[QA] hardened .htaccess breaks index.php-less setup when ownCloud URL has a subfolder

[jnweiger]

Seen with 10.12.0 (regression)

• Setup a fresh owncloud server running in a folder, e.g. https://localhost/breakme

• Login as e.g. admin user at the Web UI. Folder listing with skeleton files appears. OK

• Connect a desktop client. Initial sync succeeds. OK

• Change the setup to index.php - less URLs like this:

  occ config:system:set htaccess.RewriteBase --value /breakme
  occ maintenance:update:htaccess

• Login at the web UI no longer shows files. BAD

• Desktop client fails to sync. BAD 23-03-24 00:35:13:402 [ info sync.httplogger ]: "88320329-5295-4952-8197-cd963ca3d0af: Response: PROPFIND 405 (Error: Error transferring https://localhost/breakme/remote.php/dav/files/admin/ - server replied: Method Not Allowed,177ms)

Only the combination of both "index.php-less setup" and "base URL with a folder" is affected. Either one alone, or none of the two works fine.

[jnweiger]

Manual Workaround (when the RewriteBase is /breakme):

--- .htaccess.orig  2023-03-24 01:38:00.365951896 +0000
+++ .htaccess   2023-03-24 01:38:37.613819235 +0000
@@ -104,19 +104,19 @@
   RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
   RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
   RewriteCond %{REQUEST_URI} !\.(css|js|svg|gif|png|html|ttf|woff|ico|jpg|jpeg|json|properties)$
-  RewriteCond %{REQUEST_URI} !^/core/img/favicon\.ico$
-  RewriteCond %{REQUEST_URI} !^/robots\.txt$
-  RewriteCond %{REQUEST_URI} !^/remote\.php
-  RewriteCond %{REQUEST_URI} !^/public\.php
-  RewriteCond %{REQUEST_URI} !^/cron\.php
-  RewriteCond %{REQUEST_URI} !^/core/ajax/update\.php
-  RewriteCond %{REQUEST_URI} !^/status\.php$
-  RewriteCond %{REQUEST_URI} !^/ocs/v1\.php
-  RewriteCond %{REQUEST_URI} !^/ocs/v2\.php
-  RewriteCond %{REQUEST_URI} !^/updater/
-  RewriteCond %{REQUEST_URI} !^/ocs-provider/
-  RewriteCond %{REQUEST_URI} !^/ocm-provider/
-  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
+  RewriteCond %{REQUEST_URI} !^/breakme/core/img/favicon\.ico$
+  RewriteCond %{REQUEST_URI} !^/breakme/robots\.txt$
+  RewriteCond %{REQUEST_URI} !^/breakme/remote\.php
+  RewriteCond %{REQUEST_URI} !^/breakme/public\.php
+  RewriteCond %{REQUEST_URI} !^/breakme/cron\.php
+  RewriteCond %{REQUEST_URI} !^/breakme/core/ajax/update\.php
+  RewriteCond %{REQUEST_URI} !^/breakme/status\.php$
+  RewriteCond %{REQUEST_URI} !^/breakme/ocs/v1\.php
+  RewriteCond %{REQUEST_URI} !^/breakme/ocs/v2\.php
+  RewriteCond %{REQUEST_URI} !^/breakme/updater/
+  RewriteCond %{REQUEST_URI} !^/breakme/ocs-provider/
+  RewriteCond %{REQUEST_URI} !^/breakme/ocm-provider/
+  RewriteCond %{REQUEST_URI} !^/breakme/\.well-known/(acme-challenge|pki-validation)/.*
   RewriteRule . index.php [PT,E=PATH_INFO:$1]
   RewriteBase /breakme
   <IfModule mod_env.c>

[pako81]

Caused by https://github.com/owncloud/core/pull/40584

[IljaN]

So this is fixed if we prepend every rule which starts with !^ with $rewriteBase?

[pako81]

So we should probably prepend the RewriteConds in https://github.com/owncloud/core/blob/master/lib/private/Setup.php#L501-L513 with $rewriteBase ?

[IljaN]

yes

[jnweiger]

@mmattel this is a good entry for the known issues section in the release notes.

suggested Workaround:

• if this is your combination: please backup you .htaccess and use the backup in your production system again. This will fix the issue.