
Data folder accessible if "Satisfy Any" is set #6449

@MichaIng

Description

@MichaIng

Rewards are always welcome though, but it was not me who stumbled upon this: https://help.nextcloud.com/t/htaccess-warning-while-configuration-should-be-ok/20280/17?u=michaing

Steps to reproduce

  1. Set up Nextcloud on Apache2 without pretty URLs and with the data directory inside the Nextcloud root.
  2. Ensure .htaccess files are used as expected to prevent access to the data folder.
  3. Add Satisfy Any to the Nextcloud vhost/config file, as the admin manual mentions is necessary in some cases: https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html#additional-apache-configurations
  4. Try to access a file inside the data folder by using its direct URL.

Expected behaviour

Access should be forbidden.

Actual behaviour

Access works very well.

  • Pretty URLs lead to redirection of requests to the Nextcloud base URL, but access to e.g. /data/index.html is still possible.

Server configuration

Operating system: Raspbian/Debian Stretch

Web server: Apache/2.4.25

Database: MariaDB 10.1

PHP version: 7.0.19-1

Nextcloud version: 12.0.2

Updated from an older Nextcloud/ownCloud or fresh install: updated

Where did you install Nextcloud from: downloads.nextcloud.com

Signing status:

Signing status
No errors have been found.

List of activated apps:

App list
Enabled:
  - activity: 2.5.2
  - apporder: 0.4.0
  - calendar: 1.5.3
  - contacts: 1.5.3
  - dav: 1.3.0
  - federatedfilesharing: 1.2.0
  - files: 1.7.2
  - files_sharing: 1.4.0
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - gallery: 17.0.0
  - impersonate: 1.0.1
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - ownnote: 1.08
  - polls: 0.7.3
  - previewgenerator: 1.0.6
  - provisioning_api: 1.2.0
  - serverinfo: 1.2.0
  - sharerenamer: 1.3
  - tasks: 0.9.5
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - workflowengine: 1.2.0
Disabled:
  - admin_audit
  - comments
  - encryption
  - federation
  - files_external
  - files_pdfviewer
  - files_texteditor
  - files_videoplayer
  - firstrunwizard
  - imprint
  - password_policy
  - sharebymail
  - survey_client
  - systemtags
  - theming
  - user_external
  - user_ldap

Nextcloud configuration:

