release(v2.13.1): harden Docker startup perms + explicit inline MIME mapping (see #79)

error311 · web-flow · commit 85cbd996c1bf · 2026-01-02T21:37:50.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,24 @@
 # Changelog
 
+## Changes 1/2/2025 (v2.13.1)
+
+`release(v2.13.1): harden Docker startup perms + explicit inline MIME mapping (see #79)`
+
+**Fixes**  
+
+- Prevent Docker container startup from exiting when `chown/chmod` are unsupported (exFAT/NTFS/CIFS/NFS root_squash, non-root runs). Startup now logs warnings and continues.
+- Add non-fatal permission writeability hints for `/var/www/{uploads,users,metadata,sessions}` to help diagnose mount/UID issues.
+
+**Improvements**  
+
+- Serve inline-safe images/audio/video with explicit MIME mapping to avoid `nosniff` + `application/octet-stream` preview issues (more reliable inline previews).
+
+**Docs**  
+
+- Add AI disclosure section to README.
+
+---
+
 ## Changes 12/30/2025 (v2.13.0)
 
 `release(v2.13.0): inline rename + video preview limits + folder tree perf (see #79)`
diff --git a/README.md b/README.md
@@ -339,6 +339,12 @@ If FileRise saves you time or becomes your daily driver, a ⭐ on GitHub or spon
 
 ---
 
+## AI Disclosure
+
+FileRise is my project. I use AI like a tool for some tasks (e.g., translations/snippets), but the architecture, core code, and ongoing maintenance are mine.
+
+---
+
 ## License & third-party code
 
 FileRise Core is released under the **MIT License** – see `LICENSE`.
diff --git a/scripts/manual-sync.sh b/scripts/manual-sync.sh
@@ -2,7 +2,7 @@
 # === Update FileRise to v2.3.2 (safe rsync, no composer on demo) ===
 set -Eeuo pipefail
 
-VER="v2.7.1"
+VER="v2.13.0"
 ASSET="FileRise-${VER}.zip"      # matches GitHub release asset name
 
 WEBROOT="/var/www"
diff --git a/src/controllers/FileController.php b/src/controllers/FileController.php
@@ -1326,10 +1326,34 @@ public function downloadFile()
         $ext   = strtolower(pathinfo($realFilePath, PATHINFO_EXTENSION));
         $isSvg = ($ext === 'svg' || $ext === 'svgz');
 
-        // Images we are OK to render inline
-        $inlineImageTypes = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'webp', 'ico'];
-        $inlineVideoTypes = ['mp4', 'mkv', 'webm', 'mov', 'ogv'];
-        $inlineAudioTypes = ['mp3', 'wav', 'm4a', 'ogg', 'flac', 'aac', 'wma', 'opus'];
+        // Inline-safe types with explicit MIME mapping (avoid nosniff + octet-stream issues)
+        $inlineImageMime = [
+            'jpg'  => 'image/jpeg',
+            'jpeg' => 'image/jpeg',
+            'png'  => 'image/png',
+            'gif'  => 'image/gif',
+            'bmp'  => 'image/bmp',
+            'webp' => 'image/webp',
+            'ico'  => 'image/x-icon',
+        ];
+        $inlineVideoMime = [
+            'mp4'  => 'video/mp4',
+            'm4v'  => 'video/mp4',
+            'mkv'  => 'video/x-matroska',
+            'webm' => 'video/webm',
+            'mov'  => 'video/quicktime',
+            'ogv'  => 'video/ogg',
+        ];
+        $inlineAudioMime = [
+            'mp3'  => 'audio/mpeg',
+            'wav'  => 'audio/wav',
+            'm4a'  => 'audio/mp4',
+            'ogg'  => 'audio/ogg',
+            'flac' => 'audio/flac',
+            'aac'  => 'audio/aac',
+            'wma'  => 'audio/x-ms-wma',
+            'opus' => 'audio/opus',
+        ];
 
         // Default mime if not provided
         if (empty($mimeType)) {
@@ -1344,17 +1368,15 @@ public function downloadFile()
         } else {
             $inline = false;
             if ($inlineParam) {
-                $mimeLower = strtolower((string)$mimeType);
-                $isVideoMime = (strpos($mimeLower, 'video/') === 0);
-                $isAudioMime = (strpos($mimeLower, 'audio/') === 0) || ($mimeLower === 'application/ogg');
-                $isOctet = ($mimeLower === 'application/octet-stream');
-
-                if (in_array($ext, $inlineImageTypes, true)) {
+                if (isset($inlineImageMime[$ext])) {
                     $inline = true;
-                } elseif (in_array($ext, $inlineVideoTypes, true) && ($isVideoMime || $isOctet)) {
+                    $mimeType = $inlineImageMime[$ext];
+                } elseif (isset($inlineVideoMime[$ext])) {
                     $inline = true;
-                } elseif (in_array($ext, $inlineAudioTypes, true) && ($isAudioMime || $isOctet)) {
+                    $mimeType = $inlineVideoMime[$ext];
+                } elseif (isset($inlineAudioMime[$ext])) {
                     $inline = true;
+                    $mimeType = $inlineAudioMime[$ext];
                 }
             }
         }
diff --git a/start.sh b/start.sh
@@ -3,6 +3,29 @@ set -euo pipefail
 umask 002
 echo "🚀 Running start.sh..."
 
