Refs #4499 This should fix the issue with htaccess files being incorrect.

Todo: create Update file to re-create all htaccess files.

1 files changed, 141 insertions, 29 deletions

diff --git a/plugins/Installation/ServerFilesGenerator.php b/plugins/Installation/ServerFilesGenerator.php
index 48300a34f7..c5b7baf85b 100644
--- a/plugins/Installation/ServerFilesGenerator.php
+++ b/plugins/Installation/ServerFilesGenerator.php
@@ -8,53 +8,79 @@
  */
 namespace Piwik\Plugins\Installation;
 
-use Piwik\Filesystem;
+use Piwik\SettingsServer;
 
 class ServerFilesGenerator
 {
-
     /**
      * Generate Apache .htaccess files to restrict access
      */
     public static function createHtAccessFiles()
     {
-        // deny access to these folders
-        $directoriesToProtect = array(
-            '/config',
-            '/core',
-            '/lang',
-            '/tmp',
-        );
-        foreach ($directoriesToProtect as $directoryToProtect) {
-            Filesystem::createHtAccess(PIWIK_INCLUDE_PATH . $directoryToProtect, $overwrite = true);
-        }
-
-        // Allow/Deny lives in different modules depending on the Apache version
-        $allow = "<IfModule mod_access.c>\nAllow from all\nRequire all granted\n</IfModule>\n".
-                 "<IfModule !mod_access_compat>\n<IfModule mod_authz_host.c>\nAllow from all\nRequire all granted\n</IfModule>\n</IfModule>\n".
-                 "<IfModule mod_access_compat>\nAllow from all\nRequire all granted\n</IfModule>\n".
-                 "<IfModule !mod_authz_host.c>\nSatisfy any</IfModule>\n";
-        $deny = "<IfModule mod_access.c>\nDeny from all\nRequire all denied\n</IfModule>\n".
-                "<IfModule !mod_access_compat>\n<IfModule mod_authz_host.c>\nDeny from all\nRequire all denied\n</IfModule>\n</IfModule>\n".
-                "<IfModule mod_access_compat>\nDeny from all\nRequire all denied\n</IfModule>\n";
+        $denyAll = self::getDenyAllHtaccessContent();
+        $allow = self::getAllowHtaccessContent();
 
         // more selective allow/deny filters
-        $allowAny = "<Files \"*\">\n" . $allow . "\n</Files>\n";
-        $allowStaticAssets = "<Files ~ \"\\.(test\.php|gif|ico|jpg|png|svg|js|css|htm|html|swf)$\">\n" . $allow . "\n</Files>\n";
-        $denyDirectPhp = "<Files ~ \"\\.(php|php4|php5|inc|tpl|in|twig)$\">\n" . $deny . "</Files>\n";
+        $allowAny =
+            "# Allow any file in this directory\n" .
+            "<Files \"*\">\n" .
+                $allow . "\n" .
+            "</Files>\n";
+
+        $allowStaticAssets =
+            "# Allow to serve static files which are safe\n" .
+            "<Files ~ \"\\.(test\.php|gif|ico|jpg|png|svg|js|css|htm|html|swf|mp3|mp4|wav|ogg|avi)$\">\n" .
+                 $allow . "\n" .
+            "</Files>\n";
 
         $directoriesToProtect = array(
             '/js'        => $allowAny,
-            '/libs'      => $denyDirectPhp . $allowStaticAssets,
-            '/vendor'    => $denyDirectPhp . $allowStaticAssets,
-            '/plugins'   => $denyDirectPhp . $allowStaticAssets,
-            '/misc/user' => $denyDirectPhp . $allowStaticAssets,
+            '/libs'      => $denyAll . $allowStaticAssets,
+            '/vendor'    => $denyAll . $allowStaticAssets,
+            '/plugins'   => $denyAll . $allowStaticAssets,
+            '/misc/user' => $denyAll . $allowStaticAssets,
+        );
+        foreach ($directoriesToProtect as $directoryToProtect => $content) {
+            self::createHtAccess(PIWIK_INCLUDE_PATH . $directoryToProtect, $overwrite = true, $content);
+        }
+
+        // deny access to these folders
+        $directoriesToProtect = array(
+            '/config' => $denyAll,
+            '/core' => $denyAll,
+            '/lang' => $denyAll,
+            '/tmp' => $denyAll,
         );
         foreach ($directoriesToProtect as $directoryToProtect => $content) {
-            Filesystem::createHtAccess(PIWIK_INCLUDE_PATH . $directoryToProtect, $overwrite = true, $content);
+            self::createHtAccess(PIWIK_INCLUDE_PATH . $directoryToProtect, $overwrite = true, $content);
+        }
+    }
+
+    static public function createHtAccessDenyAll($path)
+    {
+        self::createHtAccess($path, $overwrite = false, self::getDenyAllHtaccessContent());
+    }
+
+    /**
+     * Create .htaccess file in specified directory
+     *
+     * Apache-specific; for IIS @see web.config
+     *
+     * @param string $path without trailing slash
+     * @param bool $overwrite whether to overwrite an existing file or not
+     * @param string $content
+     */
+    public static function createHtAccess($path, $overwrite = true, $content)
+    {
+        if (SettingsServer::isApache()) {
+            $file = $path . '/.htaccess';
+            if ($overwrite || !file_exists($file)) {
+                @file_put_contents($file, $content);
+            }
         }
     }
 
+
     /**
      * Generate IIS web.config files to restrict access
      *
@@ -81,6 +107,11 @@ class ServerFilesGenerator
           <add fileExtension=".php5" allowed="false" />
           <add fileExtension=".inc" allowed="false" />
           <add fileExtension=".in" allowed="false" />
+          <add fileExtension=".csv" allowed="false" />
+          <add fileExtension=".pdf" allowed="false" />
+          <add fileExtension=".log" allowed="false" />
+          <add fileExtension=".htm" allowed="false" />
+          <add fileExtension=".html" allowed="false" />
         </fileExtensions>
       </requestFiltering>
     </security>
@@ -134,4 +165,85 @@ class ServerFilesGenerator
             @file_put_contents(PIWIK_DOCUMENT_ROOT . $file, '');
         }
     }
+
+    /**
+     * @return string
+     */
+    protected static function getDenyAllHtaccessContent()
+    {
+        $deny = self::getDenyHtaccessContent();
+        $denyAll =
+            "# First, deny access to all files in this directory\n" .
+            "<Files \"*\">\n" .
+            $deny . "\n" .
+            "</Files>\n";
+
+        return $denyAll;
+    }
+
+
+    /**
+     * @return string
+     */
+    protected static function getDenyHtaccessContent()
+    {
+# Source: https://github.com/phpbb/phpbb/pull/2386/files#diff-f72a38c4bec79cc6ded3f8e435d6bd55L11
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+        $deny = <<<HTACCESS_DENY
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		Order Deny,Allow
+		Deny from All
+	</IfVersion>
+	<IfVersion >= 2.4>
+		Require all denied
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		Order Deny,Allow
+		Deny from All
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+</IfModule>
+HTACCESS_DENY;
+        return $deny;
+    }
+
+    /**
+     * @return string
+     */
+    protected static function getAllowHtaccessContent()
+    {
+        $allow = <<<HTACCESS_ALLOW
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		Order Allow,Deny
+		Allow from All
+	</IfVersion>
+	<IfVersion >= 2.4>
+		Require all granted
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		Order Allow,Deny
+		Allow from All
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		Require all granted
+	</IfModule>
+</IfModule>
+HTACCESS_ALLOW;
+        return $allow;
+    }
+
 }