Config report
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "my.domain.org"
        ],
        "datadirectory": "\/mnt\/sda\/ncdata", #Tested with a manually created data directory + test files inside the nextcloud root, and with occ maintenance:update:htaccess to create the correct .htaccess file inside.
        "dbtype": "mysql",
        "version": "12.0.2.0",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "\/var\/run\/redis\/redis.sock",
            "port": 0,
            "dbindex": 0,
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 1.5
        },
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "ocv2j0skx6hk",
        "loglevel": 3,
        "logtimezone": "Europe\/Berlin",
        "trashbin_retention_obligation": "disabled",
        "versions_retention_obligation": "disabled",
        "skeletondirectory": "",
        "defaultapp": "apporder",
        "maintenance": false,
        "overwrite.cli.url": "https:\/\/my.domain.org\/nextcloud",
        "htaccess.RewriteBase": "\/nextcloud", #Tested without pretty URLs, as they redirect access attempts to all files except at least index.html inside the data directory.
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpsecure": "tls",
        "mail_from_address": "my.mail",
        "mail_domain": "gmx.de",
        "mail_smtpauth": 1,
        "mail_smtphost": "mail.gmx.net",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    },
    "apps": {
        "activity": {
            "enabled": "yes",
            "installed_version": "2.5.2",
            "notify_email_calendar": "0",
            "notify_email_calendar_event": "0",
            "notify_email_calendar_todo": "0",
            "notify_email_favorite": "0",
            "notify_email_file_changed": "0",
            "notify_email_file_created": "0",
            "notify_email_file_deleted": "0",
            "notify_email_file_downloaded": "0",
            "notify_email_file_restored": "0",
            "notify_email_public_links": "0",
            "notify_email_remote_share": "0",
            "notify_email_shared": "0",
            "notify_setting_batchtime": "604800",
            "notify_setting_self": "1",
            "notify_setting_selfemail": "0",
            "notify_stream_calendar": "1",
            "notify_stream_calendar_event": "1",
            "notify_stream_calendar_todo": "1",
            "notify_stream_favorite": "1",
            "notify_stream_file_changed": "1",
            "notify_stream_file_created": "1",
            "notify_stream_file_deleted": "1",
            "notify_stream_file_downloaded": "1",
            "notify_stream_file_favorite": "0",
            "notify_stream_file_restored": "1",
            "notify_stream_public_links": "1",
            "notify_stream_remote_share": "1",
            "notify_stream_shared": "1",
            "types": "filesystem"
        },
        "apporder": {
            "enabled": "yes",
            "installed_version": "0.4.0",
            "order": "[\"\/nextcloud\/index.php\/apps\/activity\/\",\"\/nextcloud\/index.php\/apps\/files\/\",\"\/nextcloud\/index.php\/apps\/gallery\/\",\"\/nextcloud\/index.php\/apps\/contacts\/\",\"\/nextcloud\/index.php\/apps\/calendar\/\",\"\/nextcloud\/index.php\/apps\/tasks\/\",\"\/nextcloud\/index.php\/apps\/ownnote\/\",\"\/nextcloud\/index.php\/apps\/polls\/\"]",
            "types": ""
        },
        "backgroundjob": {
            "lastjob": "20"
        },
        "calendar": {
            "enabled": "yes",
            "installed_version": "1.5.3",
            "types": ""
        },
        "comments": {
            "enabled": "no",
            "installed_version": "1.2.0",
            "types": "logging"
        },
        "contacts": {
            "enabled": "yes",
            "installed_version": "1.5.3",
            "types": ""
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "installedat": "1496402497.1163",
            "lastcron": "1505128503",
            "lastupdateResult": "[]",
            "lastupdatedat": "1505127887",
            "moveavatarsdone": "yes",
            "oc.integritycheck.checker": "[]",
            "previewsCleanedUp": "1",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "scss.variables": "d41d8cd98f00b204e9800998ecf8427e",
            "shareapi_allow_resharing": "no",
            "shareapi_enforce_links_password": "yes",
            "updater.secret.created": "1503506277",
            "vendor": "nextcloud"
        },
        "dav": {
            "enabled": "yes",
            "installed_version": "1.3.0",
            "types": "filesystem"
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": ""
        },
        "federation": {
            "enabled": "no",
            "installed_version": "1.2.0",
            "types": "authentication"
        },
        "files": {
            "cronjob_scan_files": "500",
            "enabled": "yes",
            "installed_version": "1.7.2",
            "types": "filesystem"
        },
        "files_downloadactivity": {
            "enabled": "no",
            "installed_version": "1.1.1",
            "types": "filesystem"
        },
        "files_pdfviewer": {
            "enabled": "no",
            "installed_version": "1.1.1",
            "ocsid": "166049",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "1.4.0",
            "lookupServerUploadEnabled": "no",
            "types": "filesystem"
        },
        "files_texteditor": {
            "enabled": "no",
            "installed_version": "2.4.1",
            "ocsid": "166051",
            "types": ""
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "filesystem"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.5.0",
            "types": "filesystem"
        },
        "files_videoplayer": {
            "enabled": "no",
            "installed_version": "1.1.0",
            "types": ""
        },
        "firstrunwizard": {
            "enabled": "no",
            "installed_version": "2.1",
            "types": "logging"
        },
        "gallery": {
            "enabled": "yes",
            "installed_version": "17.0.0",
            "types": ""
        },
        "impersonate": {
            "enabled": "yes",
            "installed_version": "1.0.1",
            "types": ""
        },
        "imprint": {
            "content": "test test",
            "enabled": "no",
            "installed_version": "0.2.5",
            "position-guest": "header-right",
            "position-login": "header-right",
            "position-user": "header-right",
            "types": ""
        },
        "logreader": {
            "enabled": "yes",
            "installed_version": "2.0.0",
            "levels": "00011",
            "ocsid": "170871",
            "types": ""
        },
        "lookup_server_connector": {
            "enabled": "yes",
            "installed_version": "1.0.0",
            "types": "authentication"
        },
        "nextcloud_announcements": {
            "enabled": "yes",
            "installed_version": "1.1",
            "pub_date": "Sat, 10 Dec 2016 00:00:00 +0100",
            "types": "logging"
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "2.0.0",
            "types": "logging"
        },
        "oauth2": {
            "enabled": "yes",
            "installed_version": "1.0.5",
            "types": "authentication"
        },
        "ownbackup": {
            "enabled": "no",
            "installed_version": "17.5.0",
            "types": ""
        },
        "ownnote": {
            "enabled": "yes",
            "folder": "ownNotes",
            "installed_version": "1.08",
            "types": ""
        },
        "password_policy": {
            "enabled": "no",
            "installed_version": "1.2.2",
            "types": ""
        },
        "polls": {
            "enabled": "yes",
            "installed_version": "0.7.3",
            "types": ""
        },
        "previewgenerator": {
            "enabled": "yes",
            "installed_version": "1.0.6",
            "types": "filesystem"
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "prevent_group_restriction"
        },
        "rainloop": {
            "enabled": "no",
            "installed_version": "5.0.1",
            "rainloop-autologin": "1",
            "types": ""
        },
        "serverinfo": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": ""
        },
        "sharebymail": {
            "enabled": "no",
            "installed_version": "1.2.0",
            "types": "filesystem"
        },
        "sharerenamer": {
            "enabled": "yes",
            "installed_version": "1.3",
            "types": ""
        },
        "survey_client": {
            "enabled": "no",
            "installed_version": "1.0.0",
            "types": ""
        },
        "systemtags": {
            "enabled": "no",
            "installed_version": "1.2.0",
            "types": "logging"
        },
        "tasks": {
            "enabled": "yes",
            "installed_version": "0.9.5",
            "types": ""
        },
        "theming": {
            "enabled": "no",
            "installed_version": "1.3.0",
            "types": "logging"
        },
        "twofactor_backupcodes": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "types": ""
        },
        "updatenotification": {
            "core": "12.0.2.0",
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "",
            "update_check_errors": "0"
        },
        "workflowengine": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "filesystem"
        }
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Opera 49 + Edge 40.15 were tested.

Operating system:

Logs

Web server error log

none

Nextcloud log (data/nextcloud.log)

none

Browser log

none
