From e84cdc609a87d46db737e1dbdc5680321ce6939d Mon Sep 17 00:00:00 2001 From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:17:39 +0200 Subject: [PATCH] Harden config protection .htaccess + Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive. + Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority. + Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2. + Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same. + Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files. Fixes: #6449 (for the config directory) Signed-off-by: Micha Felle --- config/.htaccess | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/config/.htaccess b/config/.htaccess index 853aed187d..192cdd2aa9 100644 --- a/config/.htaccess +++ b/config/.htaccess @@ -1,14 +1,23 @@ -# line below if for Apache 2.4 +# Section for Apache 2.4 and 2.5 -Require all denied + Require all denied + + + Deny from all + Satisfy All -# line below if for Apache 2.2 +# Section for Apache 2.2 -deny from all + + + Deny from all + + Satisfy All + -# section for Apache 2.2 and 2.4 +# Section for Apache 2.2 to 2.5 -IndexIgnore * + IndexIgnore *
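Review bot: In the "Section for Apache 2.4 and 2.5" block, the new "Deny from all" and "Satisfy All" lines sit next to "Require all denied" with nothing in the file saying why both access-control styles are present. The rationale, that "Satisfy All" must override a possible "Satisfy Any" inherited from a parent directory, exists only in the commit message, so a later cleanup could drop these lines as redundant and reopen direct access to the config data. Consider a one-line comment above "Satisfy All" in both sections, for example: # Override a possible "Satisfy Any" set on a parent directory. The commit message also scopes the fix to the config directory only ("Fixes: #6449 (for the config directory)"), and it mentions other .htaccess files. It would help to state in the description whether any of those are deny-all protection files like this one that still need the same hardening, or to track that follow-up explicitly.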