chore: update Nextcloud to 28.0.14

This was caused by the update to Alpine 3.19.

.github/workflows/build.yml

@@ -3,7 +3,9 @@ name: build
 on:
   workflow_dispatch:
   push:
-    branches: [ version-24 ]
+    branches:
+      - master
+      - version-*
   schedule:
     # Build the image regularly (each Friday)
     - cron: '23 04 * * 5'
@@ -27,14 +29,17 @@ jobs:
 
       - name: Extract version for tags
         run: |
-          echo "FULL_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV
-          echo "MAJOR_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)" >> $GITHUB_ENV
+          BRANCH="${GITHUB_REF#refs/heads/}"
+          VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile)
+          [ "$BRANCH" = "master" ] && echo "BRANCH_VERSION=latest" >> $GITHUB_ENV
+          echo "FULL_VERSION=${VERSION:0:7}" >> $GITHUB_ENV
+          echo "MAJOR_VERSION=${VERSION:0:2}" >> $GITHUB_ENV
 
       - name: Install cosign
         if: github.event_name != 'pull_request'
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.13.1'
+          cosign-release: 'v2.2.2'
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
@@ -53,6 +58,7 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
+            ${{ env.BRANCH_VERSION }}
             ${{ env.FULL_VERSION }}
             ${{ env.MAJOR_VERSION }}
 
@@ -69,4 +75,4 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         env:
           COSIGN_EXPERIMENTAL: "true"
-        run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+        run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

Dockerfile

@@ -1,24 +1,24 @@
 # -------------- Build-time variables --------------
-ARG NEXTCLOUD_VERSION=24.0.12
-ARG PHP_VERSION=8.1
-ARG NGINX_VERSION=1.22
+ARG NEXTCLOUD_VERSION=28.0.14
+ARG PHP_VERSION=8.2
+ARG NGINX_VERSION=1.26
 
-ARG ALPINE_VERSION=3.17
+ARG ALPINE_VERSION=3.20
 ARG HARDENED_MALLOC_VERSION=11
-ARG SNUFFLEUPAGUS_VERSION=0.8.3
+ARG SNUFFLEUPAGUS_VERSION=0.10.0
 
 ARG UID=1000
 ARG GID=1000
 
-# nextcloud-24.0.12.tar.bz2
-ARG SHA256_SUM="2f093bdf7d34faf38d22f38a5e11f3aee32746ff4add3df17c790b9b36390836"
+# nextcloud-28.0.14.tar.bz2
+ARG SHA256_SUM="4a937f1882486426c9703e59ec4b293f621be8d080b7f85016f629903c3af336"
 
 # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
 ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A"
 # ---------------------------------------------------
 
 ### Build PHP base
-FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
+FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
 
 ARG SNUFFLEUPAGUS_VERSION
 
@@ -43,6 +43,7 @@ RUN apk -U upgrade \
         gmp \
         icu \
         libjpeg-turbo \
+        librsvg \
         libpq \
         libpq \
         libwebp \
@@ -58,12 +59,14 @@ RUN apk -U upgrade \
         bcmath \
         exif \
         gd \
+        bz2 \
         intl \
         ldap \
         opcache \
         pcntl \
         pdo_mysql \
         pdo_pgsql \
+        sysvsem \
         zip \
         gmp \
  && pecl install smbclient \
@@ -82,7 +85,7 @@ RUN apk -U upgrade \
 
 ### Build Hardened Malloc
 ARG ALPINE_VERSION
-FROM alpine:${ALPINE_VERSION} as build-malloc
+FROM docker.io/library/alpine:${ALPINE_VERSION} as build-malloc
 
 ARG HARDENED_MALLOC_VERSION
 ARG CONFIG_NATIVE=false
@@ -96,7 +99,7 @@ RUN apk --no-cache add build-base git gnupg && cd /tmp \
 
 
 ### Fetch nginx
-FROM nginx:${NGINX_VERSION}-alpine as nginx
+FROM docker.io/library/nginx:${NGINX_VERSION}-alpine as nginx
 
