Consider Satisfy all in data/.htaccess #14356
Comments
Proposal at #14359

That said I don't have any strong feelings towards or against this…

@jnweiger This was reported by somebody to our security ML who had basically the following additional config to what we have in our Debian 7 packages for 8.0:
The However, to make the life of future users easier and make the risk of misconfiguration as low as possible I proposed this change here. What do you think? Does this make sense?

@LukasReschke where did the 'Satisfy Any' come from? I don't see it in Linux packages.

That's the user's own setting in addition to the packages.

Only question is, what if someone puts their auth code in the server configs, not in the

Well.. It's kinda the purpose that /data/ is never accessible even if you configure it like that by mistake in your server config ;)

See #14359 for the actual change.

Wait, data/.htaccess, not just .htaccess. Doh!

😄

For best security I'd recommend to configure the data folder somewhere outside of any webserver tree.
Should we add Satisfy all in data/.htaccess to prevent potential mistakes where somebody protected their ownCloud instance with a Basic Auth login and forgot to properly configure the data dir manually again?

As per https://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements:
From my PoV this wouldn't really hurt and it seems to work locally.
Opinions?
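
The situation discussed in this issue, as an added configuration sketch (not the reporter's config and not ownCloud's shipped files). It assumes Apache 2.2-style access control (mod_access_compat on 2.4), a constructed server-config block that combines Basic Auth with Satisfy Any, and a data/.htaccess that contains only a host-based deny; all paths, the realm and the address range are placeholders.

```apache
# Constructed example. Paths, realm and address range are placeholders.

# --- Server config: Basic Auth placed in front of the whole instance ---
<Directory "/var/www/owncloud">
    AllowOverride All

    AuthType Basic
    AuthName "ownCloud"
    AuthUserFile "/etc/apache2/owncloud.htpasswd"
    Require valid-user

    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # Either a trusted address OR a valid login is enough.
    # Like Require, this setting is inherited by every subdirectory,
    # including data/.
    Satisfy Any
</Directory>

# --- data/.htaccess, variant A: host-based deny only (assumed baseline) ---
# data/ inherits "Require valid-user" and "Satisfy Any" from above.
# The host check fails, but the auth check passes for any valid login,
# and "Any" needs only one of the two, so the Deny no longer protects data/.
Deny from all

# --- data/.htaccess, variant B: with the line proposed in this issue ---
# "Satisfy all" overrides the inherited "Any" for data/ only: the host
# check AND the auth check must both pass. "Deny from all" fails the
# host check for every client, so data/ stays closed regardless of login.
Deny from all
Satisfy all
```

Satisfy in an .htaccess file is honoured only when AllowOverride for that directory includes AuthConfig, and Deny needs Limit; with AllowOverride None neither variant has any effect.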