Use temporary htaccesstest.txt for data dir security check

This commit is contained in:
Vincent Petry 2016-06-09 11:59:42 +02:00
parent 7f3f06cdd9
commit eb34e95fd3
No known key found for this signature in database
GPG Key ID: AF8F9EFC56562186
4 changed files with 31 additions and 16 deletions

View File

@ -197,7 +197,7 @@
}
var afterCall = function(xhr) {
var messages = [];
if (xhr.status !== 403 && xhr.status !== 307 && xhr.status !== 301 && xhr.responseText === '') {
if (xhr.status !== 403 && xhr.status !== 307 && xhr.status !== 301 && xhr.responseText !== '') {
messages.push({
msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'),
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
@ -208,7 +208,7 @@
$.ajax({
type: 'GET',
url: OC.linkTo('', oc_dataURL+'/.ocdata'),
url: OC.linkTo('', oc_dataURL+'/htaccesstest.txt?t=' + (new Date()).getTime()),
complete: afterCall
});
return deferred.promise();

View File

@ -103,7 +103,7 @@ describe('OC.SetupChecks tests', function() {
it('should return an error if data directory is not protected', function(done) {
var async = OC.SetupChecks.checkDataProtected();
suite.server.requests[0].respond(200);
suite.server.requests[0].respond(200, {'Content-Type': 'text/plain'}, 'file contents');
async.done(function( data, s, x ){
expect(data).toEqual([

View File

@ -1160,19 +1160,8 @@ class OC_Util {
return $encoded;
}
/**
* Check if the .htaccess file is working
* @param \OCP\IConfig $config
* @return bool
* @throws Exception
* @throws \OC\HintException If the test file can't get written.
*/
public function isHtaccessWorking(\OCP\IConfig $config) {
if (\OC::$CLI || !$config->getSystemValue('check_for_working_htaccess', true)) {
return true;
}
public function createHtaccessTestFile(\OCP\IConfig $config) {
// php dev server does not support htaccess
if (php_sapi_name() === 'cli-server') {
return false;
@ -1180,7 +1169,7 @@ class OC_Util {
// testdata
$fileName = '/htaccesstest.txt';
$testContent = 'testcontent';
$testContent = 'This is used for testing whether htaccess is properly enabled to disallow access from the outside. This file can be safely removed.';
// creating a test file
$testFile = $config->getSystemValue('datadirectory', OC::$SERVERROOT . '/data') . '/' . $fileName;
@ -1196,6 +1185,28 @@ class OC_Util {
}
fwrite($fp, $testContent);
fclose($fp);
}
/**
* Check if the .htaccess file is working
* @param \OCP\IConfig $config
* @return bool
* @throws Exception
* @throws \OC\HintException If the test file can't get written.
*/
public function isHtaccessWorking(\OCP\IConfig $config) {
if (\OC::$CLI || !$config->getSystemValue('check_for_working_htaccess', true)) {
return true;
}
$testContent = $this->createHtaccessTestFile($config);
if ($testContent === false) {
return false;
}
$fileName = '/htaccesstest.txt';
$testFile = $config->getSystemValue('datadirectory', OC::$SERVERROOT . '/data') . '/' . $fileName;
// accessing the file via http
$url = \OC::$server->getURLGenerator()->getAbsoluteURL(OC::$WEBROOT . '/data' . $fileName);

View File

@ -264,3 +264,7 @@ if ($updaterAppPanel) {
$template->assign('forms', $formsAndMore);
$template->printPage();
$util = new \OC_Util();
$util->createHtaccessTestFile(\OC::$server->getConfig());