=true
EOT
echo "... conf/$src.src updated"
else
echo "... asset ignored"
fi
done
#=================================================
# SPECIFIC UPDATE STEPS
#=================================================
# Any action on the app's source code can be done.
# The GitHub Action workflow takes care of committing all changes after this script ends.
#=================================================
# GENERIC FINALIZATION
#=================================================
# Replace new version in manifest
echo "$(jq -s --indent 4 ".[] | .version = \"$version~ynh1\"" manifest.json)" > manifest.json
# No need to update the README, yunohost-bot takes care of it
# The Action will proceed only if the PROCEED environment variable is set to true
echo "PROCEED=true" >> $GITHUB_ENV
exit 0

49
.github/workflows/updater.yml vendored
View file

@ -1,49 +0,0 @@
# This workflow allows GitHub Actions to automagically update your app whenever a new upstream release is detected.
# You need to enable Actions in your repository settings, and fetch this Action from the YunoHost-Apps organization.
# This file should be enough by itself, but feel free to tune it to your needs.
# It calls updater.sh, which is where you should put the app-specific update steps.
name: Check for new upstream releases
on:
# Allow to manually trigger the workflow
workflow_dispatch:
# Run it every day at 6:00 UTC
schedule:
- cron: '0 6 * * *'
jobs:
updater:
runs-on: ubuntu-latest
steps:
- name: Fetch the source code
uses: actions/checkout@v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run the updater script
id: run_updater
run: |
# Setting up Git user
git config --global user.name 'yunohost-bot'
git config --global user.email 'yunohost-bot@users.noreply.github.com'
# Run the updater script
/bin/bash .github/workflows/updater.sh
- name: Commit changes
id: commit
if: ${{ env.PROCEED == 'true' }}
run: |
git commit -am "Upgrade to v$VERSION"
- name: Create Pull Request
id: cpr
if: ${{ env.PROCEED == 'true' }}
uses: peter-evans/create-pull-request@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: Update to version ${{ env.VERSION }}
committer: 'yunohost-bot <yunohost-bot@users.noreply.github.com>'
author: 'yunohost-bot <yunohost-bot@users.noreply.github.com>'
signoff: false
base: testing
branch: ci-auto-update-v${{ env.VERSION }}
delete-branch: true
title: 'Upgrade to version ${{ env.VERSION }}'
body: |
Upgrade to v${{ env.VERSION }}
draft: false

35
README.md
View file

@ -26,41 +26,6 @@ CMS with a focus on collaborative edition and multilingualism
![Screenshot of SPIP](./doc/screenshots/220px-Logo_SPIP.png)
## Disclaimers / important information
## Configuration
How to configure this app: by an admin panel.
#### Multi-users support
* Are LDAP and HTTP auth supported? **Yes**
* Can the app be used by multiple users? **Yes**
## Migrate from SPIP2
**This is not considered as stable yet, please do it with care and only for testing!**
This package handle the migration from SPIP2 to SPIP. For that, your
SPIP2 application must be **up-to-date** in YunoHost. To ensure that, execute:
```bash
sudo yunohost app upgrade -u https://github.com/YunoHost-Apps/spip2_ynh spip2 --debug
```
You will then have to upgrade your SPIP2 application with this repository.
This can only be done from the command-line interface - e.g. through SSH. Once you're connected, you simply have to execute the following:
```bash
sudo yunohost app upgrade -u https://github.com/YunoHost-Apps/spip_ynh spip2 --debug
```
The `--debug` option will let you see the full output. If you encounter any issue, please paste it.
Note that a cron job will be executed at some time after the end of this
command. You must wait that before doing any other application operations!
You should see that SPIP is installed after that.
## Documentation and resources
* Official app website: <http://www.spip.net/>

34
README_fr.md
View file

@ -16,7 +16,7 @@ Si vous navez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po
## Vue densemble
CMS conçu pour l'édition collaborative et le multilinguisme
CMS with a focus on collaborative edition and multilingualism
**Version incluse :** 4.2.2~ynh1
@ -26,38 +26,6 @@ CMS conçu pour l'édition collaborative et le multilinguisme
![Capture décran de SPIP](./doc/screenshots/220px-Logo_SPIP.png)
## Avertissements / informations importantes
## Configuration
Comment configurer cette application: via le panneau d'administration.
#### Support multi-utilisateurs
* L'authentification LDAP et HTTP est-elle prise en charge? **Oui**
* L'application peut-elle être utilisée par plusieurs utilisateurs? **Oui**
## Migration depuis SPIP2
**Ceci n'est pas encore considéré comme stable, veuillez le faire avec soin et uniquement pour test!**
Ce paquet gère la migration de SPIP2 vers SPIP. Pour cela, votre application SPIP2 doit être **à jour** dans YunoHost. Pour s'en assurer :
```bash
sudo yunohost app upgrade -u https://github.com/YunoHost-Apps/spip2_ynh spip2 --debug
```
Vous devrez ensuite mettre à jour votre application SPIP2 avec ce dépôt.
Cela ne peut se faire qu'à partir de l'interface en ligne de commande - par exemple via SSH. Une fois connecté, il vous suffit d'exécuter ce qui suit :
```bash
sudo yunohost app upgrade -u https://github.com/YunoHost-Apps/spip_ynh spip2 --debug
```
L'option `--debug` vous permettra de voir la sortie complète. Si vous rencontrez un problème, veuillez ouvrir une issue.
Notez qu'une tâche cron sera exécutée après la fin de cette commande. Vous devez attendre cela avant de faire toute autre opération d'application ! Vous devriez voir que SPIP est installé après cela.
## Documentations et ressources
* Site officiel de lapp : <http://www.spip.net/>

6
conf/app.src
View file

@ -1,6 +0,0 @@
SOURCE_URL=https://files.spip.net/spip/archives/spip-v4.2.2.zip
SOURCE_SUM=47ab43b1ac8014b70e60867ecd9474a2afeaff471852eab0f41b94cb077d18d1
SOURCE_SUM_PRG=sha256sum
SOURCE_FORMAT=zip
SOURCE_IN_SUBDIR=false
SOURCE_EXTRACT=true

