On 11.08.2010, at 00:02, Pauleman (DerPaul) wrote:

> Hello all,
>
> just for fun I tested to download a file directly from the data location
> of owncloud. I was surprised that there was no protection of the data
> directory and also of the backup directory. Is there any idea to prevent
> the direct access?
>
> Regards
>
> Pauleman

Hi,

I think this is a very good point. Having an unprotected document directory in your web directory is a bad idea.

I think we need some fancy logic for this problem. ownCloud should check if the current document directory is in the document root and accessible from the internet.
If no -> no problem.
If yes, try to automatically put a .htaccess in the directory and check with a fopen HTTP request if access is still possible.
If no -> problem solved.
If yes -> big security problem, and do nothing till the user fixes this security hole.

Cheers
Frank

--
Frank Karlitschek
[email protected]

_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
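
The check described in the reply above, as an added PHP sketch that is not part of the original thread and not ownCloud code. The function names, the probe file naming and the `$dataUrl` parameter (the URL the data directory would have if it were served) are assumptions made for this example.

```php
<?php
// Added example, not ownCloud code. All names below are hypothetical.

/** True when $dataDir resolves to a path inside $docRoot. */
function isInsideDocRoot(string $dataDir, string $docRoot): bool
{
    $data = realpath($dataDir);
    $root = realpath($docRoot);
    if ($data === false || $root === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($data . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

/** True when a random probe file written to $dataDir can be fetched over HTTP. */
function isReachableOverHttp(string $dataDir, string $dataUrl): bool
{
    $name  = 'probe-' . bin2hex(random_bytes(8)) . '.txt';
    $token = bin2hex(random_bytes(16));
    file_put_contents("$dataDir/$name", $token);
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'ignore_errors' => true]]);
    $body = @file_get_contents(rtrim($dataUrl, '/') . "/$name", false, $ctx);
    unlink("$dataDir/$name");
    // Compare content, not status: a custom error page may answer with 200.
    return $body !== false && trim($body) === $token;
}

/** Returns 'outside-docroot', 'protected' or 'exposed'. */
function checkDataDirectory(string $dataDir, string $docRoot, string $dataUrl): string
{
    if (!isInsideDocRoot($dataDir, $docRoot)) {
        return 'outside-docroot';
    }
    if (!isReachableOverHttp($dataDir, $dataUrl)) {
        return 'protected';
    }
    // Apache 2.4 and 2.2 syntax; only honoured when AllowOverride permits it.
    // Note: this overwrites any .htaccess already in the data directory.
    $rules = "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n"
           . "<IfModule !mod_authz_core.c>\nOrder allow,deny\nDeny from all\n</IfModule>\n";
    file_put_contents("$dataDir/.htaccess", $rules);
    // Re-probe: if the token still comes back, the server ignored the file.
    return isReachableOverHttp($dataDir, $dataUrl) ? 'exposed' : 'protected';
}
```

A caller would refuse to serve files while the result is `'exposed'`. The probe only reflects what the server sees when it requests its own URL, so a reverse proxy or a separate virtual host serving the same directory needs its own check.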
