Merge branch 'master' of https://github.com/alchemy-fr/Phraseanet int…

…o PHRAS-4093-Reintegrate-ufraw-package-into-the-worker-image

.env

@@ -143,7 +143,7 @@ PHRASEANET_DOCKER_REGISTRY=local
 
 # Docker images tag.
 # @run
-PHRASEANET_DOCKER_TAG=4.1.9
+PHRASEANET_DOCKER_TAG=4.1.10
 
 # Stack Name
 # An optionnal Name for the stack
@@ -305,9 +305,15 @@ REQUEST_TERMINATE_TIMEOUT=300s
 
 # Maximum amount of memory a script may consume (128MB)
 # http://php.net/memory-limit
+# @run
 FPM_MEMORY_LIMIT=2048M
 PHP_CLI_MEMORY_LIMIT=2048M
 
+# Temporary directory for HTTP uploaded files (will use system default if not
+# specified).
+# http://php.net/upload-tmp-dir
+# @run
+PHP_UPLOAD_TMP_DIR=/var/alchemy/Phraseanet/tmp/php_upload_tmp
 
 # Php Opcache status. See [opcache Php documentation|
 # https://www.php.net/manual/en/intro.opcache.php].

CHANGELOG.md

@@ -1,5 +1,65 @@
 # CHANGELOG
 
+## 4.1.10
+
+### Update Instructions
+
+- **Migration Patch**:
+  - A migration script for the configuration file is available. Run the following command in the setup container with Docker if the environment variable `PHRASEANET_UPGRADE=1` is set:
+    ```
+    bin/setup system:upgrade
+    ```
+
+### Version Summary
+
+- **Bump Phraseanet Base Image to 1.1.0**:
+  - OS version updated.
+  - Bumped `Popeler` dependency .
+  - Added missing `ufraw` dependency .
+
+- **Updated Components**:
+  - **RabbitMQ**: Upgraded to version 3.8.34.
+  - **Nginx**: Updated to the latest stable release, 1.27.2.
+
+- **Security Fixes**:
+  - Fixed CSRF vulnerability in the userProfile endpoint.
+  - Addressed XSS injection vulnerability in the user profile.
+  - Corrected HTML injection in notification emails.
+
+- **Other Updates**:
+  - Updated translations.
+
+### Stack (Docker Compose and Helm)
+
+- **Phraseanet Base Image**: Version bumped.
+- **RabbitMQ**: Version bumped.
+- **Nginx**: Version bumped.
+- **Helm Updates**:
+  - Added `nodeSelector` property to all charts except for the DB pod.
+  - `imagePullPolicy` can now be set from `values.yaml`.
+  - Release details: [Helm chart release 0.47.0](https://github.com/alchemy-fr/alchemy-helm-charts-repo/releases/tag/phraseanet-0.47.0)
+
+## What's Changed
+* PHRAS-3416 : fix string in admin create subdef by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4534
+* PHRAS-3416 create subdefinition localisation by @nmaillat in https://github.com/alchemy-fr/Phraseanet/pull/4537
+* PHRAS-4094 Bump rabbitMQ version to 3.8.34 by @gjacobjn in https://github.com/alchemy-fr/Phraseanet/pull/4546
+* PHRAS-4090:Prod - expose-cli - publication - publication description is Nok by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4536
+* Fix for phraseanet-saml-sp image build in Dockerfile by @gjacobjn in https://github.com/alchemy-fr/Phraseanet/pull/4543
+* PHRAS-4100 Php upload tmp directory  by @nmaillat in https://github.com/alchemy-fr/Phraseanet/pull/4553
+* PHRAS-4079 Bump base image 1.1.0 by @moctardiouf in https://github.com/alchemy-fr/Phraseanet/pull/4554
+* PHRAS-3857 : Check CSRF token on account by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4556
+* PHRAS-4103 Prod xss check by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4555
+* PHRAS-4088: improving Job ack in workerRunningJob  by @aynsix in https://github.com/alchemy-fr/Phraseanet/pull/4535
+* fix typo by @tacman in https://github.com/alchemy-fr/Phraseanet/pull/4552
+* PHRAS-4104 Nginx bump 1.27.2 by @nmaillat in https://github.com/alchemy-fr/Phraseanet/pull/4557
+* PHRAS-4101: Update Range for Subdefinition Image Sizes by @nmaillat in https://github.com/alchemy-fr/Phraseanet/pull/4558
+
+## New Contributors
+* @tacman made their first contribution in https://github.com/alchemy-fr/Phraseanet/pull/4552
+
+**Full Changelog**: https://github.com/alchemy-fr/Phraseanet/compare/4.1.9...4.1.10
+
+___
 ## 4.1.9
 
