Debian 13 support, PHP 8.4/8.5, install script, security fixes #159
Open
bigbong420 wants to merge 22 commits into DanWin:master from
- Debian 13 (Trixie) compatibility:
  - Build uw-imap c-client from source (removed from trixie)
  - Fix OpenSSL 3 include paths for c-client
  - Split libnginx-mod-http-brotli package name
  - Add -lgomp and -std=c++17 to PHP CXXFLAGS
  - Fix Dovecot 2.4 config syntax in setup
  - Use 127.0.0.1 for DB (works in FPM chroot)
- PHP version updates:
  - Add PHP 8.5.4 and 8.4.19
  - Remove PHP 8.1 (EOL)
  - Update igbinary to master, imagick to 3.8.1, brotli to 0.18.3
  - Remove php-rar (unmaintained, incompatible with 8.4+)
  - setup.php uses DEFAULT_PHP_VERSION for FPM sockets
  - Users can switch PHP version from dashboard
- Security hardening:
  - CSRF tokens use bin2hex(random_bytes(32))
  - Admin password uses password_hash/password_verify
  - Session regeneration on login
  - All output escaped with htmlspecialchars
  - Nginx rewrite rules validated (flag whitelist, reject injection)
  - Path traversal protection in FileManager
  - SQL injection fix in password change
  - Security headers (CSP script-src:none, X-Frame-Options, etc)
  - Onion private keys encrypted at rest (libsodium)
  - SFTP password encrypted in session with expiry
  - Admin brute-force rate limiting
  - CSRF token on login form
  - Zero JavaScript - all pages work without JS
  - mt_rand replaced with random_int
  - Cookie secure flag precedence fix
  - PDO ERRMODE_EXCEPTION
  - Generic login error messages (no username enumeration)
  - FileManager rename validation
- Self-bootstrapping install.sh:
  - Auto-clones repo if run standalone (curl | bash support)
  - Interactive prompts or --non-interactive flag
  - Optional vanity .onion generation via mkp224o
  - Password generation or custom input
  - Credentials saved to /root/hosting-credentials.txt
Added support for the new PHP versions, Debian 13 support, as well as security upgrades. This also has an auto install+update script. Tested these on fresh Debian 13 & Ubuntu 24.04 machines, both work.