Bug 215058 - www/joomla3 update to 3.6.4/take maintainership
Summary: www/joomla3 update to 3.6.4/take maintainership
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Adam Weinberger
Depends on:
Reported: 2016-12-05 01:11 UTC by Larry Rosenman
Modified: 2016-12-22 03:22 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (nivit)

update patch (167.27 KB, patch)
2016-12-05 01:11 UTC, Larry Rosenman
no flags Details | Diff
Add MYSQL/PGSQL Options (167.41 KB, patch)
2016-12-05 02:47 UTC, Larry Rosenman
no flags Details | Diff
3.6.5 security update (167.41 KB, patch)
2016-12-21 03:52 UTC, Larry Rosenman
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Larry Rosenman freebsd_committer 2016-12-05 01:11:52 UTC
Created attachment 177671 [details]
update patch

update www/joomla3 to 3.6.4, mordenize port, add pgsql, clean up permissions

The current maintainer hasn't touched the port in over a year, and is 2 major versions out of date.
Comment 1 Larry Rosenman freebsd_committer 2016-12-05 01:48:43 UTC
NOTE: There ARE security vulnerabilities in the previous version,

Comment 2 Adam Weinberger freebsd_committer 2016-12-05 02:21:06 UTC
Are both the mysqli and pgsql modules required? If not, they should be OPTIONS.
Comment 3 Larry Rosenman freebsd_committer 2016-12-05 02:23:15 UTC
the code can pick, but you're probably right.....

I'll go make that change.
(original author only supported MySQL.  I'm a PostgreSQL bigot).
Comment 4 Larry Rosenman freebsd_committer 2016-12-05 02:47:36 UTC
Created attachment 177672 [details]

Added MYSQL and PGSQL options to pick which DB (or both) you want.
Comment 5 Adam Weinberger freebsd_committer 2016-12-05 02:54:47 UTC
Are you sure that everything needs to be owned by www? That doesn't seem right. www is supposed to be an unprivileged user. Shouldn't it only own the directories it needs to write to, and nothing else?
Comment 6 Larry Rosenman freebsd_committer 2016-12-05 02:57:05 UTC
the auto-upgrade wants to replace stuff and also adding extensions/etc.

the original port had it all owned by WWW as well, AFAICT.
Comment 7 Adam Weinberger freebsd_committer 2016-12-05 03:02:56 UTC
Does the auto-upgrade overwrite the files themselves installed by the port? I feel like www should only own the stuff it absolutely has to be able to write to.

Sorry Larry, but I don't think that whether the port currently does it that way or not is relevant; you're asking to take maintainership, so you should make sure that it's using best practice.
Comment 8 Larry Rosenman freebsd_committer 2016-12-05 03:04:47 UTC
Yes, it does update the files installed by the port.  We could disable that functionality, but...

With all the extensions, etc, that ADD stuff all over the tree, it really does need to 
have write.  and I don't want it to be 777. :)
Comment 9 Adam Weinberger freebsd_committer 2016-12-05 03:08:28 UTC
That behaviour seems strange. What happens if the port gets reinstalled, PORTREVISION gets bumped, etc?
Comment 10 Larry Rosenman freebsd_committer 2016-12-05 03:10:45 UTC
it would reinstall the base files, and then whine about needing an upgrade, but the releases are far between, and when a new release comes (March for 3.7) I'd update to the new GH tag. 

Also, there are thousands(literally) of extensions that can be web installed, and the server needs to add them ll over it's tree.  

Apache won't let a vhost run under a different UID :(
Comment 11 Mark Felder freebsd_committer 2016-12-05 19:04:24 UTC
cache, logs, and tmp are the only directories that should be writable. It specifically notes in the Joomla setup guide to redirect anything writable out of the root of your joomla install.

"Ensure that all configurable paths to writable or uploadable directories (document repositories, image galleries, caches) are outside of public_html. Check third party extensions such as DOCMan and Gallery2 for editable paths to writable directories."

Comment 12 Larry Rosenman freebsd_committer 2016-12-05 19:13:19 UTC
Hrm.  Then how is the auto-updater supposed to do it's job and the install-from-web option.  

I'll go make the change however. 

