revert: remove borgRestorePassword clearing and rate limiting (to be addressed in separate PRs)

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d7eb7ba7-23d8-4082-8255-09f1338de24b

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

Containers/apache/Caddyfile

@@ -10,7 +10,7 @@
     }
 
     log {
-        level {$CADDY_LOG_LEVEL}
+        level ERROR
     }
 }
 

Containers/apache/start.sh

@@ -9,8 +9,6 @@ if [ -z "$NC_DOMAIN" ]; then
     exit 1
 fi
 
-CADDY_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
-export CADDY_LOG_LEVEL
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
     export SUPERVISORD_STDOUT=/dev/stdout
 else

Containers/collabora/start.sh

@@ -6,6 +6,8 @@ fi
 
 if [ "$AIO_LOG_LEVEL" = "warn" ]; then
     COLLABORA_LOG_LEVEL="warning"
+elif [ "$AIO_LOG_LEVEL" = "info" ]; then
+    COLLABORA_LOG_LEVEL="notice"
 else
     COLLABORA_LOG_LEVEL="$AIO_LOG_LEVEL"
 fi

Containers/mastercontainer/acme.Caddyfile

@@ -10,7 +10,7 @@
 	}
 
 	log {
-		level {$CADDY_LOG_LEVEL}
+		level ERROR
 		# We need to exclude the remote-host plugin from logging as it would spam the logs
 		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
 		exclude http.matchers.remote_host

Containers/mastercontainer/headers.Caddyfile

@@ -18,9 +18,9 @@ header {
     Referrer-Policy "no-referrer" # Tells the browser to never sent a Referer header. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/Referrer-Policy
     X-Robots-Tag "noindex, nofollow" # Tells web crawlers to not index this page. See https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Headers/X-Robots-Tag
     Origin-Agent-Cluster "?1" # Isolates AIO from other same site pages. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Origin-Agent-Cluster
-    Cross-Origin-Opener-Policy "same-origin"; # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
-    Cross-Origin-Embedder-Policy "require-corp"; # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
-    Cross-Origin-Resource-Policy "same-origin"; # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
+    Cross-Origin-Opener-Policy "same-origin" # AIO does not use any popup, still we can isolate its BCG if it is opened as a pop up by another page. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy
+    Cross-Origin-Embedder-Policy "require-corp" # Harder rules for cross origin embeds. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy
+    Cross-Origin-Resource-Policy "same-origin" # Only allow the same origin to load resources. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
 
     # Permissions-Policy disables browser features that AIO does not use. Since there is no "deny all" option, all known features need to be listed explicitly. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy
     Permissions-Policy "accelerometer=(), ambient-light-sensor=(), aria-notify=(), attribution-reporting=(), autoplay=(), bluetooth=(), browsing-topics=(), camera=(), captured-surface-control=(), ch-ua-high-entropy-values=(), compute-pressure=(), cross-origin-isolated=(), deferred-fetch=(), deferred-fetch-minimal=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), local-network=(), local-network-access=(), loopback-network=(), magnetometer=(), microphone=(), midi=(), on-device-speech-recognition=(), otp-credentials=(), payment=(), picture-in-picture=(), private-state-token-issuance=(), private-state-token-redemption=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), summarizer=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"

Containers/mastercontainer/internal.Caddyfile

@@ -9,7 +9,7 @@
 	}
 
 	log {
-		level {$CADDY_LOG_LEVEL}
+		level ERROR
 		# We need to exclude the remote-host plugin from logging as it would spam the logs
 		# See https://github.com/nextcloud/all-in-one/pull/7006#issuecomment-4003238239 
 		exclude http.matchers.remote_host

Containers/mastercontainer/start.sh

@@ -338,7 +338,7 @@ else
 fi
 
 # Log level logics
-if [ -n "$AIO_LOG_LEVEL" ] && ! grep -q "^debug$\|^info$\|^warn$\|^error$"; then
+if [ -n "$AIO_LOG_LEVEL" ] && ! echo "$AIO_LOG_LEVEL" | grep -q "^debug$\|^info$\|^warn$\|^error$"; then
     print_red "AIO_LOG_LEVEL must be one of 'debug', 'info', 'warn' or 'error'.
 It is set to '$AIO_LOG_LEVEL'".
     exit 1
@@ -347,13 +347,11 @@ if [ -z "$AIO_LOG_LEVEL" ]; then
     export AIO_LOG_LEVEL="warn"
 fi
 