 ### Update instructions

Dockerfile

@@ -1,5 +1,5 @@
 
-FROM alchemyfr/phraseanet-base:1.0.0 as builder
+FROM alchemyfr/phraseanet-base:1.1.0 AS builder
 
 COPY --from=composer:2.1.6 /usr/bin/composer /usr/bin/composer
 
@@ -39,8 +39,8 @@ USER app
 
 # Warm up composer cache for faster builds
 COPY docker/caching/composer.* ./
-RUN composer install --prefer-dist --no-dev --no-progress --classmap-authoritative --no-interaction --no-scripts \
-    && rm -rf vendor composer.*
+RUN composer install --prefer-dist --no-dev --no-progress --classmap-authoritative --no-interaction --no-scripts
+#    && rm -rf vendor composer.*
 # End warm up
 
 COPY --chown=app  . .
@@ -72,7 +72,7 @@ CMD []
 # Phraseanet install and setup application image
 #########################################################################
 
-FROM alchemyfr/phraseanet-base:1.0.0 as phraseanet-setup
+FROM alchemyfr/phraseanet-base:1.1.0 AS phraseanet-setup
 
 COPY --from=builder --chown=app /var/alchemy/Phraseanet /var/alchemy/Phraseanet
 ADD ./docker/phraseanet/root /
@@ -85,7 +85,7 @@ CMD []
 # Phraseanet web application image
 #########################################################################
 
-FROM alchemyfr/phraseanet-base:1.0.0 as phraseanet-fpm
+FROM alchemyfr/phraseanet-base:1.1.0 AS phraseanet-fpm
 
 COPY --from=builder --chown=app /var/alchemy/Phraseanet /var/alchemy/Phraseanet
 ADD ./docker/phraseanet/root /
@@ -97,7 +97,7 @@ CMD ["php-fpm", "-F"]
 # Phraseanet worker application image
 #########################################################################
 
-FROM alchemyfr/phraseanet-base:1.0.0 as phraseanet-worker
+FROM alchemyfr/phraseanet-base:1.1.0 AS phraseanet-worker
 
 COPY --from=builder --chown=app /var/alchemy/Phraseanet /var/alchemy/Phraseanet
 ADD ./docker/phraseanet/root /
@@ -128,7 +128,7 @@ CMD ["/bin/bash", "bin/run-worker.sh"]
 # phraseanet-nginx
 #########################################################################
 
-FROM nginx:1.17.8-alpine as phraseanet-nginx
+FROM nginx:1.27.2-alpine AS phraseanet-nginx
 RUN adduser --uid 1000 --disabled-password app
 RUN apk add --update apache2-utils \
     && rm -rf /var/cache/apk/*
@@ -144,10 +144,8 @@ HEALTHCHECK CMD wget --spider http://127.0.0.1/login || nginx -s reload || exit
 # phraseanet adapted simplesaml service provider 
 #########################################################################
 