758
conf/ecran_securite.php Normal file
View file

@ -0,0 +1,758 @@
<?php
/*
* ecran_securite.php
* ------------------
*/
define('_ECRAN_SECURITE', '1.5.3'); // 2023-05-31
/*
* Documentation : https://www.spip.net/fr_article4200.html
*/
/*
* Test utilisateur
*/
if (isset($_GET['test_ecran_securite'])) {
$ecran_securite_raison = 'test ' . _ECRAN_SECURITE;
}
if (file_exists($f = __DIR__ . DIRECTORY_SEPARATOR . 'ecran_securite_options.php')) {
include ($f);
}
/*
* Monitoring
* var_isbot=0 peut etre utilise par un bot de monitoring pour surveiller la disponibilite d'un site vu par les users
* var_isbot=1 peut etre utilise pour monitorer la disponibilite pour les bots (sujets a 503 de delestage si
* le load depasse ECRAN_SECURITE_LOAD)
*/
if (!defined('_IS_BOT') and isset($_GET['var_isbot'])) {
define('_IS_BOT', $_GET['var_isbot'] ? true : false);
}
/*
* Détecteur de robot d'indexation
*/
if (!defined('_IS_BOT')) {
define(
'_IS_BOT',
isset($_SERVER['HTTP_USER_AGENT'])
and preg_match(
','
. implode('|', array(
// mots generiques
'bot',
'slurp',
'crawler',
'crwlr',
'java',
'monitoring',
'spider',
'webvac',
'yandex',
'MSIE 6\.0', // botnet 99,9% du temps
// UA plus cibles
'200please',
'80legs',
'a6-indexer',
'aboundex',
'accoona',
'acrylicapps',
'addthis',
'adressendeutschland',
'alexa',
'altavista',
'analyticsseo',
'antennapod',
'arachnys',
'archive',
'argclrint',
'aspseek',
'baidu',
'begunadvertising',
'bing',
'bloglines',
'buck',
'browsershots',
'bubing',
'butterfly',
'changedetection',
'charlotte',
'chilkat',
'china',
'coccoc',
'crowsnest',
'dataminr',
'daumoa',
'dlvr\.it',
'dlweb',
'drupal',
'ec2linkfinder',
'eset\.com',
'estyle',
'exalead',
'ezooms',
'facebookexternalhit',
'facebookplatform',
'fairshare',
'feedfetcher',
'feedfetcher-google',
'feedly',
'fetch',
'flipboardproxy',
'genieo',
'google',
'go-http-client',
'grapeshot',
'hatena-useragent',
'head',
'hosttracker',
'hubspot',
'ia_archiver',
'ichiro',
'iltrovatore-setaccio',
'immediatenet',
'ina',
'inoreader',
'infegyatlas',
'infohelfer',
'instapaper',
'jabse',
'james',
'jersey',
'kumkie',
'linkdex',
'linkfluence',
'linkwalker',
'litefinder',
'loadimpactpageanalyzer',
'ltx71',
'luminate',
'lycos',
'lycosa',
'mediapartners-google',
'msai',
'myapp',
'nativehost',
'najdi',
'netcraftsurveyagent',
'netestate',
'netseer',
'netnewswire',
'newspaper',
'newsblur',
'nuhk',
'nuzzel',
'okhttp',
'otmedia',
'owlin',
'owncloud',
'panscient',
'paper\.li',
'parsijoo',
'protopage',
'plukkie',
'proximic',
'pubsub',
'python',
'qirina',
'qoshe',
'qualidator',
'qwantify',
'rambler',
'readability',
'ruby',
'sbsearch',
'scoop\.it',
'scooter',
'scoutjet',
'scrapy',
'scrubby',
'scrubbybloglines',
'shareaholic',
'shopwiki',
'simplepie',
'sistrix',
'sitechecker',
'siteexplorer',
'snapshot',
'sogou',
'special_archiver',
'speedy',
'spinn3r',
'spreadtrum',
'steeler',
'subscriber',
'suma',
'superdownloads',
'svenska-webbsido',
'teoma',
'the knowledge AI',
'thumbshots',
'tineye',
'traackr',
'trendiction',
'trendsmap',
'tweetedtimes',
'tweetmeme',
'universalfeedparser',
'uaslinkchecker',
'undrip',
'unwindfetchor',
'upday',
'vedma',
'vkshare',
'vm',
'wch',
'webalta',
'webcookies',
'webparser',
'webthumbnail',
'wesee',
'wise-guys',
'woko',
'wordpress',
'wotbox',
'y!j-bri',
'y!j-bro',
'y!j-brw',
'y!j-bsc',
'yahoo',
'yahoo!',
'yahooysmcm',
'ymobactus',
'yats',
'yeti',
'zeerch'
)) . ',i',
(string)$_SERVER['HTTP_USER_AGENT']
)
);
}
if (!defined('_IS_BOT_FRIEND')) {
define(
'_IS_BOT_FRIEND',
isset($_SERVER['HTTP_USER_AGENT'])
and preg_match(
',' . implode('|', array(
'facebookexternalhit',
'twitterbot',
'flipboardproxy',
'wordpress'
)) . ',i',
(string)$_SERVER['HTTP_USER_AGENT']
)
);
}
/*
* Interdit de passer une variable id_article (ou id_xxx) qui ne
* soit pas numérique (ce qui bloque l'exploitation de divers trous
* de sécurité, dont celui de toutes les versions < 1.8.2f)
* (sauf pour id_table, qui n'est pas numérique jusqu'à [5743])
* (id_base est une variable de la config des widgets de WordPress)
*/
$_exceptions = array('id_table', 'id_base', 'id_parent', 'id_article_pdf');
foreach ($_GET as $var => $val) {
if (
$_GET[$var] and strncmp($var, "id_", 3) == 0
and !in_array($var, $_exceptions)
) {
$_GET[$var] = is_array($_GET[$var]) ? @array_map('intval', $_GET[$var]) : intval($_GET[$var]);
}
}
foreach ($_POST as $var => $val) {
if (
$_POST[$var] and strncmp($var, "id_", 3) == 0
and !in_array($var, $_exceptions)
) {
$_POST[$var] = is_array($_POST[$var]) ? @array_map('intval', $_POST[$var]) : intval($_POST[$var]);
}
}
foreach ($GLOBALS as $var => $val) {
if (
$GLOBALS[$var] and strncmp($var, "id_", 3) == 0
and !in_array($var, $_exceptions)
) {
$GLOBALS[$var] = is_array($GLOBALS[$var]) ? @array_map('intval', $GLOBALS[$var]) : intval($GLOBALS[$var]);
}
}
/*
* Interdit la variable $cjpeg_command, qui était utilisée sans
* précaution dans certaines versions de dev (1.8b2 -> 1.8b5)
*/
$cjpeg_command = '';
/*
* Contrôle de quelques variables (XSS)
*/
foreach (array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r', 'var_ajax_ancre', 'nom_fichier') as $var) {
if (isset($_GET[$var])) {
$_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_GET[$var]);
}
if (isset($_POST[$var])) {
$_REQUEST[$var] = $GLOBALS[$var] = $_POST[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_POST[$var]);
}
}
/*
* Filtre l'accès à spip_acces_doc (injection SQL en 1.8.2x)
*/
if (isset($_SERVER['REQUEST_URI'])) {
if (preg_match(',^(.*/)?spip_acces_doc\.,', (string)$_SERVER['REQUEST_URI'])) {
$file = addslashes((string)$_GET['file']);
}
}
/*
* Pas d'inscription abusive
*/
if (
isset($_REQUEST['mode']) and isset($_REQUEST['page'])
and !in_array($_REQUEST['mode'], array("6forum", "1comite"))
and $_REQUEST['page'] == "identifiants"
) {
$ecran_securite_raison = "identifiants";
}
/*
* Agenda joue à l'injection php
*/
if (
isset($_REQUEST['partie_cal'])
and $_REQUEST['partie_cal'] !== htmlentities((string)$_REQUEST['partie_cal'])
) {
$ecran_securite_raison = "partie_cal";
}
if (
isset($_REQUEST['echelle'])
and $_REQUEST['echelle'] !== htmlentities((string)$_REQUEST['echelle'])
) {
$ecran_securite_raison = "echelle";
}
/*
* Espace privé
*/
if (
isset($_REQUEST['exec'])
and !preg_match(',^[\w-]+$,', (string)$_REQUEST['exec'])
) {
$ecran_securite_raison = "exec";
}
if (
isset($_REQUEST['cherche_auteur'])
and preg_match(',[<],', (string)$_REQUEST['cherche_auteur'])
) {
$ecran_securite_raison = "cherche_auteur";
}
if (
isset($_REQUEST['exec'])
and $_REQUEST['exec'] == 'auteurs'
and isset($_REQUEST['recherche'])
and preg_match(',[<],', (string)$_REQUEST['recherche'])
) {
$ecran_securite_raison = "recherche";
}
if (
isset($_REQUEST['exec'])
and $_REQUEST['exec'] == 'info_plugin'
and isset($_REQUEST['plugin'])
and preg_match(',[<],', (string)$_REQUEST['plugin'])
) {
$ecran_securite_raison = "plugin";
}
if (
isset($_REQUEST['exec'])
and $_REQUEST['exec'] == 'puce_statut'
and isset($_REQUEST['id'])
and !intval($_REQUEST['id'])
) {
$ecran_securite_raison = "puce_statut";
}
if (
isset($_REQUEST['action'])
and $_REQUEST['action'] == 'configurer'
) {
if (
@file_exists('inc_version.php')
or @file_exists('ecrire/inc_version.php')
) {
function action_configurer() {
include_spip('inc/autoriser');
if (!autoriser('configurer', _request('configuration'))) {
include_spip('inc/minipres');
echo minipres(_T('info_acces_interdit'));
exit;
}
require _DIR_RESTREINT . 'action/configurer.php';
action_configurer_dist();
}
}
}
if (
isset($_REQUEST['action'])
and $_REQUEST['action'] == 'ordonner_liens_documents'
and isset($_REQUEST['ordre'])
and is_string($_REQUEST['ordre'])
) {
$ecran_securite_raison = "ordre a la chaine";
}
/*
* Bloque les requêtes contenant %00 (manipulation d'include)
*/
if (strpos(
(function_exists('get_magic_quotes_gpc') and @get_magic_quotes_gpc())
? stripslashes(serialize($_REQUEST))
: serialize($_REQUEST),
chr(0)
) !== false) {
$ecran_securite_raison = "%00";
}
/*
* Bloque les requêtes fond=formulaire_
*/
if (
isset($_REQUEST['fond'])
and preg_match(',^formulaire_,i', $_REQUEST['fond'])
) {
$ecran_securite_raison = "fond=formulaire_";
}
/*
* Bloque les requêtes du type ?GLOBALS[type_urls]=toto (bug vieux php)
*/
if (isset($_REQUEST['GLOBALS'])) {
$ecran_securite_raison = "GLOBALS[GLOBALS]";
}
/*
* Bloque les requêtes des bots sur:
* les agenda
* les paginations entremélées
*/
if (_IS_BOT) {
if (
(isset($_REQUEST['echelle']) and isset($_REQUEST['partie_cal']) and isset($_REQUEST['type']))
