From 1f7f2903bc9761d917943422186f2e81bb7b6959 Mon Sep 17 00:00:00 2001
From: lionel
Date: Wed, 24 Jun 2026 19:54:14 +0200
Subject: [PATCH 1/4] docs: security checklist + minimal example; clarify repo is docs-only
TinyFileManager ships default creds (admin/admin@123, user/12345) and has had auth-bypass/upload CVEs. Document: change creds, pin a recent release, keep it behind a VPN/auth proxy on HTTPS, scope the mounted dir. Add an illustrative compose example (localhost-bound) and note no Dockerfile is included yet.
---
README.md | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/README.md b/README.md
index 10bad60..18bf0e6 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,41 @@
 # docker-TinyFileManager
 The simplest way to use "Tiny File Manager" into a docker environment
+
+## Status
+
+This repository currently ships only documentation — no `Dockerfile` / `docker-compose.yml`
+is included yet. A minimal example and the security checklist below are a starting point.
+
+## ⚠️ Security
+
+[TinyFileManager](https://github.com/prasathmani/tinyfilemanager) is a powerful single-file
+PHP file manager. Misconfigured, it exposes your filesystem. Before exposing it:
+
+- **Change the default credentials immediately.** Stock builds ship with
+ `admin / admin@123` and `user / 12345` — anyone who finds the page can log in otherwise.
+- **Pin a recent release.** Older versions have known authentication-bypass / upload CVEs;
+ always run an up-to-date `tinyfilemanager.php`.
+- **Never expose it directly on the Internet.** Put it behind a VPN or a reverse proxy with
+ its own authentication (e.g. basic-auth / SSO), and serve it over HTTPS.
+- **Scope the mounted directory.** Only mount the folder it must manage — never `/` or your
+ whole home directory.
+- **Disable it if unused.** It is an interactive shell-into-your-files; treat it accordingly.
+
+## Minimal example (review before use)
+
+```yaml
+# docker-compose.yml — illustrative, not a turnkey image
+services:
+ tinyfilemanager:
+ image: php:8.3-apache # pin to a digest in production
+ ports:
+ - "127.0.0.1:8080:80" # bind to localhost; expose via a proxy with auth
+ volumes:
+ - ./app:/var/www/html # place a pinned tinyfilemanager.php (+ config) here
+ - ./data:/var/www/html/data # the directory it manages
+ restart: unless-stopped
+```
+
+1. Download a pinned `tinyfilemanager.php` release into `./app/`.
+2. Edit its config to set strong credentials (and a per-deployment `$auth_users` / salt).
+3. `docker compose up -d`, then reach it only through your authenticated proxy.
From f435c7ce795f4c968d4de59a1f25a6545ac3633a Mon Sep 17 00:00:00 2001
From: lionel
Date: Wed, 24 Jun 2026 22:12:18 +0200
Subject: [PATCH 2/4] feat: ship a hardened docker-compose.yml + CI; editorconfig; README
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- docker-compose.yml: localhost-bound (127.0.0.1:8080), scoped volumes, restart policy — a real starting point (was an inline example only).
- CI validates the compose (docker compose config). .gitignore for runtime app/data.
- .editorconfig; README: CI badge, Quick start referencing the file, updated Status.
---
.editorconfig | 9 +++++++++
.github/workflows/ci.yml | 16 ++++++++++++++++
.gitignore | 3 +++
README.md | 25 +++++++++----------------
docker-compose.yml | 11 +++++++++++
5 files changed, 48 insertions(+), 16 deletions(-)
create mode 100644 .editorconfig
create mode 100644 .github/workflows/ci.yml
create mode 100644 .gitignore
create mode 100644 docker-compose.yml
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..79621be
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,9 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..f90859c
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,16 @@
+name: CI
+
+on:
+ push:
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ compose:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Validate docker-compose.yml
+ run: docker compose config -q
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7841f62
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+# runtime data managed by the container
+/app/
+/data/
diff --git a/README.md b/README.md
index 18bf0e6..3c4d875 100644
--- a/README.md
+++ b/README.md
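Review bot: `- uses: actions/checkout@v4` in the `compose` job pins only a movable tag, so what the workflow executes is whatever `v4` resolves to on the day it runs; pin the full commit SHA and keep the tag as a comment, `- uses: actions/checkout@<full-commit-sha>  # v4`, and let a Dependabot `github-actions` entry keep that pin current. The `permissions: contents: read` block and the read-only `docker compose config -q` step are fine as written. Triggering on both `push` and `pull_request` validates the same commit twice on a branch with an open PR; harmless here, but a one-line comment on `on:` saying that is intended would save the next reader the question.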
@@ -1,10 +1,13 @@
 # docker-TinyFileManager
+
+[![CI](https://github.com/ilionel/docker-TinyFileManager/actions/workflows/ci.yml/badge.svg)](https://github.com/ilionel/docker-TinyFileManager/actions/workflows/ci.yml)
 The simplest way to use "Tiny File Manager" into a docker environment
 ## Status
-This repository currently ships only documentation — no `Dockerfile` / `docker-compose.yml`
-is included yet. A minimal example and the security checklist below are a starting point.
+This repo ships a hardened **`docker-compose.yml`** starting point and the security
+checklist below. TinyFileManager itself (`tinyfilemanager.php`) is **not** bundled — you
+provide a pinned copy (see Quick start).
 ## ⚠️ Security
@@ -21,20 +24,10 @@ PHP file manager. Misconfigured, it exposes your filesystem. Before exposing it:
 whole home directory.
 - **Disable it if unused.** It is an interactive shell-into-your-files; treat it accordingly.
-## Minimal example (review before use)
-
-```yaml
-# docker-compose.yml — illustrative, not a turnkey image
-services:
- tinyfilemanager:
- image: php:8.3-apache # pin to a digest in production
- ports:
- - "127.0.0.1:8080:80" # bind to localhost; expose via a proxy with auth
- volumes:
- - ./app:/var/www/html # place a pinned tinyfilemanager.php (+ config) here
- - ./data:/var/www/html/data # the directory it manages
- restart: unless-stopped
-```
+## Quick start
+
+A hardened starting point is in [`docker-compose.yml`](docker-compose.yml) (bound to
+`127.0.0.1`, scoped volumes, `restart: unless-stopped`). Then:
 1. Download a pinned `tinyfilemanager.php` release into `./app/`.
 2. Edit its config to set strong credentials (and a per-deployment `$auth_users` / salt).
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..15313ef
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,11 @@
+# Starting point for running TinyFileManager in a container.
+# Review the Security section in README.md before exposing this anywhere.
+services:
+ tinyfilemanager:
+ image: php:8.3-apache # pin to a digest in production
+ ports:
+ - "127.0.0.1:8080:80" # localhost only; expose via an auth proxy over HTTPS
+ volumes:
+ - ./app:/var/www/html # place a pinned tinyfilemanager.php (+ config) here
+ - ./data:/var/www/html/data # the directory it manages (scope it tightly)
+ restart: unless-stopped
From 4128fe0c64935b542e8d241784bc3d2acb12bd19 Mon Sep 17 00:00:00 2001
From: lionel
Date: Thu, 25 Jun 2026 20:18:12 +0200
Subject: [PATCH 3/4] chore: add Dependabot (weekly updates for actions, deps, base images)
---
.github/dependabot.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b44a890
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: weekly
From 6bb6744c91bc0b75988d428fc5405bcc0309cb07 Mon Sep 17 00:00:00 2001
From: lionel
Date: Thu, 25 Jun 2026 21:51:07 +0200
Subject: [PATCH 4/4] docs: blank line after CI badge; fix tagline grammar + trailing space
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 3c4d875..752334c 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,8 @@
 # docker-TinyFileManager
 [![CI](https://github.com/ilionel/docker-TinyFileManager/actions/workflows/ci.yml/badge.svg)](https://github.com/ilionel/docker-TinyFileManager/actions/workflows/ci.yml)
-The simplest way to use "Tiny File Manager" into a docker environment
+
+The simplest way to run [TinyFileManager](https://github.com/prasathmani/tinyfilemanager) in a Docker environment.
 ## Status
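Review bot: `- ./data:/var/www/html/data` mounts the managed directory inside Apache's document root, so everything the file manager writes there is also served by the same PHP-enabled vhost — a `.php` file landing in the managed tree is handed to the interpreter rather than stored as data, which is the upload-CVE exposure the README already warns about. Mount it outside the docroot, e.g. `- ./data:/srv/data`, and point TinyFileManager's `$root_path` at `/srv/data` in its config; if it must stay under `/var/www/html`, switch the PHP engine off for that path in the Apache config and say so in the comment. The service otherwise runs with the image's defaults, and `security_opt: ["no-new-privileges:true"]` is a free addition here. Since the `# pin to a digest in production` comment already admits the tag is mutable, the form it is asking for is `image: php:8.3-apache@sha256:<digest>`.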
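Review bot: The `package-ecosystem: docker` entry at `directory: /` scans for a `Dockerfile`, and this repository ships none — per patch 2's README the `php:8.3-apache` image is referenced only from `docker-compose.yml` — so the "base images" half of the commit message may never produce an update PR. As far as I recall Dependabot handles compose files through a separate `docker-compose` ecosystem value; verify against the current Dependabot docs and switch this entry or add one for it. Dependabot also bumps a digest only when one is present, so this pairs with the `@sha256:` pin the compose comment recommends.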