Merge pull request #152 from YunoHost-Apps/testing

Testing

README.md

@@ -5,10 +5,10 @@ Nextcloud for YunoHost
 own data. A personal cloud which run on your own server. With Nextcloud
 you can synchronize your files over your devices.
 
-**Shipped version:** 13.0.6
+**Shipped version:** 15.0.4
 
 [![Install Nextcloud with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=nextcloud)
-![](https://github.com/nextcloud/screenshots/blob/master/files/filelist.png)
+![](https://raw.githubusercontent.com/nextcloud/screenshots/master/files/Files%20Overview.png)
 
 ## Features
 

conf/nginx.conf

@@ -13,22 +13,23 @@ location ^~ __PATH__ {
   }
 
   # Add headers to serve security related headers
-  add_header Strict-Transport-Security "max-age=15768000;";
-  add_header X-Content-Type-Options nosniff;
-  add_header X-XSS-Protection "1; mode=block";
-  add_header X-Robots-Tag none;
-  add_header X-Download-Options noopen;
-  add_header X-Permitted-Cross-Domain-Policies none;
+  more_set_headers "Strict-Transport-Security: max-age=15768000";
+  more_set_headers "X-Content-Type-Options: nosniff";
+  more_set_headers "X-XSS-Protection: 1; mode=block";
+  more_set_headers "X-Robots-Tag: none";
+  more_set_headers "X-Download-Options: noopen";
+  more_set_headers "X-Permitted-Cross-Domain-Policies: none";
+  more_set_headers "Referrer-Policy: no-referrer";
 
   # Set max upload size
   client_max_body_size 10G;
   fastcgi_buffers 64 4K;
-  
+
   # Extend timeouts
   client_body_timeout 60m;
   proxy_read_timeout 60m;
   fastcgi_read_timeout 60m;
-  
+
   # Disable gzip to avoid the removal of the ETag header
   gzip off;
 
@@ -77,14 +78,16 @@ location ^~ __PATH__ {
 
   # Adding the cache control header for js and css files
   location ~* \.(?:css|js)$ {
-    add_header Cache-Control "public, max-age=7200";
+    more_set_headers "Cache-Control: public, max-age=7200";
     # Add headers to serve security related headers
-    add_header Strict-Transport-Security "max-age=15768000;";
-    add_header X-Content-Type-Options nosniff;
-    add_header X-XSS-Protection "1; mode=block";
-    add_header X-Robots-Tag none;
-    add_header X-Download-Options noopen;
-    add_header X-Permitted-Cross-Domain-Policies none;
+    more_set_headers "Strict-Transport-Security: max-age=15768000";
+    more_set_headers "X-Content-Type-Options: nosniff";
+    more_set_headers "X-XSS-Protection: 1; mode=block";
+    more_set_headers "X-Robots-Tag: none";
+    more_set_headers "X-Download-Options: noopen";
+    more_set_headers "X-Permitted-Cross-Domain-Policies: none";
+    more_set_headers "Referrer-Policy: no-referrer";
+
     # Optional: Don't log access to assets
     access_log off;
   }

manifest.json

@@ -6,12 +6,12 @@
         "en": "Access & share your files, calendars, contacts, mail & more from any device, on your terms",
         "fr": "Consultez et partagez vos fichiers, agendas, carnets d'adresses, emails et bien plus depuis les appareils de votre choix, sous vos conditions"
     },
-    "version": "13.0.6~ynh1",
+    "version": "15.0.4~ynh1",
     "url": "https://nextcloud.com",
     "license": "AGPL-3.0",
     "maintainer": {
-        "name": "-",
-        "email": "-"
+        "name": "YunoHost Contributors",
+        "email": "apps@yunohost.org"
     },
     "requirements": {
         "yunohost": ">= 2.7.2"

