Merge #3889
3889: Fix CI, upgrade base image r=mergify[bot] a=nextgens ## What type of PR? bug-fix ## What does this PR do? Fix CI by upgrading the base image: - Alpine: 3.21.4 - Carddav: 5.1.1 - docs infra, snufflepagus rules ### Related issue(s) ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry is not applicable, you can check it or remove it from the list. - [ ] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. Co-authored-by: Florent Daigniere <nextgens@freenetproject.org> Co-authored-by: Florent Daigniere <nextgens@users.noreply.github.com>
@@ -3,7 +3,7 @@
|
||||
# base system image (intermediate)
|
||||
# Note when updating the alpine tag, first manually run the workflow .github/workflows/mirror.yml.
|
||||
# Just run the workflow with the tag that must be synchronised.
|
||||
ARG DISTRO=ghcr.io/mailu/alpine:3.21.0
|
||||
ARG DISTRO=ghcr.io/mailu/alpine:3.21.4
|
||||
FROM $DISTRO as system
|
||||
|
||||
ENV TZ=Etc/UTC LANG=C.UTF-8
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
# Convert .rst files to .html in temporary build container
|
||||
FROM python:3.12.3-alpine3.19 AS build
|
||||
FROM python:3.13.6-alpine3.22 AS build
|
||||
|
||||
ARG version=master
|
||||
ENV VERSION=$version
|
||||
@@ -25,7 +25,7 @@ RUN set -euxo pipefail \
|
||||
|
||||
|
||||
# Build nginx deployment image including generated html
|
||||
FROM nginx:1.25.5-alpine
|
||||
FROM nginx:1.29.0-alpine
|
||||
|
||||
ARG version=master
|
||||
ARG pinned_version=master
|
||||
|
||||
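--- /dev/null
+++ b/towncrier/newsfragments/3889.misc
@@ -0,0 +1 @@
+Upgrade the following: Alpine: 3.21.4, Roundcube: 1.6.11, Carddav: 5.1.1, docs infra, snufflepagus rules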
@@ -29,7 +29,7 @@ RUN set -euxo pipefail \
|
||||
|
||||
# roundcube
|
||||
ENV ROUNDCUBE_URL https://github.com/roundcube/roundcubemail/releases/download/1.6.11/roundcubemail-1.6.11-complete.tar.gz
|
||||
ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v5.1.0/carddav-v5.1.0.tar.gz
|
||||
ENV CARDDAV_URL https://github.com/mstilkerich/rcmcarddav/releases/download/v5.1.1/carddav-v5.1.1.tar.gz
|
||||
|
||||
RUN set -euxo pipefail \
|
||||
; cd /var/www \
|
||||
|
||||
@@ -42,35 +42,38 @@ sp.disable_function.function("chmod").param("permissions").value("511").drop();
|
||||
|
||||
# Prevent various `mail`-related vulnerabilities
|
||||
# Uncommend the second rule if you're using php8.3+
|
||||
@condition PHP_VERSION_ID < 80300;
|
||||
sp.disable_function.function("mail").param("additional_parameters").value_r("\\-").drop();
|
||||
@condition PHP_VERSION_ID >= 80300;
|
||||
sp.disable_function.function("mail").param("additional_params").value_r("\\-").drop();
|
||||
@end_condition;
|
||||
|
||||
# Since it's now burned, me might as well mitigate it publicly
|
||||
sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop()
|
||||
sp.disable_function.function("putenv").param("assignment").value("PATH").drop()
|
||||
sp.disable_function.function("putenv").param("assignment").value_r("LD_").drop();
|
||||
sp.disable_function.function("putenv").param("assignment").value("PATH").drop();
|
||||
|
||||
# This one was burned in Nov 2019 - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
|
||||
sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop()
|
||||
sp.disable_function.function("putenv").param("assignment").value_r("GCONV_").drop();
|
||||
|
||||
# Since people are stupid enough to use `extract` on things like $_GET or $_POST, we might as well mitigate this vector
|
||||
sp.disable_function.function("extract").param("array").value_r("^_").drop()
|
||||
sp.disable_function.function("extract").param("flags").value("0").drop()
|
||||
sp.disable_function.function("extract").param("array").value_r("^_").drop();
|
||||
sp.disable_function.function("extract").param("flags").value("0").drop();
|
||||
|
||||
# See https://dustri.org/b/ini_set-based-open_basedir-bypass.html
|
||||
# Since we have no way of matching on two parameters at the same time, we're
|
||||
# blocking calls to open_basedir altogether: nobody is using it via ini_set anyway.
|
||||
# Moreover, there are non-public bypasses that are also using this vector ;)
|
||||
sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop()
|
||||
sp.disable_function.function("ini_set").param("option").value_r("open_basedir").drop();
|
||||
|
||||
# Prevent various `include`-related vulnerabilities
|
||||
sp.disable_function.function("require_once").value_r("\.(inc|phtml|php)$").allow();
|
||||
sp.disable_function.function("include_once").value_r("\.(inc|phtml|php)$").allow();
|
||||
sp.disable_function.function("require").value_r("\.(inc|phtml|php)$").allow();
|
||||
sp.disable_function.function("include").value_r("\.(inc|phtml|php)$").allow();
|
||||
sp.disable_function.function("require_once").drop()
|
||||
sp.disable_function.function("include_once").drop()
|
||||
sp.disable_function.function("require").drop()
|
||||
sp.disable_function.function("include").drop()
|
||||
sp.disable_function.function("require_once").drop();
|
||||
sp.disable_function.function("include_once").drop();
|
||||
sp.disable_function.function("require").drop();
|
||||
sp.disable_function.function("include").drop();
|
||||
|
||||
# Prevent `system`-related injections
|
||||
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
|
||||
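Review bot: The comment `# Uncommend the second rule if you're using php8.3+` no longer matches the rules beneath it: the `@condition PHP_VERSION_ID < 80300;` / `@condition PHP_VERSION_ID >= 80300;` pragmas select the applicable `mail` rule automatically, so there is nothing to uncomment, and "Uncommend" is a typo. I would replace it with `# PHP 8.3 renamed mail()'s fifth parameter (additional_parameters -> additional_params); both rules are kept under version conditions so the matching one is active.` Whether the condition pragmas are new in this commit or pre-existing context is not recoverable from this render. It is also worth confirming that the parser treats the second `@condition` as closing the first, since only a single `@end_condition;` follows the pair; if it does not, the second rule may presumably end up nested inside the first condition rather than being its alternative.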
@@ -129,11 +132,22 @@ sp.disable_function.function("curl_init").param("url").value_r("file://").drop()
|
||||
# File upload
|
||||
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ph").drop();
|
||||
sp.disable_function.function("move_uploaded_file").param("to").value_r("\\.ht").drop();
|
||||
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ph").drop();
|
||||
sp.disable_function.function("move_uploaded_file").param("destination").value_r("\\.ht").drop();
|
||||
|
||||
# Logging lockdown
|
||||
sp.disable_function.function("ini_set").param("option").value_r("error_log").drop()
|
||||
sp.disable_function.function("ini_set").param("option").value_r("error_log").drop();
|
||||
sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename_r("/var/www/snappymail/snappymail/v/[0-9]+\.[0-9]+\.[0-9]+/app/libraries/snappymail/shutdown.php").allow();
|
||||
sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop()
|
||||
sp.disable_function.function("ini_set").param("option").value_r("display_errors").drop();
|
||||
|
||||
# Classic webshells patterns
|
||||
sp.disable_function.function("system>base64_decode").drop();
|
||||
sp.disable_function.function("shell_exec>base64_decode").drop();
|
||||
sp.disable_function.function("exec>base64_decode").drop();
|
||||
sp.disable_function.function("passthru>base64_decode").drop();
|
||||
sp.disable_function.function("proc_open>base64_decode").drop();
|
||||
# TODO: enable this for real
|
||||
sp.eval_blacklist.list("system,exec,shell_exec,passthru,proc_open").simulation();
|
||||
|
||||
sp.auto_cookie_secure.enable();
|
||||
# TODO: consider encrypting the cookies?
|
||||
|
||||
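Review bot: The two `move_uploaded_file` rules now match on `param("destination")` instead of `param("to")`; this name is presumably compared against the parameter name the running PHP build declares, and a name that does not match would leave the rule inert with no error, so the `.ph`/`.ht` upload lockdown could be lost silently. Please verify the name against the PHP version shipped in the image (the earlier rules hunk refers to 8.3) and record the source in a comment, e.g. `# param name must match PHP's declared signature for move_uploaded_file(); re-check on PHP upgrades`. Separately, the `filename_r(...)` allow rule for snappymail's shutdown.php writes the dot as `\.` while the neighbouring `value_r("\\.ph")` uses `\\.`; worth confirming both escapings yield a literal dot in this file's string syntax. Note also that `sp.eval_blacklist.list(...).simulation();` only reports, as the TODO above it acknowledges, so the `*>base64_decode` drop rules are the only blocking control in that block.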