or (strpos((string)$_SERVER['REQUEST_URI'], 'debut_') and preg_match(',[?&]debut_.*&debut_,', (string)$_SERVER['REQUEST_URI']))
or (isset($_REQUEST['calendrier_annee']) and strpos((string)$_SERVER['REQUEST_URI'], 'debut_'))
or (isset($_REQUEST['calendrier_annee']) and preg_match(',[?&]calendrier_annee=.*&calendrier_annee=,', (string)$_SERVER['REQUEST_URI']))
) {
$ecran_securite_raison = "robot agenda/double pagination";
}
}
/*
* Bloque une vieille page de tests de CFG (<1.11)
* Bloque un XSS sur une page inexistante
*/
if (isset($_REQUEST['page'])) {
if ($_REQUEST['page'] == 'test_cfg') {
$ecran_securite_raison = "test_cfg";
}
if ($_REQUEST['page'] !== htmlspecialchars((string)$_REQUEST['page'])) {
$ecran_securite_raison = "xsspage";
}
if (
$_REQUEST['page'] == '404'
and isset($_REQUEST['erreur'])
) {
$ecran_securite_raison = "xss404";
}
}
/*
* XSS par array
*/
foreach (array('var_login') as $var) {
if (isset($_REQUEST[$var]) and is_array($_REQUEST[$var])) {
$ecran_securite_raison = "xss " . $var;
}
}
/*
* Parade antivirale contre un cheval de troie
*/
if (!function_exists('tmp_lkojfghx')) {
function tmp_lkojfghx() {}
function tmp_lkojfghx2($a = 0, $b = 0, $c = 0, $d = 0) {
// si jamais on est arrivé ici sur une erreur php
// et qu'un autre gestionnaire d'erreur est défini, l'appeller
if ($b && $GLOBALS['tmp_xhgfjokl']) {
call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d);
}
}
}
if (isset($_POST['tmp_lkojfghx3'])) {
$ecran_securite_raison = "gumblar";
}
/*
* Outils XML mal sécurisés < 2.0.9
*/
if (isset($_REQUEST['transformer_xml'])) {
$ecran_securite_raison = "transformer_xml";
}
/*
* Outils XML mal sécurisés again
*/
if (isset($_REQUEST['var_url']) and $_REQUEST['var_url'] and isset($_REQUEST['exec']) and $_REQUEST['exec'] == 'valider_xml') {
$url = trim($_REQUEST['var_url']);
if (
strncmp($url, '/', 1) == 0
or (($p = strpos($url, '..')) !== false and strpos($url, '..', $p + 3) !== false)
or (($p = strpos($url, '..')) !== false and strpos($url, 'IMG', $p + 3) !== false)
or (strpos($url, '://') !== false or strpos($url, ':\\') !== false)
) {
$ecran_securite_raison = 'URL interdite pour var_url';
}
}
/*
* Sauvegarde mal securisée < 2.0.9
*/
if (
isset($_REQUEST['nom_sauvegarde'])
and strstr((string)$_REQUEST['nom_sauvegarde'], '/')
) {
$ecran_securite_raison = 'nom_sauvegarde manipulee';
}
if (
isset($_REQUEST['znom_sauvegarde'])
and strstr((string)$_REQUEST['znom_sauvegarde'], '/')
) {
$ecran_securite_raison = 'znom_sauvegarde manipulee';
}
/*
* op permet des inclusions arbitraires ;
* on vérifie 'page' pour ne pas bloquer ... drupal
*/
if (
isset($_REQUEST['op']) and isset($_REQUEST['page'])
and $_REQUEST['op'] !== preg_replace('/[^\\-\w]/', '', $_REQUEST['op'])
) {
$ecran_securite_raison = 'op';
}
/*
* Forms & Table ne se méfiait pas assez des uploads de fichiers
*/
if (count($_FILES)) {
foreach ($_FILES as $k => $v) {
if (
preg_match(',^fichier_\d+$,', $k)
and preg_match(',\.php,i', $v['name'])
) {
unset($_FILES[$k]);
}
}
}
/*
* et Contact trop laxiste avec une variable externe
* on bloque pas le post pour eviter de perdre des donnees mais on unset la variable et c'est tout
*/
if (isset($_REQUEST['pj_enregistrees_nom']) and $_REQUEST['pj_enregistrees_nom']) {
unset($_REQUEST['pj_enregistrees_nom']);
unset($_GET['pj_enregistrees_nom']);
unset($_POST['pj_enregistrees_nom']);
}
/*
* reinstall=oui un peu trop permissif
*/
if (
isset($_REQUEST['reinstall'])
and $_REQUEST['reinstall'] == 'oui'
) {
$ecran_securite_raison = 'reinstall=oui';
}
/*
* Pas d'action pendant l'install
*/
if (isset($_REQUEST['exec']) and $_REQUEST['exec'] === 'install' and isset($_REQUEST['action'])) {
$ecran_securite_raison = 'install&action impossibles';
}
/*
* Échappement xss referer
*/
if (isset($_SERVER['HTTP_REFERER'])) {
$_SERVER['HTTP_REFERER'] = strtr($_SERVER['HTTP_REFERER'], '<>"\'', '[]##');
}
/*
* Echappement HTTP_X_FORWARDED_HOST
*/
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$_SERVER['HTTP_X_FORWARDED_HOST'] = strtr($_SERVER['HTTP_X_FORWARDED_HOST'], "<>?\"\{\}\$'` \r\n", '____________');
}
/*
* Pas d'erreur dans l'erreur
*/
if (isset($_REQUEST['var_erreur']) and isset($_REQUEST['page']) and $_REQUEST['page'] === 'login') {
if (strlen($_REQUEST['var_erreur']) !== strcspn($_REQUEST['var_erreur'], '<>')) {
$ecran_securite_raison = 'var_erreur incorrecte';
}
}
/*
* Réinjection des clés en html dans l'admin r19561
*/
if (
(isset($_SERVER['REQUEST_URI']) and strpos($_SERVER['REQUEST_URI'], "ecrire/") !== false)
or isset($_REQUEST['var_memotri'])
) {
$zzzz = implode("", array_keys($_REQUEST));
if (strlen($zzzz) != strcspn($zzzz, '<>"\'')) {
$ecran_securite_raison = 'Cle incorrecte en $_REQUEST';
}
}
/*
* Injection par connect
*/
if (
isset($_REQUEST['connect'])
// cas qui permettent de sortir d'un commentaire PHP
and (
strpos($_REQUEST['connect'], "?") !== false
or strpos($_REQUEST['connect'], "<") !== false
or strpos($_REQUEST['connect'], ">") !== false
or strpos($_REQUEST['connect'], "\n") !== false
or strpos($_REQUEST['connect'], "\r") !== false
)
) {
$ecran_securite_raison = "malformed connect argument";
}
/*
* _oups donc
*/
if (
isset($_REQUEST['_oups'])
and base64_decode($_REQUEST['_oups'], true) === false) {
$ecran_securite_raison = "malformed _oups argument";
}
if (
isset($_REQUEST['formulaire_action_args']) || isset($_REQUEST['var_login'])
) {
foreach ($_REQUEST as $k => $v) {
if (is_string($v)
and strpbrk($v, "&\"'<>") !== false
and preg_match(',^[abis]:\d+[:;],', $v)
and __ecran_test_if_serialized($v)
) {
$_REQUEST[$k] = htmlspecialchars($v, ENT_QUOTES);
if (isset($_POST[$k])) $_POST[$k] = $_REQUEST[$k];
if (isset($_GET[$k])) $_GET[$k] = $_REQUEST[$k];
}
}
}
/**
* Version simplifiée de https://developer.wordpress.org/reference/functions/is_serialized/
*/
function __ecran_test_if_serialized($data) {
$data = trim($data);
if ('N;' === $data) {return true;}
if (strlen($data) < 4) {return false;}
if (':' !== $data[1]) {return false;}
$semicolon = strpos($data, ';');
$brace = strpos($data, '}');
// Either ; or } must exist.
if (false === $semicolon && false === $brace) {return false;}
// But neither must be in the first X characters.
if (false !== $semicolon && $semicolon < 3) {return false;}
if (false !== $brace && $brace < 4) {return false;}
$token = $data[0];
if (in_array($token, array('s', 'S', 'a', 'O', 'C', 'o', 'E'))) {
if (in_array($token, array('s', 'S')) and false === strpos($data, '"')) {return false;}
return (bool)preg_match("/^{$token}:[0-9]+:/s", $data);
} elseif (in_array($token, array('b', 'i', 'd'))) {
return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data);
}
return false;
}
/*
* S'il y a une raison de mourir, mourons
*/
if (isset($ecran_securite_raison)) {
header("HTTP/1.0 403 Forbidden");
header("Expires: Wed, 11 Jan 1984 05:00:00 GMT");
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
header("Content-Type: text/html");
header("Connection: close");
die("<html><title>Error 403: Forbidden</title><body><h1>Error 403</h1><p>You are not authorized to view this page ($ecran_securite_raison)</p></body></html>");
}
/*
* Un filtre filtrer_entites securise
*/
if (!function_exists('filtre_filtrer_entites_dist')) {
function filtre_filtrer_entites_dist($t) {
include_spip('inc/texte');
return interdire_scripts(filtrer_entites($t));
}
}
/*
* Fin sécurité
*/
/*
* Bloque les bots quand le load déborde
*/
if (!defined('_ECRAN_SECURITE_LOAD')) {
define('_ECRAN_SECURITE_LOAD', 4);
}
if (
defined('_ECRAN_SECURITE_LOAD')
and _ECRAN_SECURITE_LOAD > 0
and _IS_BOT
and !_IS_BOT_FRIEND
and $_SERVER['REQUEST_METHOD'] === 'GET'
and (
(function_exists('sys_getloadavg')
and $load = sys_getloadavg()
and is_array($load)
and $load = array_shift($load))
or
(@is_readable('/proc/loadavg')
and $load = file_get_contents('/proc/loadavg')
and $load = floatval($load))
)
and $load > _ECRAN_SECURITE_LOAD // eviter l'evaluation suivante si de toute facon le load est inferieur a la limite
and rand(0, (int) ($load * $load)) > _ECRAN_SECURITE_LOAD * _ECRAN_SECURITE_LOAD
) {
//https://webmasters.stackexchange.com/questions/65674/should-i-return-a-429-or-503-status-code-to-a-bot
header("HTTP/1.0 429 Too Many Requests");
header("Retry-After: 300");
header("Expires: Wed, 11 Jan 1984 05:00:00 GMT");
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
header("Content-Type: text/html");
header("Connection: close");
die("<html><title>Status 429: Too Many Requests</title><body><h1>Status 429</h1><p>Too Many Requests (try again soon)</p></body></html>");
}

