Release OpenProject 16.6.4

Author: oliverguenther

.github/workflows/continuous-delivery.yml

@@ -17,11 +17,13 @@ jobs:
     steps:
       - name: Trigger Flavours workflow
         env:
-          TOKEN: ${{ secrets.OPENPROJECT_CI_TOKEN }}
+          TOKEN: ${{ secrets.OPENPROJECTCI_FLAVOUR_TRIGGER_TOKEN }}
           REPOSITORY: opf/openproject-flavours
           WORKFLOW_ID: ci.yml
+          REF_NAME: ${{ github.ref_name }}
         run: |
+          PAYLOAD=$(jq -n --arg ref "$REF_NAME" '{"ref": "dev", "inputs": {"ref": $ref}}')
           curl -i --fail-with-body -H"authorization: Bearer $TOKEN" \
             -XPOST -H"Accept: application/vnd.github.v3+json" \
             https://api.github.com/repos/$REPOSITORY/actions/workflows/$WORKFLOW_ID/dispatches \
-            -d '{"ref": "dev", "inputs": { "ref" : "${{ github.ref_name }}" }}'
+            -d "$PAYLOAD"

.github/workflows/create-merge-from-previous-release-branch-pr.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
     - id: find_previous_release
       env:
-        GITHUB_TOKEN: ${{ secrets.OPENPROJECT_CI_GH_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}
         GITHUB_REPOSITORY: ${{ github.repository }}
       run: |
         BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
@@ -29,7 +29,7 @@ jobs:
         echo "branch=${BRANCH}" >> $GITHUB_OUTPUT
     - id: find_latest_release
       env:
-        GITHUB_TOKEN: ${{ secrets.OPENPROJECT_CI_GH_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}
         GITHUB_REPOSITORY: ${{ github.repository }}
       run: |
         BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
@@ -152,4 +152,4 @@ jobs:
             fi
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.OPENPROJECT_CI_GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}

.github/workflows/create-merge-release-into-dev-pr.yml

@@ -16,7 +16,7 @@ jobs:
     steps:
     - id: find_latest_release
       env:
-        GITHUB_TOKEN: ${{ secrets.OPENPROJECT_CI_GH_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}
         GITHUB_REPOSITORY: ${{ github.repository }}
       run: |
         BRANCH=$(curl -H "Authorization: token $GITHUB_TOKEN" \
@@ -107,4 +107,4 @@ jobs:
             fi
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.OPENPROJECT_CI_GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.OPENPROJECTCI_GH_CORE_PAT }}

.github/workflows/docker-release.yml

@@ -23,15 +23,18 @@ jobs:
           ref: ${{ github.ref }}
       - name: Compute tags and branch
         id: compute
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          INPUT_TAG: ${{ inputs.tag }}
         run: |
-          if [[ ${{ github.event_name }} == 'push' ]]; then
+          if [[ "$EVENT_NAME" == 'push' ]]; then
             # Tag push e.g. refs/tags/v16.3.0 => v16.3.0
             TAG_REF="${GITHUB_REF#refs/tags/}"
             BRANCH_REF="$GITHUB_REF"
-          elif [[ ${{ github.event_name }} == 'workflow_dispatch' && -n "${{ inputs.tag }}" ]]; then
+          elif [[ "$EVENT_NAME" == 'workflow_dispatch' && -n "$INPUT_TAG" ]]; then
             # Manual dispatch with tag
-            TAG_REF="${{ inputs.tag }}"
-            BRANCH_REF="${{ inputs.tag }}"
+            TAG_REF="$INPUT_TAG"
+            BRANCH_REF="$INPUT_TAG"
           else
             # Fallback to dev
             TAG_REF="dev"
@@ -58,11 +61,13 @@ jobs:
     steps:
       - name: Trigger Helm charts release
         env:
-          TOKEN: ${{ secrets.OPENPROJECT_CI_TOKEN }}
+          TOKEN: ${{ secrets.OPENPROJECTCI_HELM_CHARTS_TRIGGER_TOKEN }}
           REPOSITORY: opf/helm-charts
           WORKFLOW_ID: core_release.yml
+          TAG: ${{ needs.compute-inputs.outputs.tag }}
         run: |
+          PAYLOAD=$(jq -n --arg tag "$TAG" '{"ref": "main", "inputs": {"tag": $tag}}')
           curl -i --fail-with-body -H"authorization: Bearer $TOKEN" \
             -XPOST -H"Accept: application/vnd.github.v3+json" \
             https://api.github.com/repos/$REPOSITORY/actions/workflows/$WORKFLOW_ID/dispatches \
-            -d '{"ref": "main", "inputs": { "tag" : "${{ needs.compute-inputs.outputs.tag }}" }}'
+            -d "$PAYLOAD"