-CADDY_LOG_LEVEL="$(echo "$AIO_LOG_LEVEL" | tr '[:lower:]' '[:upper:]')"
 if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
     export SUPERVISORD_STDOUT=/dev/stdout
 else
     export SUPERVISORD_STDOUT=NONE
 fi
-export CADDY_LOG_LEVEL
 
 # Check if ghcr.io is reachable
 # Solves issues like https://github.com/nextcloud/all-in-one/discussions/5268

Containers/nextcloud/Dockerfile

@@ -8,7 +8,7 @@ ENV SOURCE_LOCATION=/usr/src/nextcloud
 ENV REDIS_DB_INDEX=0
 
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=33.0.2
+ENV NEXTCLOUD_VERSION=33.0.3
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!

Containers/nextcloud/entrypoint.sh

@@ -671,6 +671,7 @@ fi
 # Adjusting log files to be stored on a volume
 echo "Adjusting log files..."
 php /var/www/html/occ config:system:set upgrade.cli-upgrade-link --value="https://github.com/nextcloud/all-in-one/discussions/2726"
+php /var/www/html/occ config:system:set loglevel --value="$NEXTCLOUD_LOG_LEVEL" --type=integer
 if [ "$NEXTCLOUD_LOG_TYPE" = "errorlog" ]; then
     php /var/www/html/occ config:system:set log_type --value="errorlog"
     php /var/www/html/occ config:system:set log_type_audit --value="errorlog"

Containers/postgresql/Dockerfile

@@ -14,6 +14,7 @@ RUN set -ex; \
         bash \
         openssl \
         shadow \
+        netcat-openbsd \
         grep; \
     \
 # We need to use the same gid and uid as on old installations

Containers/postgresql/healthcheck.sh

@@ -6,6 +6,9 @@ fi
 
 test -f "/mnt/data/backup-is-running" && exit 0
 
-PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 11000 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" && exit 0
+# If database import is running, do not continue with the health check
+if nc -z 127.0.0.1 11000; then
+    exit 0
+fi
 
 PGPASSWORD="$POSTGRES_PASSWORD" psql -h 127.0.0.1 -p 5432 -U "oc_$POSTGRES_USER" -d "$POSTGRES_DB" -c "select now()" || exit 1

Containers/redis/start.sh

@@ -4,8 +4,11 @@ if [ "$AIO_LOG_LEVEL" = 'debug' ]; then
     set -x
 fi
 
-if [ "$AIO_LOG_LEVEL" = "warn" ]; then
+# Redis only supports [debug, verbose, notice, warning, nothing] as log level
+if [ "$AIO_LOG_LEVEL" = "warn" ] || [ "$AIO_LOG_LEVEL" = "error" ]; then
     REDIS_LOG_LEVEL="warning"
+elif [ "$AIO_LOG_LEVEL" = "info" ]; then
+    REDIS_LOG_LEVEL="notice"
 else
     REDIS_LOG_LEVEL="$AIO_LOG_LEVEL"
 fi

manual-install/update-yaml.sh

@@ -100,7 +100,7 @@ sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be chang
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
 sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
-sed -i 's|AIO_LOG_LEVEL=|AIO_LOG_LEVEL=warning          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.|' sample.conf
+sed -i 's|AIO_LOG_LEVEL=|AIO_LOG_LEVEL=warn          # Allows to adjust the global AIO log level. Valid values are debug, info, warn and error.|' sample.conf
 sed -i 's|FULLTEXTSEARCH_JAVA_OPTIONS=|FULLTEXTSEARCH_JAVA_OPTIONS="-Xms512M -Xmx512M"          # Allows to adjust the fulltextsearch java options.|' sample.conf
 sed -i 's|NEXTCLOUD_STARTUP_APPS=|NEXTCLOUD_STARTUP_APPS="deck twofactor_totp tasks calendar contacts notes"        # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. You can also disable apps by using a hyphen in front of them. E.g. "-app_api"|' sample.conf
 sed -i 's|NEXTCLOUD_ADDITIONAL_APKS=|NEXTCLOUD_ADDITIONAL_APKS=imagemagick        # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value.|' sample.conf

