From a8a493d9da3d9e81f0ca6ebe975acbdeef43080a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Thu, 1 Jun 2023 09:51:02 +0200 Subject: [PATCH 1/9] fix --- conf/ecran_securite.php | 758 ++++++++++++++++++++++++++++++++++++++++ scripts/install | 3 + 2 files changed, 761 insertions(+) create mode 100644 conf/ecran_securite.php diff --git a/conf/ecran_securite.php b/conf/ecran_securite.php new file mode 100644 index 0000000..53581fc --- /dev/null +++ b/conf/ecran_securite.php @@ -0,0 +1,758 @@ + $val) { + if ( + $_GET[$var] and strncmp($var, "id_", 3) == 0 + and !in_array($var, $_exceptions) + ) { + $_GET[$var] = is_array($_GET[$var]) ? @array_map('intval', $_GET[$var]) : intval($_GET[$var]); + } +} +foreach ($_POST as $var => $val) { + if ( + $_POST[$var] and strncmp($var, "id_", 3) == 0 + and !in_array($var, $_exceptions) + ) { + $_POST[$var] = is_array($_POST[$var]) ? @array_map('intval', $_POST[$var]) : intval($_POST[$var]); + } +} +foreach ($GLOBALS as $var => $val) { + if ( + $GLOBALS[$var] and strncmp($var, "id_", 3) == 0 + and !in_array($var, $_exceptions) + ) { + $GLOBALS[$var] = is_array($GLOBALS[$var]) ? @array_map('intval', $GLOBALS[$var]) : intval($GLOBALS[$var]); + } +} + +/* + * Interdit la variable $cjpeg_command, qui était utilisée sans + * précaution dans certaines versions de dev (1.8b2 -> 1.8b5) + */ +$cjpeg_command = ''; + +/* + * Contrôle de quelques variables (XSS) + */ +foreach (array('lang', 'var_recherche', 'aide', 'var_lang_r', 'lang_r', 'var_ajax_ancre', 'nom_fichier') as $var) { + if (isset($_GET[$var])) { + $_REQUEST[$var] = $GLOBALS[$var] = $_GET[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_GET[$var]); + } + if (isset($_POST[$var])) { + $_REQUEST[$var] = $GLOBALS[$var] = $_POST[$var] = preg_replace(',[^\w\,/#&;-]+,', ' ', (string)$_POST[$var]); + } +} + +/* + * Filtre l'accès à spip_acces_doc (injection SQL en 1.8.2x) + */ +if (isset($_SERVER['REQUEST_URI'])) { + if (preg_match(',^(.*/)?spip_acces_doc\.,', (string)$_SERVER['REQUEST_URI'])) { + $file = addslashes((string)$_GET['file']); + } +} + +/* + * Pas d'inscription abusive + */ +if ( + isset($_REQUEST['mode']) and isset($_REQUEST['page']) + and !in_array($_REQUEST['mode'], array("6forum", "1comite")) + and $_REQUEST['page'] == "identifiants" +) { + $ecran_securite_raison = "identifiants"; +} + +/* + * Agenda joue à l'injection php + */ +if ( + isset($_REQUEST['partie_cal']) + and $_REQUEST['partie_cal'] !== htmlentities((string)$_REQUEST['partie_cal']) +) { + $ecran_securite_raison = "partie_cal"; +} +if ( + isset($_REQUEST['echelle']) + and $_REQUEST['echelle'] !== htmlentities((string)$_REQUEST['echelle']) +) { + $ecran_securite_raison = "echelle"; +} + +/* + * Espace privé + */ +if ( + isset($_REQUEST['exec']) + and !preg_match(',^[\w-]+$,', (string)$_REQUEST['exec']) +) { + $ecran_securite_raison = "exec"; +} +if ( + isset($_REQUEST['cherche_auteur']) + and preg_match(',[<],', (string)$_REQUEST['cherche_auteur']) +) { + $ecran_securite_raison = "cherche_auteur"; +} +if ( + isset($_REQUEST['exec']) + and $_REQUEST['exec'] == 'auteurs' + and isset($_REQUEST['recherche']) + and preg_match(',[<],', (string)$_REQUEST['recherche']) +) { + $ecran_securite_raison = "recherche"; +} +if ( + isset($_REQUEST['exec']) + and $_REQUEST['exec'] == 'info_plugin' + and isset($_REQUEST['plugin']) + and preg_match(',[<],', (string)$_REQUEST['plugin']) +) { + $ecran_securite_raison = "plugin"; +} +if ( + isset($_REQUEST['exec']) + and $_REQUEST['exec'] == 'puce_statut' + and isset($_REQUEST['id']) + and !intval($_REQUEST['id']) +) { + $ecran_securite_raison = "puce_statut"; +} +if ( + isset($_REQUEST['action']) + and $_REQUEST['action'] == 'configurer' +) { + if ( + @file_exists('inc_version.php') + or @file_exists('ecrire/inc_version.php') + ) { + function action_configurer() { + include_spip('inc/autoriser'); + if (!autoriser('configurer', _request('configuration'))) { + include_spip('inc/minipres'); + echo minipres(_T('info_acces_interdit')); + exit; + } + require _DIR_RESTREINT . 'action/configurer.php'; + action_configurer_dist(); + } + } +} +if ( + isset($_REQUEST['action']) + and $_REQUEST['action'] == 'ordonner_liens_documents' + and isset($_REQUEST['ordre']) + and is_string($_REQUEST['ordre']) +) { + $ecran_securite_raison = "ordre a la chaine"; +} + + +/* + * Bloque les requêtes contenant %00 (manipulation d'include) + */ +if (strpos( + (function_exists('get_magic_quotes_gpc') and @get_magic_quotes_gpc()) + ? stripslashes(serialize($_REQUEST)) + : serialize($_REQUEST), + chr(0) +) !== false) { + $ecran_securite_raison = "%00"; +} + +/* + * Bloque les requêtes fond=formulaire_ + */ +if ( + isset($_REQUEST['fond']) + and preg_match(',^formulaire_,i', $_REQUEST['fond']) +) { + $ecran_securite_raison = "fond=formulaire_"; +} + +/* + * Bloque les requêtes du type ?GLOBALS[type_urls]=toto (bug vieux php) + */ +if (isset($_REQUEST['GLOBALS'])) { + $ecran_securite_raison = "GLOBALS[GLOBALS]"; +} + +/* + * Bloque les requêtes des bots sur: + * les agenda + * les paginations entremélées + */ +if (_IS_BOT) { + if ( + (isset($_REQUEST['echelle']) and isset($_REQUEST['partie_cal']) and isset($_REQUEST['type'])) + or (strpos((string)$_SERVER['REQUEST_URI'], 'debut_') and preg_match(',[?&]debut_.*&debut_,', (string)$_SERVER['REQUEST_URI'])) + or (isset($_REQUEST['calendrier_annee']) and strpos((string)$_SERVER['REQUEST_URI'], 'debut_')) + or (isset($_REQUEST['calendrier_annee']) and preg_match(',[?&]calendrier_annee=.*&calendrier_annee=,', (string)$_SERVER['REQUEST_URI'])) + ) { + $ecran_securite_raison = "robot agenda/double pagination"; + } +} + +/* + * Bloque une vieille page de tests de CFG (<1.11) + * Bloque un XSS sur une page inexistante + */ +if (isset($_REQUEST['page'])) { + if ($_REQUEST['page'] == 'test_cfg') { + $ecran_securite_raison = "test_cfg"; + } + if ($_REQUEST['page'] !== htmlspecialchars((string)$_REQUEST['page'])) { + $ecran_securite_raison = "xsspage"; + } + if ( + $_REQUEST['page'] == '404' + and isset($_REQUEST['erreur']) + ) { + $ecran_securite_raison = "xss404"; + } +} + +/* + * XSS par array + */ +foreach (array('var_login') as $var) { + if (isset($_REQUEST[$var]) and is_array($_REQUEST[$var])) { + $ecran_securite_raison = "xss " . $var; + } +} + +/* + * Parade antivirale contre un cheval de troie + */ +if (!function_exists('tmp_lkojfghx')) { + function tmp_lkojfghx() {} + function tmp_lkojfghx2($a = 0, $b = 0, $c = 0, $d = 0) { + // si jamais on est arrivé ici sur une erreur php + // et qu'un autre gestionnaire d'erreur est défini, l'appeller + if ($b && $GLOBALS['tmp_xhgfjokl']) { + call_user_func($GLOBALS['tmp_xhgfjokl'], $a, $b, $c, $d); + } + } +} +if (isset($_POST['tmp_lkojfghx3'])) { + $ecran_securite_raison = "gumblar"; +} + +/* + * Outils XML mal sécurisés < 2.0.9 + */ +if (isset($_REQUEST['transformer_xml'])) { + $ecran_securite_raison = "transformer_xml"; +} + +/* + * Outils XML mal sécurisés again + */ +if (isset($_REQUEST['var_url']) and $_REQUEST['var_url'] and isset($_REQUEST['exec']) and $_REQUEST['exec'] == 'valider_xml') { + $url = trim($_REQUEST['var_url']); + if ( + strncmp($url, '/', 1) == 0 + or (($p = strpos($url, '..')) !== false and strpos($url, '..', $p + 3) !== false) + or (($p = strpos($url, '..')) !== false and strpos($url, 'IMG', $p + 3) !== false) + or (strpos($url, '://') !== false or strpos($url, ':\\') !== false) + ) { + $ecran_securite_raison = 'URL interdite pour var_url'; + } +} + +/* + * Sauvegarde mal securisée < 2.0.9 + */ +if ( + isset($_REQUEST['nom_sauvegarde']) + and strstr((string)$_REQUEST['nom_sauvegarde'], '/') +) { + $ecran_securite_raison = 'nom_sauvegarde manipulee'; +} +if ( + isset($_REQUEST['znom_sauvegarde']) + and strstr((string)$_REQUEST['znom_sauvegarde'], '/') +) { + $ecran_securite_raison = 'znom_sauvegarde manipulee'; +} + + +/* + * op permet des inclusions arbitraires ; + * on vérifie 'page' pour ne pas bloquer ... drupal + */ +if ( + isset($_REQUEST['op']) and isset($_REQUEST['page']) + and $_REQUEST['op'] !