RainLoop / rainloop-webmail

Simple, modern & fast web-based email client
http://rainloop.net
MIT License

Security: htaccess inside data folder #1700

Open PeopleInside opened 6 years ago

PeopleInside commented 6 years ago

RainLoop version, browser, OS:

CentOs - Firefox

Expected behavior and actual behavior:

The default content of the .htaccess inside does not protect if the Apache version is 2.4 (modern).

Steps to reproduce the problem:

With a default install you will get an alert in the admin panel that alerts you that the data folder is not secure (readable); the documentation doesn't help to fix this for Apache. https://www.rainloop.net/docs/installation/

The solution for Apache 2.4 is to replace, or just add, the content inside .htaccess

  deny from all

with

  Require all denied

Also, the guide should be updated with information about how to solve the issue on Apache.

universalhandle commented 6 years ago

For what it's worth, when I downloaded it via wget https://www.rainloop.net/repository/webmail/rainloop-community-latest.zip (version 1.12.0), the zip contained no .htaccess files at all.

PeopleInside commented 6 years ago

It seems topics on GitHub and also emails to support are no longer replied to... maybe the owner is busy, but I am asking about the security of the product... also it may be important to consider that if there is an issue no one will reply. Maybe... from what I can see. I tried to send an email to support many days ago and got no replies; also here on GitHub I cannot see much reply activity.

Sad to see this because the software looks to be nice and good. I do not know how secure it is.

ThomasEBoland commented 6 years ago

Two months later, the same problem exists in an AWS instance of Ubuntu 18.04.1 with Apache 2.4. No .htaccess files in community-latest.zip downloaded and installed today. I got around it by adding

  <Directory "/var/www/rainloop/data" >
    Require all denied
  </Directory>

in my /etc/apache2/sites-available/000.conf. I could have used .htaccess; I chose to use the conf file instead.
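An added check, not code from this issue or from RainLoop, that ties the two remedies in the thread together: it classifies a data folder's .htaccess by whether it carries the Apache 2.4 `Require all denied` directive, only the 2.2-era `deny from all`, or nothing at all (as with the 1.12.0 zip), prints the vhost-level `<Directory>` block as the alternative, and offers a live probe that expects a 403 from the web server. The data directory path and the probe URL are assumptions passed on the command line.

```shell
#!/bin/sh
# Added example (not RainLoop's own code): audit the RainLoop data folder's
# Apache access control for the 2.2 vs 2.4 directive difference from this issue.
# Assumption: $1 is the data directory (e.g. /var/www/rainloop/data), $2 an
# optional URL under which that directory would be reachable over HTTP.

# classify_htaccess DIR -> prints one of: missing, legacy-only, ok, open
classify_htaccess() {
    f="$1/.htaccess"
    if [ ! -f "$f" ]; then
        echo missing            # the 1.12.0 zip shipped no .htaccess at all
        return
    fi
    # anchored at line start so a commented-out directive does not count
    if grep -qiE '^[[:space:]]*Require[[:space:]]+all[[:space:]]+denied' "$f"; then
        echo ok                 # Apache 2.4 authz syntax, handled by mod_authz_core
    elif grep -qiE '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$f"; then
        echo legacy-only        # 2.2 syntax; on 2.4 it needs mod_access_compat
    else
        echo open               # file exists but denies nothing
    fi
}

# directory_block DIR -> prints the vhost-level block used in the last comment,
# which works even when AllowOverride does not let .htaccess take effect
directory_block() {
    printf '<Directory "%s">\n    Require all denied\n</Directory>\n' "$1"
}

# probe_url URL -> exit 0 only if the server answers 403 (live check, needs curl)
probe_url() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = "403" ]
}

# Usage: sh audit-rainloop-data.sh /var/www/rainloop/data [http://host/data/]
if [ -n "$1" ]; then
    echo "htaccess: $(classify_htaccess "$1")"
    directory_block "$1"
    if [ -n "$2" ]; then
        if probe_url "$2"; then echo "probe: 403 as expected"; else echo "probe: NOT 403"; fi
    fi
fi
```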