Commit graph

9 commits

Author SHA1 Message Date
MichaIng
592eecdb7d
Add "Order" to assure that no parental "Allow" can grant access
Signed-off-by: MichaIng <micha@dietpi.com>
2019-09-26 12:37:07 +02:00
MichaIng
2411455088
Apache 2.5 will be released as 2.6
+ Ref: https://github.com/nextcloud/server/pull/16792/files#r315206147

Signed-off-by: Micha Felle <micha@dietpi.com>
2019-08-19 15:51:55 +02:00
MichaIng
a849b329a7
Use syntax with cases according to official docs
+ Ref: https://github.com/nextcloud/server/pull/16792/files#r315207691

Signed-off-by: Micha Felle <micha@dietpi.com>
2019-08-19 15:40:00 +02:00
MichaIng
e84cdc609a
Harden config protection .htaccess
+ Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive.
+ Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority.
+ Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2.
+ Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same.
+ Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files.

Fixes: #6449 (for the config directory)

Signed-off-by: Micha Felle <micha@dietpi.com>
2019-08-19 15:17:39 +02:00
Robert Scheck
25a2cb8c6e Only request "IndexIgnore" if mod_autoindex is loaded
Signed-off-by: Robert Scheck <robert@fedoraproject.org>
2017-02-20 13:09:15 +01:00
Lukas Reschke
20199dd168 Reference module with .c
Fixes https://github.com/owncloud/core/issues/13657
2015-01-28 13:15:32 +01:00
Lukas Reschke
2d2a4741ce Make files non executable
There is not much sense in having these files marked executable, we should avoid that.
2014-10-24 11:14:51 +02:00
Bjoern Schiessle
277f25222a if file doesn't exist, check parent folder 2014-06-14 10:14:07 +02:00
Lukas Reschke
c92a138489 Preventing access to the config folder
It isn't uncommon that admins create a backup file of the config (i.e. `config.php.bak`) before performing any changes. This would allow everybody to read the backup of the configuration file which contain several secret and critical values.

I don't believe this is worth a backport or getting added to the installer. It's just a nice to have. People that create public readable backups of their configuration are the one to blame, not us :-)
2014-04-24 08:33:58 +02:00