scripts/_common.sh

@@ -3,7 +3,7 @@
 # COMMON VARIABLES
 #=================================================
 
-pkg_dependencies="php5-gd php5-json php5-intl php5-mcrypt php5-curl php5-apcu php5-redis php5-ldap php5-imagick imagemagick acl tar smbclient"
+pkg_dependencies="php5-gd php5-json php5-intl php5-mcrypt php5-curl php5-apcu php5-redis php5-ldap php5-imagick imagemagick acl tar smbclient at"
 
 if [ "$(lsb_release --codename --short)" != "jessie" ]; then
 	pkg_dependencies="$pkg_dependencies php-zip php-apcu php-mbstring php-xml"
@@ -356,3 +356,29 @@ ynh_multimedia_addaccess () {
         groupadd -f multimedia
         usermod -a -G multimedia $user_name
 }
+
+ynh_smart_mktemp () {
+        local min_size="${1:-300}"
+        # Transform the minimum size from megabytes to kilobytes
+        min_size=$(( $min_size * 1024 ))
+
+        # Check if there's enough free space in a directory
+        is_there_enough_space () {
+                local free_space=$(df --output=avail "$1" | sed 1d)
+                test $free_space -ge $min_size
+        }
+
+        if is_there_enough_space /tmp; then
+                local tmpdir=/tmp
+        elif is_there_enough_space /var; then
+                local tmpdir=/var
+        elif is_there_enough_space /; then
+                local tmpdir=/   
+        elif is_there_enough_space /home; then
+                local tmpdir=/home
+        else
+		ynh_die "Insufficient free space to continue..."
+        fi
+
+        echo "$(sudo mktemp --directory --tmpdir="$tmpdir")"
+}

scripts/install

@@ -79,6 +79,8 @@ ynh_replace_string "__VERSION__" "$next_version" "../conf/app.src"
 ynh_replace_string "__SHA256_SUM__" "$nextcloud_source_sha256" "../conf/app.src"
 
 ynh_app_setting_set $app final_path $final_path
+# Enable YunoHost patches on Nextcloud sources
+cp -a ../sources/patches_last_version/* ../sources/patches
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source "$final_path"
 
@@ -234,6 +236,11 @@ ynh_replace_string "#DESTDIR#" "$final_path" "$cron_path"
 
 exec_occ background:cron
 
+#=================================================
+# POST-INSTALL MAINTENANCE
+#=================================================
+(cd /tmp ; at now + 10 minutes <<< "(cd $final_path ; sudo -u $app php occ db:add-missing-indices ; sudo -u $app php occ db:convert-filecache-bigint -n) > /tmp/${app}_maintenance.log")
+
 #=================================================
 # CONFIGURE THE HOOK FILE FOR USER CREATE
 #=================================================

scripts/upgrade

@@ -176,6 +176,8 @@ do
     # then it's the last upgrade to do
     if [ "$major_version" -eq "$current_major_version" ]; then
       current_major_version=last
+      # Execute the commands dedicated to the last upgrade
+      last_upgrade_operations
     fi
 
     # Load the value for this version
@@ -189,7 +191,7 @@ do
     ynh_replace_string "__SHA256_SUM__" "$nextcloud_source_sha256" "../conf/app.src"
 
     # Create a temporary directory
-    tmpdir=$(mktemp -d)
+    tmpdir="$(ynh_smart_mktemp 300)"
 
     # Install the next nextcloud version in $tmpdir
     ynh_setup_source "$tmpdir"
@@ -208,6 +210,7 @@ do
     # Replace the old nextcloud by the new one
     ynh_secure_remove "$final_path"
     mv "$tmpdir" "$final_path"
+    ynh_secure_remove "$tmpdir"
 