-FROM alchemyfr/phraseanet-base:1.0.0 as phraseanet-saml-sp
-RUN adduser --uid 1000 --disabled-password app
-RUN echo "deb http://archive.debian.org/debian stretch main non-free" > /etc/apt/sources.list \
-    && apt-get update \
+FROM alchemyfr/phraseanet-base:1.1.0 AS phraseanet-saml-sp
+RUN apt-get update \
     && apt-get install -y \
         apt-transport-https \
         ca-certificates \
@@ -164,15 +162,8 @@ RUN echo "deb http://archive.debian.org/debian stretch main non-free" > /etc/apt
         gettext \
         mcrypt \
         libldap2-dev \
-    && curl -Ls https://github.com/simplesamlphp/simplesamlphp/releases/download/simplesamlphp-1.10.0/simplesamlphp-1.10.0.tar.gz | tar xzvf - -C /var/www/ \
-    && docker-php-ext-install zip mbstring pdo_mysql gettext mcrypt \
-    && pecl install \
-        redis-5.3.7 \
-    && docker-php-ext-enable redis \
-    && pecl clear-cache \
-    && docker-php-source delete
+    && curl -Ls https://github.com/simplesamlphp/simplesamlphp/releases/download/simplesamlphp-1.10.0/simplesamlphp-1.10.0.tar.gz | tar xzvf - -C /var/www/
 ADD ./docker/phraseanet/saml-sp/root /
 ENTRYPOINT ["/bootstrap/entrypoint.sh"]
 CMD ["/bootstrap/bin/start-servers.sh"]
-HEALTHCHECK CMD wget --spider http://127.0.0.1/ || nginx -s reload || exit 
-
+HEALTHCHECK CMD wget --spider http://127.0.0.1/ || nginx -s reload || exit

README.md

@@ -7,7 +7,7 @@ Phraseanet 4.1 - Digital Asset Management application
 
  - Several GUI : Prod, Admin, Thesaurus, Lightbox, Report,    
  - Metadata Management (includes Thesaurus and DublinCore Mapping)
- - RestFull APIS
+ - RESTful APIS
  - Elasticsearch search engine
  - Multiple resolution assets generation
  - Advanced Rights Management

docker-compose.datastores.yml

@@ -21,7 +21,7 @@ services:
       - internal
 
   rabbitmq:
-    image: rabbitmq:3.6.16-management
+    image: rabbitmq:3.8.34-management
     profiles: ["rabbitmq"]
     restart: on-failure
     hostname: $RABBITMQ_HOSTNAME
@@ -55,4 +55,4 @@ services:
     volumes:
     - ${PHRASEANET_ELASTICSEARCH_DIR}:/usr/share/elasticsearch/data
     networks:
-      - internal
+      - internal

docker-compose.yml

@@ -105,6 +105,7 @@ services:
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
     - PHP_CLI_MEMORY_LIMIT
+    - PHP_UPLOAD_TMP_DIR
     - PHRASEANET_ADMIN_ACCOUNT_ID
     - PHRASEANET_ADMIN_ACCOUNT_EMAIL
     - PHRASEANET_ADMIN_ACCOUNT_PASSWORD
@@ -230,6 +231,7 @@ services:
     - OPCACHE_ENABLED
     - SESSION_CACHE_LIMITER
     - PHP_LOG_LEVEL
+    - PHP_UPLOAD_TMP_DIR
     - PHRASEANET_SCHEME
     - PHRASEANET_HOSTNAME
     - PHRASEANET_APP_PORT

docker/phraseanet/fpm/entrypoint.sh

@@ -5,7 +5,6 @@ set -e
 envsubst < "docker/phraseanet/php.ini.sample" > /usr/local/etc/php/php.ini
 envsubst < "docker/phraseanet/php-fpm.conf.sample" > /usr/local/etc/php-fpm.conf
 envsubst < "docker/phraseanet/root/usr/local/etc/php-fpm.d/zz-docker.conf" > /usr/local/etc/php-fpm.d/zz-docker.conf
-# cat docker/phraseanet/root/usr/local/etc/php-fpm.d/zz-docker.conf  | sed "s/\$REQUEST_TERMINATE_TIMEOUT/$REQUEST_TERMINATE_TIMEOUT/g" > /usr/local/etc/php-fpm.d/zz-docker.conf
 
 if [ ${XDEBUG_ENABLED} == "1" ]; then
     echo "XDEBUG is enabled. YOU MAY KEEP THIS FEATURE DISABLED IN PRODUCTION."
@@ -35,12 +34,6 @@ fi
 chown -R app:app cache
 echo `date +"%Y-%m-%d %H:%M:%S"` " - chown APP:APP on cache/ repository"
 