+# ──────────────────────────────────────────────────────────────
+# Helpers: NEVER crash the container just because chown/chmod isn't supported
+# (exFAT/NTFS/CIFS/NFS root_squash, or running as non-root, etc.)
+IS_ROOT=false
+if [ "$(id -u)" -eq 0 ]; then IS_ROOT=true; fi
+
+safe_chown() {
+  if [ "${IS_ROOT}" = "true" ]; then
+    chown "$@" 2>&1 || echo "[startup] chown failed (continuing): chown $*"
+  fi
+}
+
+safe_chmod() {
+  if [ "${IS_ROOT}" = "true" ]; then
+    chmod "$@" 2>&1 || echo "[startup] chmod failed (continuing): chmod $*"
+  fi
+}
+
+safe_truncate() {
+  # Truncate/create a file without killing the container if the FS is read-only, etc.
+  : > "$1" 2>&1 || echo "[startup] could not write: $1"
+}
+
 # ──────────────────────────────────────────────────────────────
 # 0) If NOT root, we can't remap/chown. Log a hint and skip those parts.
 #    If root, remap www-data to PUID/PGID and (optionally) chown data dirs.
@@ -28,8 +51,8 @@ else
   # Optional: normalize ownership on data dirs (good for first run on existing shares)
   if [ "${CHOWN_ON_START:-true}" = "true" ]; then
     echo "[startup] Normalizing ownership on uploads/metadata..."
-    chown -R www-data:www-data /var/www/metadata /var/www/uploads || echo "[startup] chown failed (continuing)"
-    chmod -R u+rwX /var/www/metadata /var/www/uploads || echo "[startup] chmod failed (continuing)"
+    safe_chown -R www-data:www-data /var/www/metadata /var/www/uploads
+    safe_chmod -R u+rwX /var/www/metadata /var/www/uploads
   fi
 fi
 
@@ -62,24 +85,33 @@ fi
 
 # 2.1) Prepare metadata/log & sessions
 mkdir -p /var/www/metadata/log
-chown www-data:www-data /var/www/metadata/log
-chmod 775 /var/www/metadata/log
-: > /var/www/metadata/log/error.log
-: > /var/www/metadata/log/access.log
-chown www-data:www-data /var/www/metadata/log/*.log
+safe_chown www-data:www-data /var/www/metadata/log
+safe_chmod 775 /var/www/metadata/log
+safe_truncate /var/www/metadata/log/error.log
+safe_truncate /var/www/metadata/log/access.log
+safe_chown www-data:www-data /var/www/metadata/log/*.log
 
 mkdir -p /var/www/sessions
-chown www-data:www-data /var/www/sessions
-chmod 700 /var/www/sessions
+safe_chown www-data:www-data /var/www/sessions
+safe_chmod 700 /var/www/sessions
 
 # 2.2) Prepare dynamic dirs (uploads/users/metadata)
 for d in uploads users metadata; do
   tgt="/var/www/${d}"
   mkdir -p "${tgt}"
-  chown www-data:www-data "${tgt}"
-  chmod 775 "${tgt}"
+  safe_chown www-data:www-data "${tgt}"
+  safe_chmod 775 "${tgt}"
 done
 
+# 2.3) Optional: log quick permission hints (non-fatal)
+if [ "$(id -u)" -eq 0 ]; then
+  if command -v runuser >/dev/null 2>&1; then
+    for p in /var/www/uploads /var/www/users /var/www/metadata /var/www/sessions; do
+      runuser -u www-data -- test -w "$p" 2>/dev/null || echo "[startup] WARNING: www-data may not be able to write to $p"
+    done
+  fi
+fi
+
 # 3) Ensure PHP conf dir & set upload limits
 mkdir -p /etc/php/8.3/apache2/conf.d
 if [ -n "${TOTAL_UPLOAD_SIZE:-}" ]; then
@@ -97,7 +129,7 @@ if [ "${CLAMAV_AUTO_UPDATE:-true}" = "true" ]; then
       echo "[startup] Updating ClamAV signatures via freshclam..."
       # Suppress noisy "NotifyClamd" warnings – we don't run clamd in this container.
       freshclam >/dev/null 2>&1 \
-  || echo "[startup] freshclam failed; continuing with existing signatures (if any)."
+        || echo "[startup] freshclam failed; continuing with existing signatures (if any)."
     else
       echo "[startup] Not running as root; skipping freshclam (requires root)."
     fi
@@ -151,20 +183,20 @@ fi
 # 8) Initialize persistent files if absent
 if [ ! -f /var/www/users/users.txt ]; then
   echo "" > /var/www/users/users.txt
-  chown www-data:www-data /var/www/users/users.txt
-  chmod 664 /var/www/users/users.txt
+  safe_chown www-data:www-data /var/www/users/users.txt
+  safe_chmod 664 /var/www/users/users.txt
 fi
 
 if [ ! -f /var/www/metadata/createdTags.json ]; then
   echo "[]" > /var/www/metadata/createdTags.json
-  chown www-data:www-data /var/www/metadata/createdTags.json
-  chmod 664 /var/www/metadata/createdTags.json
+  safe_chown www-data:www-data /var/www/metadata/createdTags.json
+  safe_chmod 664 /var/www/metadata/createdTags.json
 fi
 
 # 8.5) Harden scan script perms (only if root)
 if [ -f /var/www/scripts/scan_uploads.php ] && [ "$(id -u)" -eq 0 ]; then
-  chown root:root /var/www/scripts/scan_uploads.php
-  chmod 0644 /var/www/scripts/scan_uploads.php
+  chown root:root /var/www/scripts/scan_uploads.php || true
+  chmod 0644 /var/www/scripts/scan_uploads.php || true
 fi
 
 # 9) One-shot scan when the container starts (opt-in via SCAN_ON_START)
