From e95055b2bdcd70568c4b4e21424800cab47a582b Mon Sep 17 00:00:00 2001
From: Frank Karlitschek <frank@owncloud.org>
Date: Thu, 21 Jun 2012 14:07:04 +0200
Subject: [PATCH] check if the data directory is accessible via http. Show a
 big security warning if yes

---
 lib/util.php                 | 53 +++++++++++++++++++++++++++++++-----
 settings/admin.php           |  2 ++
 settings/css/settings.css    |  5 +++-
 settings/templates/admin.php | 15 ++++++++++
 4 files changed, 67 insertions(+), 8 deletions(-)
 mode change 100644 => 100755 settings/admin.php
 mode change 100644 => 100755 settings/templates/admin.php

diff --git a/lib/util.php b/lib/util.php
index 7792f96d44..8a2d913109 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -420,18 +420,57 @@ class OC_Util {
 		}
 	}
 	
-	/**
-	 * @brief Public function to sanitize HTML
-	 *
+	/**
+	 * @brief Public function to sanitize HTML
+	 *
 	 * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
 	 * 
 	 * @param string or array of strings
-	 * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
+	 * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
 	 */
-	public static function sanitizeHTML( &$value ){
-		if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML');
-		else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4
+	public static function sanitizeHTML( &$value ){
+		if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML');
+		else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4
 		return $value;
 	}
 
+
+        /**
+         * Check if the htaccess file is working buy creating a test file in the data directory and trying to access via http
+         */
+        public static function ishtaccessworking() {
+
+		// testdata
+		$filename='/htaccesstest.txt';
+		$testcontent='testcontent';
+
+		// creating a test file
+                $testfile = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ).'/'.$filename;
+                $fp = @fopen($testfile, 'w');
+                @fwrite($fp, $testcontent);
+                @fclose($fp);
+
+		// accessing the file via http
+                $url = OC_Helper::serverProtocol(). '://'  . OC_Helper::serverHost() . OC::$WEBROOT.'/data'.$filename;
+                $fp = @fopen($url, 'r');
+                $content=@fread($fp, 2048);
+                @fclose($fp);
+
+		// cleanup
+		@unlink($testfile);
+
+		// does it work ?
+		if($content==$testcontent) {
+			return(false);
+		}else{
+			return(true);
+
+		}
+
+        }
+
+
+
+
+
 }
diff --git a/settings/admin.php b/settings/admin.php
old mode 100644
new mode 100755
index a997bad4e3..8369ee64e0
--- a/settings/admin.php
+++ b/settings/admin.php
@@ -15,6 +15,7 @@ OC_App::setActiveNavigationEntry( "admin" );
 
 $tmpl = new OC_Template( 'settings', 'admin', 'user');
 $forms=OC_App::getForms('admin');
+$htaccessworking=OC_Util::ishtaccessworking();
 
 $entries=OC_Log_Owncloud::getEntries(3);
 function compareEntries($a,$b){
@@ -24,6 +25,7 @@ usort($entries, 'compareEntries');
 
 $tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 ));
 $tmpl->assign('entries',$entries);
+$tmpl->assign('htaccessworking',$htaccessworking);
 $tmpl->assign('forms',array());
 foreach($forms as $form){
 	$tmpl->append('forms',$form);
diff --git a/settings/css/settings.css b/settings/css/settings.css
index df1e3cfd3c..80e96df5e6 100644
--- a/settings/css/settings.css
+++ b/settings/css/settings.css
@@ -48,5 +48,8 @@ li.active { color:#000; }
 small.externalapp { color:#FFF; background-color:#BBB; font-weight:bold; font-size:6pt; padding:4px; border-radius: 4px;}
 span.version { margin-left:3em; color:#ddd; }
 
-/* LOF */
+/* LOG */
 #log { white-space:normal; }
+
+/* ADMIN */
+span.securitywarning {color:#C33; font-weight:bold; }
diff --git a/settings/templates/admin.php b/settings/templates/admin.php
old mode 100644
new mode 100755
index 38c6042c82..a9f727d676
--- a/settings/templates/admin.php
+++ b/settings/templates/admin.php
@@ -6,6 +6,21 @@
 $levels=array('Debug','Info','Warning','Error','Fatal');
 ?>
 
+<?php
+
+if(!$_['htaccessworking']) {
+?>
+<fieldset class="personalblock">
+	<legend><strong><?php echo $l->t('Security Warning');?></strong></legend>
+
+	<span class="securitywarning">Your data directory and your files are probably accessible from the internet. The .htaccess file that ownCloud provides is not working. We strongly suggest that you configure your webserver in a way that the data directory is no longer accessible or you move the data directory outside the webserver document root.</span>
+	
+</fieldset>	
+<?php	
+}
+?>
+
+
 <?php foreach($_['forms'] as $form){
 	echo $form;
 };?>