 
 ### Build Nextcloud (production environemnt)

README.md

@@ -46,7 +46,7 @@ Don't run random images from random dudes on the Internet. Ideally, you want to
 - **Images are scanned every day** by [Trivy](https://github.com/aquasecurity/trivy) for OS vulnerabilities. Known vulnerabilities will be automatically uploaded to [GitHub Security Lab](https://github.com/Wonderfall/docker-nextcloud/security/code-scanning) for full transparency. This also warns me if I have to take action to fix a vulnerability. 
 - **Latest tag/version is automatically built weekly**, so you should often update your images regardless if you're already using the latest Nextcloud version.
 - **Build production images without cache** (use `docker build --no-cache` for instance) if you want to build your images manually. Latest dependencies will hence be used instead of outdated ones due to a cached layer.
-- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including XXE, weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container.
+- **A security module for PHP called [Snuffleupagus](https://github.com/jvoisin/snuffleupagus) is used by default**. This module aims at killing entire bug and security exploit classes (including weak PRNG, file-upload based code execution), thus raising the cost of attacks. For now we're using a configuration file derived from [the default one](https://github.com/jvoisin/snuffleupagus/blob/master/config/default_php8.rules), with some explicit exceptions related to Nextcloud. This configuration file is tested and shouldn't break basic functionality, but it can cause issues in specific and untested use cases: if that happens to you, get logs from either `syslog` or `/nginx/logs/error.log` inside the container, and [open an issue](https://github.com/hoellen/docker-nextcloud/issues). You can also disable the security module altogether by changing the `PHP_HARDENING` environment variable to `false` before recreating the container.
 - **Images are signed with the GitHub-provided OIDC token in Actions** using the experimental "keyless" signing feature provided by [cosign](https://github.com/sigstore/cosign). You can verify the image signature using `cosign` as well:
 
 ```
@@ -58,8 +58,8 @@ Verifying the signature isn't a requirement, and might not be as seamless as usi
 ## Tags
 
 - `latest` : latest Nextcloud version
-- `x` : latest Nextcloud x.x (e.g. `24`)
-- `x.x.x` : Nextcloud x.x.x (e.g. `24.0.0`)
+- `x` : latest Nextcloud x.x (e.g. `28`)
+- `x.x.x` : Nextcloud x.x.x (e.g. `28.0.0`)
 
 You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).
 Only the **latest stable version** will be maintained by myself.

SECURITY.md

@@ -7,11 +7,16 @@ and will receive the minor version updates and security patches.
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 24. x   | :white_check_mark: |
-| 23. x   | :white_check_mark: |
-| 22. x   | :white_check_mark: |
+| 28. x   | :white_check_mark: |
+| 27. x   | :white_check_mark: |
+| 26. x   | :negative_squared_cross_mark: |
+| 25. x   | :negative_squared_cross_mark: |
+| 24. x   | :negative_squared_cross_mark: |
+| 23. x   | :negative_squared_cross_mark: |
+| 22. x   | :negative_squared_cross_mark: |
 
 Please update to the latest version available. Major migrations are always tested before being pushed.
+An up-to-date list of the currently maintained Nextcloud versions can also be found in the [Nextcloud Repository Wiki](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule).
 
 ## Automated vulnerability scanning
 

rootfs/etc/nginx/conf.d/default.conf

@@ -18,10 +18,9 @@ server {
 
         add_header Referrer-Policy "no-referrer" always;
         add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Download-Options "noopen" always;
         add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-Permitted-Cross-Domain-Policies "none" always;
-        add_header X-Robots-Tag "none" always;
+        add_header X-Robots-Tag "noindex, nofollow" always;
         add_header X-XSS-Protection "0" always;
 
         location = /robots.txt {
@@ -49,7 +48,7 @@ server {
             return 404;
         }
 
-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
             include /etc/nginx/fastcgi_params;
             fastcgi_split_path_info ^(.+\.php)(/.*)$;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
@@ -62,18 +61,18 @@ server {
             fastcgi_read_timeout 1200;
         }
 
-        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+        location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