4
conf/extra_php-fpm.conf Normal file
View file

@ -0,0 +1,4 @@
; Additional php.ini defines, specific to this pool of workers.
php_admin_value[upload_max_filesize] = 50M
php_admin_value[post_max_size] = 50M

4
conf/nginx.conf
View file

@ -2,11 +2,11 @@
location __PATH__/ {
# Path to source
alias __FINALPATH__/;
alias __INSTALL_DIR__/;
index index.php;
client_max_body_size 30M;
client_max_body_size 50M;
try_files $uri $uri/ index.php;

430
conf/php-fpm.conf
View file

@ -1,430 +0,0 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[__NAMETOCHANGE__]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = __USER__
group = __USER__
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /var/run/php/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.0/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
request_terminate_timeout = 1d
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
chdir = __FINALPATH__
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
; Common values to change to increase file upload limit
php_admin_value[upload_max_filesize] = 30M
php_admin_value[post_max_size] = 30M
; php_admin_flag[mail.add_x_header] = Off
; Other common parameters
; php_admin_value[max_execution_time] = 600
; php_admin_value[max_input_time] = 300
; php_admin_value[memory_limit] = 256M
; php_admin_flag[short_open_tag] = On

10
conf/spip2_migration
View file

@ -1,10 +0,0 @@
#!/bin/bash
# Final path
/var/www/$app
# Nginx config
/etc/nginx/conf.d/$domain.d/$app.conf
# php-fpm config
/etc/php/7.0/fpm/pool.d/$app.conf

38
conf/spip2_post_migration.sh
View file

@ -1,38 +0,0 @@
#!/bin/bash
# Ending the migration process from Spip2 to Spip
set -u
#=================================================
# IMPORT GENERIC HELPERS
#=================================================
source /usr/share/yunohost/helpers
#=================================================
# SET VARIABLES
#=================================================
old_app="__OLD_APP__"
new_app="__NEW_APP__"
script_name="$0"
#=================================================
# DELETE OLD APP'S SETTINGS
#=================================================
ynh_secure_remove "/etc/yunohost/apps/$old_app"
yunohost app ssowatconf
#=================================================
# REMOVE THE OLD USER
#=================================================
ynh_system_user_delete $old_app
#=================================================
# DELETE THIS SCRIPT
#=================================================
echo "rm $script_name" | at now + 1 minutes

