diff --git a/Containers/clamav/Dockerfile b/Containers/clamav/Dockerfile index 39b8e420..68aa789c 100644 --- a/Containers/clamav/Dockerfile +++ b/Containers/clamav/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:latest # Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.1/alpine/Dockerfile -FROM clamav/clamav:1.3.1-54 +FROM clamav/clamav:1.3.1-57 COPY clamav.conf /tmp/clamav.conf diff --git a/Containers/nextcloud/Dockerfile b/Containers/nextcloud/Dockerfile index d07c1b80..080a3670 100644 --- a/Containers/nextcloud/Dockerfile +++ b/Containers/nextcloud/Dockerfile @@ -7,7 +7,7 @@ ENV PHP_MAX_TIME=3600 ENV SOURCE_LOCATION=/usr/src/nextcloud # AIO settings start # Do not remove or change this line! -ENV NEXTCLOUD_VERSION=29.0.2 +ENV NEXTCLOUD_VERSION=29.0.3 ENV AIO_TOKEN=123456 ENV AIO_URL=localhost # AIO settings end # Do not remove or change this line! diff --git a/manual-install/latest.yml b/manual-install/latest.yml index ac6f411b..da511f7c 100644 --- a/manual-install/latest.yml +++ b/manual-install/latest.yml @@ -219,6 +219,7 @@ services: - nextcloud-aio cap_add: - MKNOD + - SYS_ADMIN cap_drop: - NET_RAW diff --git a/php/domain-validator.php b/php/domain-validator.php index 5f5ac009..57506b8a 100644 --- a/php/domain-validator.php +++ b/php/domain-validator.php @@ -2,11 +2,11 @@ $domain = $_GET['domain'] ?? ''; -if (strpos($domain, '.') === false) { +if (!str_contains($domain, '.')) { http_response_code(400); -} elseif (strpos($domain, '/') !== false) { +} elseif (str_contains($domain, '/')) { http_response_code(400); -} elseif (strpos($domain, ':') !== false) { +} elseif (str_contains($domain, ':')) { http_response_code(400); } elseif (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) { http_response_code(400); diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php index 69e9bc6e..b2093839 100644 --- a/php/src/Data/ConfigurationManager.php +++ b/php/src/Data/ConfigurationManager.php @@ -271,17 +271,17 @@ public function SetTalkRecordingEnabledState(int $value) : void { */ public function SetDomain(string $domain) : void { // Validate that at least one dot is contained - if (strpos($domain, '.') === false) { + if (!str_contains($domain, '.')) { throw new InvalidSettingConfigurationException("Domain must contain at least one dot!"); } // Validate that no slashes are contained - if (strpos($domain, '/') !== false) { + if (str_contains($domain, '/')) { throw new InvalidSettingConfigurationException("Domain must not contain slashes!"); } // Validate that no colons are contained - if (strpos($domain, ':') !== false) { + if (str_contains($domain, ':')) { throw new InvalidSettingConfigurationException("Domain must not contain colons!"); } diff --git a/readme.md b/readme.md index 2152b2ac..68ee09bf 100644 --- a/readme.md +++ b/readme.md @@ -824,3 +824,6 @@ Afterwards apply the correct permissions with `sudo chown root:root /root/automa 1. Open the cronjob with `sudo crontab -u root -e` (and choose your editor of choice if not already done. I'd recommend nano). 1. Add the following new line to the crontab if not already present: `0 5 * * * /root/automatic-updates.sh` which will run the script at 05:00 each day. 1. save and close the crontab (when using nano the shortcuts for this are `Ctrl + o` then `Enter` to save, and close the editor with `Ctrl + x`). + +### Securing the AIO interface from unauthorized ACME challenges +[By design](https://github.com/nextcloud/all-in-one/discussions/4882#discussioncomment-9858384), Caddy that runs inside the mastercontainer, which handles automatic TLS certificate generation for the AIO interface, is vulnerable to receiving DNS challenges for arbitrary hostnames from anyone on the internet. While this does not compromise your server's security, it can result in cluttered logs and rejected certificate renewal attempts due to rate limit abuse. To mitigate this issue, it is recommended to place the AIO interface behind a VPN and/or limit its public exposure.