feat: frankenphp

Caddyfile

@@ -0,0 +1,49 @@
+localhost {
+	php_server {
+        worker index.php
+	}
+
+	log {
+		level ERROR
+		output stderr
+	}
+
+    encode gzip
+
+    redir /.well-known/carddav /remote.php/dav 301
+    redir /.well-known/caldav /remote.php/dav 301
+
+    # Rule: Maps most RFC 8615 compliant well-known URIs to our main frontend controller (/index.php) by default
+    @wellKnown {
+        path "/.well-known/"
+        not {
+            path /.well-known/acme-challenge
+            path /.well-known/pki-validation
+        }
+    }
+    rewrite @wellKnown /index.php
+
+    rewrite /ocm-provider/ /index.php
+
+    @forbidden {
+        path /.htaccess
+        path /data/*
+        path /config/*
+        path /db_structure
+        path /.xml
+        path /README
+        path /3rdparty/*
+        path /lib/*
+        path /templates/*
+        path /occ
+        path /build
+        path /tests
+        path /console.php
+        path /autotest
+        path /issue
+        path /indi
+        path /db_
+        path /console
+    }
+    respond @forbidden 404
+}

apps/testing/appinfo/info.xml

@@ -16,6 +16,11 @@
 	<types>
 		<authentication/>
 	</types>
+
+	<commands>
+		<command>OCA\Testing\Command\StaticHunt</command>
+	</commands>
+
 	<category>monitoring</category>
 	<bugs>https://github.com/nextcloud/server/issues</bugs>
 	<dependencies>

apps/testing/composer/composer/autoload_classmap.php

@@ -9,6 +9,7 @@
     'Composer\\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php',
     'OCA\\Testing\\AlternativeHomeUserBackend' => $baseDir . '/../lib/AlternativeHomeUserBackend.php',
     'OCA\\Testing\\AppInfo\\Application' => $baseDir . '/../lib/AppInfo/Application.php',
+    'OCA\\Testing\\Command\\StaticHunt' => $baseDir . '/../lib/Command/StaticHunt.php',
     'OCA\\Testing\\Controller\\ConfigController' => $baseDir . '/../lib/Controller/ConfigController.php',
     'OCA\\Testing\\Controller\\LockingController' => $baseDir . '/../lib/Controller/LockingController.php',
     'OCA\\Testing\\Controller\\RateLimitTestController' => $baseDir . '/../lib/Controller/RateLimitTestController.php',

apps/testing/composer/composer/autoload_static.php

@@ -24,6 +24,7 @@ class ComposerStaticInitTesting
         'Composer\\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
         'OCA\\Testing\\AlternativeHomeUserBackend' => __DIR__ . '/..' . '/../lib/AlternativeHomeUserBackend.php',
         'OCA\\Testing\\AppInfo\\Application' => __DIR__ . '/..' . '/../lib/AppInfo/Application.php',
+        'OCA\\Testing\\Command\\StaticHunt' => __DIR__ . '/..' . '/../lib/Command/StaticHunt.php',
         'OCA\\Testing\\Controller\\ConfigController' => __DIR__ . '/..' . '/../lib/Controller/ConfigController.php',
         'OCA\\Testing\\Controller\\LockingController' => __DIR__ . '/..' . '/../lib/Controller/LockingController.php',
         'OCA\\Testing\\Controller\\RateLimitTestController' => __DIR__ . '/..' . '/../lib/Controller/RateLimitTestController.php',

