Merge pull request #16792 from MichaIng/patch-1

Harden data and config protection .htaccess
2019-12-19 11:26:12 +01:00 · 2019-12-19 11:26:12 +01:00 · 5d9fd7ba0c
parent 79b9be7ebf 4384806f61
commit 5d9fd7ba0c
2 changed files with 46 additions and 25 deletions
--- a/config/.htaccess
+++ b/config/.htaccess
@ -1,14 +1,25 @@
-# line below if for Apache 2.4
-<ifModule mod_authz_core.c>
-Require all denied
-</ifModule>
+# Section for Apache 2.4 to 2.6
+<IfModule mod_authz_core.c>
+  Require all denied
+</IfModule>
+<IfModule mod_access_compat.c>
+  Order Allow,Deny
+  Deny from all
+  Satisfy All
+</IfModule>

-# line below if for Apache 2.2
-<ifModule !mod_authz_core.c>
-deny from all
-</ifModule>
+# Section for Apache 2.2
+<IfModule !mod_authz_core.c>
+  <IfModule !mod_access_compat.c>
+    <IfModule mod_authz_host.c>
+      Order Allow,Deny
+      Deny from all
+    </IfModule>
+    Satisfy All
+  </IfModule>
+</IfModule>

-# section for Apache 2.2 and 2.4
-<ifModule mod_autoindex.c>
-IndexIgnore *
-</ifModule>
+# Section for Apache 2.2 to 2.6
+<IfModule mod_autoindex.c>
+  IndexIgnore *
+</IfModule>
--- a/lib/private/Setup.php
+++ b/lib/private/Setup.php
@ -556,19 +556,29 @@ class Setup {
 		//Require all denied
 		$now = date('Y-m-d H:i:s');
 		$content = "# Generated by Nextcloud on $now\n";
-		$content .= "# line below if for Apache 2.4\n";
-		$content .= "<ifModule mod_authz_core.c>\n";
-		$content .= "Require all denied\n";
-		$content .= "</ifModule>\n\n";
-		$content .= "# line below if for Apache 2.2\n";
-		$content .= "<ifModule !mod_authz_core.c>\n";
-		$content .= "deny from all\n";
-		$content .= "Satisfy All\n";
-		$content .= "</ifModule>\n\n";
-		$content .= "# section for Apache 2.2 and 2.4\n";
-		$content .= "<ifModule mod_autoindex.c>\n";
-		$content .= "IndexIgnore *\n";
-		$content .= "</ifModule>\n";
+		$content .= "# Section for Apache 2.4 to 2.6\n";
+		$content .= "<IfModule mod_authz_core.c>\n";
+		$content .= "  Require all denied\n";
+		$content .= "</IfModule>\n";
+		$content .= "<IfModule mod_access_compat.c>\n";
+		$content .= "  Order Allow,Deny\n";
+		$content .= "  Deny from all\n";
+		$content .= "  Satisfy All\n";
+		$content .= "</IfModule>\n\n";
+		$content .= "# Section for Apache 2.2\n";
+		$content .= "<IfModule !mod_authz_core.c>\n";
+		$content .= "  <IfModule !mod_access_compat.c>\n";
+		$content .= "    <IfModule mod_authz_host.c>\n";
+		$content .= "      Order Allow,Deny\n";
+		$content .= "      Deny from all\n";
+		$content .= "    <IifModule>\n";
+		$content .= "    Satisfy All\n";
+		$content .= "  </IfModule>\n";
+		$content .= "</IfModule>\n\n";
+		$content .= "# Section for Apache 2.2 to 2.6\n";
+		$content .= "<IfModule mod_autoindex.c>\n";
+		$content .= "  IndexIgnore *\n";
+		$content .= "</IfModule>";

 		$baseDir = \OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data');
 		file_put_contents($baseDir . '/.htaccess', $content);