owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

Syncing .htaccess files appears to break external storage #22412

Closed nickian closed 6 years ago

nickian commented 8 years ago

I'm running ownCloud on Apache. To begin, can someone explain why syncing .htaccess files might be a security risk or a liability in another way? Don't .htaccess files only apply to the directory they are in? For example, why would an .htaccess file here interfere with something in ownCloud's config?

/www/owncloud/data/user/files/website/.htaccess

I noticed an issue with external storage after syncing a folder that is a backup of a web site. It contains one or more .htaccess files (I had to override the default blacklisting of these). After this folder was uploaded, I immediately noticed a 404 error in the console when trying to click on an external storage folder.

Thanks

btw, this on PHP 5.5.6 and ownCloud 8.2.2.

MorrisJobke commented 8 years ago

cc @LukasReschke

The answer then would also fit nicely in the documentation - cc @carlaschroder ;)

LukasReschke commented 8 years ago

I'm running ownCloud on Apache. To begin, can someone explain why syncing .htaccess files might be a security risk or a liability in another way? Don't .htaccess files only apply to the directory they are in? For example, why would an .htaccess file here interfere with something in ownCloud's config?

Somebody could upload a .htaccess file to /www/owncloud/data/user/files/website/.htaccess, then open mycloud.com/data/user/files/website/test.php and have test.php in their user folder executed => The malicious user can do anything they want in the ownCloud. => Pwned.

Since many people don't harden their server appropriately the upload of .htaccess files is forbidden by default.

PVince81 commented 8 years ago

I think we should still make sure that external storage properly skips the files instead of failing hard.

@nickian is there any log output from the external storage failure?

nickian commented 8 years ago

@LukasReschke, thanks. I'm trying to replicate this example to understand this better, but it's not working. For example, I created a folder in my files called "website" and put an .htaccess file and a test.php file. .htaccess has:

```apache
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ test.php [L]
```

But it's not running the script. I'm still landing on the ownCloud "forbidden" page when I go to: mydomain.com/data/nick/files/website/

Couldn't I also add this to my Apache .conf file for the virtual host to prevent these from ever running?

```apache
# AllowOverride is only valid in a <Directory> (filesystem path) context,
# not in <Location>, which matches URL paths.
<Directory /path/to/owncloud/data/user/nick/files>
    AllowOverride None
</Directory>
```

Thanks

carlaschroder commented 8 years ago

This sounds like a nice edge case to me, that belongs in the doc Wiki https://github.com/owncloud/documentation/wiki.

carlaschroder commented 8 years ago

Which means someone who is not me writes it and puts it there :)

blizzz commented 8 years ago

Is here anything left to do?

carlaschroder commented 8 years ago

@blizzz Not for me.

michaelstingl commented 7 years ago

oC docs clearly recommend storing data outside of /www/owncloud/. Then .htaccess shouldn't be an issue. Might be a problem on shared hosting where everything needs to be in /www/owncloud/.
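The three mitigations raised in this thread (LukasReschke's point that an uploaded `.htaccess` can turn a user's files folder into an executable web directory, nickian's `AllowOverride None` question, and the recommendation above to keep the data directory outside the web root) fit together in one Apache 2.4 virtual host. The configuration below is an added example, not from the ownCloud project or any comment in this thread; the paths `/var/www/owncloud` and `/srv/owncloud-data`, the hostname, and the PHP module name are assumptions. Note that `.htaccess` directives apply to the directory they sit in and every subdirectory beneath it, which is why a file dropped into a user's folder can matter.

```apache
# Added hardening example (not ownCloud project code). Assumes ownCloud is
# installed under /var/www/owncloud and that 'datadirectory' in config.php
# points to /srv/owncloud-data, outside DocumentRoot. Both paths are assumptions.

<VirtualHost *:443>
    ServerName mycloud.example
    DocumentRoot /var/www/owncloud

    <Directory /var/www/owncloud>
        Options -Indexes +FollowSymLinks
        # ownCloud ships its own .htaccess for the application root; honour
        # overrides here only.
        AllowOverride All
        Require all granted
    </Directory>

    # The data directory is never served by Apache. ownCloud streams file
    # contents through PHP, so nothing under here needs to be web-reachable,
    # and an uploaded .htaccess or .php file can never be fetched or executed
    # over HTTP.
    <Directory /srv/owncloud-data>
        AllowOverride None
        Require all denied
    </Directory>

    # Shared-hosting fallback for installs that must keep data under the web
    # root: refuse to serve the data tree, ignore any .htaccess inside it, and
    # switch the PHP engine off there. The IfModule name differs by PHP
    # version (mod_php5.c, mod_php7.c, mod_php.c for PHP 8); adjust to match.
    <Directory /var/www/owncloud/data>
        AllowOverride None
        Require all denied
        <IfModule mod_php7.c>
            php_admin_flag engine off
        </IfModule>
    </Directory>
</VirtualHost>
```

With the data directory denied at the server level, relaxing the server-side `blacklisted_files` list in config.php (as PVince81 describes later in the thread) no longer turns a synced `.htaccess` into a code-execution path, because Apache never consults overrides or serves files from that tree. Verify after a restart by requesting a known user file path under `/data/` directly and confirming a 403 rather than the file contents; `apachectl configtest` catches an `AllowOverride` placed in the wrong context.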

adriansuter commented 6 years ago

Could you please add an option to allow the sync of .htaccess files - with warnings and on-your-own-risk messages? I mean, when datadirectory is set in config.php and points to a directory outside the web-accessible scope, then it is absolutely safe to sync an .htaccess file. Or am I wrong?

Another possibility, which may be better but needs more work to do, is a simple base64 encode/decode for all filenames synced to the server. Directory names do not have to be encoded/decoded.

Or instead of just ignoring some files, you could add some sort of mapping for some filenames. That is, a user could define a mapping like .htaccess => --htaccess-- which would rename the file on upload and on download. At the same time, the --htaccess-- filename would be added to the ignore list. Otherwise there would be a problem, when there is an -htaccess locally stored. But this is maybe a little bit complicated and could lead to abuse/error/misunderstanding.

I would vote for the first approach.

Any other ideas?

PVince81 commented 6 years ago

Storing files with a different name is currently not possible with lots of complications as a lot of code relies on the name being the same.

@adriansuter isn't it possible already to remove htaccess from the blacklist by redefining the `blacklisted_files` to an empty array in config.php?

adriansuter commented 6 years ago

@PVince81 Thanks for your answer. Yes, if I change that in the config.php, I can upload an .htaccess file using the web application. But the desktop app (Windows 10) unfortunately has still blacklisted the .htaccess file. I cannot change that in the preferences of the desktop app.

PVince81 commented 6 years ago

Really ? I thought the desktop app had that setting @guruz

adriansuter commented 6 years ago

There is a file (on my machine it is under C:\Program Files (x86)\ownCloud\sync-exclude.lst), which contains the exclude rule for .htaccess files. But in the app it is not possible to remove this rule.

adriansuter commented 6 years ago

Just opened a new issue in the owncloud client repository.

See https://github.com/owncloud/client/issues/6144#issue-271880127

PVince81 commented 6 years ago

Closing then, use the blacklist setting in config.php to allow .htaccess on the server

lock[bot] commented 5 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.