     # Set write access for the following commands
     chown -R $app: "$final_path" "$datadir"

scripts/upgrade.d/upgrade.13.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Last available nextcloud version
+next_version="14.0.0"
+
+# Nextcloud tarball checksum sha256
+nextcloud_source_sha256="f965c14286e7aabbfe49c947d86af59597af302c35d10e0b5440e7e6c53b8f47"

scripts/upgrade.d/upgrade.14.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Last available nextcloud version
+next_version="15.0.0"
+
+# Nextcloud tarball checksum sha256
+nextcloud_source_sha256="5bb0c58171353da844019b64080c21078002a59ab956ab72adb958844a98eb78"

scripts/upgrade.d/upgrade.last.sh

@@ -1,10 +1,16 @@
 #!/bin/bash
 
 # Last available nextcloud version
-next_version="13.0.6"
+next_version="15.0.4"
 
 # Nextcloud tarball checksum sha256
-nextcloud_source_sha256="90fc9e960b6a477bb14ee87042b3d158bde95c3f0157677cb4547ca7649968d4"
+nextcloud_source_sha256="f87db047c174f563e391a22c959d9ace767ca14ef0f97fc394f3061fc63d8f77"
 
-# Patch nextcloud files only for the last version
-cp -a ../sources/patches_last_version/* ../sources/patches
+# This function will only be executed upon applying the last upgrade referenced above
+last_upgrade_operations () {
+  # Patch nextcloud files only for the last version
+  cp -a ../sources/patches_last_version/* ../sources/patches
+
+  # Execute post-upgrade operations later on
+  (cd /tmp ; at now + 10 minutes <<< "(cd $final_path ; sudo -u $app php occ db:add-missing-indices ; sudo -u $app php occ db:convert-filecache-bigint -n) > /tmp/${app}_maintenance.log")
+}

sources/patches_last_version/app-00-add-logout_url-conf.patch

@@ -1,14 +1,62 @@
+ core/Controller/LoginController.php | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
+index 182d2bc106..82523e306e 100644
 --- a/core/Controller/LoginController.php
 +++ b/core/Controller/LoginController.php
-@@ -119,7 +119,10 @@
+@@ -95,13 +95,13 @@ class LoginController extends Controller {
+ 	 * @param Throttler $throttler
+ 	 */
+ 	public function __construct($appName,
+-								IRequest $request,
+-								IUserManager $userManager,
+-								IConfig $config,
+-								ISession $session,
+-								IUserSession $userSession,
+-								IURLGenerator $urlGenerator,
+-								ILogger $logger,
++						 IRequest $request,
++						 IUserManager $userManager,
++						 IConfig $config,
++						 ISession $session,
++						 IUserSession $userSession,
++						 IURLGenerator $urlGenerator,
++						 ILogger $logger,
+ 								Manager $twoFactorManager,
+ 								Defaults $defaults,
+ 								Throttler $throttler) {
+@@ -130,7 +130,10 @@ class LoginController extends Controller {
  		}
  		$this->userSession->logout();
-
+ 
 -		$response = new RedirectResponse($this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm'));
 +		$redirectUrl = $this->config->getSystemValue('logout_url',
-+			$this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')
++		$this->urlGenerator->linkToRouteAbsolute('core.login.showLoginForm')
 +		);
 +		$response = new RedirectResponse($redirectUrl);
- 		$response->addHeader('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"');
+ 		$response->addHeader('Clear-Site-Data', '"cache", "storage", "executionContexts"');
  		return $response;
  	}
+@@ -303,10 +306,10 @@ class LoginController extends Controller {
+ 				$previousUser = $user;
+ 				$user = $users[0]->getUID();
+ 				if($user !== $previousUser) {
+-					$loginResult = $this->userManager->checkPassword($user, $password);
+-				}
++				$loginResult = $this->userManager->checkPassword($user, $password);
+ 			}
+ 		}
++		}
+ 
+ 		if ($loginResult === false) {
+ 			$this->logger->warning('Login failed: \''. $user .
+@@ -314,7 +317,7 @@ class LoginController extends Controller {
+ 				['app' => 'core']);
+ 			return $this->createLoginFailedResponse($user, $originalUser,
+ 				$redirect_url, self::LOGIN_MSG_INVALIDPASSWORD);
+-		}
++			}
+ 
+ 		// TODO: remove password checks from above and let the user session handle failures
+ 		// requires https://github.com/owncloud/core/pull/24616

sources/patches_last_version/app-01-disable-CSPv3-nonce_and_allow-YNH-fonts.patch

