Loading Dockerfile +27 −3 Original line number Diff line number Diff line FROM nextcloud:19.0.8-fpm FROM nextcloud:19.0.9-fpm ARG BASE_DIR="/usr/src/nextcloud" ARG TMP_PATCH_DIR="/tmp/build_patches" ARG THEME_VERSION="19.0.8.2" Loading @@ -6,12 +6,15 @@ ARG NEWS_VERSION="14.2.2" ARG QUOTA_WARN_VERSION="1.8.0" ARG CARNET_VERSION="0.23.7" ARG NOTES_VERSION="3.6.4" ARG CONTACTS_VERSION="3.4.3" ARG CALENDAR_VERSION="2.0.5" ARG USER_BACKEND_RAW_SQL_VERSION="1.0.12" RUN mkdir -p /var/www/skeleton/Documents && mkdir -p /var/www/skeleton/Images COPY patches/ ${TMP_PATCH_DIR}/ COPY custom_entrypoint.sh / RUN chmod +x /custom_entrypoint.sh RUN sed -i 's/19,0,8,1/19,0,8,6/' ${BASE_DIR}/version.php RUN sed -i 's/19,0,9,1/19,0,9,3/' ${BASE_DIR}/version.php # Custom apps RUN curl -fsSL -o news.tar.gz \ Loading 
@@ -34,15 +37,36 @@ RUN curl -fsSL -o notes.tar.gz \ tar -xf notes.tar.gz -C ${BASE_DIR}/custom_apps/ && \ rm notes.tar.gz; RUN curl -fsSL -o contacts.tar.gz \ "https://github.com/nextcloud/contacts/releases/download/v${CONTACTS_VERSION}/contacts.tar.gz" && \ tar -xf contacts.tar.gz -C ${BASE_DIR}/custom_apps/ && \ rm contacts.tar.gz; RUN curl -fsSL -o calendar.tar.gz \ "https://github.com/nextcloud/calendar/releases/download/v${CALENDAR_VERSION}/calendar.tar.gz" && \ tar -xf calendar.tar.gz -C ${BASE_DIR}/custom_apps/ && \ rm calendar.tar.gz; RUN curl -fsSL -o user_backend_sql_raw.tar.gz \ "https://github.com/PanCakeConnaisseur/user_backend_sql_raw/releases/download/v${USER_BACKEND_RAW_SQL_VERSION}/user_backend_sql_raw.tar.gz" && \ tar -xf user_backend_sql_raw.tar.gz -C ${BASE_DIR}/custom_apps/ && \ rm user_backend_sql_raw.tar.gz; # Patches #RUN patch -u ${BASE_DIR}/core/signature.json -i ${TMP_PATCH_DIR}/001-sha512-signature.patch RUN patch -u ${BASE_DIR}/core/Controller/LoginController.php -i ${TMP_PATCH_DIR}/002-login-without-domain.patch RUN patch -u ${BASE_DIR}/core/templates/layout.user.php -i ${TMP_PATCH_DIR}/003-contact-search-removal.patch RUN patch -u ${BASE_DIR}/core/Controller/ContactsMenuController.php -i ${TMP_PATCH_DIR}/004-contact-search-controller-removal.patch RUN cd ${BASE_DIR} && patch -p0 < ${TMP_PATCH_DIR}/005-autocomplete-user-leak.patch RUN cd ${BASE_DIR} && patch -p0 < ${TMP_PATCH_DIR}/005-autocomplete-user-leak-core.patch RUN cd ${BASE_DIR}/custom_apps && patch -p0 < ${TMP_PATCH_DIR}/005-autocomplete-user-leak-custom-app.patch RUN patch -u ${BASE_DIR}/custom_apps/notes/lib/Service/NoteUtil.php -i ${TMP_PATCH_DIR}/006-notes-url-fix.patch RUN rm -rf ${TMP_PATCH_DIR} # autocomplete leak tweak apps frontend with sed, disable group suggestion RUN cd ${BASE_DIR}/custom_apps/contacts && sed -i 's/"GROUP","INDIVIDUAL"/"INDIVIDUAL"/g' js/contacts-main.js RUN cd ${BASE_DIR}/custom_apps/calendar && sed -i 's/"GROUP","INDIVIDUAL"/"INDIVIDUAL"/g' 
js/calendar.js # Custom theme RUN curl -fsSL -o eelo-theme.tar.gz \ "https://gitlab.e.foundation/e/infra/nextcloud-theme/-/archive/${THEME_VERSION}/nextcloud-theme-${THEME_VERSION}.tar.gz" && \ Loading custom_entrypoint.sh +3 −0 Original line number Diff line number Diff line Loading @@ -10,6 +10,9 @@ rsync $rsync_options --include "/news/" --exclude '/*' $SRC_DIR/custom_apps/ $DS rsync $rsync_options --include "/notes/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/quota_warning/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/carnet/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/calendar/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/contacts/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/user_backend_sql_raw/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/eelo/" --exclude '/*' $SRC_DIR/themes/ $DST_DIR/themes/ Loading patches/005-autocomplete-user-leak.patch→patches/005-autocomplete-user-leak-core.patch +0 −20 Original line number Diff line number Diff line --- lib/private/User/Database.php 2021-01-25 15:56:05.000000000 +0100 +++ lib/private/User/Database-new.php 2021-02-16 14:54:37.161624233 +0100 @@ -284,7 +284,7 @@ $result = $query->execute(); $displayNames = []; while ($row = $result->fetch()) { - $displayNames[(string)$row['uid']] = (string)$row['displayname']; + $displayNames[(string)$row['uid']] = (string)$row['uid']; } return $displayNames; --- lib/private/Collaboration/Collaborators/UserPlugin.php 2021-01-25 15:56:05.000000000 +0100 +++ lib/private/Collaboration/Collaborators/UserPlugin-new.php 2021-02-16 14:56:26.778152834 +0100 
@@ -92,7 +92,7 @@ } } else { // Search in all users - $usersTmp = $this->userManager->searchDisplayName($search, $limit, $offset); + $usersTmp = $this->userManager->search($search, $limit, $offset); foreach ($usersTmp as $user) { if ($user->isEnabled()) { // Don't keep deactivated users $users[$user->getUID()] = $user; @@ -114,7 +114,7 @@ $uid = (string) $uid; if ( Loading patches/005-autocomplete-user-leak-custom-app.patch 0 → 100644 +12 −0 Original line number Diff line number Diff line --- user_backend_sql_raw/lib/UserBackend.php 2020-10-06 01:56:49.000000000 +0200 +++ user_backend_sql_raw/lib/UserBackend-new.php 2021-03-02 15:43:12.615868478 +0100 @@ -108,7 +108,8 @@ // Because MariaDB can not handle string parameters for LIMIT/OFFSET we have to bind the // values "manually" instead of passing an array to execute(). This is another instance of // MariaDB making the code "uglier". - $statement->bindValue(':search', '%' . $searchString . '%', \PDO::PARAM_STR); + $statement->bindValue(':search', $searchString , \PDO::PARAM_STR); + if (isset($limit)) { $statement->bindValue(':limit', intval($limit), \PDO::PARAM_INT); } No newline at end of file Loading
Dockerfile +27 −3 Original line number Diff line number Diff line FROM nextcloud:19.0.8-fpm FROM nextcloud:19.0.9-fpm ARG BASE_DIR="/usr/src/nextcloud" ARG TMP_PATCH_DIR="/tmp/build_patches" ARG THEME_VERSION="19.0.8.2" Loading @@ -6,12 +6,15 @@ ARG NEWS_VERSION="14.2.2" ARG QUOTA_WARN_VERSION="1.8.0" ARG CARNET_VERSION="0.23.7" ARG NOTES_VERSION="3.6.4" ARG CONTACTS_VERSION="3.4.3" ARG CALENDAR_VERSION="2.0.5" ARG USER_BACKEND_RAW_SQL_VERSION="1.0.12" RUN mkdir -p /var/www/skeleton/Documents && mkdir -p /var/www/skeleton/Images COPY patches/ ${TMP_PATCH_DIR}/ COPY custom_entrypoint.sh / RUN chmod +x /custom_entrypoint.sh RUN sed -i 's/19,0,8,1/19,0,8,6/' ${BASE_DIR}/version.php RUN sed -i 's/19,0,9,1/19,0,9,3/' ${BASE_DIR}/version.php # Custom apps RUN curl -fsSL -o news.tar.gz \ Loading 
@@ -34,15 +37,36 @@ RUN curl -fsSL -o notes.tar.gz \ tar -xf notes.tar.gz -C ${BASE_DIR}/custom_apps/ && \ rm notes.tar.gz; RUN curl -fsSL -o contacts.tar.gz \ "https://github.com/nextcloud/contacts/releases/download/v${CONTACTS_VERSION}/contacts.tar.gz" && \ tar -xf contacts.tar.gz -C ${BASE_DIR}/custom_apps/ && \ rm contacts.tar.gz; RUN curl -fsSL -o calendar.tar.gz \ "https://github.com/nextcloud/calendar/releases/download/v${CALENDAR_VERSION}/calendar.tar.gz" && \ tar -xf calendar.tar.gz -C ${BASE_DIR}/custom_apps/ && \ rm calendar.tar.gz; RUN curl -fsSL -o user_backend_sql_raw.tar.gz \ "https://github.com/PanCakeConnaisseur/user_backend_sql_raw/releases/download/v${USER_BACKEND_RAW_SQL_VERSION}/user_backend_sql_raw.tar.gz" && \ tar -xf user_backend_sql_raw.tar.gz -C ${BASE_DIR}/custom_apps/ && \ rm user_backend_sql_raw.tar.gz; # Patches #RUN patch -u ${BASE_DIR}/core/signature.json -i ${TMP_PATCH_DIR}/001-sha512-signature.patch RUN patch -u ${BASE_DIR}/core/Controller/LoginController.php -i ${TMP_PATCH_DIR}/002-login-without-domain.patch RUN patch -u ${BASE_DIR}/core/templates/layout.user.php -i ${TMP_PATCH_DIR}/003-contact-search-removal.patch RUN patch -u ${BASE_DIR}/core/Controller/ContactsMenuController.php -i ${TMP_PATCH_DIR}/004-contact-search-controller-removal.patch RUN cd ${BASE_DIR} && patch -p0 < ${TMP_PATCH_DIR}/005-autocomplete-user-leak.patch RUN cd ${BASE_DIR} && patch -p0 < ${TMP_PATCH_DIR}/005-autocomplete-user-leak-core.patch RUN cd ${BASE_DIR}/custom_apps && patch -p0 < ${TMP_PATCH_DIR}/005-autocomplete-user-leak-custom-app.patch RUN patch -u ${BASE_DIR}/custom_apps/notes/lib/Service/NoteUtil.php -i ${TMP_PATCH_DIR}/006-notes-url-fix.patch RUN rm -rf ${TMP_PATCH_DIR} # autocomplete leak tweak apps frontend with sed, disable group suggestion RUN cd ${BASE_DIR}/custom_apps/contacts && sed -i 's/"GROUP","INDIVIDUAL"/"INDIVIDUAL"/g' js/contacts-main.js RUN cd ${BASE_DIR}/custom_apps/calendar && sed -i 's/"GROUP","INDIVIDUAL"/"INDIVIDUAL"/g' 
js/calendar.js # Custom theme RUN curl -fsSL -o eelo-theme.tar.gz \ "https://gitlab.e.foundation/e/infra/nextcloud-theme/-/archive/${THEME_VERSION}/nextcloud-theme-${THEME_VERSION}.tar.gz" && \ Loading
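Review bot: The new download steps for contacts, calendar and user_backend_sql_raw extract release archives into `custom_apps/` with no integrity check, so the build trusts whatever the release URL serves that day; user_backend_sql_raw is an authentication backend, which makes it the most sensitive of the three. Pin a digest per archive and verify it before `tar -xf`, for example `ARG CONTACTS_SHA256="<sha256-of-contacts-tarball>"` and `echo "${CONTACTS_SHA256}  contacts.tar.gz" | sha256sum -c - && \`. Separately, the two `sed -i 's/"GROUP","INDIVIDUAL"/"INDIVIDUAL"/g'` steps exit 0 when the pattern is absent, so a later app version bump can drop the mitigation without failing the build; prefixing each with `grep -q '"GROUP","INDIVIDUAL"' js/contacts-main.js &&` (and the same for `js/calendar.js`) makes that visible. That edit is client-side only, so it is worth confirming that the server no longer returns group matches to a direct request.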
custom_entrypoint.sh +3 −0 Original line number Diff line number Diff line Loading @@ -10,6 +10,9 @@ rsync $rsync_options --include "/news/" --exclude '/*' $SRC_DIR/custom_apps/ $DS rsync $rsync_options --include "/notes/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/quota_warning/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/carnet/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/calendar/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/contacts/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/user_backend_sql_raw/" --exclude '/*' $SRC_DIR/custom_apps/ $DST_DIR/custom_apps/ rsync $rsync_options --include "/eelo/" --exclude '/*' $SRC_DIR/themes/ $DST_DIR/themes/ Loading
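Review bot: Whether the patched copies of calendar, contacts and user_backend_sql_raw replace files already present under `$DST_DIR/custom_apps/` depends on `$rsync_options`, which is set outside this hunk. If those options do not overwrite and delete, stale unpatched files from an earlier install could survive on the volume and the autocomplete fix would not take effect. A comment above these lines would record the requirement, e.g. `# rsync_options must overwrite and delete so the image's patched apps win over the volume`. The `$SRC_DIR` and `$DST_DIR` expansions are also unquoted, as in the existing lines.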
patches/005-autocomplete-user-leak.patch→patches/005-autocomplete-user-leak-core.patch +0 −20 Original line number Diff line number Diff line --- lib/private/User/Database.php 2021-01-25 15:56:05.000000000 +0100 +++ lib/private/User/Database-new.php 2021-02-16 14:54:37.161624233 +0100 @@ -284,7 +284,7 @@ $result = $query->execute(); $displayNames = []; while ($row = $result->fetch()) { - $displayNames[(string)$row['uid']] = (string)$row['displayname']; + $displayNames[(string)$row['uid']] = (string)$row['uid']; } return $displayNames; --- lib/private/Collaboration/Collaborators/UserPlugin.php 2021-01-25 15:56:05.000000000 +0100 +++ lib/private/Collaboration/Collaborators/UserPlugin-new.php 2021-02-16 14:56:26.778152834 +0100 @@ -92,7 +92,7 @@ } } else { // Search in all users - $usersTmp = $this->userManager->searchDisplayName($search, $limit, $offset); + $usersTmp = $this->userManager->search($search, $limit, $offset); foreach ($usersTmp as $user) { if ($user->isEnabled()) { // Don't keep deactivated users $users[$user->getUID()] = $user; @@ -114,7 +114,7 @@ $uid = (string) $uid; if ( Loading
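--- a/patches/005-autocomplete-user-leak-custom-app.patch
+++ b/patches/005-autocomplete-user-leak-custom-app.patch
@@ -0,0 +1,12 @@
+--- user_backend_sql_raw/lib/UserBackend.php 2020-10-06 01:56:49.000000000 +0200
++++ user_backend_sql_raw/lib/UserBackend-new.php 2021-03-02 15:43:12.615868478 +0100
+@@ -108,7 +108,8 @@
+ // Because MariaDB can not handle string parameters for LIMIT/OFFSET we have to bind the
+ // values "manually" instead of passing an array to execute(). This is another instance of
+ // MariaDB making the code "uglier".
+- $statement->bindValue(':search', '%' . $searchString . '%', \PDO::PARAM_STR);
++ $statement->bindValue(':search', $searchString , \PDO::PARAM_STR);
++
+ if (isset($limit)) {
+ $statement->bindValue(':limit', intval($limit), \PDO::PARAM_INT);
+ }
\ No newline at end of file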
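Review bot: The new binding `$statement->bindValue(':search', $searchString , \PDO::PARAM_STR);` stops wrapping the term in `%`, but a `%` or `_` supplied by the caller is still a wildcard if the configured user-search query compares with LIKE. The query is outside this hunk, so that is inferred from the removed wrapping. A term made only of wildcards would then match every account, which is the enumeration this patch is meant to stop. Escape the metacharacters before binding, e.g. `$statement->bindValue(':search', addcslashes($searchString, '%_\\'), \PDO::PARAM_STR);`, or change the configured query to compare with `=`. Also check callers that pass an empty search to list all users, since that previously bound `%%` and now binds an empty string.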