panakour / oc-backup-plugin

Backup system for October CMS
MIT License

Error 404 when downloading archive files #9

Closed damsfx closed 6 years ago

damsfx commented 6 years ago

When pressing the archive download button it results in an error 404.

domain.tld/storage/app/panakour-backup/2018-02-07-12-33-31.zip
is blocked by October's default .htaccess file on apache servers.

    ##
    ## White listed folders
    ##
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} !/.well-known/*
    RewriteCond %{REQUEST_FILENAME} !/storage/app/uploads/.*
    RewriteCond %{REQUEST_FILENAME} !/storage/app/media/.*
    RewriteCond %{REQUEST_FILENAME} !/storage/temp/public/.*
    RewriteCond %{REQUEST_FILENAME} !/themes/.*/(assets|resources)/.*
    RewriteCond %{REQUEST_FILENAME} !/plugins/.*/(assets|resources)/.*
    RewriteCond %{REQUEST_FILENAME} !/modules/.*/(assets|resources)/.*
    RewriteRule !^index.php index.php [L,NC]

Temporary workaround:

panakour commented 6 years ago

@damsfx Thank you for the feedback. So will it be ok if I change the path to /storage/app/uploads/panakour-backup/... ?

damsfx commented 6 years ago

@panakour, I think that all folders under a path in the white list will be ok.

If the folder is under /storage/app/media/, archive files will be visible under the media manager of October's backend.

panakour commented 6 years ago

With the new version it should be ok. I will close this issue now; feel free to open a new one if the problem still exists.

MaTToX3 commented 4 years ago

The "issue" still remains; however, I would advise you not to include that path in your .htaccess or nginx config. This exposes the backup file to the world: if anyone ever guesses the URL to the file, they can download it.

damsfx commented 4 years ago

... however, I would advise you not to include that path in your .htaccess or nginx config.

Sure!
Like I said, it's a temporary workaround.

This exposes the backup file to the world: if anyone ever guesses the URL to the file, they can download it.

With a URL generator script and cURL it doesn't take long to sort the response codes (200 vs 404) and, in this case, get the links to the backups.

The only solution would be to create routes that are only accessible to administrators!?
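One way to build the administrator-only route suggested above, as an added example that is not the plugin's own code: an October CMS backend controller that streams an archive only to a logged-in backend user holding a permission, after validating the requested file name, while the archive folder itself stays outside every .htaccess/nginx whitelist so the web server never serves it directly. The namespace, controller name and permission code `panakour.backup.download` are assumptions.

```php
<?php namespace Panakour\Backup\Controllers;

use Backend\Classes\Controller;
use October\Rain\Exception\ApplicationException;
use Response;
use Symfony\Component\HttpFoundation\BinaryFileResponse;

class Backups extends Controller
{
    // Backend\Classes\Controller refuses unauthenticated requests and checks these
    // permission codes before running any action. The code itself is hypothetical and
    // would be registered in the plugin's registerPermissions().
    public $requiredPermissions = ['panakour.backup.download'];

    // Keep the archives in a directory that no whitelist rule exposes, so the only
    // way to reach them is through this authenticated action.
    protected function backupDir(): string
    {
        return storage_path('app/panakour-backup');
    }

    // Reachable as /backend/panakour/backup/backups/download/<file>
    public function download(string $file): BinaryFileResponse
    {
        // Accept only the "<YYYY-MM-DD-HH-MM-SS>.zip" names the plugin generates:
        // no slashes, no "..", no other extensions.
        if (!preg_match('/^\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}\.zip$/', $file)) {
            throw new ApplicationException('Invalid backup name');
        }

        $dir  = realpath($this->backupDir());
        $path = realpath($this->backupDir() . DIRECTORY_SEPARATOR . $file);

        // realpath() resolves symlinks, so confirm the resolved file is still inside
        // the backup directory before handing it to the response.
        if ($dir === false || $path === false
            || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
            throw new ApplicationException('Backup not found');
        }

        // Sends the file as an attachment; the filesystem path never appears in the URL.
        return Response::download($path, $file);
    }
}
```

In the plugin's backend list view the download link is then built with `Backend::url('panakour/backup/backups/download/' . $file)` instead of a link into `/storage/app/...`.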