1
doc/DESCRIPTION.md Normal file
View file

@ -0,0 +1 @@
CMS with a focus on collaborative edition and multilingualism

32
doc/DISCLAIMER.md
View file

@ -1,32 +0,0 @@
## Configuration
How to configure this app: by an admin panel.
#### Multi-users support
* Are LDAP and HTTP auth supported? **Yes**
* Can the app be used by multiple users? **Yes**
## Migrate from SPIP2
**This is not considered as stable yet, please do it with care and only for testing!**
This package handle the migration from SPIP2 to SPIP. For that, your
SPIP2 application must be **up-to-date** in YunoHost. To ensure that, execute:
```bash
sudo yunohost app upgrade -u https://github.com/YunoHost-Apps/spip2_ynh spip2 --debug
```
You will then have to upgrade your SPIP2 application with this repository.
This can only be done from the command-line interface - e.g. through SSH. Once you're connected, you simply have to execute the following:
```bash
sudo yunohost app upgrade -u https://github.com/YunoHost-Apps/spip_ynh spip2 --debug
```
The `--debug` option will let you see the full output. If you encounter any issue, please paste it.
Note that a cron job will be executed at some time after the end of this
command. You must wait that before doing any other application operations!
You should see that SPIP is installed after that.

29
doc/DISCLAIMER_fr.md
View file

@ -1,29 +0,0 @@
## Configuration
Comment configurer cette application: via le panneau d'administration.
#### Support multi-utilisateurs
* L'authentification LDAP et HTTP est-elle prise en charge? **Oui**
* L'application peut-elle être utilisée par plusieurs utilisateurs? **Oui**
## Migration depuis SPIP2
**Ceci n'est pas encore considéré comme stable, veuillez le faire avec soin et uniquement pour test!**
Ce paquet gère la migration de SPIP2 vers SPIP. Pour cela, votre application SPIP2 doit être **à jour** dans YunoHost. Pour s'en assurer :
```bash
sudo yunohost app upgrade -u https://github.com/YunoHost-Apps/spip2_ynh spip2 --debug
```
Vous devrez ensuite mettre à jour votre application SPIP2 avec ce dépôt.
Cela ne peut se faire qu'à partir de l'interface en ligne de commande - par exemple via SSH. Une fois connecté, il vous suffit d'exécuter ce qui suit :
```bash
sudo yunohost app upgrade -u https://github.com/YunoHost-Apps/spip_ynh spip2 --debug
```
L'option `--debug` vous permettra de voir la sortie complète. Si vous rencontrez un problème, veuillez ouvrir une issue.
Notez qu'une tâche cron sera exécutée après la fin de cette commande. Vous devez attendre cela avant de faire toute autre opération d'application ! Vous devriez voir que SPIP est installé après cela.

73
manifest.json
View file

@ -1,73 +0,0 @@
{
"name": "SPIP",
"id": "spip",
"packaging_format": 1,
"description": {
"en": "CMS with a focus on collaborative edition and multilingualism",
"fr": "CMS conçu pour l'édition collaborative et le multilinguisme"
},
"version": "4.2.2~ynh1",
"url": "http://www.spip.net/",
"upstream": {
"license": "GPL-3.0-or-later",
"website": "http://www.spip.net/",
"demo": "https://demo.spip.net/",
"admindoc": "https://www.spip.net/en_rubrique209.html",
"userdoc": "https://www.spip.net/en_rubrique57.html",
"code": "https://git.spip.net/spip/spip"
},
"license": "GPL-3.0-or-later",
"maintainer": {
"name": "cyp",
"email": "cyp@rouquin.me"
},
"requirements": {
"yunohost": ">= 4.3.2"
},
"multi_instance": true,
"services": [
"nginx",
"mysql"
],
"arguments": {
"install": [
{
"name": "domain",
"type": "domain"
},
{
"name": "path",
"type": "path",
"example": "/spip",
"default": "/spip"
},
{
"name": "is_public",
"type": "boolean",
"default": true
},
{
"name": "admin",
"type": "user"
},
{
"name": "password",
"type": "password"
},
{
"name": "users_status",
"type": "string",
"ask": {
"en": "Choose the status of YunoHost users",
"fr": "Choisissez le status des utilisateurs de YunoHost"
},
"choices": [
"Administrator",
"Editor",
"Visitor"
],
"default": "Editor"
}
]
}
}

74
manifest.toml Normal file
View file

@ -0,0 +1,74 @@
packaging_format = 2
id = "spip"
name = "SPIP"
description.en = "CMS with a focus on collaborative edition and multilingualism"
description.fr = "CMS conçu pour l'édition collaborative et le multilinguisme"
version = "4.2.2~ynh1"
maintainers = ["cyp"]
[upstream]
license = "GPL-3.0-or-later"
website = "http://www.spip.net/"
demo = "https://demo.spip.net/"
admindoc = "https://www.spip.net/en_rubrique209.html"
userdoc = "https://www.spip.net/en_rubrique57.html"
code = "https://git.spip.net/spip/spip"
[integration]
yunohost = ">= 11.1.19"
architectures = "all"
multi_instance = true
ldap = false
sso = true
disk = "50M"
ram.build = "50M"
ram.runtime = "50M"
[install]
[install.domain]
type = "domain"
[install.path]
type = "path"
default = "/spip"
[install.init_main_permission]
type = "group"
default = "visitors"
[install.admin]
type = "user"
[install.password]
type = "password"
[install.users_status]
ask.en = "Choose the status of YunoHost users"
ask.fr = "Choisissez le status des utilisateurs de YunoHost"
type = "string"
choices = ["Administrator", "Editor", "Visitor"]
default = "Editor"
[resources]
[resources.sources.main]
url = "https://files.spip.net/spip/archives/spip-v4.2.2.zip"
sha256 = "47ab43b1ac8014b70e60867ecd9474a2afeaff471852eab0f41b94cb077d18d1"
in_subdir = false
[resources.system_user]
[resources.install_dir]
[resources.permissions]
main.url = "/"
[resources.apt]
packages = "mariadb-server libsodium23 php8.2-curl php8.2-xml php8.2-gd php8.2-mysqli php8.2-zip"
[resources.database]
type = "mysql"

