Commit graph

109 commits

Author SHA1 Message Date
Dan Callahan
8797590099
Correct mistaken regex wildcard in .htaccess
Fixes #8578

Signed-off-by: Dan Callahan <dan.callahan@gmail.com>
2018-02-28 13:50:54 +00:00
Robert Scheck
7583615bab Handle SSL certificate verifications for others than Let's Encrypt
Do no longer (wrongly) rewrite URLs like

  * http://example.net/.well-known/pki-validation/file.txt (Comodo)
  * http://example.net/.well-known/pki-validation/fileauth.txt (DigiCert, Thawte, GeoTrust)
  * http://example.net/.well-known/pki-validation/gsdv.txt (GlobalSign)
  * http://example.net/.well-known/pki-validation/starfield.htm (Starfield, GoDaddy)
  * http://example.net/.well-known/pki-validation/swisssign-check.txt (SwissSign)

for automated SSL certificate verifications. All (common commercial)
certificate authorities (CA) except Let's Encrypt (via ACME) seem to
use "pki-validation" rather "acme-challenge" for their domain control
validation (DCV).

Signed-off-by: Robert Scheck <robert@fedoraproject.org>
2018-02-05 15:33:42 +01:00
Lukas Reschke
bff6c8aafc
Move X-Frame-Options into PHP
The public calendar view should be embeddable and we can't do that if the .htaccess sets a global X-Frame-Options.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-03-26 17:26:11 +02:00
Flole998
075d39e61a Fix for Win Clients sometimes not connecting
Fix for Win Clients sometimes not connecting
2017-02-03 23:47:18 +01:00
Jörn Friedrich Dreyer
9802c5cdd8
Cache js, css and woff files for a week (#26591)
increases the cache duration for css and js files from 2 hours to half a year. Should they change the versionhash changes as well and a new file is fetched. Half a year should be long enough for oc updates.

Also allows caching woff files for 7 days. Currently, there is no versionhash available, but pressing F5 will also refresh the woff files.
2016-11-14 16:52:28 +01:00
Joas Schilling
a3c8534b7b
Make sure memory limit is > post size and upload filesize 2016-09-13 16:50:36 +02:00
Lukas Reschke
35743c187d
Also cache WOFF, SVG and GIF 2016-08-08 17:39:53 +02:00
Martin
1059315e09 .htaccess update making two rules non-capturing 2016-06-03 16:34:26 +02:00
Lukas Reschke
52add798d4 Do not automatically try to enable index.php-less URLs (#24539)
The current logic for mod_rewrite relies on the fact that people have properly configured ownCloud, basically it reads from the `overwrite.cli.ur
l` entry and then derives the `RewriteBase` from it.

This usually works. However, since the ownCloud packages seem to install themselves at `/owncloud` (because subfolders are cool or so…) _a lot_ of people have just created a new Virtual Host for it or have simply symlinked the path etc.

This means that `overwrite.cli.url` is wrong, which fails hard if it is used as RewriteBase since Apache does not know where it should serve files from. In the end the ownCloud instance will not be accessible anymore and users will be frustrated. Also some shared hosters like 1&1 (because using shared hosters is so awesome… ;-)) have somewhat dubious Apache configurations or use versions of mod_rewrite from the mediveal age. (because updating is money or so…)

Anyhow. This makes this explicitly an opt-in configuration flag. If `htaccess.RewriteBase` is set then it will configure index.php-less URLs, if
admins set that after installation and don't want to wait until the next ownCloud version they can run `occ maintenance:update:htaccess`.

For ownCloud 9.0 we also have to add a repair step to make sure that instances that already have a RewriteBase configured continue to use it by copying it into the config file. That way all existing URLs stay valid. That one is not in this PR since this is unneccessary in master.

Effectively this reduces another risk of breakage when updating from ownCloud 8 to ownCloud 9.

Fixes https://github.com/owncloud/core/issues/24525, https://github.com/owncloud/core/issues/24426 and probably some more.
2016-05-12 09:43:26 +02:00
Lukas Reschke
24abe1e1e1 Use raw PATH_INFO
PATH_INFO will be empty at this point and thus the logic in base.php did not catch this. Changing this to "getRawPathInfo" will ensure that the path info is properly read.

