angelborroy
Community Manager

This guide covers all configuration changes a sysop or developer needs to know when upgrading from 5.2.0 to 5.4.1. It includes security fixes, changed defaults, new environment variables, and framework upgrades.

Summary

     
| Version | Change |
|---|---|
| 5.2.0 | Tomcat multipart parameter hardening |
| 5.2.1 | New ACTIVEMQ_URL_PARAMS env var separates connection parameters from broker URL |
| 5.2.3 | ImageMagick commandOptions parameter disabled by default (security) |
| 5.3.0 | LibreOffice blind SSRF prevention; new LIBREOFFICE_TEMPLATE_PROFILE_DIR default |
| 5.3.0 | /test endpoint disabled by default |
| 5.4.0 | Spring Boot upgraded to 4.x |
| 5.4.0 | ImageMagick upgraded from 7.0.10 to 7.1.2; changed IMAGEMAGICK_ROOT / IMAGEMAGICK_DYN defaults |

5.2.0: Tomcat Multipart Parameter Hardening

Explicit limits are now set on Tomcat's multipart parser in application.yaml:

server:
  tomcat:
    max-part-count: 10000
    max-part-header-size: 8192B

Previously these relied on Tomcat's internal defaults, which varied between Tomcat versions and left the engine exposed to DoS attacks via unbounded multipart part counts or oversized part headers.

Action required: None for standard deployments. If a custom client sends more than 10,000 form parts or part headers larger than 8 KB, the request will now be rejected.

5.2.1: New ACTIVEMQ_URL_PARAMS

The ActiveMQ broker URL configuration is now split into two env vars:

# Before 5.2.1
broker-url: ${ACTIVEMQ_URL:nio://localhost:61616}?jms.watchTopicAdvisories=false

# From 5.2.1
broker-url: ${ACTIVEMQ_URL:nio://localhost:61616}${ACTIVEMQ_URL_PARAMS:?jms.watchTopicAdvisories=false}

| Env Var | Description | Default |
|---|---|---|
| ACTIVEMQ_URL | ActiveMQ broker URL (host + port only) | nio://localhost:61616 |
| ACTIVEMQ_URL_PARAMS | ActiveMQ connection parameters appended to the URL | ?jms.watchTopicAdvisories=false |

Action required: None if using the default. If you previously passed connection parameters inside ACTIVEMQ_URL (e.g. ACTIVEMQ_URL=nio://host:61616?jms.prefetchPolicy.all=100), move the parameters to ACTIVEMQ_URL_PARAMS to avoid duplication.

5.2.3: ImageMagick commandOptions Disabled by Default

The commandOptions request parameter, which allowed passing raw arguments to the ImageMagick CLI, is now disabled by default to prevent argument injection attacks.

| Env Var | Description | Default |
|---|---|---|
| IMAGEMAGICK_COMMAND_OPTIONS_ENABLED | Enable the deprecated commandOptions parameter | false |

Action required: If any transform client passes commandOptions in its request, those transforms will silently drop the parameter unless IMAGEMAGICK_COMMAND_OPTIONS_ENABLED=true is set. Auditing usage of this parameter is strongly recommended; the parameter is deprecated and will be removed in a future release.

5.3.0: LibreOffice Blind SSRF Prevention

A new LibreOfficeProfileManager class provisions an isolated LibreOffice user profile at startup. A pre-defined registrymodifications.xcu file is written into the profile to block LibreOffice from resolving external links during document conversion, preventing blind Server-Side Request Forgery (SSRF) attacks.

The default value for LIBREOFFICE_TEMPLATE_PROFILE_DIR changed:

| Env Var | Before 5.3.0 | From 5.3.0 |
|---|---|---|
| LIBREOFFICE_TEMPLATE_PROFILE_DIR | (empty) | alfresco_default |

Action required: None for standard deployments. If you mount or override the LibreOffice user profile directory, verify the custom path is compatible with the new profile management logic in LibreOfficeProfileManager.

5.3.0: /test Endpoint Disabled by Default

The browser-based test page (served at http://<engine>:8090/) is now gated behind a configuration flag. It is disabled by default, and the endpoint returns HTTP 403 Forbidden unless the flag is set.

What changed in engines/base/src/main/resources/application.yaml:

transform:
  endpoint:
    test:
      enable: ${TEST_ENDPOINT_ENABLED:false}   # was implicitly enabled before 5.3.0

Action required:

For development and testing environments where the test UI is needed, set:

TEST_ENDPOINT_ENABLED=true

For production deployments, leave it unset. The default false is the correct secure posture.

This change applies to all engines: tika, pdf-renderer, misc, libreoffice, imagemagick, and core-aio.

5.4.0: Spring Boot Upgraded to 4.x

Spring Boot was upgraded from 3.x to 4.x (current GA version is 4.0.6). This is a major framework version bump.

Action required: If you run a custom T-Engine that extends engines/base, update your parent POM or dependency on alfresco-base-t-engine to 5.4.0 or later. Review the Spring Boot 4.x migration guide if you use Spring Boot APIs directly in custom code.

5.4.0: ImageMagick Upgraded to 7.1.2

ImageMagick was upgraded from 7.0.10 to 7.1.2-13 in the Docker images. The default paths for the ImageMagick installation changed accordingly:

| Env Var | Before 5.4.0 | From 5.4.0 |
|---|---|---|
| IMAGEMAGICK_ROOT | /usr/lib64/ImageMagick-7.0.10 | /usr/lib64/ImageMagick-7.1.2 |
| IMAGEMAGICK_DYN | /usr/lib64/ImageMagick-7.0.10/lib | /usr/lib64/ImageMagick-7.1.2/lib |

The base Docker image also moved from EPEL 8 to EPEL 9 dependencies.

Action required:

  • If you override IMAGEMAGICK_ROOT or IMAGEMAGICK_DYN explicitly, update the paths to reflect 7.1.2.
  • If you build a custom Docker image on top of the ImageMagick T-Engine, verify your EPEL repository configuration supports EPEL 9 packages.
  • If you mount an external ImageMagick installation, update the path accordingly.
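
An added example, not part of the original guide or of Alfresco's code: a pre-upgrade check that reads a T-Engine env file and flags the overrides the "Action required" notes above ask you to review (parameters embedded in ACTIVEMQ_URL, the two security toggles, stale ImageMagick paths, a custom LibreOffice profile directory). The KEY=VALUE file format, the function names and the sample values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit a T-Engine env file (KEY=VALUE lines on stdin) against
# the 5.2.0 -> 5.4.1 changes. Prints one finding per line, nothing if clean.
audit_env() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*|'') continue ;; esac
        key=${line%%=*}
        value=${line#*=}
        value=${value#\"}; value=${value%\"}    # drop optional double quotes
        lower=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
        case $key in
            ACTIVEMQ_URL)
                # Setting ACTIVEMQ_URL_PARAMS replaces its default, so the
                # suggestion keeps jms.watchTopicAdvisories=false explicitly.
                case $value in *\?*)
                    base=${value%%\?*}; params=${value#*\?}
                    printf '%s\n' "$key: use ACTIVEMQ_URL=$base ACTIVEMQ_URL_PARAMS=?jms.watchTopicAdvisories=false&$params" ;;
                esac ;;
            IMAGEMAGICK_COMMAND_OPTIONS_ENABLED|TEST_ENDPOINT_ENABLED)
                # Conservative: any value other than an explicit false is flagged.
                case $lower in false|'') ;; *)
                    printf '%s\n' "$key: secure default (false) overridden with '$value'" ;;
                esac ;;
            IMAGEMAGICK_ROOT|IMAGEMAGICK_DYN)
                case $value in *ImageMagick-7.0.10*)
                    printf '%s\n' "$key: path still points at 7.0.10, expected ImageMagick-7.1.2" ;;
                esac ;;
            LIBREOFFICE_TEMPLATE_PROFILE_DIR)
                case $value in alfresco_default|'') ;; *)
                    printf '%s\n' "$key: custom profile '$value', check it against LibreOfficeProfileManager" ;;
                esac ;;
        esac
    done
}

# Constructed sample env file; host name and values are made up for the demo.
sample_env() {
    cat <<'EOF'
# transform-imagemagick.env
ACTIVEMQ_URL=nio://activemq:61616?jms.prefetchPolicy.all=100
IMAGEMAGICK_COMMAND_OPTIONS_ENABLED=True
TEST_ENDPOINT_ENABLED=false
IMAGEMAGICK_ROOT=/usr/lib64/ImageMagick-7.0.10
IMAGEMAGICK_DYN="/usr/lib64/ImageMagick-7.1.2/lib"
EOF
}

sample_env | audit_env
```

To check a real deployment, redirect its env file into `audit_env` on stdin; an empty result means none of the listed overrides are present.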