32
scripts/_common.sh
View file

@ -4,10 +4,6 @@
# COMMON VARIABLES
#=================================================
YNH_PHP_VERSION="7.4"
pkg_dependencies="libsodium23 php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-xml php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-mysqli php${YNH_PHP_VERSION}-zip"
#=================================================
# EXPERIMENTAL HELPERS
#=================================================
@ -35,7 +31,7 @@ ynh_send_readme_to_admin() {
type="${type:-install}"
# Get the value of admin_mail_html
admin_mail_html=$(ynh_app_setting_get $app admin_mail_html)
#REMOVEME? admin_mail_html=$(ynh_app_setting_get $app admin_mail_html)
admin_mail_html="${admin_mail_html:-0}"
# Retrieve the email of users
@ -173,7 +169,7 @@ __PRE_TAG1__$(yunohost tools diagnosis | grep -B 100 "services:" | sed '/service
# If you don't have a $pkg_dependencies variable, the helper can't know what the app dependencies are.
#
# The app settings.yml will be modified as follows:
# - finalpath will be changed according to the new name (but only if the existing $final_path contains the old app name)
# - finalpath will be changed according to the new name (but only if the existing $install_dir contains the old app name)
# - The checksums of php-fpm and nginx config files will be updated too.
# - If there is a $db_name value, it will be changed.
# - And, of course, the ID will be changed to the new name too.
@ -196,7 +192,7 @@ ynh_handle_app_migration () {
# LOAD SETTINGS
#=================================================
old_app=$YNH_APP_INSTANCE_NAME
#REMOVEME? old_app=$YNH_APP_INSTANCE_NAME
local old_app_id=$YNH_APP_ID
local old_app_number=$YNH_APP_INSTANCE_NUMBER
@ -281,7 +277,7 @@ ynh_handle_app_migration () {
# https://github.com/YunoHost/yunohost/blob/c6b5284be8da39cf2da4e1036a730eb5e0515096/src/yunohost/app.py#L1316-L1321
# Change the label if it's simply the name of the app
old_label=$(ynh_app_setting_get $new_app label)
#REMOVEME? old_label=$(ynh_app_setting_get $new_app label)
if [ "${old_label,,}" == "$old_app_id" ]
then
# Build the new label from the id of the app. With the first character as upper case
@ -312,15 +308,15 @@ ynh_handle_app_migration () {
# Replace php5-fpm checksums
ynh_replace_string "\(^checksum__etc_php5.*[-_]\)$old_app" "\1$new_app/" "$settings_dir/$new_app/settings.yml"
# Replace final_path
ynh_replace_string "\(^final_path: .*\)$old_app" "\1$new_app" "$settings_dir/$new_app/settings.yml"
# Replace install_dir
ynh_replace_string "\(^install_dir: .*\)$old_app" "\1$new_app" "$settings_dir/$new_app/settings.yml"
#=================================================
# MOVE THE DATABASE
#=================================================
db_pwd=$(ynh_app_setting_get $old_app mysqlpwd)
db_name=$(ynh_app_setting_get $old_app db_name)
#REMOVEME? db_pwd=$(ynh_app_setting_get $old_app mysqlpwd)
#REMOVEME? db_name=$(ynh_app_setting_get $old_app db_name)
# Check if a database exists before trying to move it
local mysql_root_password=$(cat $MYSQL_ROOT_PWD_FILE)
@ -335,18 +331,18 @@ ynh_handle_app_migration () {
ynh_mysql_dump_db "$db_name" > "$sql_dump"
# Create a new database
ynh_mysql_setup_db $new_db_name $new_db_name $db_pwd
#REMOVEME? ynh_mysql_setup_db $new_db_name $new_db_name $db_pwd
# Then restore the old one into the new one
ynh_mysql_connect_as $new_db_name $db_pwd $new_db_name < "$sql_dump"
# Remove the old database
ynh_mysql_remove_db $db_name $db_name
#REMOVEME? ynh_mysql_remove_db $db_name $db_name
# And the dump
ynh_secure_remove "$sql_dump"
# Update the value of $db_name
db_name=$new_db_name
ynh_app_setting_set $new_app db_name $db_name
#REMOVEME? ynh_app_setting_set $new_app db_name $db_name
fi
#=================================================
@ -357,7 +353,7 @@ ynh_handle_app_migration () {
if ynh_system_user_exists "$old_app"
then
echo "Create a new user $new_app to replace $old_app" >&2
ynh_system_user_create $new_app
#REMOVEME? ynh_system_user_create $new_app
fi
#=================================================
@ -376,10 +372,10 @@ ynh_handle_app_migration () {
then
# Install a new fake package
app=$new_app
ynh_install_app_dependencies $pkg_dependencies
#REMOVEME? ynh_install_app_dependencies $pkg_dependencies
# Then remove the old one
app=$old_app
ynh_remove_app_dependencies
#REMOVEME? ynh_remove_app_dependencies
fi
fi

24
scripts/backup
View file

@ -10,28 +10,6 @@
source ../settings/scripts/_common.sh
source /usr/share/yunohost/helpers
#=================================================
# MANAGE SCRIPT FAILURE
#=================================================
ynh_clean_setup () {
true
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# LOAD SETTINGS
#=================================================
ynh_print_info --message="Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
domain=$(ynh_app_setting_get --app=$app --key=domain)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
#=================================================
# DECLARE DATA AND CONF FILES TO BACKUP
#=================================================
@ -41,7 +19,7 @@ ynh_print_info --message="Declaring files to be backed up..."
# BACKUP THE APP MAIN DIR
#=================================================
ynh_backup --src_path="$final_path"
ynh_backup --src_path="$install_dir"
#=================================================
# BACKUP THE NGINX CONFIGURATION

86
scripts/change_url
View file

@ -9,59 +9,6 @@
source _common.sh
source /usr/share/yunohost/helpers
#=================================================
# RETRIEVE ARGUMENTS
#=================================================
old_domain=$YNH_APP_OLD_DOMAIN
old_path=$YNH_APP_OLD_PATH
new_domain=$YNH_APP_NEW_DOMAIN
new_path=$YNH_APP_NEW_PATH
app=$YNH_APP_INSTANCE_NAME
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..."
# Needed for helper "ynh_add_nginx_config"
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
#=================================================
# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP
#=================================================
ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..."
# Backup the current version of the app
ynh_backup_before_upgrade
ynh_clean_setup () {
# Remove the new domain config file, the remove script won't do it as it doesn't know yet its location.
ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"
# Restore it if the upgrade fails
ynh_restore_upgradebackup
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# CHECK WHICH PARTS SHOULD BE CHANGED
#=================================================
change_domain=0
if [ "$old_domain" != "$new_domain" ]
then
change_domain=1
fi
change_path=0
if [ "$old_path" != "$new_path" ]
then
change_path=1
fi
#=================================================
# STANDARD MODIFICATIONS
#=================================================
@ -69,38 +16,7 @@ fi
#=================================================
ynh_script_progression --message="Updating NGINX web server configuration..."
nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
# Change the path in the NGINX config file
if [ $change_path -eq 1 ]
then
# Make a backup of the original NGINX config file if modified
ynh_backup_if_checksum_is_different --file="$nginx_conf_path"
# Set global variables for NGINX helper
domain="$old_domain"
path_url="$new_path"
# Create a dedicated NGINX config
ynh_add_nginx_config
fi
# Change the domain for NGINX
if [ $change_domain -eq 1 ]
then
# Delete file checksum for the old conf file location
ynh_delete_file_checksum --file="$nginx_conf_path"
mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf
# Store file checksum for the new config file location
ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"
fi
#=================================================
# GENERIC FINALISATION
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server..."
ynh_systemd_action --service_name=nginx --action=reload
ynh_change_url_nginx_config
#=================================================
# END OF SCRIPT

