Merge branch 'release/bugfixes-and-dependency-updates' into fix/laravel-automations

Author: jaydrogers

.github/workflows/action_update-dockerhub-readme.yml

@@ -14,7 +14,7 @@ jobs:
     name: Push README to Docker Hub
     steps:
       - name: git checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: main
 

.github/workflows/scheduled-task_update-sponsors.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout 🛎️
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Generate Sponsors 💖
         uses: JamesIves/github-sponsors-readme-action@v1

.github/workflows/service_docker-build-and-publish.yml

@@ -39,7 +39,7 @@ jobs:
       php-version-map-json: ${{ steps.get-php-versions.outputs.php-version-map-json }}
     steps:
     - name: Check out code
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         ref: ${{ inputs.ref }}
 
@@ -67,25 +67,25 @@ jobs:
         echo "${MATRIX_JSON}" | jq '.'
   
     - name: Upload the php-versions.yml file
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: php-versions.yml
         path: ${{ inputs.php-versions-file }}
 
   docker-publish:
     needs: setup-matrix
-    runs-on: depot-ubuntu-24.04-4
+    runs-on: depot-ubuntu-24.04-8
     strategy:
       matrix: ${{fromJson(needs.setup-matrix.outputs.php-version-map-json)}}
 
     steps:
       - name: Check out code.
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           ref: ${{ inputs.ref }}
 
       - name: Download PHP Versions file
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
         with:
           name: php-versions.yml
           path: ./artifacts

docs/content/docs/1.getting-started/4.these-images-vs-others.md

@@ -197,7 +197,7 @@ FROM serversideup/php:8.5-cli
 USER root
 
 # Install any PHP extension easily
-RUN install-php-extensions redis imagick mongodb
+RUN install-php-extensions bcmath imagick mongodb
 
 # Switch back to unprivileged user
 USER www-data
@@ -322,4 +322,4 @@ We're here to help! Check out these resources:
 
 ::tip
 Join our community! Star us on [GitHub](https://github.com/serversideup/docker-php) and follow updates.
-::
+::

docs/content/docs/1.getting-started/6.default-configurations.md

@@ -75,7 +75,7 @@ Environment variables give you a ton of flexibility to customize your container
 | **PHP INI file**  | **Description** |
 |-----------------|-----------------|
 | **Image Default** <br /><br /> `/usr/local/etc/php/conf.d/serversideup-docker-php.ini` | This is our production-ready PHP ini file that accepts environment variables. You can [review it in greater detail on GitHub](https://github.com/serversideup/docker-php/blob/main/src/common/usr/local/etc/php/conf.d/serversideup-docker-php.ini){target="_blank"}. |
-| **Adding your own PHP INI file** <br /><br /> `/usr/local/etc/php/conf.d/*.ini` | If you want to use our defaults, you can simple create a `.ini` file in the `/usr/local/etc/php/conf.d/` directory and it will be loaded automatically. This will be loaded *after* our default ini file, so whatever you set in your own ini file will override the default values. |
+| **Adding your own PHP INI file** <br /><br /> `/usr/local/etc/php/conf.d/*.ini` | To set your own PHP settings, simply create a `.ini` file in the `/usr/local/etc/php/conf.d/` directory. It will be loaded automatically *after* our default ini file, so any settings you define will override the defaults. |
 
 :u-button{to="/docs/customizing-the-image/changing-common-php-settings" label="Learn more about changing common PHP settings" aria-label="Learn more about changing common PHP settings" size="md" color="primary" variant="outline"  trailing-icon="i-lucide-arrow-right" class="font-bold ring ring-inset ring-blue-600 text-blue-600 hover:ring-blue-500 hover:text-blue-500"}
 

src/variations/fpm-apache/etc/apache2/conf-available/security.conf

@@ -1,98 +1,83 @@
+##
+# Security Configuration
+##
+
+# This configuration follows security best practices from:
 #
-# Disable access to the entire file system except for the directories that
-# are explicitly allowed later.
+#   H5BP Server Configs (Apache)
+#   https://github.com/h5bp/server-configs-apache
 #
-# This currently breaks the configurations that come with some web application
-# Debian packages.
+#   OWASP Secure Headers Project
+#   https://owasp.org/www-project-secure-headers/
 #
-#<Directory />
-#   AllowOverride None
-#   Require all denied
-#</Directory>
-
+#   RFC 8615 - Well-Known URIs
+#   https://www.rfc-editor.org/rfc/rfc8615
+#
+# ##############################################################################
 