apps/testing/lib/Command/StaticHunt.php

@@ -0,0 +1,110 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Testing\Command;
+
+use OCP\App\IAppManager;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class StaticHunt extends Command {
+	private const array SKIP_REGEX = [
+		'@/templates/.+.php$@',
+		'@/ajax/.+.php$@',
+		'@/register_command.php$@',
+	];
+
+	public function __construct(
+		private IAppManager $appManager,
+	) {
+		parent::__construct();
+	}
+
+	protected function configure() {
+		$this
+			->setName('testing:static-hunt')
+			->setDescription('Hunt for static properties in classes');
+	}
+
+
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		$folders = [
+			'' => __DIR__ . '/../../../../lib/private/legacy',
+			'\\OC' => __DIR__ . '/../../../../lib/private',
+			'\\OC\\Core' => __DIR__ . '/../../../../core',
+		];
+		$apps = $this->appManager->getAllAppsInAppsFolders();
+		foreach ($apps as $app) {
+			$info = $this->appManager->getAppInfo($app);
+			if (!isset($info['namespace'])) {
+				continue;
+			}
+			$folders['\\OCA\\' . $info['namespace']] = $this->appManager->getAppPath($app) . '/lib';
+		}
+		$stats = [
+			'classes' => 0,
+			'properties' => 0,
+		];
+		foreach ($folders as $namespace => $folder) {
+			$this->scanFolder($folder, $namespace, $output, $stats);
+		}
+
+		$output->writeln('<info>Found ' . $stats['properties'] . ' static properties spread among ' . $stats['classes'] . ' classes</info>');
+
+		return 0;
+	}
+
+	private function scanFolder(string $folder, string $namespace, OutputInterface $output, array &$stats): void {
+		$folder = realpath($folder);
+		$output->writeln('Folder ' . $folder, OutputInterface::VERBOSITY_VERBOSE);
+		foreach ($this->recursiveGlob($folder) as $filename) {
+			try {
+				$filename = realpath($filename);
+				if (($namespace === '\\OC') && str_contains($filename, 'lib/private/legacy')) {
+					// Skip legacy in OC as it’s scanned with an empty namespace separately
+					continue;
+				}
+				foreach (self::SKIP_REGEX as $skipRegex) {
+					if (preg_match($skipRegex, $filename)) {
+						continue 2;
+					}
+				}
+				$classname = $namespace . substr(str_replace('/', '\\', substr($filename, strlen($folder))), 0, -4);
+				$output->writeln('Class ' . $classname, OutputInterface::VERBOSITY_VERBOSE);
+				if (!class_exists($classname)) {
+					continue;
+				}
+				$rClass = new \ReflectionClass($classname);
+				$staticProperties = $rClass->getStaticProperties();
+				if (empty($staticProperties)) {
+					continue;
+				}
+				$stats['classes']++;
+				$output->writeln('<info># ' . str_replace(\OC::$SERVERROOT, '', $filename) . " $classname</info>");
+				foreach ($staticProperties as $property => $value) {
+					$propertyObject = $rClass->getProperty($property);
+					$stats['properties']++;
+					$output->write("$propertyObject");
+				}
+				$output->writeln('');
+			} catch (\Throwable $t) {
+				$output->writeln("$t");
+			}
+		}
+	}
+
+	private function recursiveGlob(string $path, int $depth = 1): \Generator {
+		$pattern = $path . str_repeat('/*', $depth);
+		yield from glob($pattern . '.php');
+		if (!empty(glob($pattern, GLOB_ONLYDIR))) {
+			yield from $this->recursiveGlob($path, $depth + 1);
+		}
+	}
+}

index.php

@@ -10,6 +10,7 @@
 
 require_once __DIR__ . '/lib/versioncheck.php';
 
+use OC\Files\Filesystem;
 use OC\ServiceUnavailableException;
 use OC\User\LoginException;
 use OCP\HintException;
@@ -19,90 +20,124 @@
 use OCP\Template\ITemplateManager;
 use Psr\Log\LoggerInterface;
 
-try {
-	require_once __DIR__ . '/lib/base.php';
+require_once __DIR__ . '/lib/OC.php';
 
-	OC::handleRequest();
-} catch (ServiceUnavailableException $ex) {
-	Server::get(LoggerInterface::class)->error($ex->getMessage(), [
-		'app' => 'index',
-		'exception' => $ex,
-	]);
+\OC::boot();
 
-	//show the user a detailed error page
-	Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 503);
-} catch (HintException $ex) {
+function cleanupStaticCrap(): void {
+	// FIXME needed because these use a static var
+	\OC_Hook::clear();
+	\OC_Util::$styles = [];
+	\OC_Util::$headers = [];
+	\OC_User::setIncognitoMode(false);
+	\OC_User::$_setupedBackends = [];
+	\OC_App::reset();
+	\OC_Helper::reset();
+	Filesystem::reset();
+}
+
+$handler = static function () {
 	try {
-		Server::get(ITemplateManager::class)->printErrorPage($ex->getMessage(), $ex->getHint(), 503);
-	} catch (Exception $ex2) {
+		cleanupStaticCrap();
+		OC::init();
+		OC::handleRequest();
+	} catch (ServiceUnavailableException $ex) {
+		Server::get(LoggerInterface::class)->error($ex->getMessage(), [
+			'app' => 'index',
+			'exception' => $ex,
+		]);
+
+		//show the user a detailed error page
+		Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 503);
+	} catch (HintException $ex) {
+		try {
+			Server::get(ITemplateManager::class)->printErrorPage($ex->getMessage(), $ex->getHint(), 503);
+		} catch (Exception $ex2) {
+			try {
+				Server::get(LoggerInterface::class)->error($ex->getMessage(), [
+					'app' => 'index',
+					'exception' => $ex,
+				]);
+				Server::get(LoggerInterface::class)->error($ex2->getMessage(), [
+					'app' => 'index',
+					'exception' => $ex2,
+				]);
+			} catch (Throwable $e) {
+				// no way to log it properly - but to avoid a white page of death we try harder and ignore this one here
+			}
+
+			//show the user a detailed error page
+			Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 500);
+		}
+	} catch (LoginException $ex) {
+		$request = Server::get(IRequest::class);
+		/**
+		 * Routes with the @CORS annotation and other API endpoints should
+		 * not return a webpage, so we only print the error page when html is accepted,
+		 * otherwise we reply with a JSON array like the SecurityMiddleware would do.
+		 */
+		if (stripos($request->getHeader('Accept'), 'html') === false) {
+			http_response_code(401);
+			header('Content-Type: application/json; charset=utf-8');
+			echo json_encode(['message' => $ex->getMessage()]);
+			exit();
+		}
+		Server::get(ITemplateManager::class)->printErrorPage($ex->getMessage(), $ex->getMessage(), 401);
+	} catch (MaxDelayReached $ex) {
+		$request = Server::get(IRequest::class);
+		/**
+		 * Routes with the @CORS annotation and other API endpoints should
+		 * not return a webpage, so we only print the error page when html is accepted,
+		 * otherwise we reply with a JSON array like the BruteForceMiddleware would do.
+		 */
+		if (stripos($request->getHeader('Accept'), 'html') === false) {
+			http_response_code(429);
+			header('Content-Type: application/json; charset=utf-8');
+			echo json_encode(['message' => $ex->getMessage()]);
+			exit();
+		}
+		http_response_code(429);
+		Server::get(ITemplateManager::class)->printGuestPage('core', '429');
+	} catch (Exception $ex) {
+		Server::get(LoggerInterface::class)->error($ex->getMessage(), [
+			'app' => 'index',
+			'exception' => $ex,
+		]);
+
+		//show the user a detailed error page
+		Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 500);
+	} catch (Error $ex) {
 		try {
 			Server::get(LoggerInterface::class)->error($ex->getMessage(), [
 				'app' => 'index',
 				'exception' => $ex,
 			]);
-			Server::get(LoggerInterface::class)->error($ex2->getMessage(), [
-				'app' => 'index',
-				'exception' => $ex2,
-			]);
-		} catch (Throwable $e) {
-			// no way to log it properly - but to avoid a white page of death we try harder and ignore this one here
-		}
+		} catch (Error $e) {
+			http_response_code(500);
+			header('Content-Type: text/plain; charset=utf-8');
+			print("Internal Server Error\n\n");
+			print("The server encountered an internal error and was unable to complete your request.\n");
+			print("Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.\n");
+			print("More details can be found in the webserver log.\n");
 