== preg_replace('/[^\\-\w]/', '', $_REQUEST['op']) +) { + $ecran_securite_raison = 'op'; +} + +/* + * Forms & Table ne se méfiait pas assez des uploads de fichiers + */ +if (count($_FILES)) { + foreach ($_FILES as $k => $v) { + if ( + preg_match(',^fichier_\d+$,', $k) + and preg_match(',\.php,i', $v['name']) + ) { + unset($_FILES[$k]); + } + } +} +/* + * et Contact trop laxiste avec une variable externe + * on bloque pas le post pour eviter de perdre des donnees mais on unset la variable et c'est tout + */ +if (isset($_REQUEST['pj_enregistrees_nom']) and $_REQUEST['pj_enregistrees_nom']) { + unset($_REQUEST['pj_enregistrees_nom']); + unset($_GET['pj_enregistrees_nom']); + unset($_POST['pj_enregistrees_nom']); +} + +/* + * reinstall=oui un peu trop permissif + */ +if ( + isset($_REQUEST['reinstall']) + and $_REQUEST['reinstall'] == 'oui' +) { + $ecran_securite_raison = 'reinstall=oui'; +} + +/* + * Pas d'action pendant l'install + */ +if (isset($_REQUEST['exec']) and $_REQUEST['exec'] === 'install' and isset($_REQUEST['action'])) { + $ecran_securite_raison = 'install&action impossibles'; +} + +/* + * Échappement xss referer + */ +if (isset($_SERVER['HTTP_REFERER'])) { + $_SERVER['HTTP_REFERER'] = strtr($_SERVER['HTTP_REFERER'], '<>"\'', '[]##'); +} + + +/* + * Echappement HTTP_X_FORWARDED_HOST + */ +if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) { + $_SERVER['HTTP_X_FORWARDED_HOST'] = strtr($_SERVER['HTTP_X_FORWARDED_HOST'], "<>?\"\{\}\$'` \r\n", '____________'); +} + + +/* + * Pas d'erreur dans l'erreur + */ +if (isset($_REQUEST['var_erreur']) and isset($_REQUEST['page']) and $_REQUEST['page'] === 'login') { + if (strlen($_REQUEST['var_erreur']) !== strcspn($_REQUEST['var_erreur'], '<>')) { + $ecran_securite_raison = 'var_erreur incorrecte'; + } +} + + +/* + * Réinjection des clés en html dans l'admin r19561 + */ +if ( + (isset($_SERVER['REQUEST_URI']) and strpos($_SERVER['REQUEST_URI'], "ecrire/") !== false) + or isset($_REQUEST['var_memotri']) +) { + $zzzz = implode("", array_keys($_REQUEST)); + if (strlen($zzzz) != strcspn($zzzz, '<>"\'')) { + $ecran_securite_raison = 'Cle incorrecte en $_REQUEST'; + } +} + +/* + * Injection par connect + */ +if ( + isset($_REQUEST['connect']) + // cas qui permettent de sortir d'un commentaire PHP + and ( + strpos($_REQUEST['connect'], "?") !== false + or strpos($_REQUEST['connect'], "<") !== false + or strpos($_REQUEST['connect'], ">") !== false + or strpos($_REQUEST['connect'], "\n") !== false + or strpos($_REQUEST['connect'], "\r") !== false + ) +) { + $ecran_securite_raison = "malformed connect argument"; +} + + +/* + * _oups donc + */ +if ( + isset($_REQUEST['_oups']) + and base64_decode($_REQUEST['_oups'], true) === false) { + $ecran_securite_raison = "malformed _oups argument"; +} + +if ( + isset($_REQUEST['formulaire_action_args']) || isset($_REQUEST['var_login']) +) { + foreach ($_REQUEST as $k => $v) { + if (is_string($v) + and strpbrk($v, "&\"'<>") !== false + and preg_match(',^[abis]:\d+[:;],', $v) + and __ecran_test_if_serialized($v) + ) { + $_REQUEST[$k] = htmlspecialchars($v, ENT_QUOTES); + if (isset($_POST[$k])) $_POST[$k] = $_REQUEST[$k]; + if (isset($_GET[$k])) $_GET[$k] = $_REQUEST[$k]; + } + } +} +/** + * Version simplifiée de https://developer.wordpress.org/reference/functions/is_serialized/ + */ +function __ecran_test_if_serialized($data) { + $data = trim($data); + if ('N;' === $data) {return true;} + if (strlen($data) < 4) {return false;} + if (':' !== $data[1]) {return false;} + $semicolon = strpos($data, ';'); + $brace = strpos($data, '}'); + // Either ; or } must exist. + if (false === $semicolon && false === $brace) {return false;} + // But neither must be in the first X characters. + if (false !== $semicolon && $semicolon < 3) {return false;} + if (false !== $brace && $brace < 4) {return false;} + $token = $data[0]; + if (in_array($token, array('s', 'S', 'a', 'O', 'C', 'o', 'E'))) { + if (in_array($token, array('s', 'S')) and false === strpos($data, '"')) {return false;} + return (bool)preg_match("/^{$token}:[0-9]+:/s", $data); + } elseif (in_array($token, array('b', 'i', 'd'))) { + return (bool)preg_match("/^{$token}:[0-9.E+-]+;/", $data); + } + return false; +} + + +/* + * S'il y a une raison de mourir, mourons + */ +if (isset($ecran_securite_raison)) { + header("HTTP/1.0 403 Forbidden"); + header("Expires: Wed, 11 Jan 1984 05:00:00 GMT"); + header("Cache-Control: no-cache, must-revalidate"); + header("Pragma: no-cache"); + header("Content-Type: text/html"); + header("Connection: close"); + die("
You are not authorized to view this page ($ecran_securite_raison)
"); +} + +/* + * Un filtre filtrer_entites securise + */ +if (!function_exists('filtre_filtrer_entites_dist')) { + function filtre_filtrer_entites_dist($t) { + include_spip('inc/texte'); + return interdire_scripts(filtrer_entites($t)); + } +} + + +/* + * Fin sécurité + */ + + + +/* + * Bloque les bots quand le load déborde + */ +if (!defined('_ECRAN_SECURITE_LOAD')) { + define('_ECRAN_SECURITE_LOAD', 4); +} + +if ( + defined('_ECRAN_SECURITE_LOAD') + and _ECRAN_SECURITE_LOAD > 0 + and _IS_BOT + and !_IS_BOT_FRIEND + and $_SERVER['REQUEST_METHOD'] === 'GET' + and ( + (function_exists('sys_getloadavg') + and $load = sys_getloadavg() + and is_array($load) + and $load = array_shift($load)) + or + (@is_readable('/proc/loadavg') + and $load = file_get_contents('/proc/loadavg') + and $load = floatval($load)) + ) + and $load > _ECRAN_SECURITE_LOAD // eviter l'evaluation suivante si de toute facon le load est inferieur a la limite + and rand(0, (int) ($load * $load)) > _ECRAN_SECURITE_LOAD * _ECRAN_SECURITE_LOAD +) { + //https://webmasters.stackexchange.com/questions/65674/should-i-return-a-429-or-503-status-code-to-a-bot + header("HTTP/1.0 429 Too Many Requests"); + header("Retry-After: 300"); + header("Expires: Wed, 11 Jan 1984 05:00:00 GMT"); + header("Cache-Control: no-cache, must-revalidate"); + header("Pragma: no-cache"); + header("Content-Type: text/html"); + header("Connection: close"); + die("Too Many Requests (try again soon)
"); +} diff --git a/scripts/install b/scripts/install index 17705a0..b90394c 100644 --- a/scripts/install +++ b/scripts/install @@ -162,6 +162,9 @@ ynh_script_progression --message="Adding a configuration file..." #ynh_replace_string "'','utf8');" "'ldap.php','utf8');" $final_path/config/connect.php cp ../conf/mes_options.php $final_path/config/mes_options.php +# Add security fix https://www.spip.net/en_article4201.html +cp ../conf/ecran_securite.php $final_path/config/ecran_securite.php + #================================================= # STORE THE CONFIG FILE CHECKSUM #================================================= From 4f73e1d08541021335dfb13be30c2c22e9b56063 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Thu, 1 Jun 2023 10:01:18 +0200 Subject: [PATCH 2/9] v2 --- conf/app.src | 6 --- conf/nginx.conf | 2 +- conf/php-fpm.conf | 2 +- manifest.toml | 76 +++++++++++++++++++++++++++++++++++ scripts/_common.sh | 32 +++++++-------- scripts/backup | 18 ++++----- scripts/change_url | 62 +++++++++++++++-------------- scripts/install | 88 ++++++++++++++++++++--------------------- scripts/remove | 28 ++++++------- scripts/restore | 48 +++++++++++------------ scripts/upgrade | 98 +++++++++++++++++++++++----------------------- 11 files changed, 266 insertions(+), 194 deletions(-) delete mode 100644 conf/app.src create mode 100644 manifest.toml diff --git a/conf/app.src b/conf/app.src deleted file mode 100644 index f8faac6..0000000 --- a/conf/app.src +++ /dev/null @@ -1,6 +0,0 @@ -SOURCE_URL=https://files.spip.net/spip/archives/spip-v4.2.2.zip -SOURCE_SUM=47ab43b1ac8014b70e60867ecd9474a2afeaff471852eab0f41b94cb077d18d1 -SOURCE_SUM_PRG=sha256sum -SOURCE_FORMAT=zip -SOURCE_IN_SUBDIR=false -SOURCE_EXTRACT=true diff --git a/conf/nginx.conf b/conf/nginx.conf index ac29444..ce8161b 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -2,7 +2,7 @@ location __PATH__/ { # Path to source - alias __FINALPATH__/; + alias __INSTALL_DIR__/; index