From 5212fa3fa76b3cef3fc862e75dfd66fbb5ada688 Mon Sep 17 00:00:00 2001
From: Frank Karlitschek <frank@owncloud.org>
Date: Thu, 21 Jun 2012 14:18:43 +0200
Subject: [PATCH] check if the data directory is accessible via http. Show a
big security warning if yes
---
lib/util.php | 41 ++++++++++++++++++++++++++++++++++++
settings/admin.php | 2 ++
settings/css/settings.css | 8 +++++--
settings/templates/admin.php | 13 ++++++++++++
4 files changed, 62 insertions(+), 2 deletions(-)
diff --git a/lib/util.php b/lib/util.php
index 1eeb70aca6..58d6ab1be7 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -417,5 +417,46 @@ class OC_Util {
else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4
return $value;
}
+
+
+
+
+
+ /**
+ * Check if the htaccess file is working buy creating a test file in the data directory and trying to access via http
+ */
+ public static function ishtaccessworking() {
+
+ // testdata
+ $filename='/htaccesstest.txt';
+ $testcontent='testcontent';
+
+ // creating a test file
+ $testfile = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ).'/'.$filename;
+ $fp = @fopen($testfile, 'w');
+ @fwrite($fp, $testcontent);
+ @fclose($fp);
+
+ // accessing the file via http
+ $url = OC_Helper::serverProtocol(). '://' . OC_Helper::serverHost() . OC::$WEBROOT.'/data'.$filename;
+ $fp = @fopen($url, 'r');
+ $content=@fread($fp, 2048);
+ @fclose($fp);
+
+ // cleanup
+ @unlink($testfile);
+
+ // does it work ?
+ if($content==$testcontent) {
+ return(false);
+ }else{
+ return(true);
+ }
+
+ }
+
+
+
+
}
diff --git a/settings/admin.php b/settings/admin.php
index 88aae5bdb6..a6928bf82d 100644
--- a/settings/admin.php
+++ b/settings/admin.php
@@ -15,6 +15,7 @@ OC_App::setActiveNavigationEntry( "admin" );
$tmpl = new OC_Template( 'settings', 'admin', 'user');
$forms=OC_App::getForms('admin');
+$htaccessworking=OC_Util::ishtaccessworking();
$entries=OC_Log_Owncloud::getEntries(3);
function compareEntries($a,$b){
@@ -24,6 +25,7 @@ usort($entries, 'compareEntries');
$tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 ));
$tmpl->assign('entries',OC_Util::sanitizeHTML($entries));
+$tmpl->assign('htaccessworking',$htaccessworking);
$tmpl->assign('forms',array());
foreach($forms as $form){
$tmpl->append('forms',$form);
diff --git a/settings/css/settings.css b/settings/css/settings.css
index 6e9d2432e4..f45fa9bc01 100644
--- a/settings/css/settings.css
+++ b/settings/css/settings.css
@@ -48,7 +48,11 @@ li.active { color:#000; }
small.externalapp { color:#FFF; background-color:#BBB; font-weight:bold; font-size:6pt; padding:4px; border-radius: 4px;}
span.version { margin-left:3em; color:#ddd; }
-/* LOF */
+/* LOG */
#log { white-space:normal; }
/* Don't show blank images */
-img[src=""] { display:none}
\ No newline at end of file
+img[src=""] { display:none}
+
+/* ADMIN */
+span.securitywarning {color:#C33; font-weight:bold; }
+
diff --git a/settings/templates/admin.php b/settings/templates/admin.php
index d167f2780e..9f839cf749 100644
--- a/settings/templates/admin.php
+++ b/settings/templates/admin.php
@@ -4,8 +4,21 @@
* See the COPYING-README file.
*/
$levels=array('Debug','Info','Warning','Error','Fatal');
+
+if(!$_['htaccessworking']) {
+ ?>
+ <fieldset class="personalblock">
+ <legend><strong><?php echo $l->t('Security Warning');?></strong></legend>
+
+ <span class="securitywarning">Your data directory and your files are probably accessible from the internet. The .htaccess file that ownCloud provides is not working. We strongly suggest that you configure your webserver in a way that the data directory is no longer accessible or you move the data directory outside the webserver document root.</span>
+
+ </fieldset>
+ <?php
+}
?>
+
+
<?php foreach($_['forms'] as $form){
echo $form;
};?>
--
GitLab