mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Harden data protection .htaccess 

+ Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive.
+ Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority.
+ Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2.
+ Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same.
+ Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files.

Fixes: https://github.com/nextcloud/server/issues/6449

Signed-off-by: Micha Felle <micha@dietpi.com>
This commit is contained in:
MichaIng 2019-08-19 15:09:44 +02:00 committed by GitHub
parent b73df01945
commit dcbf8fa8e3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lib/private/Setup.php
View File

@ -542,19 +542,27 @@ class Setup {
//Require all denied
$now = date('Y-m-d H:i:s');
$content = "# Generated by Nextcloud on $now\n";
$content.= "# line below if for Apache 2.4\n";
$content.= "# Section for Apache 2.4 and 2.5\n";
$content.= "<ifModule mod_authz_core.c>\n";
$content.= "Require all denied\n";
$content.= "</ifModule>\n\n";
$content.= "# line below if for Apache 2.2\n";
$content.= "<ifModule !mod_authz_core.c>\n";
$content.= "deny from all\n";
$content.= "Satisfy All\n";
$content.= "</ifModule>\n\n";
$content.= "# section for Apache 2.2 and 2.4\n";
$content.= "<ifModule mod_autoindex.c>\n";
$content.= "IndexIgnore *\n";
$content.= " Require all denied\n";
$content.= "</ifModule>\n";
$content.= "<ifModule mod_access_compat.c>\n";
$content.= " Deny from all\n";
$content.= " Satisfy All\n";
$content.= "</ifModule>\n\n";
$content.= "# Section for Apache 2.2\n";
$content.= "<ifModule !mod_authz_core.c>\n";
$content.= " <ifModule !mod_access_compat.c>\n";
$content.= " <ifModule mod_authz_host.c>\n";
$content.= " Deny from all\n";
$content.= " </ifModule>\n";
$content.= " Satisfy All\n";
$content.= " </ifModule>\n";
$content.= "</ifModule>\n\n";
$content.= "# Section for Apache 2.2 to 2.5\n";
$content.= "<ifModule mod_autoindex.c>\n";
$content.= " IndexIgnore *\n";
$content.= "</ifModule>";
$baseDir = \OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data');
file_put_contents($baseDir . '/.htaccess', $content);