index.php; diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 37344f6..1cf8768 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -358,7 +358,7 @@ request_terminate_timeout = 1d ; Chdir to this directory at the start. ; Note: relative path can be used. ; Default Value: current directory or / when chroot -chdir = __FINALPATH__ +chdir = __INSTALL_DIR__ ; Redirect worker stdout and stderr into main error log. If not set, stdout and ; stderr will be redirected to /dev/null according to FastCGI specs. diff --git a/manifest.toml b/manifest.toml new file mode 100644 index 0000000..8bc317f --- /dev/null +++ b/manifest.toml @@ -0,0 +1,76 @@ +packaging_format = 2 + +id = "spip" +name = "SPIP" +description.en = "CMS with a focus on collaborative edition and multilingualism" +description.fr = "CMS conçu pour l'édition collaborative et le multilinguisme" + +version = "4.2.2~ynh1" + +maintainers = ["cyp"] + +[upstream] +license = "GPL-3.0-or-later" +website = "http://www.spip.net/" +demo = "https://demo.spip.net/" +admindoc = "https://www.spip.net/en_rubrique209.html" +userdoc = "https://www.spip.net/en_rubrique57.html" +code = "https://git.spip.net/spip/spip" +cpe = "???" # FIXME: optional but recommended if relevant, this is meant to contain the Common Platform Enumeration, which is sort of a standard id for applications defined by the NIST. In particular, Yunohost may use this is in the future to easily track CVE (=security reports) related to apps. The CPE may be obtained by searching here: https://nvd.nist.gov/products/cpe/search. For example, for Nextcloud, the CPE is 'cpe:2.3:a:nextcloud:nextcloud' (no need to include the version number) +fund = "???" # FIXME: optional but recommended (or remove if irrelevant / not applicable). This is meant to be an URL where people can financially support this app, especially when its development is based on volunteers and/or financed by its community. YunoHost may later advertise it in the webadmin. + +[integration] +yunohost = ">= 4.3.2" +architectures = "all" # FIXME: can be replaced by a list of supported archs using the dpkg --print-architecture nomenclature (amd64/i386/armhf/arm64), for example: ["amd64", "i386"] +multi_instance = true +ldap = "?" # FIXME: replace with true, false, or "not_relevant". Not to confuse with the "sso" key : the "ldap" key corresponds to wether or not a user *can* login on the app using its YunoHost credentials. +sso = "?" # FIXME: replace with true, false, or "not_relevant". Not to confuse with the "ldap" key : the "sso" key corresponds to wether or not a user is *automatically logged-in* on the app when logged-in on the YunoHost portal. +disk = "50M" # FIXME: replace with an **estimate** minimum disk requirement. e.g. 20M, 400M, 1G, ... +ram.build = "50M" # FIXME: replace with an **estimate** minimum ram requirement. e.g. 50M, 400M, 1G, ... +ram.runtime = "50M" # FIXME: replace with an **estimate** minimum ram requirement. e.g. 50M, 400M, 1G, ... + +[install] + [install.domain] + # this is a generic question - ask strings are automatically handled by Yunohost's core + type = "domain" + + [install.path] + # this is a generic question - ask strings are automatically handled by Yunohost's core + type = "path" + default = "/spip" + + [install.init_main_permission] + type = "group" + default = "visitors" + + [install.admin] + # this is a generic question - ask strings are automatically handled by Yunohost's core + type = "user" + + [install.password] + # this is a generic question - ask strings are automatically handled by Yunohost's core + type = "password" + + [install.users_status] + ask.en = "Choose the status of YunoHost users" + ask.fr = "Choisissez le status des utilisateurs de YunoHost" + type = "string" + choices = ["Administrator", "Editor", "Visitor"] + default = "Editor" + +[resources] + [resources.sources.main] + url = "https://files.spip.net/spip/archives/spip-v4.2.2.zip" + sha256 = "47ab43b1ac8014b70e60867ecd9474a2afeaff471852eab0f41b94cb077d18d1" + in_subdir = false + + + [resources.system_user] + + [resources.install_dir] + + [resources.permissions] + main.url = "/" + + [resources.database] + type = "mysql" diff --git a/scripts/_common.sh b/scripts/_common.sh index 171badd..b3239b6 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -4,9 +4,9 @@ # COMMON VARIABLES #================================================= -YNH_PHP_VERSION="7.4" +#REMOVEME? YNH_PHP_VERSION="7.4" -pkg_dependencies="libsodium23 php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-xml php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-mysqli php${YNH_PHP_VERSION}-zip" +#REMOVEME? pkg_dependencies="libsodium23 php${YNH_PHP_VERSION}-curl php${YNH_PHP_VERSION}-xml php${YNH_PHP_VERSION}-gd php${YNH_PHP_VERSION}-mysqli php${YNH_PHP_VERSION}-zip" #================================================= # EXPERIMENTAL HELPERS @@ -35,7 +35,7 @@ ynh_send_readme_to_admin() { type="${type:-install}" # Get the value of admin_mail_html - admin_mail_html=$(ynh_app_setting_get $app admin_mail_html) +#REMOVEME? admin_mail_html=$(ynh_app_setting_get $app admin_mail_html) admin_mail_html="${admin_mail_html:-0}" # Retrieve the email of users @@ -173,7 +173,7 @@ __PRE_TAG1__$(yunohost tools diagnosis | grep -B 100 "services:" | sed '/service # If you don't have a $pkg_dependencies variable, the helper can't know what the app dependencies are. # # The app settings.yml will be modified as follows: -# - finalpath will be changed according to the new name (but only if the existing $final_path contains the old app name) +# - finalpath will be changed according to the new name (but only if the existing $install_dir contains the old app name) # - The checksums of php-fpm and nginx config files will be updated too. # - If there is a $db_name value, it will be changed. # - And, of course, the ID will be changed to the new name too. @@ -196,7 +196,7 @@ ynh_handle_app_migration () { # LOAD SETTINGS #================================================= - old_app=$YNH_APP_INSTANCE_NAME +#REMOVEME? old_app=$YNH_APP_INSTANCE_NAME local old_app_id=$YNH_APP_ID local old_app_number=$YNH_APP_INSTANCE_NUMBER @@ -281,7 +281,7 @@ ynh_handle_app_migration () { # https://github.com/YunoHost/yunohost/blob/c6b5284be8da39cf2da4e1036a730eb5e0515096/src/yunohost/app.py#L1316-L1321 # Change the label if it's simply the name of the app - old_label=$(ynh_app_setting_get $new_app label) +#REMOVEME? old_label=$(ynh_app_setting_get $new_app label) if [ "${old_label,,}" == "$old_app_id" ] then # Build the new label from the id of the app. With the first character as upper case @@ -312,15 +312,15 @@ ynh_handle_app_migration () { # Replace php5-fpm checksums ynh_replace_string "\(^checksum__etc_php5.*[-_]\)$old_app" "\1$new_app/" "$settings_dir/$new_app/settings.yml" - # Replace final_path - ynh_replace_string "\(^final_path: .*\)$old_app" "\1$new_app" "$settings_dir/$new_app/settings.yml" + # Replace install_dir + ynh_replace_string "\(^install_dir: .