Merge pull request #2513 from nextcloud/fix-htaccess-checks

Properly check the data dir

2 files changed, 4 insertions, 3 deletions

diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js
index 4764efc035d..4d2097a5b5d 100644
--- a/core/js/setupchecks.js
+++ b/core/js/setupchecks.js
@@ -198,7 +198,8 @@
 			}
 			var afterCall = function(xhr) {
 				var messages = [];
-				if (xhr.status !== 403 && xhr.status !== 307 && xhr.status !== 301 && xhr.responseText !== '') {
+				// .ocdata is an empty file in the data directory - if this is readable then the data dir is not protected
+				if (xhr.status === 200 && xhr.responseText === '') {
 					messages.push({
 						msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'),
 						type: OC.SetupChecks.MESSAGE_TYPE_ERROR
@@ -209,7 +210,7 @@
 
 			$.ajax({
 				type: 'GET',
-				url: OC.linkTo('', oc_dataURL+'/htaccesstest.txt?t=' + (new Date()).getTime()),
+				url: OC.linkTo('', oc_dataURL+'/.ocdata?t=' + (new Date()).getTime()),
 				complete: afterCall,
 				allowAuthErrors: true
 			});
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index 5b2a7881df9..faa8a2bf277 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
@@ -103,7 +103,7 @@ describe('OC.SetupChecks tests', function() {
 		it('should return an error if data directory is not protected', function(done) {
 			var async = OC.SetupChecks.checkDataProtected();
 
-			suite.server.requests[0].respond(200, {'Content-Type': 'text/plain'}, 'file contents');
+			suite.server.requests[0].respond(200, {'Content-Type': 'text/plain'}, '');
 
 			async.done(function( data, s, x ){
 				expect(data).toEqual([