@@ -1,33 +1,33 @@
- lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php | 4 ++++
- lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php    | 3 ++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
-index 85ae127f5f..91618a09fc 100644
---- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
-+++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
-@@ -65,6 +65,10 @@ class ContentSecurityPolicyNonceManager {
- 	 * @return bool
- 	 */
- 	public function browserSupportsCspV3() {
-+		// YunoHost patch: disable CSPv3 nonces to:
-+		// - avoid white page on first login from YunoHost portal
-+		// - allow YunoHost tile display
-+		return false;
- 		$browserWhitelist = [
- 			Request::USER_AGENT_CHROME,
- 			// Firefox 45+
-diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
-index 64d4eb6e5d..59d5885620 100644
---- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
-+++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
-@@ -377,7 +377,8 @@ class EmptyContentSecurityPolicy {
- 
- 		if(!empty($this->allowedFontDomains)) {
- 			$policy .= 'font-src ' . implode(' ', $this->allowedFontDomains);
--			$policy .= ';';
-+			// YunoHost patch: extend font-src to load data fonts embedded in YunoHost tile script
-+			$policy .= ' data:;';
- 		}
- 
- 		if(!empty($this->allowedConnectDomains)) {
+ .../Security/CSP/ContentSecurityPolicyNonceManager.php        | 4 ++++
+ lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php   | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+index 795d8cc864..5f3c961445 100644
+--- a/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
++++ b/lib/private/Security/CSP/ContentSecurityPolicyNonceManager.php
+@@ -70,6 +70,10 @@ class ContentSecurityPolicyNonceManager {
+ 	 * @return bool
+ 	 */
+ 	public function browserSupportsCspV3(): bool {
++		// YunoHost patch: disable CSPv3 nonces to:
++		// - avoid white page on first login from YunoHost portal
++		// - allow YunoHost tile display
++		return false;
+ 		$browserWhitelist = [
+ 			Request::USER_AGENT_CHROME,
+ 			// Firefox 45+
+diff --git a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+index 3fcef1d0ef..7ce01a68fc 100644
+--- a/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
++++ b/lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php
+@@ -449,7 +449,8 @@ class EmptyContentSecurityPolicy {
+
+ 		if(!empty($this->allowedFontDomains)) {
+ 			$policy .= 'font-src ' . implode(' ', $this->allowedFontDomains);
+-			$policy .= ';';
++			// YunoHost patch: extend font-src to load data fonts embedded in YunoHost tile script
++			$policy .= ' data:;';
+ 		}
+
+ 		if(!empty($this->allowedConnectDomains)) {

sources/patches_last_version/app-02-Allow-for-eval-in-JS-scripts-for-YunoHost-tile.patch

@@ -0,0 +1,17 @@
+ lib/public/AppFramework/Http/ContentSecurityPolicy.php | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/public/AppFramework/Http/ContentSecurityPolicy.php b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+index e9ecf00036..8e69c8d2dc 100644
+--- a/lib/public/AppFramework/Http/ContentSecurityPolicy.php
++++ b/lib/public/AppFramework/Http/ContentSecurityPolicy.php
+@@ -44,7 +44,8 @@ class ContentSecurityPolicy extends EmptyContentSecurityPolicy {
+ 	/** @var bool Whether inline JS snippets are allowed */
+ 	protected $inlineScriptAllowed = false;
+ 	/** @var bool Whether eval in JS scripts is allowed */
+-	protected $evalScriptAllowed = false;
++	// YunoHost patch: allow for eval in JS scripts for YunoHost tile
++	protected $evalScriptAllowed = true;
+ 	/** @var array Domains from which scripts can get loaded */
+ 	protected $allowedScriptDomains = [
+ 		'\'self\'',