-#    config \
-#    tmp \
-#    logs \
-#    www
-
-
 if [ -d "plugins/" ];then
 chown -R app:app plugins
 echo `date +"%Y-%m-%d %H:%M:%S"` " - chown APP:APP on plugins/ repository"

docker/phraseanet/php.ini.sample

@@ -817,7 +817,7 @@ file_uploads = On
 ; Temporary directory for HTTP uploaded files (will use system default if not
 ; specified).
 ; http://php.net/upload-tmp-dir
-;upload_tmp_dir =
+upload_tmp_dir = $PHP_UPLOAD_TMP_DIR
 
 ; Maximum allowed size for uploaded files.
 ; http://php.net/upload-max-filesize

docker/phraseanet/setup/entrypoint.sh

@@ -4,6 +4,20 @@ set -e
 envsubst < "docker/phraseanet/php.ini.worker.sample" > /usr/local/etc/php/php.ini
 cat docker/phraseanet/root/usr/local/etc/php-fpm.d/zz-docker.conf  | sed "s/\$REQUEST_TERMINATE_TIMEOUT/$REQUEST_TERMINATE_TIMEOUT/g" > /usr/local/etc/php-fpm.d/zz-docker.conf
 
+if [ -d "$PHP_UPLOAD_TMP_DIR" ]; then
+  echo `date +"%Y-%m-%d %H:%M:%S"` " - The directory: $PHP_UPLOAD_TMP_DIR already exists."
+else
+  echo `date +"%Y-%m-%d %H:%M:%S"` " - The directory: $PHP_UPLOAD_TMP_DIR does not exist. Creating the directory..."
+  mkdir -p "$PHP_UPLOAD_TMP_DIR"
+
+  if [ $? -eq 0 ]; then
+    echo `date +"%Y-%m-%d %H:%M:%S"` " - The directory: $PHP_UPLOAD_TMP_DIR was successfully created."
+  else
+    echo `date +"%Y-%m-%d %H:%M:%S"` " - Failed to create directory: $PHP_UPLOAD_TMP_DIR."
+    exit 1
+  fi
+fi
+
 if [[ -z "$PHRASEANET_APP_PORT" || $PHRASEANET_APP_PORT = "80" || $PHRASEANET_APP_PORT = "443" ]];then
 export PHRASEANET_BASE_URL="$PHRASEANET_SCHEME://$PHRASEANET_HOSTNAME"
 echo  `date +"%Y-%m-%d %H:%M:%S"` " - Phraseanet BASE URL IS : " $PHRASEANET_BASE_URL 
@@ -293,9 +307,14 @@ chown -R app:app backup
 echo `date +"%Y-%m-%d %H:%M:%S"` " - chown APP:APP on www/repository excluding www/thumbnails"
 cd www
 chown -R app:app  $(ls -I thumbnails)
-    
+
 echo `date +"%Y-%m-%d %H:%M:%S"` " - End of chown!"   
 
+if [ -d "$PHP_UPLOAD_TMP_DIR" ]; then
+  echo `date +"%Y-%m-%d %H:%M:%S"` " - Cleaning files older than 2 days in $PHP_UPLOAD_TMP_DIR "
+  find "$PHP_UPLOAD_TMP_DIR" -type f -mtime +2 -exec rm -f {} \;
+fi
+
 echo `date +"%Y-%m-%d %H:%M:%S"` " - End of Phraseanet setup entrypoint.sh"
 
 

lib/Alchemy/Phrasea/Controller/Root/AccountController.php

@@ -318,6 +318,8 @@ public function displayAccount()
 
         $initiatedValidations = $this->getBasketRepository()->findby(['vote_initiator' => $user, ]);
 
