summaryrefslogtreecommitdiffstats
path: root/.htaccess
Commit message (Collapse)AuthorAgeFilesLines
...
* | Add X-Download-Options and X-Permitted-Cross-Domain-PoliciesLukas Reschke2016-01-121-0/+2
| | | | | | | | Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
* | Remove CSP stuff from .htaccessLukas Reschke2016-01-081-7/+0
| | | | | | :cry: Seems like Apache is inconsistent fun between versions. Let's remove it thus for now.
* | always check if the csp is emptyJörn Friedrich Dreyer2016-01-081-1/+1
| |
* | Use setifempty to please incompatible httpd versionsLukas Reschke2016-01-081-3/+6
| | | | | | | | Some httpd versions have problem with the old logic leading to resourced served with multiple headers.
* | Merge pull request #20966 from knox/masterThomas Müller2016-01-071-0/+2
|\ \ | | | | | | Do not rewrite letsencrypt .well-known URI
| * \ Merge branch 'master' into mastermbi2015-12-301-4/+0
| |\ \
| * | | Do not rewrite letsencrypt .well-known URImbi2015-12-081-0/+1
| | | |
| * | | Merge branch 'master' into mastermbi2015-12-081-0/+5
| |\ \ \
| * | | | Allow .well-known URI for letsencryptmbi2015-12-051-0/+1
| | | | | | | | | | | | | | | | | | | | See https://letsencrypt.readthedocs.org/en/latest/using.html#webroot
* | | | | Allow ico files to be served staticallyMorris Jobke2016-01-061-1/+1
| |_|/ / |/| | |
* | | | Merge pull request #20878 from ↵Thomas Müller2015-12-111-1/+0
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | owncloud/proper-htaccess-support-in-code-signing-checker Also run .htaccess routine when installing on another system than Apache
| * | | | Remove version check out of .htaccessLukas Reschke2015-12-081-1/+0
| | |/ / | |/| | | | | | | | | | This can now be achieved using the new code signing.
* / | | Add DirectorySlash to dynamic .htaccess writeLukas Reschke2015-12-081-3/+0
|/ / / | | | | | | | | | | | | | | | | | | | | | When `DirectorySlash off` is set then Apache will not lookup folders anymore. This is required for example when we use the rewrite directives on an existing path such as `/core/search`. By default Apache would load `/core/search/` instead `/core/search` so the redirect would fail here. This leads however to the problem that URLs such as `localhost/owncloud` would not load anymore while `localhost/owncloud/` would. This has caused problems such as https://github.com/owncloud/core/pull/21015 With this change we add the `DirectorySlash off` directive only when the `.htaccess` is writable to the dynamic part of it. This would also make `localhost/owncloud` work again as it would trigger the 404 directive which triggers the redirect in base.php.
* | | Allow .ico filesLukas Reschke2015-12-071-0/+1
| | | | | | | | | | | | Makes `/core/img/favicon.ico` accessible again via web.
* | | Add CSP header to static resourcesLukas Reschke2015-12-071-0/+4
|/ / | | | | | | Fixes https://github.com/owncloud/core/issues/16164
* | fix indentationMorris Jobke2015-12-021-4/+4
| |
* | Append PATH_INFO to ensure that file can be loaded on updateLukas Reschke2015-12-011-3/+2
| |
* | Disable MultiView + DirectorySlashLukas Reschke2015-12-011-1/+5
| | | | | | | | Required for routes that might otherwise collide with existing folders on the system
* | Set "SetEnv" within base `.htaccess` fileLukas Reschke2015-12-011-13/+12
| | | | | | | | mod_rewrite as used by the front controller may require a `RewriteBase` in case the installation is done using an alias. Since we cannot enforce a writable `.htaccess` file this will move the `front_controller_active` environment variable into the main .htaccess file. If administrators decide to have this one not writable they can still enable this feature by setting the `front_controller_active` environment variable within the Apache config.
* | Support pretty URLsLukas Reschke2015-12-011-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | This changeset allows ownCloud to run with pretty URLs, they will be used if mod_rewrite and mod_env are available. This means basically that the `index.php` in the URL is not shown to the user anymore. Also the not deprecated functions to generate URLs have been modified to support this behaviour, old functions such as `filePath` will still behave as before for compatibility reasons. Examples: http://localhost/owncloud/index.php/s/AIDyKbxiRZWAAjP => http://localhost/owncloud/s/AIDyKbxiRZWAAjP http://localhost/owncloud/index.php/apps/files/ => http://localhost/owncloud/apps/files/ Due to the way our CSS and JS is structured the .htaccess uses some hacks for the final result but could be worse... And I was just annoyed by all that users crying for the removal of `index.php` ;-)
* | Update .well-known redirects to the new dav endpointThomas Müller2015-11-181-2/+2
| | | | | | | | This reverts commit 68321efd29184fbc1bef409ec41f9b38501116ef.
* | Revert "Update .well-known redirects to the new dav endpoint"Thomas Müller2015-11-181-2/+2
| | | | | | | | This reverts commit d831c255ea726b8e8aaa0b3c1a8186808b82f73e.