.github/workflows/downstream-ci.yml

@@ -7,9 +7,7 @@ on:
     paths-ignore:
       - 'docs/**'
       - 'help/**'
-  # We run this in the less privileged mode to allow external PRs to use this workflow.
-  # This means the workflow will be executed on the base branch, making sure only our own workflow logic is used.
-  pull_request_target:
+  pull_request:
     types: [opened, reopened, synchronize]
     branches:
       - dev
@@ -33,9 +31,13 @@ jobs:
     steps:
       - name: Trigger SaaS Tests
         env:
-          TOKEN: ${{ secrets.OPENPROJECT_CI_TOKEN }}
+          TOKEN: ${{ secrets.OPENPROJECTCI_GH_SAAS_WORKFLOW_PAT }}
           REPOSITORY: opf/saas-openproject
           WORKFLOW_ID: test-saas.yml
+          EVENT_NAME: ${{ github.event_name }}
+          BASE_REF: ${{ github.base_ref }}
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
+          REF_NAME: ${{ github.ref_name }}
         # ref:
         #   * on push this will be `dev` or a specific release branch (e.g. release/16.1) - there is always a matching branch for that downstream
         #   * on pull_request we use the PR branch's base (e.g. dev or a release branch) to match the above
@@ -47,13 +49,13 @@ jobs:
           REF=''
           CORE_REF=''
 
-          if [ "${{ github.event_name }}" = "pull_request_target" ]; then
+          if [ "$EVENT_NAME" = "pull_request" ]; then
             echo The workflow was triggered by a pull request targetting the dev or a release branch
-            REF="${{ github.base_ref }}"
-            CORE_REF="${{ github.event.pull_request.head.ref }}"
+            REF="$BASE_REF"
+            CORE_REF="$HEAD_REF"
           else
             echo The workflow was triggered by a push to the dev or a release branch
-            REF="${{ github.ref_name }}"
+            REF="$REF_NAME"
             CORE_REF="$REF"
           fi
 
@@ -62,7 +64,7 @@ jobs:
             exit 0
           fi
 
-          PAYLOAD=$(printf '{"ref": "%s", "inputs": {"core_ref": "%s"}}' "$REF" "$CORE_REF")
+          PAYLOAD=$(jq -n --arg ref "$REF" --arg core_ref "$CORE_REF" '{"ref": $ref, "inputs": {"core_ref": $core_ref}}')
           OUTPUT_FILE=/tmp/request-output
 
           echo "Triggering $WORKFLOW_ID workflow on $REPOSITORY branch '$REF', which will check out core branch '$CORE_REF'"

app/models/attachment.rb

@@ -234,8 +234,21 @@ def set_digest(file)
     self.digest = Digest::MD5.file(file.path).hexdigest
   end
 
+  ##
+  # Detects the content type of a file based on its actual content.
+  # This method always relies on file content detection (via the `file` command)
+  # and never uses filename-based narrowing (MimeType.narrow_type) to ensure
+  # security-sensitive types like SVG are correctly identified even when the
+  # filename extension doesn't match the actual content.
+  #
+  # @param file_path [String] Path to the file to analyze
+  # @param fallback [String] Default content type if detection fails
+  # @return [String] The detected content type
   def self.content_type_for(file_path, fallback = OpenProject::ContentTypeDetector::SENSIBLE_DEFAULT)
-    content_type = OpenProject::MimeType.narrow_type file_path, OpenProject::ContentTypeDetector.new(file_path).detect
+    # Always use ContentTypeDetector which analyzes file content, not filename
+    # Do NOT use MimeType.narrow_type here as it could incorrectly narrow
+    # security-sensitive types (e.g., SVG with .png extension -> image/png)
+    content_type = OpenProject::ContentTypeDetector.new(file_path).detect
     content_type || fallback
   end
 

