summaryrefslogtreecommitdiffstats
path: root/lib/private/Setup.php
diff options
context:
space:
mode:
authorMichaIng <28480705+MichaIng@users.noreply.github.com>2019-08-19 15:09:44 +0200
committerGitHub <noreply@github.com>2019-08-19 15:09:44 +0200
commitdcbf8fa8e31007d95a9651ab478d81074412fb7c (patch)
tree1b4b867a05097d6988da86bee438252a2102c3ea /lib/private/Setup.php
parentb73df01945983c1deffe68b0964115fb8dddb4f9 (diff)
downloadnextcloud-server-dcbf8fa8e31007d95a9651ab478d81074412fb7c.tar.gz
nextcloud-server-dcbf8fa8e31007d95a9651ab478d81074412fb7c.zip
Harden data protection .htaccess
+ Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive. + Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority. + Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2. + Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same. + Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files. Fixes: https://github.com/nextcloud/server/issues/6449 Signed-off-by: Micha Felle <micha@dietpi.com>
Diffstat (limited to 'lib/private/Setup.php')
-rw-r--r--lib/private/Setup.php24
1 files changed, 16 insertions, 8 deletions
diff --git a/lib/private/Setup.php b/lib/private/Setup.php
index d7c6df3535a..024d0754c61 100644
--- a/lib/private/Setup.php
+++ b/lib/private/Setup.php
@@ -542,19 +542,27 @@ class Setup {
//Require all denied
$now = date('Y-m-d H:i:s');
$content = "# Generated by Nextcloud on $now\n";
- $content.= "# line below if for Apache 2.4\n";
+ $content.= "# Section for Apache 2.4 and 2.5\n";
$content.= "<ifModule mod_authz_core.c>\n";
- $content.= "Require all denied\n";
+ $content.= " Require all denied\n";
+ $content.= "</ifModule>\n";
+ $content.= "<ifModule mod_access_compat.c>\n";
+ $content.= " Deny from all\n";
+ $content.= " Satisfy All\n";
$content.= "</ifModule>\n\n";
- $content.= "# line below if for Apache 2.2\n";
+ $content.= "# Section for Apache 2.2\n";
$content.= "<ifModule !mod_authz_core.c>\n";
- $content.= "deny from all\n";
- $content.= "Satisfy All\n";
+ $content.= " <ifModule !mod_access_compat.c>\n";
+ $content.= " <ifModule mod_authz_host.c>\n";
+ $content.= " Deny from all\n";
+ $content.= " </ifModule>\n";
+ $content.= " Satisfy All\n";
+ $content.= " </ifModule>\n";
$content.= "</ifModule>\n\n";
- $content.= "# section for Apache 2.2 and 2.4\n";
+ $content.= "# Section for Apache 2.2 to 2.5\n";
$content.= "<ifModule mod_autoindex.c>\n";
- $content.= "IndexIgnore *\n";
- $content.= "</ifModule>\n";
+ $content.= " IndexIgnore *\n";
+ $content.= "</ifModule>";
$baseDir = \OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data');
file_put_contents($baseDir . '/.htaccess', $content);