community/roundcubemail: generate random session key in post-install

4 files changed, 43 insertions, 9 deletions

diff --git a/community/roundcubemail/APKBUILD b/community/roundcubemail/APKBUILD
index 24617a22f0..e97b0fd845 100644
--- a/community/roundcubemail/APKBUILD
+++ b/community/roundcubemail/APKBUILD
@@ -29,10 +29,11 @@ depends="$_php
 	ca-certificates
 	"
 options="!check"  # no tests provided
-install="$pkgname.post-upgrade"
+install="$pkgname.post-install $pkgname.post-upgrade"
 subpackages="$pkgname-installer $pkgname-doc"
 source="https://github.com/roundcube/$pkgname/releases/download/$pkgver/$pkgname-$pkgver.tar.gz
 	fix-dirs.patch
+	config-session_key.patch
 	"
 builddir="$srcdir/$pkgname-$pkgver"
 
@@ -93,4 +94,5 @@ _mv() {
 }
 
 sha512sums="c5e1e80034392ea4fcf780750ad2b7db43422a746462015865cbdb027e9e47b2bae7b191da19b65a7b9303c195bdfd0aa5b5a0382c09dd97d117671271cdc122  roundcubemail-1.3.6.tar.gz
-d205ba8442870b26f93fb287e7fe2bd1a452ea534823869b7ef299e2dca52d64c8a3fdc9a44bd3bc731c1e400efcf745c1866974e3b908e4e54d05b47b835f3e  fix-dirs.patch"
+d205ba8442870b26f93fb287e7fe2bd1a452ea534823869b7ef299e2dca52d64c8a3fdc9a44bd3bc731c1e400efcf745c1866974e3b908e4e54d05b47b835f3e  fix-dirs.patch
+7c4b88da4d2baa53d247dcb7b130d564954a04611c13f2770f45924fafab2a0e98f8dd078cabc87f3eddd0ab03f3ca48a48f27a462676354af22566cb19d220b  config-session_key.patch"
diff --git a/community/roundcubemail/config-session_key.patch b/community/roundcubemail/config-session_key.patch
new file mode 100644
index 0000000000..a94bd9bd10
--- /dev/null
+++ b/community/roundcubemail/config-session_key.patch
@@ -0,0 +1,11 @@
+--- a/config/config.inc.php.sample
++++ b/config/config.inc.php.sample
+@@ -74,7 +74,7 @@
+ // in the session record (and the client cookie if remember password is enabled).
+ // please provide a string of exactly 24 chars.
+ // YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
+-$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
++$config['des_key'] = trim(file(RCMAIL_CONFIG_DIR . '/session_key')[0]);
+ 
+ // List of active plugins (in plugins/ directory)
+ $config['plugins'] = array(
diff --git a/community/roundcubemail/roundcubemail.post-install b/community/roundcubemail/roundcubemail.post-install
new file mode 100644
index 0000000000..f899f7e02d
--- /dev/null
+++ b/community/roundcubemail/roundcubemail.post-install
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+keyfile='/etc/roundcube/session_key'
+
+if ! [ -e "$keyfile" ]; then
+	echo '* Generating random session key' >&2
+
+	{ head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 && echo ''; } > "$keyfile"
+	chmod 440 "$keyfile"
+
+	# This is for silly and insecure type of installation when Roundcube
+	# is run under Apache with Apache's privileges instead of separate
+	# user. Just for backward compatibility.
+	# Ignore if group www-data does not exist.
+	chgrp www-data "$keyfile" 2>/dev/null || true
+fi
+
+if [ "${0##*.}" = 'post-upgrade' ]; then
+	cat >&2 <<-EOF
+	*
+	* Please read /usr/share/doc/roundcube/UPGRADE
+	* in roundcubemail-doc package for schema or config update
+	*
+	EOF
+fi
+
+exit 0
diff --git a/community/roundcubemail/roundcubemail.post-upgrade b/community/roundcubemail/roundcubemail.post-upgrade
index 7557e4178f..ef34de84ef 100644..120000
--- a/community/roundcubemail/roundcubemail.post-upgrade
+++ b/community/roundcubemail/roundcubemail.post-upgrade
@@ -1,7 +1 @@
-#!/bin/sh
-
-echo "*" >&2
-echo -e "* Please read /usr/share/doc/roundcube/UPGRADE\n\
-* in roundcubemail-doc package for schema or config update" >&2
-echo "*" >&2
-exit 0
+roundcubemail.post-install
\ No newline at end of file