             try_files $uri/ =404;
             index index.php;
         }
 
-        location ~ \.(?:css|js|svg|gif|map)$ {
+        location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
             try_files $uri /index.php$uri$is_args$args;
             expires 6M;
             access_log off;
         }
 
-        location ~ \.woff2?$ {
+        location ~ \.(otf|woff2)?$ {
             try_files $uri /index.php$uri$is_args$args;
             expires 7d;
             access_log off;

rootfs/etc/nginx/nginx.conf

@@ -9,6 +9,11 @@ events {
 
 http {
     include /etc/nginx/mime.types;
+    # Add .mjs as a file extension for javascript
+    # https://github.com/nextcloud/server/pull/36057
+    types {
+        application/javascript mjs;
+    }
     default_type  application/octet-stream;
 
     access_log /nginx/logs/access.log combined;

rootfs/usr/local/bin/run.sh

@@ -15,6 +15,16 @@ if [ "$PHP_HARDENING" == "true" ] && [ ! -f /usr/local/etc/php/conf.d/snuffleupa
     cp /usr/local/etc/php/snuffleupagus/* /usr/local/etc/php/conf.d
 fi
 
+# Check if database is available
+if [ -n "${DB_TYPE}" ] && [ "${DB_TYPE}" != "sqlite3" ]; then
+  DB_PORT=${DB_PORT:-$( [ "${DB_TYPE}" = "pgsql" ] && echo 5432 || echo 3306 )}
+  until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT}"
+  do
+    echo "waiting for the database container..."
+    sleep 1
+  done
+fi
+
 # If new install, run setup
 if [ ! -f /nextcloud/config/config.php ]; then
     touch /nextcloud/config/CAN_INSTALL

rootfs/usr/local/bin/setup.sh

@@ -55,14 +55,6 @@ cat >> /nextcloud/config/autoconfig.php <<EOF;
 ?>
 EOF
 
-if [ ${DB_TYPE} != "sqlite3" ]; then
-  until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT:-3306}"
-  do
-    echo "waiting for the database container..."
-    sleep 1
-  done
-fi
-
 echo "Starting automatic configuration..."
 # Execute setup
 (cd /nextcloud; php index.php &>/dev/null)

rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules

@@ -8,7 +8,7 @@
 sp.harden_random.enable();
 
 # Disabled XXE
-sp.xxe_protection.enable();
+#sp.xxe_protection.enable();
 
 # Global configuration variables
 # sp.global.secret_key("YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.");
@@ -34,16 +34,22 @@ sp.sloppy_comparison.enable();
 # https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery
 sp.cookie.name("PHPSESSID").samesite("lax");
 
-# Nextcloud whitelist (tested with Nextcloud 24.0.0)
+# Nextcloud whitelist (tested with Nextcloud 27.0.1)
 sp.disable_function.function("function_exists").param("function").value("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
+sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/private/legacy/OC_Helper.php").allow();
+sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/public/Util.php").allow();
 sp.disable_function.function("proc_open").filename("/nextcloud/3rdparty/symfony/console/Terminal.php").allow();
 sp.disable_function.function("ini_set").param("option").value_r("display_errors").filename("/nextcloud/lib/base.php").allow();
 sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/3rdparty/bantu/ini-get-wrapper/src/IniGetWrapper.php").allow();
-sp.disable_function.function("function_exists").param("function").value("exec").filename("/nextcloud/lib/private/legacy/OC_Helper.php").allow();
 sp.disable_function.function("ini_get").param("option").value_r("suhosin").filename("/nextcloud/3rdparty/bantu/ini-get-wrapper/src/IniGetWrapper.php").allow();
 sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/apps2/twofactor_webauthn/vendor/symfony/process/ExecutableFinder.php").allow();
 sp.disable_function.function("ini_get").param("option").value("open_basedir").filename("/nextcloud/3rdparty/symfony/process/ExecutableFinder.php").allow();
 sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").filename("/nextcloud/3rdparty/guzzlehttp/guzzle/src/Utils.php").allow();
+sp.disable_function.function("exec").param("command").value("apachectl -M | grep mpm").filename("/nextcloud/apps2/spreed/lib/Settings/Admin/AdminSettings.php").allow();
+
+# Nextcloud inherently enables XXE-Protection since 27.0.1, therefore, drop setting a new external entity loader
+sp.disable_function.function("libxml_set_external_entity_loader").filename("/nextcloud/lib/base.php").allow(); 
+sp.disable_function.function("libxml_set_external_entity_loader").drop(); 
 
 # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
 sp.disable_function.function("chmod").param("permissions").value("438").drop();