From dcbf8fa8e31007d95a9651ab478d81074412fb7c Mon Sep 17 00:00:00 2001
From: MichaIng <28480705+MichaIng@users.noreply.github.com>
Date: Mon, 19 Aug 2019 15:09:44 +0200
Subject: [PATCH] Harden data protection .htaccess

+ Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive.
+ Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority.
+ Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2.
+ Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same.
+ Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files.
Fixes: https://github.com/nextcloud/server/issues/6449
Signed-off-by: Micha Felle
---
 lib/private/Setup.php | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/lib/private/Setup.php b/lib/private/Setup.php
index d7c6df3535..024d0754c6 100644
--- a/lib/private/Setup.php
+++ b/lib/private/Setup.php
@@ -542,19 +542,27 @@ class Setup {
  //Require all denied
  $now = date('Y-m-d H:i:s');
  $content = "# Generated by Nextcloud on $now\n";
- $content.= "# line below if for Apache 2.4\n";
+ $content.= "# Section for Apache 2.4 and 2.5\n";
  $content.= "\n";
- $content.= "Require all denied\n";
- $content.= "\n\n";
- $content.= "# line below if for Apache 2.2\n";
- $content.= "\n";
- $content.= "deny from all\n";
- $content.= "Satisfy All\n";
- $content.= "\n\n";
- $content.= "# section for Apache 2.2 and 2.4\n";
- $content.= "\n";
- $content.= "IndexIgnore *\n";
+ $content.= " Require all denied\n";
  $content.= "\n";
+ $content.= "\n";
+ $content.= " Deny from all\n";
+ $content.= " Satisfy All\n";
+ $content.= "\n\n";
+ $content.= "# Section for Apache 2.2\n";
+ $content.= "\n";
+ $content.= " \n";
+ $content.= " \n";
+ $content.= " Deny from all\n";
+ $content.= " \n";
+ $content.= " Satisfy All\n";
+ $content.= " \n";
+ $content.= "\n\n";
+ $content.= "# Section for Apache 2.2 to 2.5\n";
+ $content.= "\n";
+ $content.= " IndexIgnore *\n";
+ $content.= "";
  $baseDir = \OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data');
  file_put_contents($baseDir . '/.htaccess', $content);
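Review bot: The new "Section for Apache 2.2" block can still emit a file that denies nothing: per the commit message `Deny from all` is written only inside the mod_authz_host wrapper, so on a server where none of the access-control modules is loaded the only directive left is `Satisfy All`, which restricts nothing by itself. The wrapper lines are not legible in this rendering of the hunk, so this reading rests on the description and on the nesting of the added lines and should be confirmed against the file. I would state that residual case in the generated header, e.g. `$content.= "# Takes effect only if an access control module is loaded and AllowOverride permits it\n";`, so an administrator reading the file does not assume it always protects the directory. Separately, the unchanged `file_put_contents($baseDir . '/.htaccess', $content);` at the end of the hunk still discards its result, so a failed write leaves the data directory without this file and nothing reports it; comparing the result with `=== false` and logging the failure would close that. The enclosing method starts and ends outside the hunk.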