ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

fix(mail): vendor AWL — Z-Push's CalDAV client requires it at login
ci / changes (push) Successful in 4s
Details
ci / tc_portal (push) Has been skipped
Details
ci / tc_booking (push) Has been skipped
Details
ci / tc_operator (push) Has been skipped
Details
ci / tc_platform_api (push) Has been skipped
Details
ci / test_platform_api (push) Has been skipped
Details
ci / build_portal (push) Has been skipped
Details
ci / build_booking (push) Has been skipped
Details
ci / build_operator (push) Has been skipped
Details
ci / build_platform_api (push) Has been skipped
Details
ci / tc_website (push) Has been skipped
Details
ci / build_zpush (push) Successful in 17s
Details
ci / deploy (push) Successful in 25s
Details

Browse Source 
include/z_caldav.php needs XMLDocument.php from AWL (Andrew's Web
Libraries); the Debian z-push packages pull php-awl in automatically
but bookworm dropped the package, so vendor it from upstream at
r0.65 into /usr/share/awl/inc (already on Z-Push's include_path).
Only surfaces on *authenticated* requests: combined login hits IMAP
first, so fake-credential smoke tests never reach the CalDAV class.

Hardening from the same incident: a build-time class-load smoke test
fails the image if any backend dependency is missing, and
zend.exception_ignore_args stops uncaught fatals from logging the
raw passwords Z-Push passes through Logon().
This commit is contained in:
Ronni Baslund
2026-06-12 14:21:55 +02:00
parent 959223c044
commit 9bc89bcd5d
2 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
services/zpush/Dockerfile
+17
View File
@@ -15,6 +15,12 @@ FROM alpine/git AS source
ARG ZPUSH_VERSION
RUN git clone --depth 1 --branch ${ZPUSH_VERSION} \
https://github.com/EGroupware/z-push.git /z-push
# AWL (Andrew's Web Libraries) — Z-Push's CalDAV client (include/z_caldav.php)
# requires XMLDocument.php from it, and its include_path already expects the
# Debian location /usr/share/awl/inc. Debian dropped the php-awl package
# after bullseye, so vendor it from upstream at a pinned tag.
RUN git clone --depth 1 --branch r0.65 \
https://gitlab.com/davical-project/awl.git /awl
# php:8.2 — the imap extension lives in PHP core through 8.3 and moved to
# PECL in 8.4; stay on a version where docker-php-ext-install still works.
@@ -31,6 +37,7 @@ RUN apt-get update \
&& rm -rf /var/lib/apt/lists/*
COPY --from=source /z-push/src/ /usr/share/z-push/
COPY --from=source /awl/inc/ /usr/share/awl/inc/
# Main config: keep the 50+ upstream defaults, patch only what we change.
# The greps make the build fail loudly if an upstream config rename ever
@@ -65,6 +72,16 @@ COPY config/autodiscover.config.php /usr/share/z-push/autodiscover/config.php
# autodiscover.php resolves its requires relative to that directory.
COPY autodiscover-router.php /usr/share/z-push/autodiscover/router.php
# Build-time smoke test: force-load every class the combined backend pulls
# in at runtime. Catches missing vendored dependencies (the AWL include
# above only crashes on the first *authenticated* request otherwise).
RUN php -d include_path='.:/usr/local/lib/php:/usr/share/z-push/:/usr/share/awl/inc' -r ' \
require "/usr/share/z-push/vendor/autoload.php"; \
foreach (array("CalDAVClient", "carddav_backend", "BackendIMAP", "BackendCalDAV", "BackendCardDAV", "BackendCombined") as $c) { \
if (!class_exists($c)) { fwrite(STDERR, "FAILED loading $c\n"); exit(1); } \
} \
echo "class-load smoke OK\n";'
COPY apache/zpush.conf /etc/apache2/conf-available/zpush.conf
COPY php/zpush.ini /usr/local/etc/php/conf.d/zpush.ini
RUN a2enconf zpush \
services/zpush/php/zpush.ini
+3
View File
@@ -9,3 +9,6 @@ log_errors = On
error_log = /dev/stderr
display_errors = Off
expose_php = Off
; Never capture function arguments in exception traces — Z-Push passes raw
; passwords through Logon(), and an uncaught fatal would log them.
zend.exception_ignore_args = 1