Fixes https://github.com/owncloud/core/issues/23199
2016-03-17 17:32:38 +01:00
Lukas Reschke
ee84017192 always_populate_raw_post_data has been removed with PHP 7.0 2016-03-15 11:28:14 +01:00
Lukas Reschke
2cfde7cd0b Duplicate block for PHP 7 2016-03-15 10:41:17 +01:00
Stephan Köninger
73a7c45dd4 Allow jpg files to be statically served
When using an background image in themes of type JPG, the current setting of owncloud's htaccess file does not allow to deliver these kinds of images as static content. Adding the file extensions as done in this commit, it works flawlessly.
2016-03-10 23:08:56 +01:00
Lukas Reschke
bc4a043a76 Add base rewrite rule only when RewriteBase is defined
In case Apache is configured with an `Alias` such as with the ownCloud packages the rewrite rules will fail when no valid RewriteBase is configured.
2016-03-09 15:13:07 +01:00
Lukas Reschke
0a624c0f1e Exclude ocs-provider from rewrite rule
Otherwise `localhost/ocs-provider/` cannot be accessed if mod_rewrite is install
ed. Only affects master.
2016-02-25 18:47:09 +01:00
Thomas Müller
e6a1e78149 Merge pull request #18194 from RealRancor/proxy_fcgi
Add mod_proxy_fcgi to .htaccess
2016-02-05 13:29:41 +01:00
Victor Dubiniuk
4ced903427 Do not rewrite updater requests 2016-01-28 20:04:56 +03:00
Lukas Reschke
4d0dcd3c53 Add X-Download-Options and X-Permitted-Cross-Domain-Policies
Two small security hardenings for our IE users and those with Adobe products. Aligns it more with https://github.com/twitter/secureheaders#secureheaders---
2016-01-12 10:37:16 +01:00
Lukas Reschke
28165876fc Remove CSP stuff from .htaccess
😢 Seems like Apache is inconsistent fun between versions. Let's remove it thus for now.
2016-01-08 11:31:42 +01:00
Jörn Friedrich Dreyer
047008e9e3 always check if the csp is empty 2016-01-08 11:08:38 +01:00
Lukas Reschke
1ae30d1d9c Use setifempty to please incompatible httpd versions
Some httpd versions have problem with the old logic leading to resourced served with multiple headers.
2016-01-08 11:08:37 +01:00
Thomas Müller
e307406486 Merge pull request #20966 from knox/master
Do not rewrite letsencrypt .well-known URI
2016-01-07 17:16:51 +01:00
Morris Jobke
2f53866668 Allow ico files to be served statically 2016-01-06 13:45:11 +01:00
mbi
63974992f9 Merge branch 'master' into master 2015-12-30 10:34:42 +01:00
Thomas Müller
f831d93f3f Merge pull request #20878 from owncloud/proper-htaccess-support-in-code-signing-checker
Also run .htaccess routine when installing on another system than Apache
2015-12-11 11:46:37 +01:00
mbi
1aff941be6 Do not rewrite letsencrypt .well-known URI 2015-12-08 21:11:38 +01:00
mbi
508c46a112 Merge branch 'master' into master 2015-12-08 21:02:52 +01:00
Lukas Reschke
235094ab54 Remove version check out of .htaccess
This can now be achieved using the new code signing.
2015-12-08 08:16:23 +01:00
Lukas Reschke
3bce1b20fe Add DirectorySlash to dynamic .htaccess write
When `DirectorySlash off` is set then Apache will not lookup folders anymore. This is required for example when we use the rewrite directives on an existing path such as  `/core/search`. By default Apache would load `/core/search/` instead `/core/search` so the redirect would fail here.