Thanks, Mark.
Comment 13 Larry Rosenman freebsd_committer 2016-12-05 19:16:48 UTC
Oh, and since their installer needs to write to the root, at least temporarily, what's the right answer there?
Comment 14 Larry Rosenman freebsd_committer 2016-12-05 19:40:41 UTC
I've sent a question to the Joomla! security folks.  I'll wait to see what all they say.
Comment 15 Mark Felder freebsd_committer 2016-12-05 22:02:28 UTC
I'm going to guess that the install-from-web and auto-updater are not expected to work if it is installed from an OS-provided package with file permissions locked down. I'm curious to hear what the Joomla folks have to say, though.

In Wordpress world I know they added the ability to ftp/sftp to localhost to update the files so they don't have to be owned by the webserver user. Maybe they do something like that?
Comment 16 Larry Rosenman freebsd_committer 2016-12-08 15:30:31 UTC
response from the JSSF:
Hi Larry,

For extension installation and core updates to work, the web space does need to have appropriate write permissions. There are some files that can be locked to read only (such as configuration.php, which Joomla does when saving the global configuration) as they generally won't change once in place.

For Joomla to run, files don't need to be writable except for the cache and logs directories (the tmp directory is mainly used during install/update, though some extensions may use it as well), but if someone were to take extra steps to lock down their filesystem, they would need to make the files writable long enough to perform any updates then switch it back.

Joomla! Security Strike Team

so I am going to leave the www:www ownership.
Comment 17 Larry Rosenman freebsd_committer 2016-12-21 03:52:19 UTC
Created attachment 178165 [details]
3.6.5 security update

3.6.5/Security updates.

Comment 18 commit-hook freebsd_committer 2016-12-21 21:57:18 UTC
A commit references this bug:

Author: adamw
Date: Wed Dec 21 21:56:31 UTC 2016
New revision: 429131
URL: https://svnweb.freebsd.org/changeset/ports/429131

  Update to 3.6.5, which resolves a number of CVEs. Add postgresql support
  via a knob, and pass maintainership to submitter. Thanks to nivit for
  looking after this port for so long.

  PR:		215058
  Submitted by:	Larry Rosenman
  Approved by:	maintainer timeout
  MFH:		2016Q4
  Security:	CVE-2016-8869
  Security:	CVE-2016-8870
  Security:	CVE-2016-9081
  Security:	CVE-2016-9836
  Security:	CVE-2016-9837
  Security:	CVE-2016-9838

Comment 19 Adam Weinberger freebsd_committer 2016-12-21 21:58:12 UTC
Committed with small modifications after timeout. Good work on this, Larry. I'm going to keep this PR open until it's merged to quarterly.
Comment 20 commit-hook freebsd_committer 2016-12-22 02:03:38 UTC
A commit references this bug:

Author: adamw
Date: Thu Dec 22 02:03:22 UTC 2016
New revision: 429136
URL: https://svnweb.freebsd.org/changeset/ports/429136

  MFH: r429131

  Update to 3.6.5, which addresses a number of CVEs. Add postgresql support
  via a knob, and pass maintainership to submitter. Thanks to nivit for
  looking after this port for so long.

  PR:		215058
  Submitted by:	Larry Rosenman
  Approved by:	maintainer timeout
  Security:	CVE-2016-8869
  Security:	CVE-2016-8870
  Security:	CVE-2016-9081
  Security:	CVE-2016-9836
  Security:	CVE-2016-9837
  Security:	CVE-2016-9838

  Approved by:	ports-secteam (junovitch)

_U  branches/2016Q4/
Comment 21 Adam Weinberger freebsd_committer 2016-12-22 02:04:28 UTC
Merge to quarterly is done.
Comment 22 commit-hook freebsd_committer 2016-12-22 03:22:40 UTC
A commit references this bug:

Author: junovitch
Date: Thu Dec 22 03:21:59 UTC 2016
New revision: 429139
URL: https://svnweb.freebsd.org/changeset/ports/429139

  Document Joomla! security advisories since 3.4.6 was released.

  While here, update entry for 3.4.6 with final advisory information from
  JSST page.

  A big thanks to Larry Rosenman for reporting the open issues and getting the
  port up to date.

  PR:		215058
  Reported by:	Larry Rosenman <ler@lerctr.org>
  Security:	CVE-2016-8869
  Security:	CVE-2016-8870
  Security:	CVE-2016-9081
  Security:	CVE-2016-9836
  Security:	CVE-2016-9837
  Security:	CVE-2016-9838
  Security:	https://vuxml.FreeBSD.org/freebsd/624b45c0-c7f3-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/a27d234a-c7f2-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/c0ef061a-c7f0-11e6-ae1b-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/f0806cad-c7f1-11e6-ae1b-002590263bf5.html