From e84cdc609a87d46db737e1dbdc5680321ce6939d Mon Sep 17 00:00:00 2001 From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:17:39 +0200 Subject: Harden config protection .htaccess + Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive. + Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority. + Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2. + Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same. + Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files. Fixes: #6449 (for the config directory) Signed-off-by: Micha Felle --- config/.htaccess | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) (limited to 'config') diff --git a/config/.htaccess b/config/.htaccess index 853aed187d3..192cdd2aa93 100644 --- a/config/.htaccess +++ b/config/.htaccess @@ -1,14 +1,23 @@ -# line below if for Apache 2.4 +# Section for Apache 2.4 and 2.5 -Require all denied + Require all denied + + + Deny from all + Satisfy All -# line below if for Apache 2.2 +# Section for Apache 2.2 -deny from all + + + Deny from all + + Satisfy All + -# section for Apache 2.2 and 2.4 +# Section for Apache 2.2 to 2.5 -IndexIgnore * + IndexIgnore * -- cgit v1.2.3 From a849b329a74186d2b2ff79af4b14fa511d010802 Mon Sep 17 00:00:00 2001 
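Review bot: The rewritten section comments in config/.htaccess name the Apache versions but do not say when this protection has no effect, which matters because that failure is silent. The file does nothing where .htaccess is not honoured (`AllowOverride None`, or a web server other than Apache). Going by the commit description, the Apache 2.2 section also emits `Deny from all` only if mod_authz_host is loaded, so without that module `Satisfy All` stands alone and restricts nothing. The conditional wrapper lines are not visible in this rendering of the hunk, so that second point is inferred from the description. I would add a header comment such as `# Only effective if the server honours .htaccess here; otherwise deny access to this directory in the server configuration`.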
From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:40:00 +0200 Subject: Use syntax with cases according to official docs + Ref: https://github.com/nextcloud/server/pull/16792/files#r315207691 Signed-off-by: Micha Felle --- config/.htaccess | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'config') diff --git a/config/.htaccess b/config/.htaccess index 192cdd2aa93..857df9bbbac 100644 --- a/config/.htaccess +++ b/config/.htaccess @@ -1,23 +1,23 @@ # Section for Apache 2.4 and 2.5 - + Require all denied - - + + Deny from all Satisfy All - + # Section for Apache 2.2 - - - + + + Deny from all - + Satisfy All - - + + # Section for Apache 2.2 to 2.5 - + IndexIgnore * - + -- cgit v1.2.3 From 241145508844532d2d0f530c0dc09cce1aad4ba0 Mon Sep 17 00:00:00 2001 From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:51:55 +0200 Subject: Apache 2.5 will be released as 2.6 + Ref: https://github.com/nextcloud/server/pull/16792/files#r315206147 Signed-off-by: Micha Felle --- config/.htaccess | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/.htaccess b/config/.htaccess index 857df9bbbac..eda29a03ee9 100644 --- a/config/.htaccess +++ b/config/.htaccess @@ -1,4 +1,4 @@ -# Section for Apache 2.4 and 2.5 +# Section for Apache 2.4 to 2.6 Require all denied @@ -17,7 +17,7 @@ -# Section for Apache 2.2 to 2.5 +# Section for Apache 2.2 to 2.6 IndexIgnore * -- cgit v1.2.3 From 592eecdb7d6b469515cb4231056a8208a548d0aa Mon Sep 17 00:00:00 2001 From: MichaIng Date: Thu, 26 Sep 2019 12:37:07 +0200 Subject: Add "Order" to assure that no parental "Allow" can grant access Signed-off-by: MichaIng --- config/.htaccess | 2 ++ 1 file changed, 2 insertions(+) (limited to 'config') diff --git a/config/.htaccess b/config/.htaccess index eda29a03ee9..13ca28758cf 100644 --- a/config/.htaccess +++ b/config/.htaccess 
@@ -3,6 +3,7 @@ Require all denied + Order Allow,Deny Deny from all Satisfy All @@ -11,6 +12,7 @@ + Order Allow,Deny Deny from all Satisfy All -- cgit v1.2.3
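Review bot: The `Order Allow,Deny` lines added in both hunks carry no comment, so the reason for them is recorded only in the commit subject. With this order a matching Deny always wins and unmatched requests are denied by default, which a later edit to `Order Deny,Allow` would break. I would add above each one `# Evaluate Deny last so that an "Allow" inherited from a parent directory cannot grant access`. The enclosing conditional lines are not visible in this rendering, so it is worth confirming that the second `Order` sits inside the same module guard as the `Deny from all` it precedes.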