-# Changing the following options will not really affect the security of the
-# server, but might make attacks slightly more difficult in some cases.
+# ------------------------------------------------------------------------------
+# | Server Software Information                                                |
+# ------------------------------------------------------------------------------
 
-#
-# ServerTokens
-# This directive configures what you return as the Server HTTP response
-# Header. The default is 'Full' which sends information about the OS-Type
-# and compiled in modules.
-# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
-# where Full conveys the most information, and Prod the least.
-#ServerTokens Minimal
-# ServerTokens OS
-# #ServerTokens Full
+# Minimize information sent about the server
+# https://httpd.apache.org/docs/current/mod/core.html#servertokens
 ServerTokens Prod
 
-#
-# Optionally add a line containing the server version and virtual host
-# name to server-generated pages (internal error documents, FTP directory
-# listings, mod_status and mod_info output etc., but not CGI generated
-# documents or custom error documents).
-# Set to "EMail" to also include a mailto: link to the ServerAdmin.
-# Set to one of:  On | Off | EMail
+# Disable server signature on error pages
+# https://httpd.apache.org/docs/current/mod/core.html#serversignature
 ServerSignature Off
-# ServerSignature On
 
-#
-# Allow TRACE method
-#
-# Set to "extended" to also reflect the request body (only for testing and
-# diagnostic purposes).
-#
-# Set to one of:  On | Off | extended
+# Disable TRACE HTTP method to prevent XST attacks
+# https://owasp.org/www-community/attacks/Cross_Site_Tracing
 TraceEnable Off
-#TraceEnable On
 
-#
-# Forbid access to version control directories
-#
-# If you use version control systems in your document root, you should
-# probably deny access to their directories. For example, for subversion:
-#
-<DirectoryMatch "/\.git">
-   Require all denied
+# ------------------------------------------------------------------------------
+# | Security Headers                                                           |
+# ------------------------------------------------------------------------------
+
+# Prevent clickjacking attacks by disabling iframe embedding
+# https://owasp.org/www-project-secure-headers/#x-frame-options
+Header always set X-Frame-Options "SAMEORIGIN"
+
+# Prevent MIME type sniffing attacks
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
+Header always set X-Content-Type-Options "nosniff"
+
+# Control referrer information sent with requests
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
+# Enable HTTP Strict Transport Security (HSTS)
+# https://owasp.org/www-project-secure-headers/#strict-transport-security
+Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+
+# ------------------------------------------------------------------------------
+# | File Access Restrictions                                                   |
+# ------------------------------------------------------------------------------
+
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+<LocationMatch "^/storage/.*\.php$">
+    Require all denied
+</LocationMatch>
+
+# Block access to all hidden files and directories (dotfiles)
+# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
+# for ACME challenges, security.txt, and other standardized endpoints.
+# https://www.rfc-editor.org/rfc/rfc8615
+# https://github.com/h5bp/server-configs-apache
+<DirectoryMatch "/\.(?!well-known/)">
+    Require all denied
 </DirectoryMatch>
 
-# Prevent Apache from serving Gitlab files
-<FilesMatch "\.gitlab-ci.yml$">
-   Require all denied
+# Block access to files that may expose sensitive information
+# Based on H5BP server configs: https://github.com/h5bp/server-configs-apache
+<FilesMatch "(^#.*#|\.(bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$">
+    Require all denied
 </FilesMatch>
 
