From f04a3820bd95d6975adef7f1f8841c03e9fb3d4b Mon Sep 17 00:00:00 2001
From: Pablo Zmdl
Date: Thu, 13 Feb 2025 10:19:14 +0100
Subject: [PATCH 1/2] Make HTTP daemons use public_html/ as document root To protect files outside of the document root against unauthorized access. This is possible and recommended since a while, and will be required for Roundcubemail v1.7.
---
 apache/Dockerfile | 8 +++++++-
 examples/nginx/templates/default.conf.template | 2 +-
 fpm/Dockerfile | 8 +++++++-
 nightly/Dockerfile | 2 +-
 templates/Dockerfile-debian.templ | 8 +++++++-
 5 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/apache/Dockerfile b/apache/Dockerfile
index 9c1540edc..2470546a7 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -8,7 +8,13 @@ LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemai
 RUN apt-get update && apt-get -y upgrade && apt-get clean
 RUN set -ex; \
- if [ "apache" = "apache" ]; then a2enmod rewrite; fi; \
+ if [ "apache" = "apache" ]; then \
+ a2enmod rewrite; \
+ # Make Apache use public_html/ as document root to protect files outside of it \
+ # against unauthorized access. \
+ # This is possible and recommended since a while, and will be required for Roundcubemail v1.7. \
+ sed -i -e 's|\(DocumentRoot /var/www/html\)$|\1/public_html|' /etc/apache2/sites-available/000-default.conf; \
+ fi; \
 apt-get update; \
 \
 savedAptMark="$(apt-mark showmanual)"; \
diff --git a/examples/nginx/templates/default.conf.template b/examples/nginx/templates/default.conf.template
index 93f4be900..bcb0fa4d9 100644
--- a/examples/nginx/templates/default.conf.template
+++ b/examples/nginx/templates/default.conf.template
@@ -3,7 +3,7 @@ server {
 server_name php-docker.local;
 error_log /var/log/nginx/error.log;
 access_log /var/log/nginx/access.log;
- root /var/www/html;
+ root /var/www/html/public_html;
 location ~ /(temp|logs)/ {
 deny all;
diff --git a/fpm/Dockerfile b/fpm/Dockerfile
index 5646d6bf9..6b36e6df6 100644
--- a/fpm/Dockerfile
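Review bot: The new `root /var/www/html/public_html;` line has no comment saying why the root sits one level below the application directory, which matters in an example file that people copy and adapt. A comment above it such as `# Serve only public_html/; temp/, logs/ and the rest of the application tree stay outside the web root.` would record the intent. The `location ~ /(temp|logs)/` deny block kept as context then acts as a fallback rather than the main protection, and is worth leaving in place. The server block continues outside the hunk, so whether the PHP handler derives its script path from `$document_root`, and whether that path exists in the fpm container, cannot be checked from here and should be confirmed.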
+++ b/fpm/Dockerfile
@@ -8,7 +8,13 @@ LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemai
 RUN apt-get update && apt-get -y upgrade && apt-get clean
 RUN set -ex; \
- if [ "fpm" = "apache" ]; then a2enmod rewrite; fi; \
+ if [ "fpm" = "apache" ]; then \
+ a2enmod rewrite; \
+ # Make Apache use public_html/ as document root to protect files outside of it \
+ # against unauthorized access. \
+ # This is possible and recommended since a while, and will be required for Roundcubemail v1.7. \
+ sed -i -e 's|\(DocumentRoot /var/www/html\)$|\1/public_html|' /etc/apache2/sites-available/000-default.conf; \
+ fi; \
 apt-get update; \
 \
 savedAptMark="$(apt-mark showmanual)"; \
diff --git a/nightly/Dockerfile b/nightly/Dockerfile
index c4d0ab7c7..4038c85f2 100644
--- a/nightly/Dockerfile
+++ b/nightly/Dockerfile
@@ -12,7 +12,7 @@ RUN set -ex; \
 rm roundcubemail.tar.gz; \
 mv /usr/src/roundcubemail-master /usr/src/roundcubemail; \
 cd /usr/src/roundcubemail; \
- rm -rf installer tests public_html .ci .github .gitignore .editorconfig .tx .travis.yml; \
+ rm -rf installer tests .ci .github .gitignore .editorconfig .tx .travis.yml; \
 make css-elastic; \
 composer require kolab/net_ldap3 --no-install; \
 composer require bjeavons/zxcvbn-php --no-install; \
diff --git a/templates/Dockerfile-debian.templ b/templates/Dockerfile-debian.templ
index e31cd1832..a38c6e85a 100644
--- a/templates/Dockerfile-debian.templ
+++ b/templates/Dockerfile-debian.templ
@@ -8,7 +8,13 @@ LABEL org.opencontainers.image.source="https://github.com/roundcube/roundcubemai
 RUN apt-get update && apt-get -y upgrade && apt-get clean
 RUN set -ex; \
- if [ "%%VARIANT%%" = "apache" ]; then a2enmod rewrite; fi; \
+ if [ "%%VARIANT%%" = "apache" ]; then \
+ a2enmod rewrite; \
+ # Make Apache use public_html/ as document root to protect files outside of it \
+ # against unauthorized access. \
+ # This is possible and recommended since a while, and will be required for Roundcubemail v1.7. \
+ sed -i -e 's|\(DocumentRoot /var/www/html\)$|\1/public_html|' /etc/apache2/sites-available/000-default.conf; \
+ fi; \
 apt-get update; \
 \
 savedAptMark="$(apt-mark showmanual)"; \
From ed6d58694993dbee6b2fa118fe5e4d1df8dc9b17 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl
Date: Thu, 13 Feb 2025 10:22:05 +0100
Subject: [PATCH 2/2] Remove installer.php if present This file is new since the move require the use of public_html
---
 nightly/Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nightly/Dockerfile b/nightly/Dockerfile
index 4038c85f2..07a916d88 100644
--- a/nightly/Dockerfile
+++ b/nightly/Dockerfile
@@ -13,6 +13,7 @@ RUN set -ex; \
 mv /usr/src/roundcubemail-master /usr/src/roundcubemail; \
 cd /usr/src/roundcubemail; \
 rm -rf installer tests .ci .github .gitignore .editorconfig .tx .travis.yml; \
+ [ -f public_html/installer.php ] && rm -f public_html/installer.php; \
 make css-elastic; \
 composer require kolab/net_ldap3 --no-install; \
 composer require bjeavons/zxcvbn-php --no-install; \
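Review bot: The `sed` on `000-default.conf` in templates/Dockerfile-debian.templ exits successfully even when its pattern matches nothing. If the base image's default vhost ever writes the `DocumentRoot` line differently (another path, trailing whitespace), the build still passes and Apache keeps serving all of `/var/www/html`, which is the exposure this change is meant to close. Following the `sed` with `grep -q 'DocumentRoot /var/www/html/public_html$' /etc/apache2/sites-available/000-default.conf; \` lets the `set -ex` at the top of the RUN fail the build instead. The same lines appear in the apache/Dockerfile and fpm/Dockerfile hunks, which look generated from this template, so the check belongs here. The RUN instruction continues past the end of the hunk.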
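Review bot: In the nightly/Dockerfile hunk of patch 2/2, `[ -f public_html/installer.php ] && rm -f public_html/installer.php; \` tests for a file that `rm -f` already tolerates being absent. The `test && cmd` form also leaves a non-zero status when the file is missing, which would fail the RUN if this ever became the last command in the chain. `rm -f public_html/installer.php; \` does the same job without that trap. Because patch 1/2 makes public_html/ the document root, an installer left there is web-reachable; only nightly/Dockerfile is touched here, so whether the release Dockerfiles need the same removal cannot be told from this page and should be confirmed. The RUN instruction starts and ends outside the hunk.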