-		//show the user a detailed error page
+			throw $ex;
+		}
 		Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 500);
 	}
-} catch (LoginException $ex) {
-	$request = Server::get(IRequest::class);
-	/**
-	 * Routes with the @CORS annotation and other API endpoints should
-	 * not return a webpage, so we only print the error page when html is accepted,
-	 * otherwise we reply with a JSON array like the SecurityMiddleware would do.
-	 */
-	if (stripos($request->getHeader('Accept'), 'html') === false) {
-		http_response_code(401);
-		header('Content-Type: application/json; charset=utf-8');
-		echo json_encode(['message' => $ex->getMessage()]);
-		exit();
-	}
-	Server::get(ITemplateManager::class)->printErrorPage($ex->getMessage(), $ex->getMessage(), 401);
-} catch (MaxDelayReached $ex) {
-	$request = Server::get(IRequest::class);
-	/**
-	 * Routes with the @CORS annotation and other API endpoints should
-	 * not return a webpage, so we only print the error page when html is accepted,
-	 * otherwise we reply with a JSON array like the BruteForceMiddleware would do.
-	 */
-	if (stripos($request->getHeader('Accept'), 'html') === false) {
-		http_response_code(429);
-		header('Content-Type: application/json; charset=utf-8');
-		echo json_encode(['message' => $ex->getMessage()]);
-		exit();
-	}
-	http_response_code(429);
-	Server::get(ITemplateManager::class)->printGuestPage('core', '429');
-} catch (Exception $ex) {
-	Server::get(LoggerInterface::class)->error($ex->getMessage(), [
-		'app' => 'index',
-		'exception' => $ex,
-	]);
+};
 
-	//show the user a detailed error page
-	Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 500);
-} catch (Error $ex) {
-	try {
-		Server::get(LoggerInterface::class)->error($ex->getMessage(), [
-			'app' => 'index',
-			'exception' => $ex,
-		]);
-	} catch (Error $e) {
-		http_response_code(500);
-		header('Content-Type: text/plain; charset=utf-8');
-		print("Internal Server Error\n\n");
-		print("The server encountered an internal error and was unable to complete your request.\n");
-		print("Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.\n");
-		print("More details can be found in the webserver log.\n");
+if (function_exists('frankenphp_handle_request') && isset($_SERVER['FRANKENPHP_WORKER']) && $_SERVER['FRANKENPHP_WORKER'] === '1') {
+	$maxRequests = (int)($_SERVER['MAX_REQUESTS'] ?? 0);
+	for ($nbRequests = 0; !$maxRequests || $nbRequests < $maxRequests; ++$nbRequests) {
+		$keepRunning = \frankenphp_handle_request($handler);
 
-		throw $ex;
+		// Call the garbage collector to reduce the chances of it being triggered in the middle of a page generation
+		gc_collect_cycles();
+
+		if (!$keepRunning) {
+			break;
+		}
 	}
-	Server::get(ITemplateManager::class)->printExceptionErrorPage($ex, 500);
+} else {
+	$handler();
 }