[FIX] Postgresql database creation#319
Open
galyfray wants to merge 3 commits into
Open
Conversation
eilandert
referenced
this pull request
in eilandert/ViMbAdmin
Jun 2, 2026
…eset
Security
- Remove unused OSS framework integrations (library/OSS/API/{DAViCal,SOGo,
RoundCube,Jabber2d}.php) -- DAViCal contained SQL injection via {$user_id}
/ {$collection_id} interpolated into queries; all four were 0-reference
dead code.
- ArchiveController: escapeshellarg() every path/name interpolated into the
tar/bzip2/chown/rm exec() commands (command-injection via mailbox/domain
names); harden unserialize() with allowed_classes=false.
- OSS/DiskUtils::du(): escapeshellarg() the path instead of escapeshellcmd()
on the whole command.
- OSS/String::random()/randomFromSet()/randomPassword(): replace the
insecure str_shuffle()/str_repeat() PRNG with random_int() (CSPRNG).
These feed remember-me tokens and salts.
- OSS/Resource/Logger: create log files mode 0640, not world-writable 0777.
Dead code
- Delete Doctrine1-era dead code: OSS/Yubico, OSS/Invoice,
OSS/Auth/DoctrineAdapter (+ its dead switch branch in
OSS/Controller/Trait/Auth), Smarty function.dynamicContent /
function.modelOperation; and the unused PDF chain (OSS/Pdf, OSS/Html,
OSS/Crypt/GibberishAES, PdfGenerator trait).
PHP 8.0+ / 8.5
- Fix every implicit-nullable parameter ($x = null without ?) across
Entities, Proxies, Twitter/Form, Doctrine2/FirebugProfiler.
- get_class() -> get_class($this) in the four application/plugins
constructors (upstream PR #314).
- error/error.phtml: {get_class($exception)} -> {$exception::class}
(Smarty 5).
Dependencies / build
- Declare required ext-* in composer.json, set platform php 8.1, enable
optimize-autoloader. Deps stay on current LTS lines (doctrine/orm 2.20,
dbal 3, symfony 7, smarty 5).
Upstream fixes folded in
- PR #319: rename duplicate IX_Username_1 unique constraint to
IX_Username_{admin,mailbox} (PostgreSQL schema-create clash).
- PR #314: get_class() argument (above).
Snuffleupagus
- New snuffleupagus/vimbadmin-strict.list: code-derived hardening profile,
validated end-to-end under the FPM SP build (login + ORM read/write +
exec + drop enforcement, 10/10 pages 200, zero segfaults). Documents the
build-specific landmines found: no .filename()/.allow()/.pos(0)/
cookie_encryption (each SIGSEGVs or is unsupported), and that PHP-native
disable_functions must be empty when SP manages it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When trying to create the database with postgresql as a backend, an error occurs due to some indexes sharing names.
Postgres and mysql handle indexes differently, an index in postgres uses the same namespace as the tables.
This MR aims at fixing the issue, the fix is quite simple and should not have any side effect.
fixes #308