From 648ff7322f07bab24f3954511263c9f3d666efa6 Mon Sep 17 00:00:00 2001 From: Evgeniy Antonyuk Date: Fri, 17 Mar 2023 12:25:33 +0300 Subject: [PATCH 01/10] Fix the owner of the logrotate config (#591) --- run-document-server.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/run-document-server.sh b/run-document-server.sh index 91a96b574..fef8dfd11 100755 --- a/run-document-server.sh +++ b/run-document-server.sh @@ -601,7 +601,7 @@ else update_welcome_page fi -find /etc/${COMPANY_NAME} -exec chown ds:ds {} \; +find /etc/${COMPANY_NAME} ! -path '*logrotate*' -exec chown ds:ds {} \; #start needed local services for i in ${LOCAL_SERVICES[@]}; do From f455bdf433aa54b8d78a252eeb4277262d23f9d3 Mon Sep 17 00:00:00 2001 From: Evgeniy Antonyuk Date: Thu, 6 Apr 2023 15:18:10 +0500 Subject: [PATCH 02/10] fix Bug 59826 - Fix database creation without onlyoffice owner (#597) * fix Bug 59826 - Fix database creation without onlyoffice owner * Fix an unnecessary space --- Dockerfile | 3 +-- run-document-server.sh | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index b7987126e..e5d89d8f4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -57,9 +57,8 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \ sed 's|\(application\/zip.*\)|\1\n application\/wasm wasm;|' -i /etc/nginx/mime.types && \ pg_conftool $PG_VERSION main set listen_addresses 'localhost' && \ service postgresql restart && \ - sudo -u postgres psql -c "CREATE DATABASE $ONLYOFFICE_VALUE;" && \ sudo -u postgres psql -c "CREATE USER $ONLYOFFICE_VALUE WITH password '$ONLYOFFICE_VALUE';" && \ - sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE $ONLYOFFICE_VALUE TO $ONLYOFFICE_VALUE;" && \ + sudo -u postgres psql -c "CREATE DATABASE $ONLYOFFICE_VALUE OWNER $ONLYOFFICE_VALUE;" && \ service postgresql stop && \ service redis-server stop && \ service rabbitmq-server stop && \ 
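Review bot: The exclusion added in `find /etc/${COMPANY_NAME} ! -path '*logrotate*' -exec chown ds:ds {} \;` skips every path that merely contains the string `logrotate`, and the `chown` still follows symbolic links, so a link placed in this tree by the ds user would have its target re-owned on the next start (the script presumably runs as root here). Anchor the pattern to the real logrotate location and do not dereference links, e.g. `find "/etc/${COMPANY_NAME}" ! -path "<LOGROTATE_DIR>/*" -exec chown -h ds:ds {} +`, where `<LOGROTATE_DIR>` is a placeholder for the directory this hunk does not show. Quoting `${COMPANY_NAME}` also keeps the start path a single argument. The surrounding block starts and ends outside the hunk.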
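Review bot: The role that `CREATE DATABASE $ONLYOFFICE_VALUE OWNER $ONLYOFFICE_VALUE;` turns into the database owner is created on the line before it with a password equal to its own name, so the image now ships an owner-level account with a default credential baked in at build time. The visible `listen_addresses 'localhost'` setting confines that account to processes inside the container, which is the only thing limiting it and is worth recording. I would add a comment above the RUN instruction such as `# build-time default DB credential; PostgreSQL is bound to localhost only` so nobody later widens `listen_addresses` without also changing the password. The RUN instruction starts and ends outside the hunk.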
diff --git a/run-document-server.sh b/run-document-server.sh index fef8dfd11..c7235dc01 100755 --- a/run-document-server.sh +++ b/run-document-server.sh @@ -358,9 +358,8 @@ create_postgresql_cluster(){ } create_postgresql_db(){ - sudo -u postgres psql -c "CREATE DATABASE $DB_NAME;" sudo -u postgres psql -c "CREATE USER $DB_USER WITH password '"$DB_PWD"';" - sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE $DB_NAME TO $DB_USER;" + sudo -u postgres psql -c "CREATE DATABASE $DB_NAME OWNER $DB_USER;" } create_db_tbl() { From 4499ca1d34f516e061626d300a01199dd4a5f1b5 Mon Sep 17 00:00:00 2001 From: Semyon Bezrukov Date: Mon, 10 Apr 2023 15:10:23 +0300 Subject: [PATCH 03/10] Fix deb package link (#599) --- .github/workflows/4testing-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/4testing-build.yml b/.github/workflows/4testing-build.yml index 683bb80f7..4c5c4a10b 100644 --- a/.github/workflows/4testing-build.yml +++ b/.github/workflows/4testing-build.yml @@ -124,7 +124,7 @@ jobs: BUILD_NUMBER=${{ github.event.inputs.build }} export PRODUCT_EDITION - export PACKAGE_VERSION=${PRODUCT_VERSION}-${BUILD_NUMBER}~stretch + export PACKAGE_VERSION=${PRODUCT_VERSION}-${BUILD_NUMBER} export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }}/${BUILD_CHANNEL} export BUILD_CHANNEL export PLATFORM From 44eb6c45f2d769869911ecc2c104780aa3a50ffe Mon Sep 17 00:00:00 2001 From: Semyon Bezrukov Date: Fri, 14 Apr 2023 20:32:04 +0300 Subject: [PATCH 04/10] Fix deb package link (#602) --- .github/workflows/4testing-build.yml | 2 +- .github/workflows/stable-build.yml | 4 ++-- Makefile | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/4testing-build.yml b/.github/workflows/4testing-build.yml index 4c5c4a10b..d88bbdebd 100644 --- a/.github/workflows/4testing-build.yml +++ b/.github/workflows/4testing-build.yml 
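Review bot: In create_postgresql_db the new `CREATE DATABASE $DB_NAME OWNER $DB_USER;` splices two environment-supplied values into SQL as bare identifiers, and the neighbouring `'"$DB_PWD"'` leaves the password outside the shell's double quotes, so a name containing a hyphen, or a password containing a space, glob character or single quote, breaks or changes the statement. psql can do the quoting itself through `:"name"` and `:'value'`, but it does not interpolate variables in `-c` strings, so the statements have to arrive on stdin. Neither command's status is checked either, so a failed CREATE USER is followed by a CREATE DATABASE that names a missing role; `ON_ERROR_STOP` covers that. Note that `:"db_user"` makes the identifier case-sensitive, which differs from today's behaviour if existing values use upper case. The Dockerfile hunk of this commit builds the same statements from `$ONLYOFFICE_VALUE`.

```shell
create_postgresql_db(){
  # Values are handed to psql as variables so psql quotes them:
  # :"x" quotes as an identifier, :'x' as a string literal.
  sudo -u postgres psql -v ON_ERROR_STOP=1 \
    -v db_name="$DB_NAME" -v db_user="$DB_USER" -v db_pwd="$DB_PWD" <<'SQL'
CREATE USER :"db_user" WITH PASSWORD :'db_pwd';
CREATE DATABASE :"db_name" OWNER :"db_user";
SQL
}
```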
@@ -125,7 +125,7 @@ jobs: export PRODUCT_EDITION export PACKAGE_VERSION=${PRODUCT_VERSION}-${BUILD_NUMBER} - export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }}/${BUILD_CHANNEL} + export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }} export BUILD_CHANNEL export PLATFORM export DOCKERFILE=Dockerfile diff --git a/.github/workflows/stable-build.yml b/.github/workflows/stable-build.yml index d0cc97063..7063e4e49 100644 --- a/.github/workflows/stable-build.yml +++ b/.github/workflows/stable-build.yml @@ -114,11 +114,11 @@ jobs: run: | set -eux export PRODUCT_EDITION=${{ matrix.edition }} - export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }}/test + export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }} export DOCKERFILE=Dockerfile export BASE_IMAGE=ubuntu:20.04 export PG_VERSION=12 export TAG=${{ github.event.inputs.tag }} - export PACKAGE_VERSION=$( echo ${TAG} | sed -E 's/(.*)\./\1-/')~stretch + export PACKAGE_VERSION=$( echo ${TAG} | sed -E 's/(.*)\./\1-/') docker buildx bake -f docker-bake.hcl documentserver-ucs --push shell: bash diff --git a/Makefile b/Makefile index 99b749b27..546e5cc55 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ COMPANY_NAME_ESC = $(subst -,,$(COMPANY_NAME_LOW)) PACKAGE_NAME := $(COMPANY_NAME_LOW)-$(PRODUCT_NAME)$(PRODUCT_EDITION) PACKAGE_VERSION ?= $(PRODUCT_VERSION)-$(BUILD_NUMBER)~stretch -PACKAGE_BASEURL ?= https://s3.eu-west-1.amazonaws.com/repo-doc-onlyoffice-com/server/linux/debian/$(BUILD_CHANNEL) +PACKAGE_BASEURL ?= https://s3.eu-west-1.amazonaws.com/repo-doc-onlyoffice-com/server/linux/debian ifeq ($(BUILD_CHANNEL),$(filter $(BUILD_CHANNEL),nightly test)) DOCKER_TAG := $(PRODUCT_VERSION).$(BUILD_NUMBER) From c61323257ba3be23aebebe99eecfa3a2cc4aad3d Mon Sep 17 00:00:00 2001 
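Review bot: The Makefile default `PACKAGE_VERSION ?= $(PRODUCT_VERSION)-$(BUILD_NUMBER)~stretch` is left untouched in this hunk while the same commit drops the `~stretch` suffix in stable-build.yml and the previous commit drops it in 4testing-build.yml. A `make` run that does not override PACKAGE_VERSION would therefore presumably request a package name from the new base URL that CI no longer uses. If the suffix is gone from the published packages, change the default to `PACKAGE_VERSION ?= $(PRODUCT_VERSION)-$(BUILD_NUMBER)`; if local builds still need it, add a one-line comment saying why the default differs from the workflows.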
From: Evgeniy Antonyuk Date: Thu, 20 Apr 2023 20:27:35 +0500 Subject: [PATCH 05/10] Use the default supervisord configuration (#608) * Use a unix socket by default * Use the default supervisord configuration * Return the init.d supervisor file --- config/supervisor/supervisord.conf | 27 --------------------------- run-document-server.sh | 2 -- 2 files changed, 29 deletions(-) delete mode 100644 config/supervisor/supervisord.conf diff --git a/config/supervisor/supervisord.conf b/config/supervisor/supervisord.conf deleted file mode 100644 index 27ef6348a..000000000 --- a/config/supervisor/supervisord.conf +++ /dev/null @@ -1,27 +0,0 @@ -; supervisor config file - -[inet_http_server] -port = 127.0.0.1:9001 - -[supervisord] -logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log) -pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid) -childlogdir=/var/log/supervisor ; ('AUTO' child log dir, default $TEMP) - -; the below section must remain in the config file for RPC -; (supervisorctl/web interface) to work, additional interfaces may be -; added by defining them in separate rpcinterface: sections -[rpcinterface:supervisor] -supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface - -[supervisorctl] -serverurl = http://localhost:9001 ; use a unix:// URL for a unix socket - -; The [include] section can just contain the "files" setting. This -; setting can list multiple files (separated by whitespace or -; newlines). It can also contain wildcards. The filenames are -; interpreted as relative to this file. Included files *cannot* -; include files themselves. - -[include] -files = /etc/supervisor/conf.d/*.conf diff --git a/run-document-server.sh b/run-document-server.sh index c7235dc01..ed7c6651d 100755 --- a/run-document-server.sh +++ b/run-document-server.sh 
@@ -494,8 +494,6 @@ update_nginx_settings(){ update_supervisor_settings(){ # Copy modified supervisor start script cp ${SYSCONF_TEMPLATES_DIR}/supervisor/supervisor /etc/init.d/ - # Copy modified supervisor config - cp ${SYSCONF_TEMPLATES_DIR}/supervisor/supervisord.conf /etc/supervisor/supervisord.conf sed "s/COMPANY_NAME/${COMPANY_NAME}/g" -i ${SYSCONF_TEMPLATES_DIR}/supervisor/ds/*.conf cp ${SYSCONF_TEMPLATES_DIR}/supervisor/ds/*.conf etc/supervisor/conf.d/ } From 708684ccc1096f4ef1131ec0d16ea5c1c635fcdf Mon Sep 17 00:00:00 2001 From: Semyon Bezrukov Date: Tue, 25 Apr 2023 18:01:14 +0300 Subject: [PATCH 06/10] Trace build commands (#609) * Trace build commands * Small fix --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index e5d89d8f4..6f935dec1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,6 +9,8 @@ ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 DEBIAN_FRONTEND=nonint ARG ONLYOFFICE_VALUE=onlyoffice +SHELL ["/bin/sh", "-x", "-c"] + RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \ apt-get -y update && \ apt-get -yq install wget apt-transport-https gnupg locales lsb-release && \ From 4c5e5f20ee08e79ba2398f6bca4174456daf3304 Mon Sep 17 00:00:00 2001 From: Alexey Golubev Date: Tue, 2 May 2023 13:25:36 +0500 Subject: [PATCH 07/10] Revert "Trace build commands (#609)" This reverts commit 708684ccc1096f4ef1131ec0d16ea5c1c635fcdf. --- Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6f935dec1..e5d89d8f4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,8 +9,6 @@ ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 DEBIAN_FRONTEND=nonint ARG ONLYOFFICE_VALUE=onlyoffice -SHELL ["/bin/sh", "-x", "-c"] - RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \ apt-get -y update && \ apt-get -yq install wget apt-transport-https gnupg locales lsb-release && \ From 989647852e4527bebf27e0dcd8ee08145ea63b2e Mon Sep 17 00:00:00 2001 
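Review bot: `SHELL ["/bin/sh", "-x", "-c"]` applies to every RUN that follows, and `sh -x` prints each command after expansion, so values expanded in those lines end up in the build log; the `CREATE USER ... password '$ONLYOFFICE_VALUE'` statement visible elsewhere in this series is one such line, and any build argument carrying a repository URL would be another. If tracing is only needed for a single step, prefer `set -x` inside that RUN and `set +x` before lines that expand credentials, with a comment such as `# tracing off: this line expands credentials`.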
From: Semyon Bezrukov Date: Wed, 24 May 2023 11:51:14 +0300 Subject: [PATCH 08/10] Fix deprecated set-output (#632) --- .github/workflows/4testing-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/4testing-build.yml b/.github/workflows/4testing-build.yml index d88bbdebd..def1e2c48 100644 --- a/.github/workflows/4testing-build.yml +++ b/.github/workflows/4testing-build.yml @@ -61,7 +61,7 @@ jobs: echo "None of the editions are selected." exit 1 fi - echo "::set-output name=editions::$(jq -n -c --arg s "${EDITIONS[*]}" '($s|split(" "))')" + echo "editions=$(jq -n -c --arg s "${EDITIONS[*]}" '($s|split(" "))')" >> $GITHUB_OUTPUT outputs: editions: ${{ steps.matrix.outputs.editions }} From 7d32cac40a7d0971e8c1d48925ed4793e12577c5 Mon Sep 17 00:00:00 2001 From: Danil Titarenko <77471369+danilapog@users.noreply.github.com> Date: Thu, 25 May 2023 16:36:33 +0300 Subject: [PATCH 09/10] Add new stable images versioning principles (#633) * Refactoring stable images release versioning The new principle of stable docker images versioning: release numbering is now not by build number, but by serial number. * Refactoring: fix non-example image pull tag --- .github/workflows/stable-build.yml | 20 ++++++++++++++++---- docker-bake.hcl | 8 ++++++-- production.dockerfile | 6 +++--- 3 files changed, 25 insertions(+), 9 deletions(-) diff --git a/.github/workflows/stable-build.yml b/.github/workflows/stable-build.yml index 7063e4e49..9a197688a 100644 --- a/.github/workflows/stable-build.yml +++ b/.github/workflows/stable-build.yml @@ -8,6 +8,11 @@ on: description: 'Tag for release (ex. 1.2.3.45)' type: string required: true + release_number: + description: 'Sequence number of the release (ex. x.x.x.)' + type: string + required: true + default: '1' env: COMPANY_NAME: "onlyoffice" 
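Review bot: The redirection `>> $GITHUB_OUTPUT` in the rewritten `echo "editions=..."` line leaves the file path unquoted; write `>> "$GITHUB_OUTPUT"` so the step does not depend on the runner path being free of spaces and glob characters. The run block starts outside the hunk.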
@@ -42,10 +47,12 @@ jobs: run: | set -eux VERSION=${{ github.event.inputs.tag }} + RELEASE_NUMBER=${{ github.event.inputs.release_number }} PRODUCT_EDITION=${{ matrix.edition }} TESTING_IMAGE=${COMPANY_NAME}/4testing-${PRODUCT_NAME}${PRODUCT_EDITION} export PRODUCT_EDITION - export TAG=${VERSION} + export PULL_TAG=${VERSION} + export TAG=${VERSION%.*}.${RELEASE_NUMBER} export SHORTER_TAG=${VERSION%.*} export SHORTEST_TAG=${VERSION%.*.*} docker buildx bake -f docker-bake.hcl ${{ matrix.images }} --push @@ -82,8 +89,11 @@ jobs: - name: build image run: | set -eux + VERSION=${{ github.event.inputs.tag }} + RELEASE_NUMBER=${{ github.event.inputs.release_number }} + export PULL_TAG=${VERSION%.*}.${RELEASE_NUMBER} export PRODUCT_EDITION=${{ matrix.edition }} - export TAG=${{ github.event.inputs.tag }} + export TAG=${VERSION%.*}.${RELEASE_NUMBER} docker buildx bake -f docker-bake.hcl ${{ matrix.images }} --push shell: bash @@ -113,12 +123,14 @@ jobs: - name: build UCS run: | set -eux + VERSION=${{ github.event.inputs.tag }} + RELEASE_NUMBER=${{ github.event.inputs.release_number }} export PRODUCT_EDITION=${{ matrix.edition }} export PACKAGE_BASEURL=${{ secrets.REPO_BASEURL }} export DOCKERFILE=Dockerfile export BASE_IMAGE=ubuntu:20.04 export PG_VERSION=12 - export TAG=${{ github.event.inputs.tag }} - export PACKAGE_VERSION=$( echo ${TAG} | sed -E 's/(.*)\./\1-/') + export TAG=${VERSION%.*}.${RELEASE_NUMBER} + export PACKAGE_VERSION=$( echo ${VERSION} | sed -E 's/(.*)\./\1-/') docker buildx bake -f docker-bake.hcl documentserver-ucs --push shell: bash diff --git a/docker-bake.hcl b/docker-bake.hcl index 28396a6bd..4082f4a0c 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -10,6 +10,10 @@ variable "SHORTEST_TAG" { default = "" } +variable "PULL_TAG" { + default = "" +} + variable "COMPANY_NAME" { default = "" } 
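Review bot: The added `VERSION=${{ github.event.inputs.tag }}` and `RELEASE_NUMBER=${{ github.event.inputs.release_number }}` paste the dispatch inputs into the script text before bash parses it, so whatever is typed into the form is evaluated as shell instead of being treated as data; the same two lines are added in the hunks at -82,8 and -113,12. Pass both inputs through the step's `env:` block and read them as quoted shell variables. Because `release_number` is declared as a free-form string, a numeric check before the tag is assembled also keeps a malformed tag from being pushed. The steps start and end outside these hunks, and the indentation below is approximate.

```yaml
        env:
          VERSION: ${{ github.event.inputs.tag }}
          RELEASE_NUMBER: ${{ github.event.inputs.release_number }}
        run: |
          set -eux
          # reject anything that is not a plain sequence number
          [[ "$RELEASE_NUMBER" =~ ^[0-9]+$ ]] || exit 1
          # … unchanged: PRODUCT_EDITION, TESTING_IMAGE …
          export PULL_TAG="${VERSION}"
          export TAG="${VERSION%.*}.${RELEASE_NUMBER}"
          # … unchanged: SHORTER_TAG, SHORTEST_TAG, docker buildx bake …
```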
@@ -90,7 +94,7 @@ target "documentserver-stable" { equal("-ee",PRODUCT_EDITION) ? "docker.io/${COMPANY_NAME}4enterprise/${PREFIX_NAME}${PRODUCT_NAME}${PRODUCT_EDITION}:${TAG}": "",] platforms = ["linux/amd64", "linux/arm64"] args = { - "TAG": "${TAG}" + "PULL_TAG": "${PULL_TAG}" "COMPANY_NAME": "${COMPANY_NAME}" "PRODUCT_NAME": "${PRODUCT_NAME}" "PRODUCT_EDITION": "${PRODUCT_EDITION}" @@ -121,7 +125,7 @@ target "documentserver-nonexample" { tags = [ "docker.io/${COMPANY_NAME}/${PRODUCT_NAME}${PREFIX_NAME}${PRODUCT_EDITION}:${TAG}-nonexample" ] platforms = ["linux/amd64", "linux/arm64"] args = { - "TAG": "${TAG}" + "PULL_TAG": "${PULL_TAG}" "COMPANY_NAME": "${COMPANY_NAME}" "PRODUCT_NAME": "${PRODUCT_NAME}" "PRODUCT_EDITION": "${PRODUCT_EDITION}" diff --git a/production.dockerfile b/production.dockerfile index 3c7b3bd6b..0706a58ac 100644 --- a/production.dockerfile +++ b/production.dockerfile @@ -1,15 +1,15 @@ ### Arguments avavlivable only for FROM instruction ### -ARG TAG=latest +ARG PULL_TAG=latest ARG COMPANY_NAME=onlyoffice ARG PRODUCT_EDITION= ### Build main-release ### -FROM ${COMPANY_NAME}/4testing-documentserver${PRODUCT_EDITION}:${TAG} as documentserver-stable +FROM ${COMPANY_NAME}/4testing-documentserver${PRODUCT_EDITION}:${PULL_TAG} as documentserver-stable ### Build nonexample ### -FROM ${COMPANY_NAME}/documentserver${PRODUCT_EDITION}:${TAG} as documentserver-nonexample +FROM ${COMPANY_NAME}/documentserver${PRODUCT_EDITION}:${PULL_TAG} as documentserver-nonexample ARG COMPANY_NAME=onlyoffice ARG PRODUCT_NAME=documentserver From 48add9dc896cca14eebc8ed302266a3b2ad942a9 Mon Sep 17 00:00:00 2001 From: Evgeniy Antonyuk Date: Fri, 26 May 2023 18:59:54 +0500 Subject: [PATCH 10/10] Add the ability to enable request filtering agent (#628) --- README.md | 2 ++ run-document-server.sh | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index 1364ab909..cfa9e46bd 100644 --- a/README.md +++ b/README.md 
@@ -196,6 +196,8 @@ Below is the complete list of parameters that can be set using environment varia - **JWT_HEADER**: Defines the http header that will be used to send the JSON Web Token. Defaults to `Authorization`. - **JWT_IN_BODY**: Specifies the enabling the token validation in the request body to the ONLYOFFICE Document Server. Defaults to `false`. - **WOPI_ENABLED**: Specifies the enabling the wopi handlers. Defaults to `false`. +- **ALLOW_META_IP_ADDRESS**: Defines if it is allowed to connect meta IP address or not. Defaults to `false`. +- **ALLOW_PRIVATE_IP_ADDRESS**: Defines if it is allowed to connect private IP address or not. Defaults to `false`. - **USE_UNAUTHORIZED_STORAGE**: Set to `true`if using selfsigned certificates for your storage server e.g. Nextcloud. Defaults to `false` - **GENERATE_FONTS**: When 'true' regenerates fonts list and the fonts thumbnails etc. at each start. Defaults to `true` - **METRICS_ENABLED**: Specifies the enabling StatsD for ONLYOFFICE Document Server. Defaults to `false`. diff --git a/run-document-server.sh b/run-document-server.sh index 967225a59..9a4d17486 100644 --- a/run-document-server.sh +++ b/run-document-server.sh @@ -92,6 +92,8 @@ JWT_HEADER=${JWT_HEADER:-Authorization} JWT_IN_BODY=${JWT_IN_BODY:-false} WOPI_ENABLED=${WOPI_ENABLED:-false} +ALLOW_META_IP_ADDRESS=${ALLOW_META_IP_ADDRESS:-false} +ALLOW_PRIVATE_IP_ADDRESS=${ALLOW_PRIVATE_IP_ADDRESS:-false} GENERATE_FONTS=${GENERATE_FONTS:-true} 
@@ -344,6 +346,12 @@ update_ds_settings(){ ${JSON} -I -e "if(this.wopi===undefined)this.wopi={}" ${JSON} -I -e "this.wopi.enable = true" fi + + if [ "${ALLOW_META_IP_ADDRESS}" = "true" ] || [ "${ALLOW_PRIVATE_IP_ADDRESS}" = "true" ]; then + ${JSON} -I -e "if(this.services.CoAuthoring['request-filtering-agent']===undefined)this.services.CoAuthoring['request-filtering-agent']={}" + [ "${ALLOW_META_IP_ADDRESS}" = "true" ] && ${JSON} -I -e "this.services.CoAuthoring['request-filtering-agent'].allowMetaIPAddress = true" + [ "${ALLOW_PRIVATE_IP_ADDRESS}" = "true" ] && ${JSON} -I -e "this.services.CoAuthoring['request-filtering-agent'].allowPrivateIPAddress = true" + fi } create_postgresql_cluster(){
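Review bot: The block added to update_ds_settings only ever writes `true`: once `ALLOW_META_IP_ADDRESS` or `ALLOW_PRIVATE_IP_ADDRESS` is set back to `false`, nothing resets `allowMetaIPAddress` / `allowPrivateIPAddress`, so if the edited config survives a restart (not visible here) the relaxed outbound-request filter silently stays in effect. Since these switches widen the set of addresses the server may connect to, I would write the value on both branches; this would also overwrite a value an operator set by hand, so confirm that is acceptable. Separately, `[ "${ALLOW_PRIVATE_IP_ADDRESS}" = "true" ] && ${JSON} ...` as the last command of the `if` body leaves a non-zero status when only the meta flag is set, which matters if the caller checks it or the script runs under `set -e` (not visible here). update_ds_settings starts outside the hunk.

```shell
  # … unchanged: wopi block …

  ${JSON} -I -e "if(this.services.CoAuthoring['request-filtering-agent']===undefined)this.services.CoAuthoring['request-filtering-agent']={}"
  # Write both states so turning a flag off takes effect on the next start.
  if [ "${ALLOW_META_IP_ADDRESS}" = "true" ]; then
    ${JSON} -I -e "this.services.CoAuthoring['request-filtering-agent'].allowMetaIPAddress = true"
  else
    ${JSON} -I -e "this.services.CoAuthoring['request-filtering-agent'].allowMetaIPAddress = false"
  fi
  if [ "${ALLOW_PRIVATE_IP_ADDRESS}" = "true" ]; then
    ${JSON} -I -e "this.services.CoAuthoring['request-filtering-agent'].allowPrivateIPAddress = true"
  else
    ${JSON} -I -e "this.services.CoAuthoring['request-filtering-agent'].allowPrivateIPAddress = false"
  fi
```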