authorVincent Petry <pvince81@owncloud.com>2016-06-07 18:23:19 +0200
committerVincent Petry <pvince81@owncloud.com>2016-06-07 18:36:13 +0200
commitfb087a026167d0c0db4af9634657a52dfaf011de (patch)
treed8687620c34a5d07bffa3f3e6db144c2dfb39cad
parentbf917d7063ed9328a8d367343ac2a6574917ddfb (diff)
Use temporary htaccesstest.txt for data dir security check
-rw-r--r--core/js/setupchecks.js4
-rw-r--r--core/js/tests/specs/setupchecksSpec.js2
-rw-r--r--lib/private/legacy/util.php37
-rw-r--r--settings/admin.php4
4 files changed, 31 insertions, 16 deletions
diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 4cc50e51ae6..f987c9f04e6 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -197,7 +197,7 @@
}
var afterCall = function(xhr) {
var messages = [];
- if (xhr.status !== 403 && xhr.status !== 307 && xhr.status !== 301 && xhr.responseText === '') {
+ if (xhr.status !== 403 && xhr.status !== 307 && xhr.status !== 301 && xhr.responseText !== '') {
messages.push({
msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'),
type: OC.SetupChecks.MESSAGE_TYPE_ERROR
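Review bot: The new condition still counts every status other than 403, 307 and 301 as exposure once the body is non-empty, so a 404 or 500 error page (for instance when htaccesstest.txt was never written) raises the "data directory accessible" error even though nothing was served from the data directory. Matching the success case is tighter: `if (xhr.status === 200 && xhr.responseText !== '') {`, and comparing the body against the known test-file text would rule out custom error pages served with 200. afterCall starts inside the hunk but its body continues past it, so whether other branches depend on the current form cannot be seen here.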
@@ -208,7 +208,7 @@
$.ajax({
type: 'GET',
- url: OC.linkTo('', oc_dataURL+'/.ocdata'),
+ url: OC.linkTo('', oc_dataURL+'/htaccesstest.txt?t=' + (new Date()).getTime()),
complete: afterCall
});
return deferred.promise();
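Review bot: The cache buster is concatenated into the file argument of `OC.linkTo`, which puts a query string into what is otherwise a path and leaves the reason for the timestamp unexplained. jQuery already offers this for GET requests: keep `url: OC.linkTo('', oc_dataURL+'/htaccesstest.txt'),` and add `cache: false,` to the settings object. If the manual form stays, a comment such as `// cache-bust so a stale cached response cannot mask the current web server config` would make the intent clear. The enclosing function begins outside the hunk.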
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index 4931ca990da..172e6e27135 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
@@ -103,7 +103,7 @@ describe('OC.SetupChecks tests', function() {
it('should return an error if data directory is not protected', function(done) {
var async = OC.SetupChecks.checkDataProtected();
- suite.server.requests[0].respond(200);
+ suite.server.requests[0].respond(200, {'Content-Type': 'text/plain'}, 'file contents');
async.done(function( data, s, x ){
expect(data).toEqual([
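Review bot: Only the 200-with-body case is pinned here, so the changed condition in setupchecks.js (`xhr.responseText !== ''`) is not tested against the responses where it now behaves differently. Two further specs would cover that: one with `respond(200)` and an empty body expecting no message, and one with `respond(404, {'Content-Type': 'text/html'}, 'Not Found')` to record whether an error page with a body is meant to count as exposure. The spec body continues past the end of the hunk.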
diff --git a/lib/private/legacy/util.php b/lib/private/legacy/util.php
index b744db21238..a863348566e 100644
--- a/lib/private/legacy/util.php
+++ b/lib/private/legacy/util.php
@@ -1128,19 +1128,8 @@ class OC_Util {
return $encoded;
}
- /**
- * Check if the .htaccess file is working
- * @param \OCP\IConfig $config
- * @return bool
- * @throws Exception
- * @throws \OC\HintException If the test file can't get written.
- */
- public function isHtaccessWorking(\OCP\IConfig $config) {
-
- if (\OC::$CLI || !$config->getSystemValue('check_for_working_htaccess', true)) {
- return true;
- }
+ public function createHtaccessTestFile(\OCP\IConfig $config) {
// php dev server does not support htaccess
if (php_sapi_name() === 'cli-server') {
return false;
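Review bot: `createHtaccessTestFile` is a new public method with no docblock, because the existing one moved down to `isHtaccessWorking`. A docblock here should say that the method writes `htaccesstest.txt` into the configured data directory, list `@param \OCP\IConfig $config`, describe the return value (`false` under the PHP dev server, as the `cli-server` branch shows) and carry the `@throws \OC\HintException` line that the old docblock gave for an unwritable test file. It is also worth stating that the file is left in place for the browser-side check, if that is the intent, since the method is now called from settings/admin.php on its own. The method body continues outside this hunk.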
@@ -1148,7 +1137,7 @@ class OC_Util {
// testdata
$fileName = '/htaccesstest.txt';
- $testContent = 'testcontent';
+ $testContent = 'This is used for testing whether htaccess is properly enabled to disallow access from the outside. This file can be safely removed.';
// creating a test file
$testFile = $config->getSystemValue('datadirectory', OC::$SERVERROOT . '/data') . '/' . $fileName;
@@ -1164,6 +1153,28 @@ class OC_Util {
}
fwrite($fp, $testContent);
fclose($fp);
+ }
+
+ /**
+ * Check if the .htaccess file is working
+ * @param \OCP\IConfig $config
+ * @return bool
+ * @throws Exception
+ * @throws \OC\HintException If the test file can't get written.
+ */
+ public function isHtaccessWorking(\OCP\IConfig $config) {
+
+ if (\OC::$CLI || !$config->getSystemValue('check_for_working_htaccess', true)) {
+ return true;
+ }
+
+ $testContent = $this->createHtaccessTestFile($config);
+ if ($testContent === false) {
+ return false;
+ }
+
+ $fileName = '/htaccesstest.txt';
+ $testFile = $config->getSystemValue('datadirectory', OC::$SERVERROOT . '/data') . '/' . $fileName;
// accessing the file via http
$url = \OC::$server->getURLGenerator()->getAbsoluteURL(OC::$WEBROOT . '/data' . $fileName);
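Review bot: The success path of `createHtaccessTestFile` ends at `fclose($fp);` followed directly by the added closing brace, so it returns null, yet `isHtaccessWorking` stores the result in `$testContent` and only rejects `false`. Any later comparison of the fetched body against `$testContent` (not visible in this hunk) would then compare against null rather than the written text. Adding `return $testContent;` after `fclose($fp);` makes the helper's contract match its caller. The `$fileName`/`$testFile` lines are now duplicated in both methods and could be shared through a private helper or constant; `isHtaccessWorking` continues outside the hunk.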
diff --git a/settings/admin.php b/settings/admin.php
index 6fb65b013e6..3ae7455b2ea 100644
--- a/settings/admin.php
+++ b/settings/admin.php
@@ -267,3 +267,7 @@ if ($updaterAppPanel) {
$template->assign('forms', $formsAndMore);
$template->printPage();
+
+$util = new \OC_Util();
+$util->createHtaccessTestFile(\OC::$server->getConfig());
+
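Review bot: The call to `createHtaccessTestFile` runs after `$template->printPage();` with no error handling, and the docblock in util.php says this code path throws `\OC\HintException` when the test file cannot be written. On an instance with a read-only or misconfigured data directory that exception would surface after the admin page has already been sent. Wrapping it as `try { $util->createHtaccessTestFile(\OC::$server->getConfig()); } catch (\OC\HintException $e) { /* log and continue */ }` keeps the page usable and still records the failure. A comment explaining that the file is created here for the JavaScript check in core/js/setupchecks.js would help, since nothing on this line says why an admin page view writes into the data directory.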