diff options
author | MichaIng <28480705+MichaIng@users.noreply.github.com> | 2019-08-19 15:17:39 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-08-19 15:17:39 +0200 |
commit | e84cdc609a87d46db737e1dbdc5680321ce6939d (patch) | |
tree | 4638ccb227f79d691ef1d05b660cd996a514da19 /config | |
parent | dcbf8fa8e31007d95a9651ab478d81074412fb7c (diff) | |
download | nextcloud-server-e84cdc609a87d46db737e1dbdc5680321ce6939d.tar.gz nextcloud-server-e84cdc609a87d46db737e1dbdc5680321ce6939d.zip |
Harden config protection .htaccess
+ Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive.
+ Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority.
+ Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2.
+ Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same.
+ Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files.
Fixes: #6449 (for the config directory)
Signed-off-by: Micha Felle <micha@dietpi.com>
Diffstat (limited to 'config')
-rw-r--r-- | config/.htaccess | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/config/.htaccess b/config/.htaccess index 853aed187d3..192cdd2aa93 100644 --- a/config/.htaccess +++ b/config/.htaccess @@ -1,14 +1,23 @@ -# line below if for Apache 2.4 +# Section for Apache 2.4 and 2.5 <ifModule mod_authz_core.c> -Require all denied + Require all denied +</ifModule> +<ifModule mod_access_compat.c> + Deny from all + Satisfy All </ifModule> -# line below if for Apache 2.2 +# Section for Apache 2.2 <ifModule !mod_authz_core.c> -deny from all + <ifModule !mod_access_compat.c> + <ifModule mod_authz_host.c> + Deny from all + </ifModule> + Satisfy All + </ifModule> </ifModule> -# section for Apache 2.2 and 2.4 +# Section for Apache 2.2 to 2.5 <ifModule mod_autoindex.c> -IndexIgnore * + IndexIgnore * </ifModule> |