How to hide the data directory from external access #62
Also interested in this
Hello all,
I was under the same impression, that the data directory is not leaked, but I wasn't quite sure. At least the warning produced by the RainLoop library must have some means to determine the fact, and if they thought it was true, there might be some tricky way I just couldn't find out.
The warning disappeared after I blocked this URL in the Chrome developer tools.
I don't have time to check the code, but I assume that a 403 is expected while nextcloud generates a 302 redirect.
The code responsible for this in Rainloop is here: line 32
And as said previously, Nextcloud does reply to this by redirecting the request to the Files application. So Rainloop wrongly considers that the data folder is open.
And
Yeah, ajax always follows redirects silently. It's part of the XMLHttpRequest and can't be overridden. A reasonable solution would be to check if the final response URL is the same as the original one (meaning redirects happened). I'm not sure if it is safe to treat a redirect as a passed test though.
Or we may test the content of the retrieved file and see if this is what is expected (the current content of the VERSION file is "1.12.0"). What do you think?
If we are going to verify the content, I think at least the "expected" content should not be a hard-coded string. Either retrieve its content via a legal method or get the version number from somewhere. If so, I think it's fine.
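The following is an added example, not code from RainLoop or from the Nextcloud RainLoop app, showing one way to implement the probe discussed in the comments above so that a silently followed redirect (Nextcloud's 302 to its login page) or a 403 from the web server is not reported as an exposed data directory. It assumes the probe target is `<root>/data/VERSION`, compares the final `Response.url` with the requested URL (the same information `xhr.responseURL` gives an XMLHttpRequest), and checks the body against a version-number pattern instead of a hard-coded string. The host `cloud.example.invalid` and the fake `fetch()` stand-ins are constructed for offline demonstration.

```javascript
// Added example (not RainLoop's or the Nextcloud app's own code): classify the
// result of fetching <root>/data/VERSION so that a redirect to a login page is
// not mistaken for a world-readable data directory.

// A readable VERSION file is assumed to contain only a dotted version number.
const VERSION_RE = /^\d+(\.\d+){1,3}\s*$/;

// Classify one probe result. `requested` is the URL we asked for; `result` is
// {status, url, body} where `url` is the final URL after any redirects that
// fetch()/XHR followed on our behalf (Response.url / xhr.responseURL).
function classifyProbe(requested, result) {
  const finalUrl = result.url || requested;
  if (finalUrl !== requested) {
    // The client was redirected away from the file (e.g. to /login). The file
    // itself was never served, so this is not evidence of exposure.
    return { verdict: 'redirected', status: result.status, finalUrl };
  }
  if ([401, 403, 404].includes(result.status)) {
    return { verdict: 'blocked', status: result.status, finalUrl };
  }
  if (result.status === 200 && VERSION_RE.test(result.body)) {
    // 200 at the original URL with a bare version number: data/ really is readable.
    return { verdict: 'exposed', status: 200, finalUrl, version: result.body.trim() };
  }
  // 200 with an HTML login page served in place, a 304 from a cache, 5xx, ...:
  // report it, but do not raise the "data directory is exposed" warning.
  return { verdict: 'inconclusive', status: result.status, finalUrl };
}

// Run the probe against a server. credentials:'omit' sends the request as an
// anonymous visitor would, which is the case the warning is about;
// cache:'no-store' avoids the 304/cached-copy ambiguity.
async function probeDataDir(rootUrl, fetchImpl = globalThis.fetch) {
  const requested = new URL('data/VERSION', rootUrl).href;
  const response = await fetchImpl(requested, {
    redirect: 'follow',
    cache: 'no-store',
    credentials: 'omit',
  });
  const body = await response.text();
  return classifyProbe(requested, { status: response.status, url: response.url, body });
}

// Constructed fetch() stand-ins for offline demonstration; nothing below was
// captured from a real Nextcloud or RainLoop server.
function fakeFetch(status, finalUrl, body) {
  return async (url) => ({
    status,
    url: finalUrl || url,
    text: async () => body,
  });
}

const ROOT = 'https://cloud.example.invalid/apps/rainloop/'; // assumed install path
const SCENARIOS = {
  // Plain RainLoop install with a world-readable data/ directory.
  exposed: fakeFetch(200, null, '1.12.0\n'),
  // Nextcloud: 302 to the login page, followed silently by the client.
  nextcloud: fakeFetch(200, 'https://cloud.example.invalid/login', '<html>login</html>'),
  // Web server configured to deny data/ (e.g. an nginx location returning 403).
  forbidden: fakeFetch(403, null, '<html>403 Forbidden</html>'),
  // Application that serves its login page in place of the file without redirecting.
  loginInPlace: fakeFetch(200, null, '<html>login</html>'),
};

async function demo() {
  for (const [name, fetchImpl] of Object.entries(SCENARIOS)) {
    const result = await probeDataDir(ROOT, fetchImpl);
    console.log(name.padEnd(13), result.verdict.padEnd(13), result.status, result.finalUrl);
  }
}

demo();
```

Only the `exposed` scenario should trigger the warning; the Nextcloud redirect, a 403 from the web server, and a login page served in place all fall through to non-exposed verdicts. To use it against a live install, call `probeDataDir('https://<host>/apps/rainloop/')` from the admin page with the default `fetch`.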
Is there a fix now?
Great, this is what I was unable to "figure out" based on the discussion. Thanks
I've just discovered that web-folders after /data/_data_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx are fully readable without any authentication.
I can't replicate this on my instance.
Dear All, Because of the lack of time and as I was never the developer of Rainloop or of this plugin, I have decided to cease maintaining the plugin. If one of you is willing to fork the project and take the lead, I will assist the best I can. Best regards
I have also made some tests and I ended up always on either the RL or NC login page.
@pierre-alain-b
OK, summertime was good for thinking again and here I am back. I am going to look over this to fix this in the NC14 version. Maybe not in the first NC14 version to be published today (not to prevent users from upgrading), but I will try to fix the threatening error message, which is wrong.
This isn't actually a security issue if you use an alternate location for data. nginx:
apache: Should work as it should use .htaccess to deny |
I am getting the same error message. What should I do with Apache2?
So what about the fix? It has been nearly a year; has the developer managed to fix this error?
There is no security issue it seems; it is mainly a UI glitch that is worrying. Do not hesitate to send a patch if you fixed this on your side, we will be happy to review any Merge Request.
I wonder if this tip could be of use for identifying the redirection and handling it accordingly:
Interesting, I will give it a try.
@pierre-alain-b I had read previously that this error that pops up is a false positive. Are we still under the assumption that the prior analysis is still true? Also, is there anywhere that you or anyone else have posted thorough instructions regarding how to fix this error with Apache? Thanks for your work on this.
To my knowledge yes. The issue is that, rather than rejecting the test, Nextcloud is offering the login page, so the Rainloop tool wrongly interprets that the folder is accessible.
In my case my server answers with a 304, but it is still forbidden. Is it a false positive also?
@AaronADev I was able to resolve this with Nginx by adding the following location block to my nginx.conf file:
This results in a 403 HTTP status code instead of a 302 redirect to the login page, which the test was interpreting as a failure. That approach should work with Apache as well.
Good, this is a nice fix as well.
Issue is still not fixed with 926ae7a. The workaround using nginx works as expected though.
Hi, I understand this is not actually a security issue, but I'm wondering if there's a way to block the data folder using Traefik as the reverse-proxy manager? My installation seems to only have a .htaccess in nextcloud's html folder; would there be something to insert here? Thank you
How can this be resolved using apache2? I've tried solutions discussed here but none seem to work.
Yes, but we still have the warning...
You guys, it's a WARNING. Just get over it. It's only your OCD that's the issue.
Hello,
This is what I include in my NextCloud Apache Installations. Blocks the folder but does not get rid of the message:
Thanks a lot for this great plugin and for the ongoing maintenance.
Since I installed the latest update, when I'm going to the RainLoop admin panel, I'm getting a warning that the data directory should be hidden from external access:
Is there some advice on how to do that for the integrated instance, or is it even necessary in the Nextcloud context?