php/containers.json

@@ -892,7 +892,6 @@
       "environment": [
         "HP_SHARED_KEY=%HP_SHARED_KEY%",
         "NC_INSTANCE_URL=https://%NC_DOMAIN%",
-        "HP_LOG_LEVEL=%COLLABORA_LOG_LEVEL%",
         "HP_FRP_DISABLE_TLS=true",
         "TZ=%TIMEZONE%"
       ],

php/public/clean-history.js

@@ -0,0 +1,26 @@
+// This script is loaded after a successful token-based login.
+// It replaces the browser's current history entry (stripping the token from the
+// URL) before navigating to the main AIO page, so the token is never left in
+// the browser history and cannot be accidentally exposed via the back-button.
+//
+// The target URL is passed via the script tag's data-target attribute.
+// document.currentScript is only available during synchronous script execution
+// (not with defer/async), so this script is loaded without those attributes.
+//
+// We replace with location.pathname only (no query string, no hash), which
+// intentionally strips the ?token=… parameter and any hash fragment from the
+// recorded history entry.
+
+// Guard against environments where document.currentScript may be null.
+if (!document.currentScript) {
+    window.location.replace('/');
+} else {
+    const rawTarget = document.currentScript.dataset.target;
+
+    // Only accept the exact relative path we set server-side to prevent any
+    // potential open-redirect via a manipulated data-target value.
+    const target = rawTarget === '../../' ? rawTarget : '/';
+
+    history.replaceState(null, '', location.pathname);
+    window.location.replace(target);
+}

php/public/index.php

@@ -181,7 +181,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
         'community_containers' => $configurationManager->listAvailableCommunityContainers(),
         'community_containers_enabled' => $configurationManager->aioCommunityContainers,
         'bypass_container_update' => $bypass_container_update,
-    ]);
+    ])->withHeader('Cache-Control', 'no-store');
 })->setName('profile');
 $app->get('/login', function (Request $request, Response $response, array $args) use ($container) {
     $view = Twig::fromRequest($request);
@@ -209,7 +209,7 @@ $app->get('/setup', function (Request $request, Response $response, array $args)
         [
             'password' => $setup->Setup(),
         ]
-    );
+    )->withHeader('Cache-Control', 'no-store');
 });
 $app->get('/log', function (Request $request, Response $response, array $args) use ($container) {
     $params = $request->getQueryParams();

php/src/Controller/DockerController.php

@@ -339,7 +339,7 @@ readonly class DockerController {
 
         $body = $nonbufResp->getBody();
         $addToStreamingResponseBody = function (string $message) use ($body) : void {
-            $body->write("<div>$message</div>");
+            $body->write('<div>' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5) . '</div>');
         };
 
         $this->dockerActionManager->SystemPrune($addToStreamingResponseBody);
@@ -430,7 +430,7 @@ readonly class DockerController {
         // if it'll actually pull an image), but which should not need to know anything about the
         // wanted markup or formatting.
         $addToStreamingResponseBody = function (Container $container, string $message) use ($nonbufResp) : void {
-            $nonbufResp->getBody()->write("<div>{$container->displayName}: {$message}</div>");
+            $nonbufResp->getBody()->write('<div>' . htmlspecialchars($container->displayName, ENT_QUOTES | ENT_HTML5) . ': ' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5) . '</div>');
         };
 
         return $addToStreamingResponseBody;

php/src/Controller/LoginController.php

@@ -39,7 +39,19 @@ readonly class LoginController {
         $token = $request->getQueryParams()['token'] ?? '';
         if($this->authManager->CheckToken($token)) {
             $this->authManager->SetAuthState(true);
-            return $response->withHeader('Location', '../..')->withStatus(302);
+            // Return a minimal HTML page that uses JavaScript to replace the browser's
+            // current history entry (removing the token from it) before navigating to
+            // the main AIO page.  This prevents the token from remaining in browser history.
+            // The script is served from 'self'; same-origin scripts are already trusted under
+            // the 'script-src-elem self' CSP directive, so no SRI hash is needed here.
+            $response->getBody()->write(
+                '<!DOCTYPE html>' .
+                '<html lang="en">' .
+                '<head><script src="../../clean-history.js" data-target="../../"></script></head>' .
+                '<body></body>' .
+                '</html>'
+            );
+            return $response->withHeader('Content-Type', 'text/html; charset=utf-8')->withStatus(200);
         }
 
         // Punish failed auth attempts with a delay, as a very simple means against bots.

php/templates/includes/aio-version.twig

@@ -1 +1 @@
-13.0.0
+13.0.1