* | Update .well-known redirects to the new dav endpointThomas Müller2015-11-181-2/+2
|/
* Remove legacy non-working rewrites in .htaccessRealRancor2015-10-151-2/+0
|
* Master is now 9.0.0 developmentJoas Schilling2015-10-141-1/+1
|
* Fix .htaccess: php_value should be integerRealRancor2015-09-291-1/+1
|
* properly indent .htaccessMorris Jobke2015-08-161-24/+24
|
* This will be 8.2 in the futureFrank Karlitschek2015-07-011-1/+1
|
* Merge pull request #15042 from wolfgangkarall/masterLukas Reschke2015-03-301-2/+2
|\ | | | | .htaccess RewriteRules: use permanent redirect for .well-known/(cal|card)dav, add 'L' flag
| * use permanent redirect for .well-known/(cal|card)dav, add 'L' flagWolfgang Karall2015-03-191-2/+2
| |
* | Add some generic default headers as well via PHPLukas Reschke2015-03-261-16/+21
|/
* Let users configure security headers in their WebserverLukas Reschke2015-03-021-0/+4
| | | | | | | | | | Doing this in the PHP code is not the right approach for multiple reasons: 1. A bug in the PHP code prevents them from being added to the response. 2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud) 3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations. This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
* Fix version revLukas Reschke2015-02-281-1/+1
|
* This is 8.0.1 nowFrank Karlitschek2015-02-281-1/+1
|
* Use "off" and "off" instead of true booleansLukas Reschke2015-02-231-1/+1
| | | | | | Apparently a boolean in php.ini is according to the documentation "on" or "off"… Fixes itself.
* Add expected values to default config as wellLukas Reschke2015-02-211-0/+1
|
* Setting default charset to UTF-8 in .htaccess and .user.iniFernando Rodriguez Sela2015-02-101-0/+1
|
* Reference module with `.c`Lukas Reschke2015-01-281-2/+2
| | | | Fixes https://github.com/owncloud/core/issues/13657
* Add check for `HTTP_RAW_POST_DATA` setting for >= 5.6Lukas Reschke2015-01-221-0/+1
| | | | | | PHP 5.6 otherwise throws notices for perfectly valid code which results in broken endpoints. Fixes https://github.com/owncloud/core/issues/13592
* Add version to .htaccessLukas Reschke2015-01-081-0/+1
| | | | | | | | | Currently if a user does not replace the .htaccess file with the new update this can lead to serious problems in case Apache is used as webserver. This commit adds the version to the .htaccess file and the update routine fails in case not the newest version is specified in there. This obviously means that every release has to update the version specified in .htaccess as well. But I see no better solution for it. Conflicts: lib/private/updater.php
* escape . in htaccess regex for CSS and JS HTTP headersMorris Jobke2015-01-051-1/+1
|
* blocked 3rdparty instead of l10nRobert Jäckel2014-11-271-1/+1
|
* restrict access to public files onlyRobert Jäckel2014-11-271-0/+2
| | | use mod_rewrite to pretend theese files are not existend for security purposes
* adding cache control headers for css and js - fixes #11496Thomas Müller2014-10-141-0/+5
|
* That file was accidentally commited. Partially revert ↵Lukas Reschke2014-06-161-3/+0
| | | | https://github.com/owncloud/core/commit/f2fc214ce0455ce9a9def36bd09285e82b5eabec
* Add deprecation notice to load* functionsLukas Reschke2014-06-161-0/+3
| | | | | | This functions are deprecated and/or removed since ownCloud 7. Additionally a issubdirectory check has been added here to prevent developers to use this function in a potentially insecure way. Port of https://github.com/owncloud/core/pull/9033
* Remove legacy routing codeLukas Reschke2014-06-051-1/+0
| | | | | | | | | | | | | | | | | | | The getfile routing code was absolutely legacy and not needed anymore. Additionally \OC::$REQUESTEDAPP was never set to the actually accessed application. This commit removes the legacy routing code and ensures that $REQUESTEDAPP is always set so that other applications (e.g. the firewall or a two-factor authentication) can intercept the currently accessed app. Testplan: [x] Installation works [x] Login with DB works [x] Logout works [x] Login with alternate backend works (tested with user_webdavauth) [x] Other apps are accessible [x] Redirect on login works (e.g. index.php?redirect_url=%2Fcore%2Findex.php%2Fsettings%2Fapps%3Finstalled) [x] Personal settings are accessible [x] Admin settings are accessible [x] Sharing files works [x] DAV works [x] OC::$REQUESTEDAPP contains the requested application and can be intercepted by other applications
* Remove trailing tabFelix Eckhofer2014-04-281-1/+1
|
* Escape literal dots in mod_rewrite regexesFelix Eckhofer2014-04-281-6/+6
|
* Remove .htaccess creation codeLukas Reschke2014-02-281-2/+0
| | | | | 1. We're maintaining the same code twice which leads inevitably to problems as this one. The createHtaccess routine is only used to use the correct paths to the 404 and 403 document. 2. Updating the ownCloud instance as described in our documentation (`Delete everything from your ownCloud installation directory, except data and config.`) will break the links to the ErrorDocuments anyways and show the default error handlers if ownCloud is not installed in the root directory.