diff options
author | Vincent Petry <pvince81@owncloud.com> | 2016-06-07 18:23:19 +0200 |
---|---|---|
committer | Vincent Petry <pvince81@owncloud.com> | 2016-06-07 18:36:13 +0200 |
commit | fb087a026167d0c0db4af9634657a52dfaf011de (patch) | |
tree | d8687620c34a5d07bffa3f3e6db144c2dfb39cad | |
parent | bf917d7063ed9328a8d367343ac2a6574917ddfb (diff) | |
download | nextcloud-server-fb087a026167d0c0db4af9634657a52dfaf011de.tar.gz nextcloud-server-fb087a026167d0c0db4af9634657a52dfaf011de.zip |
Use temporary htaccesstest.txt for data dir security check
-rw-r--r-- | core/js/setupchecks.js | 4 | ||||
-rw-r--r-- | core/js/tests/specs/setupchecksSpec.js | 2 | ||||
-rw-r--r-- | lib/private/legacy/util.php | 37 | ||||
-rw-r--r-- | settings/admin.php | 4 |
4 files changed, 31 insertions, 16 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index 4cc50e51ae6..f987c9f04e6 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -197,7 +197,7 @@ } var afterCall = function(xhr) { var messages = []; - if (xhr.status !== 403 && xhr.status !== 307 && xhr.status !== 301 && xhr.responseText === '') { + if (xhr.status !== 403 && xhr.status !== 307 && xhr.status !== 301 && xhr.responseText !== '') { messages.push({ msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'), type: OC.SetupChecks.MESSAGE_TYPE_ERROR @@ -208,7 +208,7 @@ $.ajax({ type: 'GET', - url: OC.linkTo('', oc_dataURL+'/.ocdata'), + url: OC.linkTo('', oc_dataURL+'/htaccesstest.txt?t=' + (new Date()).getTime()), complete: afterCall }); return deferred.promise(); diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index 4931ca990da..172e6e27135 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -103,7 +103,7 @@ describe('OC.SetupChecks tests', function() { it('should return an error if data directory is not protected', function(done) { var async = OC.SetupChecks.checkDataProtected(); - suite.server.requests[0].respond(200); + suite.server.requests[0].respond(200, {'Content-Type': 'text/plain'}, 'file contents'); async.done(function( data, s, x ){ expect(data).toEqual([ diff --git a/lib/private/legacy/util.php b/lib/private/legacy/util.php index b744db21238..a863348566e 100644 --- a/lib/private/legacy/util.php +++ b/lib/private/legacy/util.php @@ -1128,19 +1128,8 @@ class OC_Util { return $encoded; } - /** - * Check if the .htaccess file is working - * @param \OCP\IConfig $config - * @return bool - * @throws Exception - * @throws \OC\HintException If the test file can't get written. - */ - public function isHtaccessWorking(\OCP\IConfig $config) { - - if (\OC::$CLI || !$config->getSystemValue('check_for_working_htaccess', true)) { - return true; - } + public function createHtaccessTestFile(\OCP\IConfig $config) { // php dev server does not support htaccess if (php_sapi_name() === 'cli-server') { return false; @@ -1148,7 +1137,7 @@ class OC_Util { // testdata $fileName = '/htaccesstest.txt'; - $testContent = 'testcontent'; + $testContent = 'This is used for testing whether htaccess is properly enabled to disallow access from the outside. This file can be safely removed.'; // creating a test file $testFile = $config->getSystemValue('datadirectory', OC::$SERVERROOT . '/data') . '/' . $fileName; @@ -1164,6 +1153,28 @@ class OC_Util { } fwrite($fp, $testContent); fclose($fp); + } + + /** + * Check if the .htaccess file is working + * @param \OCP\IConfig $config + * @return bool + * @throws Exception + * @throws \OC\HintException If the test file can't get written. + */ + public function isHtaccessWorking(\OCP\IConfig $config) { + + if (\OC::$CLI || !$config->getSystemValue('check_for_working_htaccess', true)) { + return true; + } + + $testContent = $this->createHtaccessTestFile($config); + if ($testContent === false) { + return false; + } + + $fileName = '/htaccesstest.txt'; + $testFile = $config->getSystemValue('datadirectory', OC::$SERVERROOT . '/data') . '/' . $fileName; // accessing the file via http $url = \OC::$server->getURLGenerator()->getAbsoluteURL(OC::$WEBROOT . '/data' . $fileName); diff --git a/settings/admin.php b/settings/admin.php index 6fb65b013e6..3ae7455b2ea 100644 --- a/settings/admin.php +++ b/settings/admin.php @@ -267,3 +267,7 @@ if ($updaterAppPanel) { $template->assign('forms', $formsAndMore); $template->printPage(); + +$util = new \OC_Util(); +$util->createHtaccessTestFile(\OC::$server->getConfig()); + |