 # Disable XML-RPC on all wordpress sites
 <Files xmlrpc.php>
    Require all denied
 # allow from xxx.xxx.xxx.xxx
-</Files>
-
-#
-# Setting this header will prevent MSIE from interpreting files as something
-# else than declared by the content type in the HTTP headers.
-# Requires mod_headers to be enabled.
-#
-Header always set X-Content-Type-Options: "nosniff"
-
-#
-# Setting this header will prevent other sites from embedding pages from this
-# site as frames. This defends against clickjacking attacks.
-# Requires mod_headers to be enabled.
-#
-Header always set X-Frame-Options: "sameorigin"
-
-#
-# Referrer policy
-#
-Header always set Referrer-Policy "no-referrer-when-downgrade"
-
-#
-# Content Security Policy
-# UPDATE - September 2020: Commenting this out until we grasp better security requirements
-# 
-#Header always set Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'"
-
-#
-# Strict-Transport-Security Policy (set HSTS)
-#
-Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
+</Files>

src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf

@@ -1,24 +1,51 @@
+##
+# Security Configuration
+##
+
+# This configuration follows security best practices from:
+#
+#   H5BP Server Configs (nginx)
+#   https://github.com/h5bp/server-configs-nginx
 #
-# Security Headers
+#   OWASP Secure Headers Project
+#   https://owasp.org/www-project-secure-headers/
 #
+#   RFC 8615 - Well-Known URIs
+#   https://www.rfc-editor.org/rfc/rfc8615
+#
+# ##############################################################################
 
-# Prevent IFRAME spoofing attacks
+# Prevent clickjacking attacks by disabling iframe embedding
+# https://owasp.org/www-project-secure-headers/#x-frame-options
 add_header X-Frame-Options           "SAMEORIGIN" always;
 
-# Prevent MIME attacks
+# Prevent MIME type sniffing attacks
+# https://owasp.org/www-project-secure-headers/#x-content-type-options
 add_header X-Content-Type-Options    "nosniff" always;
 
-# Prevent Referrer URL from being leaked
-add_header Referrer-Policy           "no-referrer-when-downgrade" always;
-
-# Configure Content Security Policy
-# UPDATE - September 2020: Commenting this out until we grasp better security requirements
-#add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+# Control referrer information sent with requests
+# https://owasp.org/www-project-secure-headers/#referrer-policy
+add_header Referrer-Policy           "strict-origin-when-cross-origin" always;
 
-# Enable HSTS
+# Enable HTTP Strict Transport Security (HSTS)
+# https://owasp.org/www-project-secure-headers/#strict-transport-security
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
-# Prevent access to . files (the well-known directory)
+# ------------------------------------------------------------------------------
+# | File Access Restrictions                                                   |
+# ------------------------------------------------------------------------------
+
+# Block access to hidden files and directories (dotfiles)
+# EXCEPT for the "/.well-known/" directory which is required by RFC 8615
+# for ACME challenges, security.txt, and other standardized endpoints.
+# https://www.rfc-editor.org/rfc/rfc8615
+# https://github.com/h5bp/server-configs-nginx
 location ~ /\.(?!well-known) {
     deny all;
+}
+
+# Block access to files that may expose sensitive information
+# Based on H5BP server configs: https://github.com/h5bp/server-configs-nginx
+location ~* (?:#.*#|\.(?:bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$ {
+    deny all;
 }

src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template

@@ -30,6 +30,12 @@ location / {
     try_files $uri $uri/ /index.php?$query_string;
 }
 
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+location ~* ^/storage/.*\.php$ {
+    deny all;
+}
+
 # Pass "*.php" files to PHP-FPM
 location ~ \.php$ {
     fastcgi_pass   127.0.0.1:9000;

src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template

@@ -36,6 +36,12 @@ location / {
     try_files $uri $uri/ /index.php?$query_string;
 }
 
+# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running
+# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3)
+location ~* ^/storage/.*\.php$ {
+    deny all;
+}
+
 # Pass "*.php" files to PHP-FPM
 location ~ \.php$ {
     fastcgi_pass   127.0.0.1:9000;

src/variations/frankenphp/Dockerfile

@@ -2,7 +2,7 @@
 ARG BASE_OS_VERSION='trixie'
 ARG PHP_VERSION='8.5'
 ARG BASE_IMAGE="php:${PHP_VERSION}-zts-${BASE_OS_VERSION}"
-ARG FRANKENPHP_VERSION='1.10.1'
+ARG FRANKENPHP_VERSION='1.11.1'
 ARG GOLANG_VERSION='1.25'
 
 ########################