+        $this->setSessionFormToken('userAccount');
+
         return $this->render('account/account.html.twig', [
             'user'                  => $user,
             'evt_mngr'              => $manager,
@@ -417,6 +419,10 @@ public function confirmDeleteAccount(Request $request)
      */
     public function updateAccount(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'userAccount')) {
+            return new Response('invalid crsf token form', 403);
+        }
+
         $registrations = $request->request->get('registrations', []);
 
         if (false === is_array($registrations)) {

lib/Alchemy/Phrasea/Controller/Root/DeveloperController.php

@@ -171,6 +171,10 @@ public function authorizeGrantPassword(Request $request, ApiApplication $applica
      */
     public function newApp(Request $request)
     {
+        if (!$this->isCrsfValid($request, 'newApplication')) {
+            return new Response('invalid crsf token form', 403);
+        }
+
         if ($request->request->get('type') === ApiApplication::DESKTOP_TYPE) {
             $form = new \API_OAuth2_Form_DevAppDesktop($request);
         } else {
@@ -223,6 +227,8 @@ public function listApps()
      */
     public function displayFormApp(Request $request)
     {
+        $this->setSessionFormToken('newApplication');
+
         return $this->render('developers/application_form.html.twig', [
             "violations" => null,
             'form'       => null,

lib/Alchemy/Phrasea/Core/Configuration/DisplaySettingService.php

@@ -98,6 +98,10 @@ public function getUserSetting(User $user, $name, $default = null)
             return array_key_exists($name, $this->usersSettings) ? $this->usersSettings[$name] : $default;
         }
 
+        if ($name == 'start_page_query') {
+            return htmlentities($user->getSettings()->get($name)->getValue());
+        }
+
         return $user->getSettings()->get($name)->getValue();
     }
 

lib/Alchemy/Phrasea/Core/Version.php

@@ -17,7 +17,7 @@ class Version
      * @var string
      */
 
-    private $number = '4.1.9';
+    private $number = '4.1.10';
 
     /**
      * @var string

lib/Alchemy/Phrasea/Media/Subdef/Image.php

@@ -33,7 +33,7 @@ public function __construct(TranslatorInterface $translator)
     {
         $this->translator = $translator;
 
-        $this->registerOption(new OptionType\Range($this->translator->trans('Dimension'), self::OPTION_SIZE, 20, 5000, 800));
+        $this->registerOption(new OptionType\Range($this->translator->trans('Dimension'), self::OPTION_SIZE, 20, 10000, 800));
         $this->registerOption(new OptionType\Range($this->translator->trans('Resolution'), self::OPTION_RESOLUTION, 50, 1000, 72));
         $this->registerOption(new OptionType\Boolean($this->translator->trans('Remove ICC Profile'), self::OPTION_STRIP, false));
         $this->registerOption(new OptionType\Boolean($this->translator->trans('Flatten layers'), self::OPTION_FLATTEN, true));

lib/Alchemy/Phrasea/Model/Repositories/WorkerRunningJobRepository.php

@@ -328,14 +328,16 @@ private function releaseMutex(int $recordMutexId)
      * mark a job a "finished"
      * nb : after a long job, connection may be lost so we reconnect.
      *      But sometimes (?) a first commit fails (due to reconnect ?), while the second one is ok.
-     *      So here we try 2 times, just in case...
+     *      So here we try 4 times, just in case...
      *
      * @param int $workerRunningJobId
+     * @param MessagePublisher $messagePublisher
+     * @param $jobType
      * @param null $info
      */
-    public function markFinished(int $workerRunningJobId, $info = null)
+    public function markFinished(int $workerRunningJobId, MessagePublisher $messagePublisher, $jobType, $info = null)
     {
-        for($tryout=1; $tryout<=2; $tryout++) {
+        for($wait = 2, $tryout=1; $tryout<=4; $tryout++) {
             try {
                 $this->reconnect();
                 $cnx = $this->getEntityManager()->getConnection()->getWrappedConnection();
@@ -356,8 +358,10 @@ public function markFinished(int $workerRunningJobId, $info = null)
                 throw new Exception(sprintf("updating WorkerRunningJob should return 1 row affected, got %s", $a));
             }
             catch (Exception $e) {
-                if($tryout < 2) {
-                    sleep(1);   // retry in 1 sec
+                if($tryout < 4) {
+                    $messagePublisher->pushLog(sprintf("failed updating WorkerRunningJob to finished with id=%d for %s, attempt %d", $workerRunningJobId, $jobType, $tryout));
+                    sleep($wait);   // retry after more sec
+                    $wait *= 2;
                 }
             }
         }