This leads however to the problem that URLs such as `localhost/owncloud` would not load anymore while `localhost/owncloud/` would. This has caused problems such as https://github.com/owncloud/core/pull/21015

With this change we add the `DirectorySlash off` directive only when the `.htaccess` is writable to the dynamic part of it. This would also make `localhost/owncloud` work again as it would trigger the 404 directive which triggers the redirect in base.php.
2015-12-08 08:10:55 +01:00
Lukas Reschke
37efc1d1e1 Allow .ico files
Makes `/core/img/favicon.ico` accessible again via web.
2015-12-07 17:15:04 +01:00
Lukas Reschke
7b9bc721e9 Add CSP header to static resources
Fixes https://github.com/owncloud/core/issues/16164
2015-12-07 15:50:09 +01:00
mbi
27f420e0a7 Allow .well-known URI for letsencrypt
See https://letsencrypt.readthedocs.org/en/latest/using.html#webroot
2015-12-05 23:22:26 +01:00
Morris Jobke
65b4d97a2a fix indentation 2015-12-02 10:51:52 +01:00
Lukas Reschke
a936107c5c Append PATH_INFO to ensure that file can be loaded on update 2015-12-01 20:15:45 +01:00
Lukas Reschke
f87dca95f1 Disable MultiView + DirectorySlash
Required for routes that might otherwise collide with existing folders on the system
2015-12-01 19:57:03 +01:00
Lukas Reschke
002e719789 Set "SetEnv" within base .htaccess file
mod_rewrite as used by the front controller may require a `RewriteBase` in case the installation is done using an alias. Since we cannot enforce a writable `.htaccess` file this will move the `front_controller_active` environment variable into the main .htaccess file. If administrators decide to have this one not writable they can still enable this feature by setting the `front_controller_active` environment variable within the Apache config.
2015-12-01 19:06:48 +01:00
Lukas Reschke
2515cb17be Support pretty URLs
This changeset allows ownCloud to run with pretty URLs, they will be used if mod_rewrite and mod_env are available. This means basically that the `index.php` in the URL is not shown to the user anymore.

Also the not deprecated functions to generate URLs have been modified to support this behaviour, old functions such as `filePath` will still behave as before for compatibility reasons.

Examples:
http://localhost/owncloud/index.php/s/AIDyKbxiRZWAAjP => http://localhost/owncloud/s/AIDyKbxiRZWAAjP
http://localhost/owncloud/index.php/apps/files/ => http://localhost/owncloud/apps/files/

Due to the way our CSS and JS is structured the .htaccess uses some hacks for the final result but could be worse... And I was just annoyed by all that users crying for the removal of `index.php` ;-)
2015-12-01 16:46:07 +01:00
Thomas Müller
7451e5bebc Update .well-known redirects to the new dav endpoint
This reverts commit 68321efd29.
2015-11-18 17:41:03 +01:00
Thomas Müller
68321efd29 Revert "Update .well-known redirects to the new dav endpoint"
This reverts commit d831c255ea.
2015-11-18 17:38:46 +01:00
Thomas Müller
d831c255ea Update .well-known redirects to the new dav endpoint 2015-11-18 17:37:07 +01:00
RealRancor
e30e6710dc Add mod_proxy_fcgi and mod_fastcgi to .htaccess 2015-11-17 22:01:36 +01:00
RealRancor
64cb226bfb Remove legacy non-working rewrites in .htaccess 2015-10-15 14:22:43 +02:00
Joas Schilling
6ca58cd856 Master is now 9.0.0 development 2015-10-14 07:40:06 +02:00
RealRancor
c3dfa3ccad Fix .htaccess: php_value should be integer 2015-09-29 17:08:20 +02:00
Morris Jobke
df81019a1e properly indent .htaccess 2015-08-16 15:40:03 +02:00
Frank Karlitschek
2eb9936d77 This will be 8.2 in the future 2015-07-01 10:06:26 -04:00
Lukas Reschke
5fdc1716d2 Merge pull request #15042 from wolfgangkarall/master
.htaccess RewriteRules: use permanent redirect for .well-known/(cal|card)dav, add 'L' flag
2015-03-30 16:22:36 +02:00
Lukas Reschke
9d1ce53cb1 Add some generic default headers as well via PHP 2015-03-26 22:32:57 +01:00
Wolfgang Karall
6cc50ecfab use permanent redirect for .well-known/(cal|card)dav, add 'L' flag 2015-03-19 21:31:50 +01:00
Lukas Reschke
bbd5f28415 Let users configure security headers in their Webserver
Doing this in the PHP code is not the right approach for multiple reasons:

1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.

This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
2015-03-02 19:07:46 +01:00