Merge pull request #16792 from MichaIng/patch-1

Harden data and config protection .htaccess

Author: rullzer

config/.htaccess

@@ -1,14 +1,25 @@
-# line below if for Apache 2.4
-<ifModule mod_authz_core.c>
-Require all denied
-</ifModule>
+# Section for Apache 2.4 to 2.6
+<IfModule mod_authz_core.c>
+  Require all denied
+</IfModule>
+<IfModule mod_access_compat.c>
+  Order Allow,Deny
+  Deny from all
+  Satisfy All
+</IfModule>
 
-# line below if for Apache 2.2
-<ifModule !mod_authz_core.c>
-deny from all
-</ifModule>
+# Section for Apache 2.2
+<IfModule !mod_authz_core.c>
+  <IfModule !mod_access_compat.c>
+    <IfModule mod_authz_host.c>
+      Order Allow,Deny
+      Deny from all
+    </IfModule>
+    Satisfy All
+  </IfModule>
+</IfModule>
 
-# section for Apache 2.2 and 2.4
-<ifModule mod_autoindex.c>
-IndexIgnore *
-</ifModule>
+# Section for Apache 2.2 to 2.6
+<IfModule mod_autoindex.c>
+  IndexIgnore *
+</IfModule>

lib/private/Setup.php

@@ -556,19 +556,29 @@ public static function protectDataDirectory() {
 		//Require all denied
 		$now = date('Y-m-d H:i:s');
 		$content = "# Generated by Nextcloud on $now\n";
-		$content .= "# line below if for Apache 2.4\n";
-		$content .= "<ifModule mod_authz_core.c>\n";
-		$content .= "Require all denied\n";
-		$content .= "</ifModule>\n\n";
-		$content .= "# line below if for Apache 2.2\n";
-		$content .= "<ifModule !mod_authz_core.c>\n";
-		$content .= "deny from all\n";
-		$content .= "Satisfy All\n";
-		$content .= "</ifModule>\n\n";
-		$content .= "# section for Apache 2.2 and 2.4\n";
-		$content .= "<ifModule mod_autoindex.c>\n";
-		$content .= "IndexIgnore *\n";
-		$content .= "</ifModule>\n";
+		$content .= "# Section for Apache 2.4 to 2.6\n";
+		$content .= "<IfModule mod_authz_core.c>\n";
+		$content .= "  Require all denied\n";
+		$content .= "</IfModule>\n";
+		$content .= "<IfModule mod_access_compat.c>\n";
+		$content .= "  Order Allow,Deny\n";
+		$content .= "  Deny from all\n";
+		$content .= "  Satisfy All\n";
+		$content .= "</IfModule>\n\n";
+		$content .= "# Section for Apache 2.2\n";
+		$content .= "<IfModule !mod_authz_core.c>\n";
+		$content .= "  <IfModule !mod_access_compat.c>\n";
+		$content .= "    <IfModule mod_authz_host.c>\n";
+		$content .= "      Order Allow,Deny\n";
+		$content .= "      Deny from all\n";
+		$content .= "    <IifModule>\n";
+		$content .= "    Satisfy All\n";
+		$content .= "  </IfModule>\n";
+		$content .= "</IfModule>\n\n";
+		$content .= "# Section for Apache 2.2 to 2.6\n";
+		$content .= "<IfModule mod_autoindex.c>\n";
+		$content .= "  IndexIgnore *\n";
+		$content .= "</IfModule>";
 
 		$baseDir = \OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data');
 		file_put_contents($baseDir . '/.htaccess', $content);