Not syncing htaccess files on 11.0.3

Marix · April 29, 2017, 10:27am

We have a lot of webprojects - each project have a htaccess file.

But the windows client ignore that files.

I cleared the “sync-exclude.lst” and checked the sync hidden files

When i try to sync or with “drag and drop” to move the htaccess upload in webbrowser:

Fatal webdav
Sabre\DAV\Exception\InsufficientStorage: HTTP/1.1 507 Insufficient Storage

[internal function] OCA\DAV\Connector\Sabre\QuotaPlugin->checkQuota('/SERVER/webproj...', Resource id #473, Object(OCA\DAV\Connector\Sabre\Directory), false)
/www/htdocs/nextcloud.mydomain.com/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)
/www/htdocs/nextcloud.mydomain.com/3rdparty/sabre/dav/lib/DAV/Server.php - line 1070: Sabre\Event\EventEmitter->emit('beforeCreateFil...', Array)
/www/htdocs/nextcloud.mydomain.com/3rdparty/sabre/dav/lib/DAV/CorePlugin.php - line 525: Sabre\DAV\Server->createFile('SERVER/webproje...', Resource id #473, NULL)
[internal function] Sabre\DAV\CorePlugin->httpPut(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/www/htdocs/nextcloud.mydomain.com/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)
/www/htdocs/nextcloud.mydomain.com/3rdparty/sabre/dav/lib/DAV/Server.php - line 479: Sabre\Event\EventEmitter->emit('method PUT', Array)
/www/htdocs/nextcloud.mydomain.com/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/www/htdocs/nextcloud.mydomain.com/apps/dav/appinfo/v1/webdav.php - line 60: Sabre\DAV\Server->exec()
/www/htdocs/nextcloud.mydomain.com/remote.php - line 165: require_once('/www/htdocs/w01...')
{main}

It have to be 100% secure that ALL files are synchronized !!
At this moment its useless and we have to stay at dropbox.
Dropbox can handle all hidden “dot” files.

tflidd · April 29, 2017, 7:28pm

It is also blocked from server-side:

Problem is that you could change your webserver setting and it would be only secure if you ignored .htaccess-files in your data-folder. Not everybody can do that, so it is not possible by default.

Marix · April 30, 2017, 12:04pm

Now it works.

I cleared “sync-exclude.lst” from windows client software

and changed the code in this files:
\apps\files\lib\Capabilities.php
\config\config.sample.php
\lib\private\Files\Filesystem.php

Now the message “Insufficient Storage” don’t come anymore.

But this exclusion is weird - because the primary function is to backup and sync files and not to use
as webspace??
Alternatively these files could be renamed to “example.htaccess” and reverse at local sync…

tflidd · April 30, 2017, 4:39pm

You could also connect some webspace via external storage feature. The main issue is that Nextcloud is a webapplication and if you use apache, these .htaccess-files could be interpreted and give anybody access without authentication.

You can put a feature request on the bugtracker to put an option that allows you to upload such files (if you have secured your apache-config or if you are using nginx).

Marix · May 2, 2017, 1:39pm

Thanks for replying.

Question - is there example code of a malicious htaccess file to test on the own server if this vulnerable?

tflidd · May 5, 2017, 11:49am

Stuff like:

<ifModule mod_authz_core.c>
  Require all granted
</ifModule>

I’m not sure if there is a complete list of potential problems.

n00b101 · July 25, 2018, 9:06pm

makes sense, don’t know why they have not implemented that already (now on 13 !!! )