121
scripts/install
View file

@ -9,91 +9,23 @@
source _common.sh
source /usr/share/yunohost/helpers
#=================================================
# MANAGE SCRIPT FAILURE
#=================================================
ynh_clean_setup () {
true
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST
#=================================================
domain=$YNH_APP_ARG_DOMAIN
path_url=$YNH_APP_ARG_PATH
is_public=$YNH_APP_ARG_IS_PUBLIC
admin=$YNH_APP_ARG_ADMIN
password=$YNH_APP_ARG_PASSWORD
users_status=$YNH_APP_ARG_USERS_STATUS
app=$YNH_APP_INSTANCE_NAME
#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
ynh_script_progression --message="Validating installation parameters..."
final_path=/var/www/$app
test ! -e "$final_path" || ynh_die --message="This path already contains a folder"
# Register (book) web path
ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
#=================================================
# STORE SETTINGS FROM MANIFEST
#=================================================
ynh_script_progression --message="Storing installation settings..."
ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=admin --value=$admin
ynh_app_setting_set --app=$app --key=password --value=$password
ynh_app_setting_set --app=$app --key=users_status --value=$users_status
#=================================================
# STANDARD MODIFICATIONS
#=================================================
# INSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Installing dependencies..."
ynh_install_app_dependencies $pkg_dependencies
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Configuring system user..."
# Create a system user
ynh_system_user_create --username=$app --home_dir="$final_path"
#=================================================
# CREATE A MYSQL DATABASE
#=================================================
ynh_script_progression --message="Creating a MySQL database..."
db_name=$(ynh_sanitize_dbid --db_name=$app)
db_user=$db_name
ynh_app_setting_set --app=$app --key=db_name --value=$db_name
ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
ynh_script_progression --message="Setting up source files..."
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path"
ynh_setup_source --dest_dir="$install_dir"
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
chmod -R o-rwx "$install_dir"
chown -R $app:www-data "$install_dir"
#=================================================
# PHP-FPM CONFIGURATION
@ -101,12 +33,7 @@ chown -R $app:www-data "$final_path"
ynh_script_progression --message="Configuring PHP-FPM..."
# Create a dedicated PHP-FPM config
ynh_add_fpm_config
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Configuring NGINX web server..."
ynh_add_fpm_config --usage=low --footprint=low
# Create a dedicated NGINX config
ynh_add_nginx_config
@ -116,20 +43,21 @@ ynh_add_nginx_config
#=================================================
# SETUP APPLICATION WITH CURL
#=================================================
ynh_script_progression --message="Setuping application with CURL..."
ynh_script_progression --message="Setuping application with cURL..."
# Set right permissions for curl install
mkdir -p $final_path/plugins/auto
chown -R $app:www-data "$final_path"
mkdir -p $install_dir/plugins/auto
chown -R $app:www-data "$install_dir"
# Set the app as temporarily public for curl call
ynh_script_progression --message="Configuring SSOwat..."
# Installation with curl
# Installation with cURL
ynh_script_progression --message="Finalizing installation..."
ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=chmod"
ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=2" "chmod=750" "adresse_db=localhost" "login_db=$db_name" "pass_db=$db_pwd" "server_db=mysql"
ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=3" "adresse_db=localhost" "login_db=$db_name" "pass_db=$db_pwd" "server_db=mysql" "choix_db=$db_name" "tprefix=$db_name"
# For now spip have a problem with LDAP
#ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=ldap1"
#ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=ldap2" "adresse_ldap=localhost" "port_ldap=389" "tls_ldap=no" "protocole_ldap=3"
@ -159,36 +87,17 @@ ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=fin"
#=================================================
ynh_script_progression --message="Adding a configuration file..."
#ynh_replace_string "'','utf8');" "'ldap.php','utf8');" $final_path/config/connect.php
cp ../conf/mes_options.php $final_path/config/mes_options.php
#ynh_replace_string "'','utf8');" "'ldap.php','utf8');" $install_dir/config/connect.php
cp ../conf/mes_options.php $install_dir/config/mes_options.php
# Add security fix https://www.spip.net/en_article4201.html to be removed after version 4.2.2
cp ../conf/ecran_securite.php $install_dir/config/ecran_securite.php
#=================================================
# STORE THE CONFIG FILE CHECKSUM
#=================================================
ynh_store_file_checksum --file="$final_path/config/connect.php"
#=================================================
# GENERIC FINALIZATION
#=================================================
# SETUP SSOWAT
#=================================================
ynh_script_progression --message="Configuring permissions..."
# Make app public if necessary
if [ $is_public -eq 1 ]
then
# Everyone can access the app.
# The "main" permission is automatically created before the install script.
ynh_permission_update --permission="main" --add="visitors"
fi
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server..."
ynh_systemd_action --service_name=nginx --action=reload
ynh_store_file_checksum --file="$install_dir/config/connect.php"
#=================================================
# END OF SCRIPT

56
scripts/remove
View file

@ -9,18 +9,6 @@
source _common.sh
source /usr/share/yunohost/helpers
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
#=================================================
# STANDARD REMOVE
#=================================================
@ -31,56 +19,12 @@ ynh_script_progression --message="Stopping and removing the systemd service..."
# Remove the dedicated systemd config
ynh_remove_systemd_config
#=================================================
# REMOVE THE MYSQL DATABASE
#=================================================
ynh_script_progression --message="Removing the MySQL database..."
# Remove a database if it exists, along with the associated user
ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name
#=================================================
# REMOVE APP MAIN DIR
#=================================================
ynh_script_progression --message="Removing app main directory..."
# Remove the app directory securely
ynh_secure_remove --file="$final_path"
#=================================================
# REMOVE NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Removing NGINX web server configuration..."
# Remove the dedicated NGINX config
ynh_remove_nginx_config
#=================================================
# REMOVE PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Removing PHP-FPM configuration..."
# Remove the dedicated PHP-FPM config
ynh_remove_fpm_config
#=================================================
# REMOVE DEPENDENCIES
#=================================================
ynh_script_progression --message="Removing dependencies..."
# Remove metapackage and its dependencies
ynh_remove_app_dependencies
#=================================================
# GENERIC FINALIZATION
#=================================================
# REMOVE DEDICATED USER
#=================================================
ynh_script_progression --message="Removing the dedicated system user..."
# Delete a system user
ynh_system_user_delete --username=$app
#=================================================
# END OF SCRIPT
#=================================================

67
scripts/restore
View file

@ -10,66 +10,15 @@
source ../settings/scripts/_common.sh
source /usr/share/yunohost/helpers
#=================================================
# MANAGE SCRIPT FAILURE
#=================================================
ynh_clean_setup () {
true
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
#=================================================
# CHECK IF THE APP CAN BE RESTORED
#=================================================
ynh_script_progression --message="Validating restoration parameters..."
test ! -d $final_path \
|| ynh_die --message="There is already a directory: $final_path "
#=================================================
# STANDARD RESTORATION STEPS
#=================================================
# RECREATE THE DEDICATED USER
#=================================================
ynh_script_progression --message="Recreating the dedicated system user..."
# Create the dedicated user (if not existing)
ynh_system_user_create --username=$app --home_dir=$final_path
#=================================================
# RESTORE THE APP MAIN DIR
#=================================================
ynh_script_progression --message="Restoring the app main directory..."
ynh_restore_file --origin_path="$final_path"
ynh_restore_file --origin_path="$install_dir"
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
#=================================================
# REINSTALL DEPENDENCIES
#=================================================
ynh_script_progression --message="Reinstalling dependencies..."
# Define and install dependencies
ynh_install_app_dependencies $pkg_dependencies
chmod -R o-rwx "$install_dir"
chown -R $app:www-data "$install_dir"
#=================================================
# RESTORE THE PHP-FPM CONFIGURATION
@ -79,14 +28,6 @@ ynh_script_progression --message="Restoring the PHP-FPM configuration..."
# Restore the file first, so it can have a backup if different
ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
# Recreate a dedicated php-fpm config
ynh_add_fpm_config --phpversion=$phpversion
#=================================================
# RESTORE THE NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Restoring the NGINX web server configuration..."
ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
@ -94,8 +35,6 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
#=================================================
ynh_script_progression --message="Restoring the MySQL database..."
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd
ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./db.sql
#=================================================