*\)$old_app" "\1$new_app" "$settings_dir/$new_app/settings.yml" #================================================= # MOVE THE DATABASE #================================================= - db_pwd=$(ynh_app_setting_get $old_app mysqlpwd) - db_name=$(ynh_app_setting_get $old_app db_name) +#REMOVEME? db_pwd=$(ynh_app_setting_get $old_app mysqlpwd) +#REMOVEME? db_name=$(ynh_app_setting_get $old_app db_name) # Check if a database exists before trying to move it local mysql_root_password=$(cat $MYSQL_ROOT_PWD_FILE) @@ -335,18 +335,18 @@ ynh_handle_app_migration () { ynh_mysql_dump_db "$db_name" > "$sql_dump" # Create a new database - ynh_mysql_setup_db $new_db_name $new_db_name $db_pwd +#REMOVEME? ynh_mysql_setup_db $new_db_name $new_db_name $db_pwd # Then restore the old one into the new one ynh_mysql_connect_as $new_db_name $db_pwd $new_db_name < "$sql_dump" # Remove the old database - ynh_mysql_remove_db $db_name $db_name +#REMOVEME? ynh_mysql_remove_db $db_name $db_name # And the dump ynh_secure_remove "$sql_dump" # Update the value of $db_name db_name=$new_db_name - ynh_app_setting_set $new_app db_name $db_name +#REMOVEME? ynh_app_setting_set $new_app db_name $db_name fi #================================================= @@ -357,7 +357,7 @@ ynh_handle_app_migration () { if ynh_system_user_exists "$old_app" then echo "Create a new user $new_app to replace $old_app" >&2 - ynh_system_user_create $new_app +#REMOVEME? ynh_system_user_create $new_app fi #================================================= @@ -376,10 +376,10 @@ ynh_handle_app_migration () { then # Install a new fake package app=$new_app - ynh_install_app_dependencies $pkg_dependencies +#REMOVEME? ynh_install_app_dependencies $pkg_dependencies # Then remove the old one app=$old_app - ynh_remove_app_dependencies +#REMOVEME? ynh_remove_app_dependencies fi fi diff --git a/scripts/backup b/scripts/backup index 86cad22..fe749c0 100644 --- a/scripts/backup +++ b/scripts/backup @@ -14,23 +14,23 @@ source /usr/share/yunohost/helpers # MANAGE SCRIPT FAILURE #================================================= -ynh_clean_setup () { +#REMOVEME? ynh_clean_setup () { true } # Exit if an error occurs during the execution of the script -ynh_abort_if_errors +#REMOVEME? ynh_abort_if_errors #================================================= # LOAD SETTINGS #================================================= -ynh_print_info --message="Loading installation settings..." +#REMOVEME? ynh_print_info --message="Loading installation settings..." -app=$YNH_APP_INSTANCE_NAME +#REMOVEME? app=$YNH_APP_INSTANCE_NAME -final_path=$(ynh_app_setting_get --app=$app --key=final_path) -domain=$(ynh_app_setting_get --app=$app --key=domain) -db_name=$(ynh_app_setting_get --app=$app --key=db_name) -phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) +#REMOVEME? #REMOVEME? install_dir=$(ynh_app_setting_get --app=$app --key=install_dir) +#REMOVEME? domain=$(ynh_app_setting_get --app=$app --key=domain) +#REMOVEME? db_name=$(ynh_app_setting_get --app=$app --key=db_name) +#REMOVEME? phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= # DECLARE DATA AND CONF FILES TO BACKUP @@ -41,7 +41,7 @@ ynh_print_info --message="Declaring files to be backed up..." # BACKUP THE APP MAIN DIR #================================================= -ynh_backup --src_path="$final_path" +ynh_backup --src_path="$install_dir" #================================================= # BACKUP THE NGINX CONFIGURATION diff --git a/scripts/change_url b/scripts/change_url index 7b8d1cb..8f54bad 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -13,53 +13,53 @@ source /usr/share/yunohost/helpers # RETRIEVE ARGUMENTS #================================================= -old_domain=$YNH_APP_OLD_DOMAIN -old_path=$YNH_APP_OLD_PATH +#REMOVEME? old_domain=$YNH_APP_OLD_DOMAIN +#REMOVEME? old_path=$YNH_APP_OLD_PATH -new_domain=$YNH_APP_NEW_DOMAIN -new_path=$YNH_APP_NEW_PATH +#REMOVEME? new_domain=$YNH_APP_NEW_DOMAIN +#REMOVEME? new_path=$YNH_APP_NEW_PATH -app=$YNH_APP_INSTANCE_NAME +#REMOVEME? app=$YNH_APP_INSTANCE_NAME #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." +#REMOVEME? ynh_script_progression --message="Loading installation settings..." -# Needed for helper "ynh_add_nginx_config" -final_path=$(ynh_app_setting_get --app=$app --key=final_path) +#REMOVEME? # Needed for helper "ynh_add_nginx_config" +#REMOVEME? #REMOVEME? install_dir=$(ynh_app_setting_get --app=$app --key=install_dir) #================================================= # BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP #================================================= -ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." +#REMOVEME? ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." # Backup the current version of the app -ynh_backup_before_upgrade -ynh_clean_setup () { +#REMOVEME? ynh_backup_before_upgrade +#REMOVEME? ynh_clean_setup () { # Remove the new domain config file, the remove script won't do it as it doesn't know yet its location. - ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" +#REMOVEME? ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" # Restore it if the upgrade fails - ynh_restore_upgradebackup +#REMOVEME? ynh_restore_upgradebackup } # Exit if an error occurs during the execution of the script -ynh_abort_if_errors +#REMOVEME? ynh_abort_if_errors #================================================= # CHECK WHICH PARTS SHOULD BE CHANGED #================================================= -change_domain=0 -if [ "$old_domain" != "$new_domain" ] +#REMOVEME? change_domain=0 +#REMOVEME? if [ "$old_domain" != "$new_domain" ] then - change_domain=1 + #REMOVEME? change_domain=1 fi -change_path=0 -if [ "$old_path" != "$new_path" ] +#REMOVEME? change_path=0 +#REMOVEME? if [ "$old_path" != "$new_path" ] then - change_path=1 + #REMOVEME? change_path=1 fi #================================================= @@ -69,28 +69,30 @@ fi #================================================= ynh_script_progression --message="Updating NGINX web server configuration..." -nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf +ynh_change_url_nginx_config + +#REMOVEME? nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf # Change the path in the NGINX config file if [ $change_path -eq 1 ] then # Make a backup of the original NGINX config file if modified - ynh_backup_if_checksum_is_different --file="$nginx_conf_path" +#REMOVEME? ynh_backup_if_checksum_is_different --file="$nginx_conf_path" # Set global variables for NGINX helper - domain="$old_domain" - path_url="$new_path" +#REMOVEME? domain="$old_domain" +#REMOVEME? path="$new_path" # Create a dedicated NGINX config - ynh_add_nginx_config +#REMOVEME? ynh_add_nginx_config fi # Change the domain for NGINX if [ $change_domain -eq 1 ] then # Delete file checksum for the old conf file location - ynh_delete_file_checksum --file="$nginx_conf_path" - mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf +#REMOVEME? ynh_delete_file_checksum --file="$nginx_conf_path" +#REMOVEME? mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf # Store file checksum for the new config file location - ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" +#REMOVEME? ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" fi #================================================= @@ -98,9 +100,9 @@ fi #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading NGINX web server..." +#REMOVEME? ynh_script_progression --message="Reloading NGINX web server..." -ynh_systemd_action --service_name=nginx --action=reload +#REMOVEME? #REMOVEME? ynh_systemd_action --service_name=nginx --action=reload #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index b90394c..ace7b4b 100644 --- a/scripts/install +++ b/scripts/install @@ -13,45 +13,45 @@ source /usr/share/yunohost/helpers # MANAGE SCRIPT FAILURE #================================================= -ynh_clean_setup () { +#REMOVEME? ynh_clean_setup () { true } # Exit if an error occurs during the execution of the script -ynh_abort_if_errors +#REMOVEME? ynh_abort_if_errors #================================================= # RETRIEVE ARGUMENTS FROM THE MANIFEST #================================================= -domain=$YNH_APP_ARG_DOMAIN -path_url=$YNH_APP_ARG_PATH -is_public=$YNH_APP_ARG_IS_PUBLIC -admin=$YNH_APP_ARG_ADMIN -password=$YNH_APP_ARG_PASSWORD -users_status=$YNH_APP_ARG_USERS_STATUS +#REMOVEME? domain=$YNH_APP_ARG_DOMAIN +#REMOVEME? path=$YNH_APP_ARG_PATH +#REMOVEME? is_public=$YNH_APP_ARG_IS_PUBLIC +#REMOVEME? admin=$YNH_APP_ARG_ADMIN +#REMOVEME? password=$YNH_APP_ARG_PASSWORD +#REMOVEME? users_status=$YNH_APP_ARG_USERS_STATUS -app=$YNH_APP_INSTANCE_NAME +#REMOVEME? app=$YNH_APP_INSTANCE_NAME #================================================= # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS #================================================= -ynh_script_progression --message="Validating installation parameters..." +#REMOVEME? ynh_script_progression --message="Validating installation parameters..." -final_path=/var/www/$app -test ! -e "$final_path" || ynh_die --message="This path already contains a folder" +#REMOVEME? install_dir=/var/www/$app +#REMOVEME? test ! -e "$install_dir" || ynh_die --message="This path already contains a folder" # Register (book) web path -ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url +#REMOVEME? ynh_webpath_register --app=$app --domain=$domain --path=$path #================================================= # STORE SETTINGS FROM MANIFEST #================================================= -ynh_script_progression --message="Storing installation settings..." +#REMOVEME? ynh_script_progression --message="Storing installation settings..." -ynh_app_setting_set --app=$app --key=domain --value=$domain -ynh_app_setting_set --app=$app --key=path --value=$path_url -ynh_app_setting_set --app=$app --key=admin --value=$admin -ynh_app_setting_set --app=$app --key=password --value=$password +#REMOVEME? ynh_app_setting_set --app=$app --key=domain --value=$domain +#REMOVEME? ynh_app_setting_set --app=$app --key=path --value=$path +#REMOVEME? ynh_app_setting_set --app=$app --key=admin --value=$admin +#REMOVEME? ynh_app_setting_set --app=$app --key=password --value=$password ynh_app_setting_set --app=$app --key=users_status --value=$users_status #================================================= @@ -59,41 +59,41 @@ ynh_app_setting_set --app=$app --key=users_status --value=$users_status #================================================= # INSTALL DEPENDENCIES #================================================= -ynh_script_progression --message="Installing dependencies..." +#REMOVEME? ynh_script_progression --message="Installing dependencies..." -ynh_install_app_dependencies $pkg_dependencies +#REMOVEME? ynh_install_app_dependencies $pkg_dependencies #================================================= # CREATE DEDICATED USER #================================================= -ynh_script_progression --message="Configuring system user..." +#REMOVEME? ynh_script_progression --message="Configuring system user..." # Create a system user -ynh_system_user_create --username=$app --home_dir="$final_path" +#REMOVEME? ynh_system_user_create --username=$app --home_dir="$install_dir" #================================================= # CREATE A MYSQL DATABASE #================================================= -ynh_script_progression --message="Creating a MySQL database..." +#REMOVEME? ynh_script_progression --message="Creating a MySQL database..." -db_name=$(ynh_sanitize_dbid --db_name=$app) -db_user=$db_name -ynh_app_setting_set --app=$app --key=db_name --value=$db_name -ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name -db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) +#REMOVEME? db_name=$(ynh_sanitize_dbid --db_name=$app) +#REMOVEME? db_user=$db_name +#REMOVEME? ynh_app_setting_set --app=$app --key=db_name --value=$db_name +#REMOVEME? ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name +#REMOVEME? db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= ynh_script_progression --message="Setting up source files..." -ynh_app_setting_set --app=$app --key=final_path --value=$final_path +#REMOVEME? ynh_app_setting_set --app=$app --key=install_dir --value=$install_dir # Download, check integrity, uncompress and patch the source from app.src -ynh_setup_source --dest_dir="$final_path" +ynh_setup_source --dest_dir="$install_dir" -chmod 750 "$final_path" -chmod -R o-rwx "$final_path" -chown -R $app:www-data "$final_path" +chmod 750 "$install_dir" +chmod -R o-rwx "$install_dir" +chown -R $app:www-data "$install_dir" #================================================= # PHP-FPM CONFIGURATION @@ -119,8 +119,8 @@ ynh_add_nginx_config ynh_script_progression --message="Setuping application with CURL..." # Set right permissions for curl install -mkdir -p $final_path/plugins/auto -chown -R $app:www-data "$final_path" +mkdir -p $install_dir/plugins/auto +chown -R $app:www-data "$install_dir" # Set the app as temporarily public for curl call ynh_script_progression --message="Configuring SSOwat..." @@ -159,39 +159,39 @@ ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=fin" #================================================= ynh_script_progression --message="Adding a configuration file..." -#ynh_replace_string "'','utf8');" "'ldap.php','utf8');" $final_path/config/connect.php -cp ../conf/mes_options.php $final_path/config/mes_options.php +#ynh_replace_string "'','utf8');" "'ldap.php','utf8');" $install_dir/config/connect.php +cp ../conf/mes_options.php $install_dir/config/mes_options.php # Add security fix https://www.spip.net/en_article4201.html -cp ../conf/ecran_securite.php $final_path/config/ecran_securite.php +cp ../conf/ecran_securite.php $install_dir/config/ecran_securite.php #================================================= # STORE THE CONFIG FILE CHECKSUM #================================================= -ynh_store_file_checksum --file="$final_path/config/connect.php" +ynh_store_file_checksum --file="$install_dir/config/connect.php" #================================================= # GENERIC FINALIZATION #================================================= # SETUP SSOWAT #================================================= -ynh_script_progression --message="Configuring permissions..." +#REMOVEME? ynh_script_progression --message="Configuring permissions..." # Make app public if necessary -if [ $is_public -eq 1 ] +#REMOVEME? if [ $is_public -eq 1 ] then # Everyone can access the app. # The "main" permission is automatically created before the install script. - ynh_permission_update --permission="main" --add="visitors" +#REMOVEME? ynh_permission_update --permission="main" --add="visitors" fi #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading NGINX web server..." +#REMOVEME? ynh_script_progression --message="Reloading NGINX web server..." -ynh_systemd_action --service_name=nginx --action=reload +#REMOVEME? ynh_systemd_action --service_name=nginx --action=reload #================================================= # END OF SCRIPT diff --git a/scripts/remove b/scripts/remove index 8c4a4e1..badafc3 100644 --- a/scripts/remove +++ b/scripts/remove @@ -12,14 +12,14 @@ source /usr/share/yunohost/helpers #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." +#REMOVEME? ynh_script_progression --message="Loading installation settings..." -app=$YNH_APP_INSTANCE_NAME +#REMOVEME? app=$YNH_APP_INSTANCE_NAME -domain=$(ynh_app_setting_get --app=$app --key=domain) -db_name=$(ynh_app_setting_get --app=$app --key=db_name) -db_user=$db_name -final_path=$(ynh_app_setting_get --app=$app --key=final_path) +#REMOVEME? domain=$(ynh_app_setting_get --app=$app --key=domain) +#REMOVEME? db_name=$(ynh_app_setting_get --app=$app --key=db_name) +#REMOVEME? db_user=$db_name +#REMOVEME? #REMOVEME? install_dir=$(ynh_app_setting_get --app=$app --key=install_dir) #================================================= # STANDARD REMOVE @@ -34,18 +34,18 @@ ynh_remove_systemd_config #================================================= # REMOVE THE MYSQL DATABASE #================================================= -ynh_script_progression --message="Removing the MySQL database..." +#REMOVEME? ynh_script_progression --message="Removing the MySQL database..." # Remove a database if it exists, along with the associated user -ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name +#REMOVEME? ynh_mysql_remove_db --db_user=$db_user --db_name=$db_name #================================================= # REMOVE APP MAIN DIR #================================================= -ynh_script_progression --message="Removing app main directory..." +#REMOVEME? ynh_script_progression --message="Removing app main directory..." # Remove the app directory securely -ynh_secure_remove --file="$final_path" +#REMOVEME? ynh_secure_remove --file="$install_dir" #================================================= # REMOVE NGINX CONFIGURATION @@ -66,20 +66,20 @@ ynh_remove_fpm_config #================================================= # REMOVE DEPENDENCIES #================================================= -ynh_script_progression --message="Removing dependencies..." +#REMOVEME? ynh_script_progression --message="Removing dependencies..." # Remove metapackage and its dependencies -ynh_remove_app_dependencies +#REMOVEME? ynh_remove_app_dependencies #================================================= # GENERIC FINALIZATION #================================================= # REMOVE DEDICATED USER #================================================= -ynh_script_progression --message="Removing the dedicated system user..." +#REMOVEME? ynh_script_progression --message="Removing the dedicated system user..." # Delete a system user -ynh_system_user_delete --username=$app +#REMOVEME? ynh_system_user_delete --username=$app #================================================= # END OF SCRIPT diff --git a/scripts/restore b/scripts/restore index 5136010..e4a7477 100644 --- a/scripts/restore +++ b/scripts/restore @@ -14,62 +14,62 @@ source /usr/share/yunohost/helpers # MANAGE SCRIPT FAILURE #================================================= -ynh_clean_setup () { +#REMOVEME? ynh_clean_setup () { true } # Exit if an error occurs during the execution of the script -ynh_abort_if_errors +#REMOVEME? ynh_abort_if_errors #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." +#REMOVEME? ynh_script_progression --message="Loading installation settings..." -app=$YNH_APP_INSTANCE_NAME +#REMOVEME? app=$YNH_APP_INSTANCE_NAME -domain=$(ynh_app_setting_get --app=$app --key=domain) -path_url=$(ynh_app_setting_get --app=$app --key=path) -final_path=$(ynh_app_setting_get --app=$app --key=final_path) -db_name=$(ynh_app_setting_get --app=$app --key=db_name) -db_user=$db_name -phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) +#REMOVEME? domain=$(ynh_app_setting_get --app=$app --key=domain) +#REMOVEME? path=$(ynh_app_setting_get --app=$app --key=path) +#REMOVEME? #REMOVEME? install_dir=$(ynh_app_setting_get --app=$app --key=install_dir) +#REMOVEME? db_name=$(ynh_app_setting_get --app=$app --key=db_name) +#REMOVEME? db_user=$db_name +#REMOVEME? phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= # CHECK IF THE APP CAN BE RESTORED #================================================= -ynh_script_progression --message="Validating restoration parameters..." +#REMOVEME? ynh_script_progression --message="Validating restoration parameters..." -test ! -d $final_path \ - || ynh_die --message="There is already a directory: $final_path " +#REMOVEME? test ! -d $install_dir \ + || ynh_die --message="There is already a directory: $install_dir " #================================================= # STANDARD RESTORATION STEPS #================================================= # RECREATE THE DEDICATED USER #================================================= -ynh_script_progression --message="Recreating the dedicated system user..." +#REMOVEME? ynh_script_progression --message="Recreating the dedicated system user..." # Create the dedicated user (if not existing) -ynh_system_user_create --username=$app --home_dir=$final_path +#REMOVEME? ynh_system_user_create --username=$app --home_dir=$install_dir #================================================= # RESTORE THE APP MAIN DIR #================================================= ynh_script_progression --message="Restoring the app main directory..." -ynh_restore_file --origin_path="$final_path" +ynh_restore_file --origin_path="$install_dir" -chmod 750 "$final_path" -chmod -R o-rwx "$final_path" -chown -R $app:www-data "$final_path" +chmod 750 "$install_dir" +chmod -R o-rwx "$install_dir" +chown -R $app:www-data "$install_dir" #================================================= # REINSTALL DEPENDENCIES #================================================= -ynh_script_progression --message="Reinstalling dependencies..." +#REMOVEME? ynh_script_progression --message="Reinstalling dependencies..." # Define and install dependencies -ynh_install_app_dependencies $pkg_dependencies +#REMOVEME? ynh_install_app_dependencies $pkg_dependencies #================================================= # RESTORE THE PHP-FPM CONFIGURATION @@ -92,10 +92,10 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" #================================================= # RESTORE THE MYSQL DATABASE #================================================= -ynh_script_progression --message="Restoring the MySQL database..." +#REMOVEME? ynh_script_progression --message="Restoring the MySQL database..." -db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) -ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd +#REMOVEME? db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) +#REMOVEME? ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./db.sql #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 3fab063..d461faa 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -12,19 +12,19 @@ source /usr/share/yunohost/helpers #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." +#REMOVEME? ynh_script_progression --message="Loading installation settings..." -app=$YNH_APP_INSTANCE_NAME +#REMOVEME? app=$YNH_APP_INSTANCE_NAME -domain=$(ynh_app_setting_get --app=$app --key=domain) -path_url=$(ynh_app_setting_get --app=$app --key=path) -admin=$(ynh_app_setting_get --app=$app --key=admin) -password=$(ynh_app_setting_get --app=$app --key=password) -final_path=$(ynh_app_setting_get --app=$app --key=final_path) -users_status=$(ynh_app_setting_get --app=$app --key=users_status) -db_name=$(ynh_app_setting_get --app=$app --key=db_name) -db_user=$db_name -db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) +#REMOVEME? domain=$(ynh_app_setting_get --app=$app --key=domain) +#REMOVEME? path=$(ynh_app_setting_get --app=$app --key=path) +#REMOVEME? admin=$(ynh_app_setting_get --app=$app --key=admin) +#REMOVEME? password=$(ynh_app_setting_get --app=$app --key=password) +#REMOVEME? #REMOVEME? install_dir=$(ynh_app_setting_get --app=$app --key=install_dir) +#REMOVEME? users_status=$(ynh_app_setting_get --app=$app --key=users_status) +#REMOVEME? db_name=$(ynh_app_setting_get --app=$app --key=db_name) +#REMOVEME? db_user=$db_name +#REMOVEME? db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) #================================================= # CHECK VERSION @@ -36,21 +36,21 @@ upgrade_type=$(ynh_check_app_version_changed) #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= -ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." +#REMOVEME? ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." # Backup the current version of the app -ynh_backup_before_upgrade -ynh_clean_setup () { +#REMOVEME? ynh_backup_before_upgrade +#REMOVEME? ynh_clean_setup () { if [ $migration_process -eq 1 ]; then yunohost app remove $app # Reload some values changed by the migration process - app=$YNH_APP_INSTANCE_NAME +#REMOVEME? app=$YNH_APP_INSTANCE_NAME fi # Restore it if the upgrade fails - ynh_restore_upgradebackup +#REMOVEME? ynh_restore_upgradebackup } # Exit if an error occurs during the execution of the script -ynh_abort_if_errors +#REMOVEME? ynh_abort_if_errors #================================================= # STANDARD UPGRADE STEPS @@ -60,20 +60,20 @@ ynh_abort_if_errors ynh_script_progression --message="Ensuring downward compatibility..." # Remove is_public -if [ -n "$(ynh_app_setting_get --app=$app --key=is_public)" ]; then +#REMOVEME? if [ -n "$(ynh_app_setting_get --app=$app --key=is_public)" ]; then ynh_app_setting_delete --app=$app --key=is_public fi # If db_name doesn't exist, create it if [ -z $db_name ]; then db_name=$app - ynh_app_setting_set --app=$app --key=db_name --value=$db_name +#REMOVEME? ynh_app_setting_set --app=$app --key=db_name --value=$db_name fi -# If final_path doesn't exist, create it -if [ -z $final_path ]; then - final_path=/var/www/$app - ynh_app_setting_set --app=$app --key=final_path --value=$final_path +# If install_dir doesn't exist, create it +if [ -z $install_dir ]; then +#REMOVEME? install_dir=/var/www/$app +#REMOVEME? ynh_app_setting_set --app=$app --key=install_dir --value=$install_dir fi # If users_status doesn't exist, create it @@ -92,12 +92,12 @@ if [ -z $password ]; then ynh_send_readme_to_admin --app_message="mail_to_send" --type="upgrade" - ynh_app_setting_set --app=$app --key=password --value=$password +#REMOVEME? ynh_app_setting_set --app=$app --key=password --value=$password fi # Cleaning legacy permissions -if ynh_legacy_permissions_exists; then - ynh_legacy_permissions_delete_all +#REMOVEME? if ynh_legacy_permissions_exists; then +#REMOVEME? ynh_legacy_permissions_delete_all fi #================================================= @@ -108,17 +108,17 @@ ynh_handle_app_migration "spip2" "spip2_migration" if [ $migration_process -eq 1 ]; then # If a migration has been perform # Reload some values changed by the migration process - final_path=$(ynh_app_setting_get --app=$app --key=final_path) - db_name=$(ynh_app_setting_get --app=$app --key=db_name) +#REMOVEME? #REMOVEME? install_dir=$(ynh_app_setting_get --app=$app --key=install_dir) +#REMOVEME? db_name=$(ynh_app_setting_get --app=$app --key=db_name) fi #================================================= # CREATE DEDICATED USER #================================================= -ynh_script_progression --message="Making sure dedicated system user exists..." +#REMOVEME? ynh_script_progression --message="Making sure dedicated system user exists..." # Create a dedicated user (if not existing) -ynh_system_user_create --username=$app --home_dir="$final_path" +#REMOVEME? ynh_system_user_create --username=$app --home_dir="$install_dir" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -129,19 +129,19 @@ then ynh_script_progression --message="Upgrading source files..." # Download, check integrity, uncompress and patch the source from app.src - ynh_setup_source --dest_dir="$final_path" + ynh_setup_source --dest_dir="$install_dir" fi -chmod 750 "$final_path" -chmod -R o-rwx "$final_path" -chown -R $app:www-data "$final_path" +chmod 750 "$install_dir" +chmod -R o-rwx "$install_dir" +chown -R $app:www-data "$install_dir" #================================================= # UPGRADE DEPENDENCIES #================================================= -ynh_script_progression --message="Upgrading dependencies..." +#REMOVEME? ynh_script_progression --message="Upgrading dependencies..." -ynh_install_app_dependencies $pkg_dependencies +#REMOVEME? ynh_install_app_dependencies $pkg_dependencies #================================================= # PHP-FPM CONFIGURATION @@ -167,15 +167,15 @@ ynh_add_nginx_config ynh_script_progression --message="Setuping application with CURL..." # Set right permissions for curl install -mkdir -p $final_path/plugins/auto -chown -R $app:www-data "$final_path" +mkdir -p $install_dir/plugins/auto +chown -R $app:www-data "$install_dir" # Set the app as temporarily public for curl call ynh_script_progression --message="Configuring SSOwat..." -ynh_backup_if_checksum_is_different --file="$final_path/config/connect.php" +ynh_backup_if_checksum_is_different --file="$install_dir/config/connect.php" -mv $final_path/config/connect.php $final_path/config/connect.php.ynh_bkp +mv $install_dir/config/connect.php $install_dir/config/connect.php.ynh_bkp # Installation with curl ynh_script_progression --message="Finalizing installation..." @@ -211,31 +211,31 @@ ynh_local_curl "/ecrire/?suivant" "exec=install" "etape=fin" #================================================= ynh_script_progression --message="Updating a configuration file..." -#ynh_replace_string --match_string="'','utf8');" --replace_string="'ldap.php','utf8');" --target_file=$final_path/config/connect.php -cp ../conf/mes_options.php $final_path/config/mes_options.php +#ynh_replace_string --match_string="'','utf8');" --replace_string="'ldap.php','utf8');" --target_file=$install_dir/config/connect.php +cp ../conf/mes_options.php $install_dir/config/mes_options.php -if [ ! -f $final_path/config/connect.php ]; then - mv $final_path/config/connect.php.ynh_bkp $final_path/config/connect.php +if [ ! -f $install_dir/config/connect.php ]; then + mv $install_dir/config/connect.php.ynh_bkp $install_dir/config/connect.php else - ynh_secure_remove --file="$final_path/config/connect.php.ynh_bkp" +#REMOVEME? ynh_secure_remove --file="$install_dir/config/connect.php.ynh_bkp" fi -ynh_store_file_checksum --file="$final_path/config/connect.php" +ynh_store_file_checksum --file="$install_dir/config/connect.php" #================================================= # GENERIC FINALIZATION #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading NGINX web server..." +#REMOVEME? ynh_script_progression --message="Reloading NGINX web server..." -ynh_systemd_action --service_name=nginx --action=reload +#REMOVEME? ynh_systemd_action --service_name=nginx --action=reload #================================================= # SEND INFORMATION #================================================= -echo "To finish the upgrade, you may have to update the database by clicking on the button (if asked) at this location: https://$domain$path_url/ecrire/" > mail_to_send +echo "To finish the upgrade, you may have to update the database by clicking on the button (if asked) at this location: https://$domain$path/ecrire/" > mail_to_send ynh_send_readme_to_admin --app_message="mail_to_send" --type="upgrade" From 42337fa79cfbdcd81e3138f870d0bd4e984db606 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Thu, 1 Jun 2023 10:09:17 +0200 Subject: [PATCH 3/9] v2 --- conf/extra_php-fpm.conf | 4 + conf/nginx.conf | 2 +- conf/php-fpm.conf | 430 ----------------------------------- conf/spip2_migration | 10 - conf/spip2_post_migration.sh | 38 ---- doc/DESCRIPTION.md | 1 + doc/DISCLAIMER.md | 32 --- doc/DISCLAIMER_fr.md | 29 --- manifest.json | 73 ------ manifest.toml | 24 +- scripts/_common.sh | 4 - scripts/backup | 22 -- scripts/change_url | 86 ------- scripts/install | 104 +-------- scripts/upgrade | 114 +--------- 15 files changed, 22 insertions(+), 951 deletions(-) create mode 100644 conf/extra_php-fpm.conf delete mode 100644 conf/php-fpm.conf delete mode 100644 conf/spip2_migration delete mode 100644 conf/spip2_post_migration.sh create mode 100644 doc/DESCRIPTION.md delete mode 100644 doc/DISCLAIMER.md delete mode 100644 doc/DISCLAIMER_fr.md delete mode 100644 manifest.json diff --git a/conf/extra_php-fpm.conf b/conf/extra_php-fpm.conf new file mode 100644 index 0000000..700c37c --- /dev/null +++ b/conf/extra_php-fpm.conf @@ -0,0 +1,4 @@ +; Additional php.ini defines, specific to this pool of workers. + +php_admin_value[upload_max_filesize] = 50M +php_admin_value[post_max_size] = 50M diff --git a/conf/nginx.conf b/conf/nginx.conf index ce8161b..6b6e3c9 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -6,7 +6,7 @@ location __PATH__/ { index index.php; - client_max_body_size 30M; + client_max_body_size 50M; try_files $uri $uri/ index.php; diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf deleted file mode 100644 index 1cf8768..0000000 --- a/conf/php-fpm.conf +++ /dev/null @@ -1,430 +0,0 @@ -; Start a new pool named 'www'. -; the variable $pool can be used in any directive and will be replaced by the -; pool name ('www' here) -[__NAMETOCHANGE__] - -; Per pool prefix -; It only applies on the following directives: -; - 'access.log' -; - 'slowlog' -; - 'listen' (unixsocket) -; - 'chroot' -; - 'chdir' -; - 'php_values' -; - 'php_admin_values' -; When not set, the global prefix (or /usr) applies instead. -; Note: This directive can also be relative to the global prefix. -; Default Value: none -;prefix = /path/to/pools/$pool - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = __USER__ -group = __USER__ - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on -; a specific port; -; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses -; (IPv6 and IPv4-mapped) on a specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. -listen = /var/run/php/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock - -; Set listen(2) backlog. -; Default Value: 511 (-1 on FreeBSD