config/imagemagick/policy.xml

@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policymap [
+        <!ELEMENT policymap (policy)*>
+        <!ATTLIST policymap xmlns CDATA #FIXED "">
+        <!ELEMENT policy EMPTY>
+        <!ATTLIST policy xmlns CDATA #FIXED "">
+        <!ATTLIST policy domain NMTOKEN #REQUIRED>
+        <!ATTLIST policy name NMTOKEN #IMPLIED>
+        <!ATTLIST policy pattern CDATA #IMPLIED>
+        <!ATTLIST policy rights NMTOKEN #IMPLIED>
+        <!ATTLIST policy stealth NMTOKEN #IMPLIED>
+        <!ATTLIST policy value CDATA #IMPLIED>
+        ]>
+<!--
+  Creating a security policy that fits your specific local environment
+  before making use of ImageMagick is highly advised. You can find guidance on
+  setting up this policy at https://imagemagick.org/script/security-policy.php,
+  and it's important to verify your policy using the validation tool located
+  at https://imagemagick-secevaluator.doyensec.com/.
+
+
+  Web-safe ImageMagick security policy:
+
+  This security protocol designed for web-safe usage focuses on situations
+  where ImageMagick is applied in publicly accessible contexts, like websites.
+  It deactivates the capability to read from or write to any image formats
+  other than web-safe formats like GIF, JPEG, and PNG. Additionally, this
+  policy prohibits the execution of image filters and indirect reads, thereby
+  thwarting potential security breaches. By implementing these limitations,
+  the web-safe policy fortifies the safeguarding of systems accessible to
+  the public, reducing the risk of exploiting ImageMagick's capabilities
+  for potential attacks.
+-->
+<policymap>
+  <!-- Dynamically yield the CPU relative to the system load average. -->
+  <policy domain="resource" name="dynamic-throttle" value="false"/>
+  <!-- Force memory initialization by memory mapping select memory allocations. -->
+  <policy domain="cache" name="memory-map" value="anonymous"/>
+  <!-- Ensure all image data is fully flushed and synchronized to disk. -->
+  <policy domain="cache" name="synchronize" value="true"/>
+  <!-- Do not permit any delegates to execute. -->
+  <policy domain="delegate" rights="none" pattern="*"/>
+  <!-- Do not permit any image filters to load. -->
+  <policy domain="filter" rights="none" pattern="*"/>
+  <!-- Don't read/write from/to stdin/stdout. -->
+  <policy domain="path" rights="none" pattern="-"/>
+  <!-- don't read sensitive paths. -->
+  <policy domain="path" rights="none" pattern="/etc/*"/>
+  <!-- Indirect reads are not permitted. -->
+  <policy domain="path" rights="none" pattern="@*"/>
+  <!-- Deny all image modules and specifically exempt reading or writing web-safe image formats. -->
+  <policy domain="module" rights="none" pattern="*" />
+  <!-- Allow only web-safe image formats. -->
+  <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+  <!-- Disable PDF -->
+  <policy domain="coder" rights="none" pattern="PDF" />
+  <!-- CVE-2016–3714  https://imagetragick.com/ -->
+  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
+  <policy domain="coder" rights="none" pattern="URL" />
+  <policy domain="coder" rights="none" pattern="HTTPS" />
+  <policy domain="coder" rights="none" pattern="MVG" />
+  <policy domain="coder" rights="none" pattern="MSL" />
+  <policy domain="coder" rights="none" pattern="TEXT" />
+  <policy domain="coder" rights="none" pattern="SHOW" />
+  <policy domain="coder" rights="none" pattern="WIN" />
+  <policy domain="coder" rights="none" pattern="PLT" />
+</policymap>

config/initializers/log_slow_sql_queries.rb

@@ -42,8 +42,8 @@
       # Skip transaction that may be blocked
       next if data[:sql].match?(/BEGIN|COMMIT/)
 
-      # Skip tenant creation (load dump)
-      next if data[:sql][..120].include?("Dumped by pg_dump")
+      # Skip tenant creation (load dump sql which is around 300kB)
+      next if data[:sql][..120].include?("Dumped by pg_dump") || data[:sql].size > 200_000
 
       # Skip smaller durations
       duration = ((finish - start) * 1000).round(4)

config/initializers/mini_magick.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+require "mini_magick"
+
+# Ensure ImageMagick reads the project-local policy.xml (websafe)
+# ENV["MAGICK_CONFIGURE_PATH"] ||= Rails.root.join("config/imagemagick").to_s
+
+MiniMagick.configure do |config|
+  # configure MiniMagick CLI to use ImageMagick (not GraphicsMagick)
+  config.graphicsmagick = false
+  # also set the MAGICK_CONFIGURE_PATH for the CLI commands
+  config.cli_env = {
+    "MAGICK_CONFIGURE_PATH" => Rails.root.join("config/imagemagick").to_s
+  }
+end

docs/release-notes/16-6-4/README.md

@@ -0,0 +1,27 @@
+---
+title: OpenProject 16.6.4
+sidebar_navigation:
+    title: 16.6.4
+release_version: 16.6.4
+release_date: 2026-01-08
+---
+
+# OpenProject 16.6.4
+
+Release date: 2026-01-08
+
+We released OpenProject [OpenProject 16.6.4](https://community.openproject.org/versions/2248).
+The release contains several bug fixes and we recommend updating to the newest version.
+Below you will find a complete list of all changes and bug fixes.
+
+<!--more-->
+
+## Bug fixes and changes
+
+<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
+<!-- BEGIN AUTOMATED SECTION -->
+
+- Bugfix: SVG attachments are interpreted as PNG \[[#70349](https://community.openproject.org/wp/70349)\]
+
+<!-- END AUTOMATED SECTION -->
+<!-- Warning: Anything above this line will be automatically removed by the release script -->