Rules for NextCloud installs (and possibly OwnCloud). #982
Here are the rules to allow NextCloud (and likely OwnCloud) to be able to work. They are from #899.
As I was making this PR, I noticed that many of the rules are just turning off other rules. I would like for them to specifically target the variables being used, and try to make them more exact. But they are still fairly decent. (I'm just putting this here to remind myself of this).
I added some notes to each rule, to show more of what it is doing. And fixed the formatting. They should be up to par with the Contributing.md.
A commit referencing this pull request was added on Dec 29, 2017.
I finally took the time to take a closer look at this.
This is very good. Clean and systematic.
There are a few minor questions and requests, you might be
Thanks once again for this PR. If you have a response to this,
Yes, I can go ahead and fix these. That "Testing for upload fix" was just there to see if anyone could get that variable based fix to work. But I'm going to put it up to the top with just the 4 lines of code that are actually needed. Give me a few and I'll upload the fixes.
Ya, no problem. As for the block choosing 9012 rather than 9003, at first I wanted to jump a few blocks in case someone else was using those. And I picked 9012 because 12 devs made Nextcloud. Kind of random, but that's why. If you'd like it moved to 9003, I can do that. I can do the same with DokuWiki, and make it 9004.
Oh, and feel free to reword the comments as needed.
We are nearly there. The ordering of actions in the rules does not adhere to the contributing standard. Most of the rules need to be modified, mainly the disruptive action needs to be moved upwards, after the phase declaration. Also, SecMarker tags must be quoted using double quotes.
I think it can be merged after that. Very good job!
Feb 5, 2018: 1 check passed. Referenced this pull request Feb 5, 2018.
Thanks for merging this.
@fzipi, after seeing @dune73 's edits, I'm getting a much better idea of what you meant on the rule reordering. I agree with you about a tool that could be used for checking (and possibly fixing) rules. It wouldn't be very hard to do in perl or something like that. I may even write up something, unless you have already started writing such a tool. (I wrote a quick tool to check for trailing white spaces before git commits, as the failed builds were annoying me).
Also, @dune73, I'm not sure if Nextcloud changed the password changing setup, or maybe I missed something. But rule 9003500 needs a change so it won't block passwords. And another rule was needed for user password changes. Here are the changes from line 266 on:
@@ -264,8 +264,11 @@ ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2" # Change Password and Setting up a new user/password +# /index.php/settings/users +# /index.php/settings/users/users +# /index.php/settings/users/changepassword -SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \ +SecRule REQUEST_FILENAME "@rx /index.php/settings/users(|/users|/changepassword)$" \ "id:9003500,\ phase:2,\ pass,\ @@ -274,6 +277,16 @@ ctl:ruleRemoveTargetByTag=CRS;ARGS:newuserpassword,\ ctl:ruleRemoveTargetByTag=CRS;ARGS:password" +SecRule REQUEST_FILENAME "@endsWith /index.php/settings/personal/changepassword" \ + "id:9003510,\ + phase:2,\ + pass,\ + t:none,\ + nolog,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:password,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:oldpassword,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:newpassword,\ + ctl:ruleRemoveTargetByTag=CRS;ARGS:newpassword-clone" SecMarker END-NEXTCLOUD-ADMIN
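Review bot: in the rewritten 9003500 target, `@rx /index.php/settings/users(|/users|/changepassword)$` relies on an empty alternative and leaves the dot in `index.php` unescaped; `@rx /index\.php/settings/users(/users|/changepassword)?$` expresses the same three paths more plainly, and because the pattern is anchored only at the end it keeps the suffix-matching behaviour of the previous `@endsWith`. The three path comments added above the rule match the alternatives, which is good.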
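Review bot: the new rule 9003510 carries no descriptive comment, unlike the 9003500 block just above it, which lists the paths it covers; a line such as `# Change own password` with the `/index.php/settings/personal/changepassword` path before the SecRule would keep the file consistent. The action order (id, phase, pass, t:none, nolog, ctl) follows the order requested earlier in the thread. Note that the four `ctl:ruleRemoveTargetByTag=CRS;ARGS:...` actions remove those parameters from every CRS-tagged rule for that path, so their content goes entirely unchecked there; that is the intended trade-off for a rule exclusion package, but it is worth stating in the comment.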
Thank you for the update @bagley, I'll incorporate that in the other PR.
As for the script: @fzipi's work together with @fgsch's contribution is what you should base yourself on. It would help the project and other contributors a big deal. Please don't revert to perl, if you can do it in python. And yes, contributing this would be awesome (on top of two very nice rule exclusion packages you contributed).
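As an added illustration of the rule checker discussed above by @bagley and @dune73 (example code written for this page, not the project's tool nor the work by @fzipi and @fgsch that the reply refers to), this folds continuation lines, splits each rule's action list and flags a disruptive action placed after later actions as well as an unquoted SecMarker. Only "id, phase, disruptive action first" comes from the thread; the rest of the slot order is an assumption.

```python
import re
# Slot order: id, phase, disruptive action first, as the review quotes from the CRS
# contributing standard; the remaining slots are an assumption taken from the CRS
# documentation of the time and may differ from the current CONTRIBUTING.md.
ACTION_ORDER = ["id", "phase", "disruptive", "status", "capture", "t", "log", "auditlog",
                "msg", "logdata", "tag", "sanitiseArg", "sanitiseMatched", "ctl", "ver",
                "severity", "setvar", "expirevar", "chain", "skip", "skipAfter"]
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}

def action_key(action):
    """Map an action token ('ctl:ruleRemove...', 'nolog', 'pass') to its order slot."""
    name = action.split(":", 1)[0]
    if name in DISRUPTIVE:
        return "disruptive"
    return {"nolog": "log", "noauditlog": "auditlog"}.get(name, name)

def split_actions(action_string):
    """Split on commas outside single quotes, so msg:'a, b' stays one action."""
    parts = re.split(r",(?=(?:[^']*'[^']*')*[^']*$)", action_string)
    return [p.strip() for p in parts if p.strip()]

def check_rules(text):
    """Return findings for action order and SecMarker quoting in a rule file."""
    findings = []
    joined = text.replace("\\\n", " ")  # fold backslash line continuations
    for m in re.finditer(r'SecRule\s+\S+\s+"[^"]*"\s+"([^"]*)"', joined):
        actions = split_actions(m.group(1))
        rule_id = next((a[3:] for a in actions if a.startswith("id:")), "?")
        prev_rank, prev_name = -1, ""
        for act in actions:
            key = action_key(act)
            if key not in ACTION_ORDER:
                findings.append(f"rule {rule_id}: unknown action '{act}'")
                continue
            rank = ACTION_ORDER.index(key)
            if rank < prev_rank:  # a lower slot than one already emitted
                findings.append(f"rule {rule_id}: '{act}' must come before '{prev_name}'")
            elif rank > prev_rank:
                prev_rank, prev_name = rank, act
    for m in re.finditer(r"SecMarker\s+(\S+)", joined):
        if not re.fullmatch(r'"[^"]+"', m.group(1)):
            findings.append(f"SecMarker {m.group(1)} must be double-quoted")
    return findings

# Constructed sample: 'pass' after 'nolog' (the review's defect), one unquoted and one quoted marker.
SAMPLE = r'''SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
    "id:9003500,phase:2,t:none,nolog,pass,ctl:ruleRemoveTargetByTag=CRS;ARGS:newuserpassword"
SecMarker END-NEXTCLOUD-ADMIN
SecMarker "END-NEXTCLOUD"'''
```

Running `check_rules(SAMPLE)` reports the misplaced `pass` and the unquoted marker; a rule whose actions already follow the order returns no findings.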