Not syncing htaccess files on 11.0.3

We have a lot of webprojects - each project have a htaccess file.

But the windows client ignore that files.

I cleared the “sync-exclude.lst” and checked the sync hidden files

When i try to sync or with “drag and drop” to move the htaccess upload in webbrowser:

Fatal webdav
Sabre\DAV\Exception\InsufficientStorage: HTTP/1.1 507 Insufficient Storage

[internal function] OCA\DAV\Connector\Sabre\QuotaPlugin->checkQuota('/SERVER/webproj...', Resource id #473, Object(OCA\DAV\Connector\Sabre\Directory), false)
/www/htdocs/ - line 105: call_user_func_array(Array, Array)
/www/htdocs/ - line 1070: Sabre\Event\EventEmitter->emit('beforeCreateFil...', Array)
/www/htdocs/ - line 525: Sabre\DAV\Server->createFile('SERVER/webproje...', Resource id #473, NULL)
[internal function] Sabre\DAV\CorePlugin->httpPut(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/www/htdocs/ - line 105: call_user_func_array(Array, Array)
/www/htdocs/ - line 479: Sabre\Event\EventEmitter->emit('method PUT', Array)
/www/htdocs/ - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/www/htdocs/ - line 60: Sabre\DAV\Server->exec()
/www/htdocs/ - line 165: require_once('/www/htdocs/w01...')

It have to be 100% secure that ALL files are synchronized !!
At this moment its useless and we have to stay at dropbox.
Dropbox can handle all hidden “dot” files.

It is also blocked from server-side:

Problem is that you could change your webserver setting and it would be only secure if you ignored .htaccess-files in your data-folder. Not everybody can do that, so it is not possible by default.

Now it works.

I cleared “sync-exclude.lst” from windows client software

and changed the code in this files:

Now the message “Insufficient Storage” don’t come anymore.

But this exclusion is weird - because the primary function is to backup and sync files and not to use
as webspace??
Alternatively these files could be renamed to “example.htaccess” and reverse at local sync…

You could also connect some webspace via external storage feature. The main issue is that Nextcloud is a webapplication and if you use apache, these .htaccess-files could be interpreted and give anybody access without authentication.

You can put a feature request on the bugtracker to put an option that allows you to upload such files (if you have secured your apache-config or if you are using nginx).

Thanks for replying.

Question - is there example code of a malicious htaccess file to test on the own server if this vulnerable?

Stuff like:

<ifModule mod_authz_core.c>
  Require all granted

I’m not sure if there is a complete list of potential problems.

makes sense, don’t know why they have not implemented that already (now on 13 !!! )

1 Like