chore: update Nextcloud to 25.0.13

Nextcloud now prevents loading external entities by using libxml_set_external_entity_loader.

ref:
https://github.com/nextcloud/server/pull/39490
https://github.com/hoellen/docker-nextcloud/issues/42

.github/workflows/build.yml

@@ -3,7 +3,7 @@ name: build
 on:
   workflow_dispatch:
   push:
-    branches: [ master ]
+    branches: [ version-25 ]
   schedule:
     # Build the image regularly (each Friday)
     - cron: '23 04 * * 5'
@@ -53,7 +53,6 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
-            latest
             ${{ env.FULL_VERSION }}
             ${{ env.MAJOR_VERSION }}
 

Dockerfile

@@ -1,17 +1,17 @@
 # -------------- Build-time variables --------------
-ARG NEXTCLOUD_VERSION=25.0.4
+ARG NEXTCLOUD_VERSION=25.0.13
 ARG PHP_VERSION=8.1
 ARG NGINX_VERSION=1.22
 
-ARG ALPINE_VERSION=3.16
+ARG ALPINE_VERSION=3.17
 ARG HARDENED_MALLOC_VERSION=11
 ARG SNUFFLEUPAGUS_VERSION=0.8.3
 
 ARG UID=1000
 ARG GID=1000
 
-# nextcloud-25.0.4.tar.bz2
+# nextcloud-25.0.13.tar.bz2
-ARG SHA256_SUM="c3251e0083a94303e2d6988b352f3b33082a79a726b30ff746709b0fe869a1a6"
+ARG SHA256_SUM="387bac148a696244f1ec02698a082d408283a875b3de85eb9719dd4493eebe33"
 
 # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
 ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A"

README.md

@@ -46,7 +46,7 @@ Don't run random images from random dudes on the Internet. Ideally, you want to
 - **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability. 
 - **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version.
 - **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer.
-- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including XXE, weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container.
+- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container.
 - **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well:
 
 ```

rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules

@@ -8,7 +8,7 @@
 sp.harden_random.enable();
 
 # Disabled XXE
-sp.xxe_protection.enable();
+#sp.xxe_protection.enable();
 
 # Global configuration variables
 # sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
@@ -34,7 +34,7 @@ sp.sloppy_comparison.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
 
-# Nextcloud whitelist (tested with Nextcloud 25.0.0)
+# Nextcloud whitelist (tested with Nextcloud 27.0.1)
 sp.disable_function.function("function_exists").param("function").value("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
 sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/private/legacy/OC_Helper.php").allow();
 sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/public/Util.php").allow();