Update phpMyAdmin to the latest commit #18239

Merged: 1 commit from williamdes-phpmyadmin into docker-library:master, Jan 14, 2025

Conversation

williamdes (Contributor) commented Jan 14, 2025

Follow-up of #17398

  • Make all the files read-only
  • Only allow writing to tmp and sessions
  • Removed PMA_SSL and PMA_SSLS from _FILE support as it makes no sense
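A check worth running before taking the "read-only" wording above at face value. The script below is an added example for this page, not code from the PR or from the phpmyadmin/docker repository: it reproduces the Dockerfile's permission scheme (555 on directories, 444 on files, 1777 on tmp) on a constructed scratch tree and then audits it twice, once for any write bit left outside an allowlist and once for paths owned by the user who will run PHP, because an owner can chmod its own files back at will. The function names (`harden_tree`, `writable_paths`, `owner_reclaimable`) and the two-file sample tree are assumptions made for the example; in the image, www-data plays the role the current user plays here, since the extraction step runs as www-data.

```shell
#!/bin/sh
# Added example for this PR page; not code from phpmyadmin/docker or from the
# docker-library PR. It reproduces the PR's permission scheme on a scratch tree
# and audits the result the way you would audit a built image:
#   1. which paths still carry any write bit (should be only the allowlist), and
#   2. which paths the runtime user owns, because a 444 file is only read-only
#      for its owner until the owner runs `chmod u+w` on it.
set -eu

# harden_tree ROOT: 555 on directories, 444 on files, 1777 on ROOT/tmp, in the
# same order as the Dockerfile hunks (tmp is created before the chmods, so it
# exists when ROOT itself becomes 555). `-exec ... +` batches the chmod calls.
harden_tree() {
    root=$1
    mkdir -p "$root/tmp"
    find "$root" -type d -exec chmod 555 {} +
    find "$root" -type f -exec chmod 444 {} +
    chmod 1777 "$root/tmp"
}

# writable_paths ROOT [ALLOWED ...]: print every path under ROOT that has any
# write bit set for owner, group or other, except the ALLOWED entries (given
# relative to ROOT). Returns 1 if anything unexpected is writable, else 0.
writable_paths() {
    root=$1; shift
    allowed=" ${*:-} "
    # -perm -MODE (octal, leading dash) means "all of these bits are set",
    # which is portable across GNU, BSD and BusyBox find.
    unexpected=$(
        find "$root" \( -perm -200 -o -perm -020 -o -perm -002 \) | sort |
        while IFS= read -r p; do
            rel=${p#"$root"/}
            case "$allowed" in *" $rel "*) continue ;; esac
            printf '%s\n' "$p"
        done
    )
    [ -z "$unexpected" ] || { printf '%s\n' "$unexpected"; return 1; }
}

# owner_reclaimable ROOT USER: paths under ROOT owned by USER. Every entry
# listed here can be made writable again by a process running as USER, so
# chmod 444/555 alone is not a boundary against a compromised PHP worker.
owner_reclaimable() {
    find "$1" -user "$2" | sort
}

# Demo on a constructed scratch webroot (no image needed). The two files mimic
# the phpMyAdmin layout; in the real image the extraction step runs as www-data,
# so www-data would play the role the current user plays here.
scratch=$(mktemp -d)
mkdir -p "$scratch/libraries"
printf '<?php\n' > "$scratch/index.php"
printf '<?php\n' > "$scratch/libraries/vendor_config.php"
harden_tree "$scratch"
echo "== paths with a write bit outside the allowlist [tmp] (expect none):"
writable_paths "$scratch" tmp || echo "   unexpected writable paths found"
echo "== paths owned by $(id -un), i.e. re-writable with chmod u+w:"
owner_reclaimable "$scratch" "$(id -un)"
# The owner undoing the scheme is exactly the caveat; it is also what lets the
# script remove its own 555 directories.
chmod -R u+w "$scratch"
rm -rf "$scratch"
```

Run it with `sh`. The first audit comes back empty and the second lists every entry in the tree: that is the caveat behind the "read-only" wording, and it is also why the script has to `chmod -R u+w` before it can delete its scratch tree.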

@williamdes williamdes requested a review from a team as a code owner January 14, 2025 23:25

Diff for b76f6a8:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index f90e90d..9eb5ad1 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -3,15 +3,15 @@ GitRepo: /~https://github.com/phpmyadmin/docker.git
 
 Tags: 5.2.1-apache, 5.2-apache, 5-apache, apache, 5.2.1, 5.2, 5, latest
 Architectures: amd64, arm32v5, arm32v7, arm64v8, i386, mips64le, ppc64le, s390x
-GitCommit: ec0d6a5c3ae5d8df6e5f7d08570c91518cfc302e
+GitCommit: 04de4ca2ba06220049eac53b15793fb9b481994a
 Directory: apache
 
 Tags: 5.2.1-fpm, 5.2-fpm, 5-fpm, fpm
 Architectures: amd64, arm32v5, arm32v7, arm64v8, i386, mips64le, ppc64le, s390x
-GitCommit: ec0d6a5c3ae5d8df6e5f7d08570c91518cfc302e
+GitCommit: 04de4ca2ba06220049eac53b15793fb9b481994a
 Directory: fpm
 
 Tags: 5.2.1-fpm-alpine, 5.2-fpm-alpine, 5-fpm-alpine, fpm-alpine
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, riscv64, s390x
-GitCommit: ec0d6a5c3ae5d8df6e5f7d08570c91518cfc302e
+GitCommit: 04de4ca2ba06220049eac53b15793fb9b481994a
 Directory: fpm-alpine
diff --git a/phpmyadmin_fpm-alpine/Dockerfile b/phpmyadmin_fpm-alpine/Dockerfile
index eefb733..a0187c1 100644
--- a/phpmyadmin_fpm-alpine/Dockerfile
+++ b/phpmyadmin_fpm-alpine/Dockerfile
@@ -1,10 +1,11 @@
 # DO NOT EDIT: created by update.sh from Dockerfile-alpine.template
 FROM php:8.2-fpm-alpine
 
-# docker-entrypoint.sh dependencies
+# install and docker-entrypoint.sh dependencies
 RUN apk add --no-cache \
     bash \
-    tzdata
+    tzdata \
+    gnupg
 
 # Install dependencies
 RUN set -ex; \
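Review bot: gnupg becomes a permanent runtime package in this first `apk add --no-cache` layer, whereas the replaced download step installed it as the `.fetch-deps` virtual package and removed it again with `apk del --no-network .fetch-deps` (see the later hunk in this file). The move is forced because the download step now runs as www-data and apk needs root, but nothing removes gnupg afterwards, so it ships in the final image. Either add a comment saying that is intentional, or add a root-owned cleanup (`apk del --no-network gnupg`) after the final `USER root`.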
@@ -47,6 +48,13 @@ ENV UPLOAD_LIMIT 2048K
 ENV TZ UTC
 ENV SESSION_SAVE_PATH /sessions
 RUN set -ex; \
+    mkdir $SESSION_SAVE_PATH; \
+    mkdir -p $PMA_SSL_DIR; \
+    chmod 1777 $SESSION_SAVE_PATH; \
+    chmod 755 $PMA_SSL_DIR; \
+    chown www-data:www-data /etc/phpmyadmin; \
+    chown www-data:www-data $PMA_SSL_DIR; \
+    chown www-data:www-data $SESSION_SAVE_PATH; \
     \
     { \
         echo 'opcache.memory_consumption=128'; \
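Review bot: `chown www-data:www-data /etc/phpmyadmin` hands the config directory to the runtime user, and the existing `COPY --chown=www-data:www-data config.inc.php` below hands it the file, so a compromised PHP worker running as www-data can replace config.inc.php; that cuts against the "make all the files read-only" goal of this PR. Nothing in this hunk writes to /etc/phpmyadmin, so root ownership with 755/644 would do unless the entrypoint needs to write there. Also, there is no `mkdir -p /etc/phpmyadmin` in this hunk; if the directory is not created earlier in the file, this `chown` fails under `set -ex`. The same applies to the two Debian variants below.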
@@ -72,6 +80,8 @@ RUN set -ex; \
         echo 'session.save_path=${SESSION_SAVE_PATH}'; \
     } > $PHP_INI_DIR/conf.d/phpmyadmin-misc.ini
 
+USER www-data:www-data
+
 # Calculate download URL
 ENV VERSION 5.2.1
 ENV SHA256 373f9599dfbd96d6fe75316d5dad189e68c305f297edf42377db9dd6b41b2557
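Review bot: `USER www-data:www-data` now applies to the download-and-extract `RUN` that follows, which writes into /var/www/html via `tar -xf ... -C /var/www/html`, creates /var/www/html/tmp and runs curl and gpg unprivileged. That only works if the base image already made /var/www/html writable by www-data; that assumption deserves a comment, or an explicit `[ -w /var/www/html ]` at the top of the RUN so a base-image change fails with a clear message instead of at the tar step. A side effect that matters for the chmod hunk further down: every extracted file is now owned by www-data.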
@@ -89,15 +99,6 @@ LABEL org.opencontainers.image.title="Official phpMyAdmin Docker image" \
 
 # Download tarball, verify it using gpg and extract
 RUN set -ex; \
-    apk add --no-cache --virtual .fetch-deps \
-        gnupg \
-    ; \
-    mkdir $SESSION_SAVE_PATH; \
-    mkdir -p $PMA_SSL_DIR; \
-    chmod 1777 $SESSION_SAVE_PATH; \
-    chmod 755 $PMA_SSL_DIR; \
-    chown www-data:www-data $SESSION_SAVE_PATH; \
-    chown www-data:www-data $PMA_SSL_DIR; \
     \
     export GNUPGHOME="$(mktemp -d)"; \
     export GPGKEY="3D06A59ECE730EB71B511C17CE752F178259BD92"; \
@@ -111,7 +112,6 @@ RUN set -ex; \
     gpg --batch --verify phpMyAdmin.tar.xz.asc phpMyAdmin.tar.xz; \
     tar -xf phpMyAdmin.tar.xz -C /var/www/html --strip-components=1; \
     mkdir -p /var/www/html/tmp; \
-    chown www-data:www-data /var/www/html/tmp; \
     gpgconf --kill all; \
     rm -r "$GNUPGHOME" phpMyAdmin.tar.xz phpMyAdmin.tar.xz.asc; \
     rm -r -v /var/www/html/setup/ /var/www/html/examples/ /var/www/html/js/src/ /var/www/html/babel.config.json /var/www/html/doc/html/_sources/ /var/www/html/RELEASE-DATE-$VERSION /var/www/html/CONTRIBUTING.md; \
@@ -119,8 +119,9 @@ RUN set -ex; \
     sed -i "s@'configFile' => .*@'configFile' => '/etc/phpmyadmin/config.inc.php',@" /var/www/html/libraries/vendor_config.php; \
     grep -q -F "'configFile' => '/etc/phpmyadmin/config.inc.php'," /var/www/html/libraries/vendor_config.php; \
     php -l /var/www/html/libraries/vendor_config.php; \
-    chown -R www-data:www-data -R /var/www/html/; \
-    apk del --no-network .fetch-deps
+    find /var/www/html -type d -exec chmod 555 {} \;; \
+    find /var/www/html -type f -exec chmod 444 {} \;; \
+    chmod 1777 /var/www/html/tmp;
 
 # Copy configuration
 COPY --chown=www-data:www-data config.inc.php /etc/phpmyadmin/config.inc.php
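Review bot: the `find ... chmod 555/444` pass runs as www-data (set by the `USER` line above), so www-data owns every file it locks down, and an owner can run `chmod u+w` at any time; a compromised PHP worker therefore loses nothing to the read-only bits. For the "read-only" claim in the description to hold against the process user, the tree has to belong to another account (extract and chmod as root, `chown root:root`, and hand only /var/www/html/tmp to www-data), or the container has to run with a read-only root filesystem plus tmpfs mounts for /var/www/html/tmp and /sessions. Two smaller points: `-exec chmod 444 {} \;` forks one chmod per file where `-exec chmod 444 {} +` batches them, and the trailing `;` after `chmod 1777 /var/www/html/tmp` is unnecessary.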
@@ -129,5 +130,6 @@ COPY --chown=www-data:www-data helpers.php /etc/phpmyadmin/helpers.php
 # Copy main script
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
+USER root
 ENTRYPOINT [ "/docker-entrypoint.sh" ]
 CMD ["php-fpm"]
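Review bot: ending with `USER root` means the container still starts as root: the entrypoint and the php-fpm master run as root and only the pool workers drop to www-data, so the non-root `USER` earlier in the file changes the build, not the runtime. A comment here (and a line in the description) saying why root is needed at start-up would stop readers from taking this PR as a runtime hardening; if the entrypoint only needs root for its own fix-ups, dropping privileges before `exec "$@"` would finish the job.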
diff --git a/phpmyadmin_fpm-alpine/docker-entrypoint.sh b/phpmyadmin_fpm-alpine/docker-entrypoint.sh
index 0d98e27..2b7b825 100755
--- a/phpmyadmin_fpm-alpine/docker-entrypoint.sh
+++ b/phpmyadmin_fpm-alpine/docker-entrypoint.sh
@@ -51,7 +51,5 @@ get_docker_secret PMA_HOST
 get_docker_secret PMA_CONTROLHOST
 get_docker_secret PMA_CONTROLUSER
 get_docker_secret PMA_CONTROLPASS
-get_docker_secret PMA_SSL
-get_docker_secret PMA_SSLS
 
 exec "$@"
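Review bot: dropping `get_docker_secret PMA_SSL` and `get_docker_secret PMA_SSLS` silently changes behaviour for anyone who set `PMA_SSL_FILE` or `PMA_SSLS_FILE`: the setting simply stops being read. The description's reason is sound, these are configuration flags rather than credentials, but the README and changelog should say so, and the entrypoint could warn when either `_FILE` variable is present instead of ignoring it.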
diff --git a/phpmyadmin_fpm/Dockerfile b/phpmyadmin_fpm/Dockerfile
index f9fe9e1..bf296e4 100644
--- a/phpmyadmin_fpm/Dockerfile
+++ b/phpmyadmin_fpm/Dockerfile
@@ -3,10 +3,15 @@ FROM php:8.2-fpm
 
 # Install dependencies
 RUN set -ex; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        gnupg \
+        dirmngr \
+    ; \
     \
     savedAptMark="$(apt-mark showmanual)"; \
     \
-    apt-get update; \
     apt-get install -y --no-install-recommends \
         libbz2-dev \
         libfreetype6-dev \
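Review bot: the ordering here is load-bearing and should be commented: gnupg and dirmngr are installed before `savedAptMark="$(apt-mark showmanual)"` is captured, so `apt-mark manual $savedAptMark` in the cleanup below restores them as manual and `apt-get purge --auto-remove` keeps them, which is what the unprivileged download step later needs. Read quickly it looks as though `apt-get update` was merely moved; the consequence is that gnupg and dirmngr now ship in the runtime image, where the old download hunk purged them.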
@@ -44,7 +49,12 @@ RUN set -ex; \
     ldd "$extdir"/*.so | grep -qzv "=> not found" || (echo "Sanity check failed: missing libraries:"; ldd "$extdir"/*.so | grep " => not found"; exit 1); \
     ldd "$extdir"/*.so | grep -q "libzip.so.* => .*/libzip.so.*" || (echo "Sanity check failed: libzip.so is not referenced"; ldd "$extdir"/*.so; exit 1); \
     err="$(php --version 3>&1 1>&2 2>&3)"; \
-    [ -z "$err" ] || (echo "Sanity check failed: php returned errors; $err"; exit 1;);
+    [ -z "$err" ] || (echo "Sanity check failed: php returned errors; $err"; exit 1;); \
+    \
+    apt-mark auto '.*' > /dev/null; \
+    apt-mark manual $savedAptMark; \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    rm -rf /var/lib/apt/lists/*
 
 # set recommended PHP.ini settings
 # see https://secure.php.net/manual/en/opcache.installation.php
@@ -55,6 +65,13 @@ ENV UPLOAD_LIMIT 2048K
 ENV TZ UTC
 ENV SESSION_SAVE_PATH /sessions
 RUN set -ex; \
+    mkdir $SESSION_SAVE_PATH; \
+    mkdir -p $PMA_SSL_DIR; \
+    chmod 1777 $SESSION_SAVE_PATH; \
+    chmod 755 $PMA_SSL_DIR; \
+    chown www-data:www-data /etc/phpmyadmin; \
+    chown www-data:www-data $PMA_SSL_DIR; \
+    chown www-data:www-data $SESSION_SAVE_PATH; \
     \
     { \
         echo 'opcache.memory_consumption=128'; \
@@ -80,6 +97,8 @@ RUN set -ex; \
         echo 'session.save_path=${SESSION_SAVE_PATH}'; \
     } > $PHP_INI_DIR/conf.d/phpmyadmin-misc.ini
 
+USER www-data:www-data
+
 # Calculate download URL
 ENV VERSION 5.2.1
 ENV SHA256 373f9599dfbd96d6fe75316d5dad189e68c305f297edf42377db9dd6b41b2557
@@ -97,21 +116,6 @@ LABEL org.opencontainers.image.title="Official phpMyAdmin Docker image" \
 
 # Download tarball, verify it using gpg and extract
 RUN set -ex; \
-    \
-    savedAptMark="$(apt-mark showmanual)"; \
-    \
-    apt-get update; \
-    apt-get install -y --no-install-recommends \
-        gnupg \
-        dirmngr \
-    ; \
-    mkdir $SESSION_SAVE_PATH; \
-    mkdir -p $PMA_SSL_DIR; \
-    chmod 1777 $SESSION_SAVE_PATH; \
-    chmod 755 $PMA_SSL_DIR; \
-    chown www-data:www-data $SESSION_SAVE_PATH; \
-    chown www-data:www-data $PMA_SSL_DIR; \
-    \
     export GNUPGHOME="$(mktemp -d)"; \
     export GPGKEY="3D06A59ECE730EB71B511C17CE752F178259BD92"; \
     curl -fsSL -o phpMyAdmin.tar.xz $URL; \
@@ -124,7 +128,6 @@ RUN set -ex; \
     gpg --batch --verify phpMyAdmin.tar.xz.asc phpMyAdmin.tar.xz; \
     tar -xf phpMyAdmin.tar.xz -C /var/www/html --strip-components=1; \
     mkdir -p /var/www/html/tmp; \
-    chown www-data:www-data /var/www/html/tmp; \
     gpgconf --kill all; \
     rm -r "$GNUPGHOME" phpMyAdmin.tar.xz phpMyAdmin.tar.xz.asc; \
     rm -r -v /var/www/html/setup/ /var/www/html/examples/ /var/www/html/js/src/ /var/www/html/babel.config.json /var/www/html/doc/html/_sources/ /var/www/html/RELEASE-DATE-$VERSION /var/www/html/CONTRIBUTING.md; \
@@ -132,12 +135,9 @@ RUN set -ex; \
     sed -i "s@'configFile' => .*@'configFile' => '/etc/phpmyadmin/config.inc.php',@" /var/www/html/libraries/vendor_config.php; \
     grep -q -F "'configFile' => '/etc/phpmyadmin/config.inc.php'," /var/www/html/libraries/vendor_config.php; \
     php -l /var/www/html/libraries/vendor_config.php; \
-    chown -R www-data:www-data -R /var/www/html/; \
-    \
-    apt-mark auto '.*' > /dev/null; \
-    apt-mark manual $savedAptMark; \
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-    rm -rf /var/lib/apt/lists/*
+    find /var/www/html -type d -exec chmod 555 {} \;; \
+    find /var/www/html -type f -exec chmod 444 {} \;; \
+    chmod 1777 /var/www/html/tmp;
 
 # Copy configuration
 COPY --chown=www-data:www-data config.inc.php /etc/phpmyadmin/config.inc.php
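Review bot: same point as the fpm-alpine variant: this chmod pass is executed by www-data (the `USER` line above), so the 444/555 bits are owner-revocable and not a boundary against the process user; root ownership of the tree, or a read-only root filesystem with tmpfs for /var/www/html/tmp and /sessions, is what would make the description's claim hold. `-exec chmod ... {} +` would also batch the calls.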
@@ -146,5 +146,6 @@ COPY --chown=www-data:www-data helpers.php /etc/phpmyadmin/helpers.php
 # Copy main script
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
+USER root
 ENTRYPOINT [ "/docker-entrypoint.sh" ]
 CMD ["php-fpm"]
diff --git a/phpmyadmin_fpm/docker-entrypoint.sh b/phpmyadmin_fpm/docker-entrypoint.sh
index 0d98e27..2b7b825 100755
--- a/phpmyadmin_fpm/docker-entrypoint.sh
+++ b/phpmyadmin_fpm/docker-entrypoint.sh
@@ -51,7 +51,5 @@ get_docker_secret PMA_HOST
 get_docker_secret PMA_CONTROLHOST
 get_docker_secret PMA_CONTROLUSER
 get_docker_secret PMA_CONTROLPASS
-get_docker_secret PMA_SSL
-get_docker_secret PMA_SSLS
 
 exec "$@"
diff --git a/phpmyadmin_latest/Dockerfile b/phpmyadmin_latest/Dockerfile
index dff2005..a6bbd20 100644
--- a/phpmyadmin_latest/Dockerfile
+++ b/phpmyadmin_latest/Dockerfile
@@ -3,10 +3,15 @@ FROM php:8.2-apache
 
 # Install dependencies
 RUN set -ex; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        gnupg \
+        dirmngr \
+    ; \
     \
     savedAptMark="$(apt-mark showmanual)"; \
     \
-    apt-get update; \
     apt-get install -y --no-install-recommends \
         libbz2-dev \
         libfreetype6-dev \
@@ -47,7 +52,12 @@ RUN set -ex; \
     ldd "$extdir"/*.so | grep -qzv "=> not found" || (echo "Sanity check failed: missing libraries:"; ldd "$extdir"/*.so | grep " => not found"; exit 1); \
     ldd "$extdir"/*.so | grep -q "libzip.so.* => .*/libzip.so.*" || (echo "Sanity check failed: libzip.so is not referenced"; ldd "$extdir"/*.so; exit 1); \
     err="$(php --version 3>&1 1>&2 2>&3)"; \
-    [ -z "$err" ] || (echo "Sanity check failed: php returned errors; $err"; exit 1;);
+    [ -z "$err" ] || (echo "Sanity check failed: php returned errors; $err"; exit 1;); \
+    \
+    apt-mark auto '.*' > /dev/null; \
+    apt-mark manual $savedAptMark; \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    rm -rf /var/lib/apt/lists/*
 
 # set recommended PHP.ini settings
 # see https://secure.php.net/manual/en/opcache.installation.php
@@ -58,6 +68,13 @@ ENV UPLOAD_LIMIT 2048K
 ENV TZ UTC
 ENV SESSION_SAVE_PATH /sessions
 RUN set -ex; \
+    mkdir $SESSION_SAVE_PATH; \
+    mkdir -p $PMA_SSL_DIR; \
+    chmod 1777 $SESSION_SAVE_PATH; \
+    chmod 755 $PMA_SSL_DIR; \
+    chown www-data:www-data /etc/phpmyadmin; \
+    chown www-data:www-data $PMA_SSL_DIR; \
+    chown www-data:www-data $SESSION_SAVE_PATH; \
     \
     { \
         echo 'opcache.memory_consumption=128'; \
@@ -83,6 +100,8 @@ RUN set -ex; \
         echo 'session.save_path=${SESSION_SAVE_PATH}'; \
     } > $PHP_INI_DIR/conf.d/phpmyadmin-misc.ini
 
+USER www-data:www-data
+
 # Calculate download URL
 ENV VERSION 5.2.1
 ENV SHA256 373f9599dfbd96d6fe75316d5dad189e68c305f297edf42377db9dd6b41b2557
@@ -100,21 +119,6 @@ LABEL org.opencontainers.image.title="Official phpMyAdmin Docker image" \
 
 # Download tarball, verify it using gpg and extract
 RUN set -ex; \
-    \
-    savedAptMark="$(apt-mark showmanual)"; \
-    \
-    apt-get update; \
-    apt-get install -y --no-install-recommends \
-        gnupg \
-        dirmngr \
-    ; \
-    mkdir $SESSION_SAVE_PATH; \
-    mkdir -p $PMA_SSL_DIR; \
-    chmod 1777 $SESSION_SAVE_PATH; \
-    chmod 755 $PMA_SSL_DIR; \
-    chown www-data:www-data $SESSION_SAVE_PATH; \
-    chown www-data:www-data $PMA_SSL_DIR; \
-    \
     export GNUPGHOME="$(mktemp -d)"; \
     export GPGKEY="3D06A59ECE730EB71B511C17CE752F178259BD92"; \
     curl -fsSL -o phpMyAdmin.tar.xz $URL; \
@@ -127,7 +131,6 @@ RUN set -ex; \
     gpg --batch --verify phpMyAdmin.tar.xz.asc phpMyAdmin.tar.xz; \
     tar -xf phpMyAdmin.tar.xz -C /var/www/html --strip-components=1; \
     mkdir -p /var/www/html/tmp; \
-    chown www-data:www-data /var/www/html/tmp; \
     gpgconf --kill all; \
     rm -r "$GNUPGHOME" phpMyAdmin.tar.xz phpMyAdmin.tar.xz.asc; \
     rm -r -v /var/www/html/setup/ /var/www/html/examples/ /var/www/html/js/src/ /var/www/html/babel.config.json /var/www/html/doc/html/_sources/ /var/www/html/RELEASE-DATE-$VERSION /var/www/html/CONTRIBUTING.md; \
@@ -135,12 +138,9 @@ RUN set -ex; \
     sed -i "s@'configFile' => .*@'configFile' => '/etc/phpmyadmin/config.inc.php',@" /var/www/html/libraries/vendor_config.php; \
     grep -q -F "'configFile' => '/etc/phpmyadmin/config.inc.php'," /var/www/html/libraries/vendor_config.php; \
     php -l /var/www/html/libraries/vendor_config.php; \
-    chown -R www-data:www-data -R /var/www/html/; \
-    \
-    apt-mark auto '.*' > /dev/null; \
-    apt-mark manual $savedAptMark; \
-    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-    rm -rf /var/lib/apt/lists/*
+    find /var/www/html -type d -exec chmod 555 {} \;; \
+    find /var/www/html -type f -exec chmod 444 {} \;; \
+    chmod 1777 /var/www/html/tmp;
 
 # Copy configuration
 COPY --chown=www-data:www-data config.inc.php /etc/phpmyadmin/config.inc.php
@@ -149,5 +149,6 @@ COPY --chown=www-data:www-data helpers.php /etc/phpmyadmin/helpers.php
 # Copy main script
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
+USER root
 ENTRYPOINT [ "/docker-entrypoint.sh" ]
 CMD ["apache2-foreground"]
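Review bot: for the Apache variant `USER root` is effectively required by `apache2-foreground` as the image stands, since the Apache parent process binds the privileged port and drops its children to www-data, so this hunk restores the previous runtime model rather than changing it. A comment to that effect would stop the non-root `USER` above from being read as a runtime change; a genuine non-root runtime would need a Listen port above 1024 and a matching port mapping, which is out of scope for this PR.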
diff --git a/phpmyadmin_latest/docker-entrypoint.sh b/phpmyadmin_latest/docker-entrypoint.sh
index 5c2e85a..5fe099f 100755
--- a/phpmyadmin_latest/docker-entrypoint.sh
+++ b/phpmyadmin_latest/docker-entrypoint.sh
@@ -59,7 +59,5 @@ get_docker_secret PMA_HOST
 get_docker_secret PMA_CONTROLHOST
 get_docker_secret PMA_CONTROLUSER
 get_docker_secret PMA_CONTROLPASS
-get_docker_secret PMA_SSL
-get_docker_secret PMA_SSLS
 
 exec "$@"

@tianon tianon merged commit ab4b4ce into docker-library:master Jan 14, 2025
8 checks passed
@williamdes williamdes deleted the williamdes-phpmyadmin branch January 14, 2025 23:46