173
scripts/upgrade
View file

@ -9,49 +9,12 @@
source _common.sh
source /usr/share/yunohost/helpers
#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..."
app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
admin=$(ynh_app_setting_get --app=$app --key=admin)
password=$(ynh_app_setting_get --app=$app --key=password)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
users_status=$(ynh_app_setting_get --app=$app --key=users_status)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
#=================================================
# CHECK VERSION
#=================================================
ynh_script_progression --message="Checking version..."
upgrade_type=$(ynh_check_app_version_changed)
#=================================================
# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
#=================================================
ynh_script_progression --message="Backing up the app before upgrading (may take a while)..."
# Backup the current version of the app
ynh_backup_before_upgrade
ynh_clean_setup () {
if [ $migration_process -eq 1 ]; then
yunohost app remove $app
# Reload some values changed by the migration process
app=$YNH_APP_INSTANCE_NAME
fi
# Restore it if the upgrade fails
ynh_restore_upgradebackup
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors
#=================================================
# STANDARD UPGRADE STEPS
#=================================================
@ -59,67 +22,12 @@ ynh_abort_if_errors
#=================================================
ynh_script_progression --message="Ensuring downward compatibility..."
# Remove is_public
if [ -n "$(ynh_app_setting_get --app=$app --key=is_public)" ]; then
ynh_app_setting_delete --app=$app --key=is_public
fi
# If db_name doesn't exist, create it
if [ -z $db_name ]; then
db_name=$app
ynh_app_setting_set --app=$app --key=db_name --value=$db_name
fi
# If final_path doesn't exist, create it
if [ -z $final_path ]; then
final_path=/var/www/$app
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
fi
# If users_status doesn't exist, create it
if [ -z $users_status ]; then
if [ -z "${users_status:-}" ]; then
users_status="Editor"
ynh_app_setting_set --app=$app --key=users_status --value=$users_status
fi
if [ -z $password ]; then
# Generate random password
password=$(ynh_string_random --length=8)
echo "The new version of SPIP provide a new password. You can change it in the private area." > mail_to_send
echo "" >> mail_to_send
echo "This password is: $password" >> mail_to_send
ynh_send_readme_to_admin --app_message="mail_to_send" --type="upgrade"
ynh_app_setting_set --app=$app --key=password --value=$password
fi
# Cleaning legacy permissions
if ynh_legacy_permissions_exists; then
ynh_legacy_permissions_delete_all
fi
#=================================================
# HANDLE MIGRATION FROM SPIP2
#=================================================
ynh_handle_app_migration "spip2" "spip2_migration"
if [ $migration_process -eq 1 ]; then
# If a migration has been perform
# Reload some values changed by the migration process
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
db_name=$(ynh_app_setting_get --app=$app --key=db_name)
fi
#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Making sure dedicated system user exists..."
# Create a dedicated user (if not existing)
ynh_system_user_create --username=$app --home_dir="$final_path"
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================
@ -129,19 +37,11 @@ then
ynh_script_progression --message="Upgrading source files..."
# Download, check integrity, uncompress and patch the source from app.src
ynh_setup_source --dest_dir="$final_path"
ynh_setup_source --dest_dir="$install_dir"
fi
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
#=================================================
# UPGRADE DEPENDENCIES
#=================================================
ynh_script_progression --message="Upgrading dependencies..."
ynh_install_app_dependencies $pkg_dependencies
chmod -R o-rwx "$install_dir"
chown -R $app:www-data "$install_dir"
#=================================================
# PHP-FPM CONFIGURATION
@ -149,12 +49,7 @@ ynh_install_app_dependencies $pkg_dependencies
ynh_script_progression --message="Upgrading PHP-FPM configuration..."
# Create a dedicated PHP-FPM config
ynh_add_fpm_config
#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading NGINX web server configuration..."
ynh_add_fpm_config --usage=low --footprint=low
# Create a dedicated NGINX config
ynh_add_nginx_config
@ -167,21 +62,22 @@ ynh_add_nginx_config
ynh_script_progression --message="Setuping application with CURL..."
# Set right permissions for curl install
mkdir -p $final_path/plugins/auto
chown -R $app:www-data "$final_path"
mkdir -p $install_dir/plugins/auto
chown -R $app:www-data "$install_dir"
# Set the app as temporarily public for curl call
ynh_script_progression --message="Configuring SSOwat..."
ynh_backup_if_checksum_is_different --file="$final_path/config/connect.php"
ynh_backup_if_checksum_is_different --file="$install_dir/config/connect.php"
mv $final_path/config/connect.php $final_path/config/connect.php.ynh_bkp
mv $install_dir/config/connect.php $install_dir/config/connect.php.ynh_bkp
# Installation with curl
ynh_script_progression --message="Finalizing installation..."
ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=chmod"
ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=2" "chmod=750" "adresse_db=localhost" "login_db=$db_name" "pass_db=$db_pwd" "server_db=mysql"
ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=3" "adresse_db=localhost" "login_db=$db_name" "pass_db=$db_pwd" "server_db=mysql" "choix_db=$db_name" "tprefix=$db_name"
# For now spip have a problem with LDAP
#ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=ldap1"
#ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=ldap2" "adresse_ldap=localhost" "port_ldap=389" "tls_ldap=no" "protocole_ldap=3"
@ -211,50 +107,19 @@ ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=fin"
#=================================================
ynh_script_progression --message="Updating a configuration file..."
#ynh_replace_string --match_string="'','utf8');" --replace_string="'ldap.php','utf8');" --target_file=$final_path/config/connect.php
cp ../conf/mes_options.php $final_path/config/mes_options.php
#ynh_replace_string --match_string="'','utf8');" --replace_string="'ldap.php','utf8');" --target_file=$install_dir/config/connect.php
cp ../conf/mes_options.php $install_dir/config/mes_options.php
if [ ! -f $final_path/config/connect.php ]; then
mv $final_path/config/connect.php.ynh_bkp $final_path/config/connect.php
# Add security fix https://www.spip.net/en_article4201.html to be removed after version 4.2.2
cp ../conf/ecran_securite.php $install_dir/config/ecran_securite.php
if [ ! -f $install_dir/config/connect.php ]; then
mv $install_dir/config/connect.php.ynh_bkp $install_dir/config/connect.php
else
ynh_secure_remove --file="$final_path/config/connect.php.ynh_bkp"
ynh_secure_remove --file="$install_dir/config/connect.php.ynh_bkp"
fi
ynh_store_file_checksum --file="$final_path/config/connect.php"
#=================================================
# GENERIC FINALIZATION
#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading NGINX web server..."
ynh_systemd_action --service_name=nginx --action=reload
#=================================================
# SEND INFORMATION
#=================================================
echo "To finish the upgrade, you may have to update the database by clicking on the button (if asked) at this location: https://$domain$path_url/ecrire/" > mail_to_send
ynh_send_readme_to_admin --app_message="mail_to_send" --type="upgrade"
if [ $migration_process -eq 1 ]
then
ynh_script_progression --message="Spip2 has been successfully migrated to Spip! \
A last scheduled operation will run in a couple of minutes to finish the \
migration in YunoHost side. Do not proceed any application operation while \
you don't see Spip as installed."
# Execute a post migration script after the end of this upgrade.
# Mainly for some cleaning
script_post_migration=spip2_post_migration.sh
cp ../conf/$script_post_migration /tmp
ynh_replace_string --match_string="__OLD_APP__" --replace_string="$old_app" --target_file=/tmp/$script_post_migration
ynh_replace_string --match_string="__NEW_APP__" --replace_string="$app" --target_file=/tmp/$script_post_migration
chmod +x /tmp/$script_post_migration
(cd /tmp; echo "/tmp/$script_post_migration > /tmp/$script_post_migration.log 2>&1" | at now + 2 minutes)
fi
ynh_store_file_checksum --file="$install_dir/config/connect.php"
#=================================================
# END OF SCRIPT

9
tests.toml Normal file
View file

@ -0,0 +1,9 @@
test_format = 1.0
[default]
# -------------------------------
# Default args to use for install
# -------------------------------
args.users_status = "Editor"