From 82d7c3c40b88e89b254d4e820dce43c25385e2d8 Mon Sep 17 00:00:00 2001
From: Alex Gondek
Date: Fri, 22 May 2026 11:41:12 -0700
Subject: [PATCH 1/3] delete dev-only files, add htaccess to block access to config files

---
 .gitignore | 1 +
 .htaccess | 8 +++++
 Dockerfile | 9 +++++-
 delete-dev-files.sh | 76 +++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 .htaccess
 create mode 100644 delete-dev-files.sh

diff --git a/.gitignore b/.gitignore
index ea26ec2..4bf7ba1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .data
+.idea
diff --git a/.htaccess b/.htaccess
new file mode 100644
index 0000000..f2ac5c5
--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,8 @@
+# Block direct web access to sensitive PHP files that must remain on disk.
+# Returns 404 to avoid revealing file existence.
+Redirect 404 /config.php
+Redirect 404 /config-dist.php
+Redirect 404 /install.php
+Redirect 404 /brokenfile.php
+Redirect 404 /register-redis-cache-store.php
+Redirect 404 /version.php
diff --git a/Dockerfile b/Dockerfile
index db1e029..59dacbc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,10 +32,14 @@ RUN set -eux; \
 # lockstep with whatever lands on ubc/moodle:ltic-v4.5.11 without having to
 # enumerate which files changed.
 ARG MOODLE_LTIC_REF=ltic-v4.5.11
+COPY delete-dev-files.sh /tmp/delete-dev-files.sh
 RUN set -eux; \
     curl -fL "https://github.com/ubc/moodle/archive/${MOODLE_LTIC_REF}.tar.gz" \
     | tar xz --strip=1 -C /var/www/html; \
-    chown -R www-data:www-data /var/www/html
+    bash /tmp/delete-dev-files.sh; \
+    rm /tmp/delete-dev-files.sh; \
+    chown -R www-data:www-data /var/www/html; \
+    chmod 444 /var/www/html/config.php # Addresses "Writable config.php" moodle warning
 
 # Fetching and unzipping all plugins
 COPY plugins/ /plugins/
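Review bot: The `Redirect 404` directives in the new `.htaccess` take effect only if Apache evaluates `.htaccess` under /var/www/html, i.e. that directory's `AllowOverride` includes `FileInfo` (the override class mod_alias directives require); Debian's stock apache2.conf sets `AllowOverride None` for /var/www, in which case the file is silently ignored and the listed files stay reachable, while some images (the official php:apache variant, for one) raise it to `All`. The base image's Apache configuration is not visible in this patch, so add a post-build check that `GET /config-dist.php` returns 404, or place the directives in the vhost config where they cannot be disabled by override settings and are not writable by the web server user. A one-line comment in the file such as `# Requires AllowOverride FileInfo (or All) for /var/www/html in the vhost config.` would save the next maintainer the same investigation.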
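Review bot: `chmod 444 /var/www/html/config.php` at the end of the RUN assumes config.php already exists in the web root at this stage; an upstream Moodle checkout ships only config-dist.php, and under `set -eux` a missing file fails the layer, so if config.php is copied in later in the Dockerfile (the earlier part of the file is outside this hunk) the chmod has to move after that COPY. The preceding `chown -R www-data:www-data /var/www/html` also leaves every other file in the code tree writable by the Apache/PHP process, which is the same exposure the "Writable config.php" warning flags for one file; if nothing later in the build writes to the tree as www-data, root ownership with `chmod -R a-w` on the code (Moodle only needs its data directory writable) is the usual hardening. At minimum a comment on the chown line stating why the code tree must be www-data-writable would record the decision.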
@@ -121,6 +125,9 @@ RUN set -eux; \
     done; \
     rm -rf /plugins
 
+COPY .htaccess /var/www/html/.htaccess
+RUN chown www-data:www-data /var/www/html/.htaccess
+
 COPY kalturapatch.sh /tmp/
 RUN sh /tmp/kalturapatch.sh && rm /tmp/kalturapatch.sh
 
diff --git a/delete-dev-files.sh b/delete-dev-files.sh
new file mode 100644
index 0000000..7a080d0
--- /dev/null
+++ b/delete-dev-files.sh
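Review bot: `RUN chown www-data:www-data /var/www/html/.htaccess` hands ownership of the access-control file to the account the Apache/PHP process runs as, so a compromised web process could rewrite or delete the very rules meant to hide config files; Apache only needs to read it. Keep `COPY .htaccess /var/www/html/.htaccess` with its default root ownership and drop the chown line (COPY preserves the source mode, so confirm the file is 0644 in the repo or add `chmod 644`). The same applies to the `COPY --chown=www-data:www-data` form introduced in the PATCH 3/3 hunk. The `RUN set -eux; \` whose tail (`done; \`, `rm -rf /plugins`) opens this hunk begins outside it.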
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# Remove paths from the Moodle release after extraction.
+# Paths are relative to /var/www/html. Both files and directories are accepted.
+set -euo pipefail
+
+BASE=/var/www/html
+
+# Exact paths (relative to $BASE) to remove.
+REMOVE=(
+  "check_lang_sort.sh"
+  "admin/environment.xml"
+  "composer.json"
+  "composer.lock"
+  "package.json"
+  "npm-shrinkwrap.json"
+  "Gruntfile.js"
+  "behat.yml.dist"
+  "phpcs.xml.dist"
+  "phpunit.xml.dist"
+  "CONTRIBUTING.md"
+  "COPYING.txt"
+  "INSTALL.txt"
+  "PATCH_UPGRADE_NOTES.md"
+  "TRADEMARK.txt"
+  "UPGRADING.md"
+  "security.txt"
+  ".eslintrc"
+  ".gherkin-lintrc"
+  ".gitattributes"
+  ".github"
+  ".gitignore"
+  ".grunt"
+  ".jshintignore"
+  ".jshintrc"
+  ".nvmrc"
+  ".phpstorm.meta.php"
+  ".shifter.json"
+  ".stylelintrc"
+  ".upgradenotes"
+)
+
+# Case-insensitive exact filenames matched recursively across the entire tree.
+PATTERNS=(
+  "readme"
+  "readme.md"
+  "readme.txt"
+  "readme_moodle.txt"
+  "readme.rst"
+  "readme.html"
+  "upgrade.txt"
+  "upgrading.md"
+  "upgrading-current.md"
+)
+
+# Path patterns matched recursively (use * as wildcard, e.g. "*/db/install.xml").
+PATH_PATTERNS=(
+  "*/db/install.xml"
+)
+
+for entry in "${REMOVE[@]}"; do
+  target="${BASE}/${entry}"
+  if [[ -e "$target" || -L "$target" ]]; then
+    echo "Removing: $target"
+    rm -rf "$target"
+  else
+    echo "Not found (skipping): $target"
+  fi
+done
+
+for pattern in "${PATTERNS[@]}"; do
+  find "$BASE" -depth -iname "$pattern" -printf "Removing: %p\n" -exec rm -rf {} +
+done
+
+for path_pattern in "${PATH_PATTERNS[@]}"; do
+  find "$BASE" -depth -path "$path_pattern" -printf "Removing: %p\n" -exec rm -rf {} +
+done
From 001324a9d57d570af26c1c59fe0bc65a46b8a2fb Mon Sep 17 00:00:00 2001
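Review bot: `"admin/environment.xml"` in the REMOVE list is not a dev-only artifact: Moodle's environment checker (lib/environmentlib.php) loads it during install and upgrade, so deleting it is likely to break the admin environment check, much as the follow-up patch found for `db/install.xml`; confirm an upgrade run succeeds with it removed before keeping it in the list. The PATTERNS loop runs `find "$BASE" -depth -iname "$pattern" ... -exec rm -rf {} +` with no `-type f`, so a directory named `readme` (any case) anywhere in the tree is removed with all of its contents, which is broader than the "exact filenames" the comment describes; add `-type f` if only files are meant. Minor: `BASE` is hard-coded while the header says paths are relative to it; `BASE=${1:-/var/www/html}` keeps the default and lets the script be exercised against a scratch tree outside the image.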
From: Alex Gondek
Date: Fri, 22 May 2026 12:06:21 -0700
Subject: [PATCH 2/3] Retain install.xml files since they might cause issues with plugin installs

---
 .htaccess | 5 ++++-
 delete-dev-files.sh | 9 ---------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/.htaccess b/.htaccess
index f2ac5c5..fadf0fc 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,4 +1,4 @@
-# Block direct web access to sensitive PHP files that must remain on disk.
+# Block direct web access to sensitive files that must remain on disk.
 # Returns 404 to avoid revealing file existence.
 Redirect 404 /config.php
 Redirect 404 /config-dist.php
@@ -6,3 +6,6 @@ Redirect 404 /install.php
 Redirect 404 /brokenfile.php
 Redirect 404 /register-redis-cache-store.php
 Redirect 404 /version.php
+
+# Block db/install.xml across all plugin paths.
+RedirectMatch 404 /install\.xml$
diff --git a/delete-dev-files.sh b/delete-dev-files.sh
index 7a080d0..3834a94 100644
--- a/delete-dev-files.sh
+++ b/delete-dev-files.sh
@@ -52,11 +52,6 @@ PATTERNS=(
   "upgrading-current.md"
 )
 
-# Path patterns matched recursively (use * as wildcard, e.g. "*/db/install.xml").
-PATH_PATTERNS=(
-  "*/db/install.xml"
-)
-
 for entry in "${REMOVE[@]}"; do
   target="${BASE}/${entry}"
   if [[ -e "$target" || -L "$target" ]]; then
@@ -70,7 +65,3 @@ done
 for pattern in "${PATTERNS[@]}"; do
   find "$BASE" -depth -iname "$pattern" -printf "Removing: %p\n" -exec rm -rf {} +
 done
-
-for path_pattern in "${PATH_PATTERNS[@]}"; do
-  find "$BASE" -depth -path "$path_pattern" -printf "Removing: %p\n" -exec rm -rf {} +
-done
From ab82265670537aa19c071e11e0d292a15276050a Mon Sep 17 00:00:00 2001
From: Alex Gondek
Date: Fri, 22 May 2026 12:57:01 -0700
Subject: [PATCH 3/3] Collapse copy+chown into one layer

---
 Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 59dacbc..19ca68f 100644
--- a/Dockerfile
+++ b/Dockerfile
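Review bot: The comment added to `.htaccess` says the rule targets `db/install.xml`, but `RedirectMatch 404 /install\.xml$` matches any URL path ending in `/install.xml`, under a `db/` directory or not; if the intent is exactly what the comment states, `RedirectMatch 404 /db/install\.xml$` is tighter and self-documenting, otherwise reword the comment to say any `install.xml`. As with the rest of this file, the rule only takes effect if the vhost's `AllowOverride` permits FileInfo directives for /var/www/html, so include a request for a known plugin `db/install.xml` path in the post-build check and expect a 404.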
@@ -125,8 +125,7 @@ RUN set -eux; \
     done; \
     rm -rf /plugins
 
-COPY .htaccess /var/www/html/.htaccess
-RUN chown www-data:www-data /var/www/html/.htaccess
+COPY --chown=www-data:www-data .htaccess /var/www/html/.htaccess
 
 COPY kalturapatch.sh /tmp/
 RUN sh /tmp/kalturapatch.sh && rm /tmp/kalturapatch.sh