diff --git a/Dockerfile b/Dockerfile index 6549936..5d0a598 100644 --- a/Dockerfile +++ b/Dockerfile @@ -32,7 +32,9 @@ RUN apk add --update --no-cache patch COPY --from=rootfs ["/", "/"] -RUN chmod a+x /usr/local/bin/wp +RUN set -eux \ + && chmod a+x /usr/local/bin/wp \ + && wp-apply-patch "/etc/wp-mods/wp-admin-update-core.patch" "/var/www/html/wp-admin/update-core.php" "true" ARG WP_VERSION ENV WP_VERSION="${WP_VERSION}" diff --git a/rootfs/etc/cont-init.d/10-verify-wordpress b/rootfs/etc/cont-init.d/10-verify-wordpress index 986bc4e..2e40f94 100755 --- a/rootfs/etc/cont-init.d/10-verify-wordpress +++ b/rootfs/etc/cont-init.d/10-verify-wordpress @@ -16,17 +16,6 @@ function scriptExitHandler() { exit "${LAST_EXIT_CODE}" } -# Applies patch for making WordPress updates impossible -function disableUpdatesPatch() { - DISABLE_WP_UPDATES="${ENFORCE_DISABLE_WP_UPDATES:-true}" - if [ "${DISABLE_WP_UPDATES}" != "false" ]; then - echo "> Disabling WordPress updates..." - patch /var/www/html/wp-admin/update-core.php Marking the patched file read-only..." - chmod 0440 /var/www/html/wp-admin/update-core.php - fi -} - # Main function function main() { # Removes trailing zero if found @@ -53,13 +42,6 @@ function main() { return 0 else echo "> Identified 'WordPress ${WP_VERSION}'" - - # This will apply patch once and again only if container is recreated - if [ ! -f "/var/www/patch-applied" ]; then - disableUpdatesPatch - touch "/var/www/patch-applied" - fi - fi } diff --git a/rootfs/usr/local/bin/wp-apply-patch b/rootfs/usr/local/bin/wp-apply-patch new file mode 100755 index 0000000..d207db4 --- /dev/null +++ b/rootfs/usr/local/bin/wp-apply-patch 
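Review bot: Nothing re-checks the update-core.php lock at container start once the patch is applied only in this Dockerfile `RUN` step, because the same commit removes the cont-init code in 10-verify-wordpress that applied it at runtime. If /var/www/html is ever backed by a volume or bind mount (not visible in this diff), the mounted copy of update-core.php would be unpatched and writable, and no step would notice. Consider keeping a start-up check in 10-verify-wordpress that fails, or at least logs, when the file is not the patched read-only copy. A short comment above the `RUN`, such as `# Patch and lock wp-admin/update-core.php at build time so core updates cannot be triggered from the dashboard`, would also record why the step exists.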
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Applies patch for preventing WordPress updates
+function main() {
+ PATCH_FILE="${1:?PATCH_FILE is required}"
+ TARGET_FILE="${2:?TARGET_FILE is required}"
+
+ if [ ! -f "${PATCH_FILE}" ]; then
+ echo "> No such file [PATCH]: ${PATCH_FILE}"
+ return 1
+ fi
+
+ if [ ! -f "${TARGET_FILE}" ]; then
+ echo "> No such file [TARGET]: ${TARGET_FILE}"
+ return 1
+ fi
+
+ echo "> Loading patch ${PATCH_FILE}"
+ echo " Patching '${TARGET_FILE}'..."
+ patch --verbose "${TARGET_FILE}" <"${PATCH_FILE}"
+
+ MARK_READ_ONLY="${3:-true}"
+ if [ "${MARK_READ_ONLY}" = "true" ]; then
+ # This is done in order to prevent WordPress overwriting the file
+ echo " Marking the patched file read-only..."
+ chmod 0440 "${TARGET_FILE}"
+ fi
+
+ return 0
+}
+
+# Usage: main /etc/wp-mods/wp-admin-update-core.patch /var/www/html/wp-admin/update-core.php ?true|false
+main "${@}"
+exit $?
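Review bot: The read-only step in `main` fails open: any third argument other than the exact string `true` (for example `True` or `1`) skips `chmod 0440` without a message, so a typo at the call site silently drops the hardening. Read `MARK_READ_ONLY` before running `patch` and reject unknown values, e.g. `case "${MARK_READ_ONLY}" in true|false) ;; *) echo "> Invalid MARK_READ_ONLY: ${MARK_READ_ONLY}" >&2; return 1 ;; esac`. Mode 0440 also only blocks writes from a process that neither owns the file nor can write its directory, and the script never sets or checks ownership; a comment next to the `chmod` stating that assumption would help the next maintainer. The two `No such file` messages go to stdout; adding `>&2` keeps errors separable from progress output in build logs.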