diff options
| author | MichaIng <28480705+MichaIng@users.noreply.github.com> | 2019-08-19 15:09:44 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-08-19 15:09:44 +0200 |
| commit | dcbf8fa8e31007d95a9651ab478d81074412fb7c (patch) | |
| tree | 1b4b867a05097d6988da86bee438252a2102c3ea /config | |
| parent | b73df01945983c1deffe68b0964115fb8dddb4f9 (diff) | |
| download | nextcloud-server-dcbf8fa8e31007d95a9651ab478d81074412fb7c.tar.gz nextcloud-server-dcbf8fa8e31007d95a9651ab478d81074412fb7c.zip | |
Harden data protection .htaccess
+ Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive.
+ Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority.
+ Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2.
+ Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same.
+ Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files.
Fixes: https://github.com/nextcloud/server/issues/6449
Signed-off-by: Micha Felle <micha@dietpi.com>
Diffstat (limited to 'config')
0 files changed, 0 insertions, 0 deletions