and OpenBSD) -;listen.backlog = 511 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0660 -listen.owner = www-data -listen.group = www-data -;listen.mode = 0660 -; When POSIX Access Control Lists are supported you can set them using -; these options, value is a comma separated list of user/group names. -; When set, listen.owner and listen.group are ignored -;listen.acl_users = -;listen.acl_groups = - -; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -;listen.allowed_clients = 127.0.0.1 - -; Specify the nice(2) priority to apply to the pool processes (only if set) -; The value can vary from -19 (highest priority) to 20 (lower priority) -; Note: - It will only work if the FPM master process is launched as root -; - The pool processes will inherit the master process priority -; unless it specified otherwise -; Default Value: no set -; process.priority = -19 - -; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user -; or group is differrent than the master process user. It allows to create process -; core dump and ptrace the process for the pool user. -; Default Value: no -; process.dumpable = yes - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives. With this process management, there will be -; always at least 1 children. -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. -; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; ondemand - no children are created at startup. Children will be forked when -; new requests will connect. The following parameter are used: -; pm.max_children - the maximum number of children that -; can be alive at the same time. -; pm.process_idle_timeout - The number of seconds after which -; an idle process will be killed. -; Note: This value is mandatory. -pm = dynamic - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. The below defaults are based on a server without much resources. Don't -; forget to tweak pm.* to fit your needs. -; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' -; Note: This value is mandatory. -pm.max_children = 5 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -pm.start_servers = 2 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.min_spare_servers = 1 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.max_spare_servers = 3 - -; The number of seconds after which an idle process will be killed. -; Note: Used only when pm is set to 'ondemand' -; Default Value: 10s -;pm.process_idle_timeout = 10s; - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -;pm.max_requests = 500 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. It shows the following informations: -; pool - the name of the pool; -; process manager - static, dynamic or ondemand; -; start time - the date and time FPM has started; -; start since - number of seconds since FPM has started; -; accepted conn - the number of request accepted by the pool; -; listen queue - the number of request in the queue of pending -; connections (see backlog in listen(2)); -; max listen queue - the maximum number of requests in the queue -; of pending connections since FPM has started; -; listen queue len - the size of the socket queue of pending connections; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes; -; max active processes - the maximum number of active processes since FPM -; has started; -; max children reached - number of times, the process limit has been reached, -; when pm tries to start more children (works only for -; pm 'dynamic' and 'ondemand'); -; Value are updated in real time. -; Example output: -; pool: www -; process manager: static -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 62636 -; accepted conn: 190460 -; listen queue: 0 -; max listen queue: 1 -; listen queue len: 42 -; idle processes: 4 -; active processes: 11 -; total processes: 15 -; max active processes: 12 -; max children reached: 0 -; -; By default the status page output is formatted as text/plain. Passing either -; 'html', 'xml' or 'json' in the query string will return the corresponding -; output syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; http://www.foo.bar/status?xml -; -; By default the status page only outputs short status. Passing 'full' in the -; query string will also return status for each pool process. -; Example: -; http://www.foo.bar/status?full -; http://www.foo.bar/status?json&full -; http://www.foo.bar/status?html&full -; http://www.foo.bar/status?xml&full -; The Full status returns for each process: -; pid - the PID of the process; -; state - the state of the process (Idle, Running, ...); -; start time - the date and time the process has started; -; start since - the number of seconds since the process has started; -; requests - the number of requests the process has served; -; request duration - the duration in µs of the requests; -; request method - the request method (GET, POST, ...); -; request URI - the request URI with the query string; -; content length - the content length of the request (only with POST); -; user - the user (PHP_AUTH_USER) (or '-' if not set); -; script - the main script called (or '-' if not set); -; last request cpu - the %cpu the last request consumed -; it's always 0 if the process is not in Idle state -; because CPU calculation is done when the request -; processing has terminated; -; last request memory - the max amount of memory the last request consumed -; it's always 0 if the process is not in Idle state -; because memory calculation is done when the request -; processing has terminated; -; If the process is in Idle state, then informations are related to the -; last request the process has served. Otherwise informations are related to -; the current request being served. -; Example output: -; ************************ -; pid: 31330 -; state: Running -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 63087 -; requests: 12808 -; request duration: 1250261 -; request method: GET -; request URI: /test_mem.php?N=10000 -; content length: 0 -; user: - -; script: /home/fat/web/docs/php/test_mem.php -; last request cpu: 0.00 -; last request memory: 0 -; -; Note: There is a real-time FPM status monitoring sample web page available -; It's available in: /usr/share/php/7.0/fpm/status.html -; -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. -; Default Value: pong -;ping.response = pong - -; The access log file -; Default: not set -;access.log = log/$pool.access.log - -; The access log format. -; The following syntax is allowed -; %%: the '%' character -; %C: %CPU used by the request -; it can accept the following format: -; - %{user}C for user CPU only -; - %{system}C for system CPU only -; - %{total}C for user + system CPU (default) -; %d: time taken to serve the request -; it can accept the following format: -; - %{seconds}d (default) -; - %{miliseconds}d -; - %{mili}d -; - %{microseconds}d -; - %{micro}d -; %e: an environment variable (same as $_ENV or $_SERVER) -; it must be associated with embraces to specify the name of the env -; variable. Some exemples: -; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e -; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e -; %f: script filename -; %l: content-length of the request (for POST request only) -; %m: request method -; %M: peak of memory allocated by PHP -; it can accept the following format: -; - %{bytes}M (default) -; - %{kilobytes}M -; - %{kilo}M -; - %{megabytes}M -; - %{mega}M -; %n: pool name -; %o: output header -; it must be associated with embraces to specify the name of the header: -; - %{Content-Type}o -; - %{X-Powered-By}o -; - %{Transfert-Encoding}o -; - .... -; %p: PID of the child that serviced the request -; %P: PID of the parent of the child that serviced the request -; %q: the query string -; %Q: the '?' character if query string exists -; %r: the request URI (without the query string, see %q and %Q) -; %R: remote IP address -; %s: status (response code) -; %t: server time the request was received -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; The strftime(3) format must be encapsuled in a %{