From dcbf8fa8e31007d95a9651ab478d81074412fb7c Mon Sep 17 00:00:00 2001 From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:09:44 +0200 Subject: Harden data protection .htaccess + Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive. + Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority. + Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2. + Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same. + Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files. Fixes: https://github.com/nextcloud/server/issues/6449 Signed-off-by: Micha Felle --- lib/private/Setup.php | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) (limited to 'lib/private/Setup.php') diff --git a/lib/private/Setup.php b/lib/private/Setup.php index d7c6df3535a..024d0754c61 100644 --- a/lib/private/Setup.php +++ b/lib/private/Setup.php @@ -542,19 +542,27 @@ class Setup { //Require all denied $now = date('Y-m-d H:i:s'); $content = "# Generated by Nextcloud on $now\n"; - $content.= "# line below if for Apache 2.4\n"; + $content.= "# Section for Apache 2.4 and 2.5\n"; $content.= "\n"; - $content.= "Require all denied\n"; + $content.= " Require all denied\n"; + $content.= "\n"; + $content.= "\n"; + $content.= " Deny from all\n"; + $content.= " Satisfy All\n"; $content.= "\n\n"; - $content.= "# line below if for Apache 2.2\n"; + $content.= "# Section for Apache 2.2\n"; $content.= "\n"; - $content.= "deny from all\n"; - $content.= "Satisfy All\n"; + $content.= " \n"; + $content.= " \n"; + $content.= " Deny from all\n"; + $content.= " \n"; + $content.= " Satisfy All\n"; + $content.= " \n"; $content.= "\n\n"; - $content.= "# section for Apache 2.2 and 2.4\n"; + $content.= "# Section for Apache 2.2 to 2.5\n"; $content.= "\n"; - $content.= "IndexIgnore *\n"; - $content.= "\n"; + $content.= " IndexIgnore *\n"; + $content.= ""; $baseDir = \OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data'); file_put_contents($baseDir . '/.htaccess', $content); -- cgit v1.2.3