tweak rewrite conditions in htaccess

David Christofas · David Christofas · commit 35c7d4161135 · 2023-02-01T15:00:36.000+01:00
This change hardens the rewrite rules to match the exact paths we want and not any subpaths e.g. `/somefolder/status.php`. Thanks to Terry Franklin, Matt Harris, Hayden Barker and Colin Smith (aka yoloClin) from Radiant Security (https://radiant.security) for reporting this.
diff --git a/changelog/unreleased/tweak-htaccess.md b/changelog/unreleased/tweak-htaccess.md
@@ -0,0 +1,5 @@
+Enhancement: Tweak rewrite conditions in .htaccess
+
+Changed the RewriteCond rules in the `.htaccess` file to match the expected paths.
+
+https://github.com/owncloud/core/pull/40584
diff --git a/lib/private/Setup.php b/lib/private/Setup.php
@@ -497,20 +497,20 @@ public static function updateHtaccess() {
 			$content .= "\n  RewriteRule ^favicon.ico$ core/img/favicon.ico [L]";
 			$content .= "\n  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]";
 			$content .= "\n  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !\\.(css|js|svg|gif|png|html|ttf|woff|ico|jpg|jpeg|json|properties)$";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/robots.txt";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/remote.php";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/public.php";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/cron.php";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/status.php";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/updater/";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/ocs-provider/";
-			$content .= "\n  RewriteCond %{REQUEST_FILENAME} !/ocm-provider/";
-			$content .= "\n  RewriteCond %{REQUEST_URI} !^/.well-known/(acme-challenge|pki-validation)/.*";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !\\.(css|js|svg|gif|png|html|ttf|woff|ico|jpg|jpeg|json|properties)$";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/core/img/favicon\\.ico$";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/robots\\.txt$";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/remote\\.php";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/public\\.php";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/cron\\.php";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/core/ajax/update\\.php";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/status\\.php$";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/ocs/v1\\.php";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/ocs/v2\\.php";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/updater/";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/ocs-provider/";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/ocm-provider/";
+			$content .= "\n  RewriteCond %{REQUEST_URI} !^/\\.well-known/(acme-challenge|pki-validation)/.*";
 			$content .= "\n  RewriteRule . index.php [PT,E=PATH_INFO:$1]";
 			$content .= "\n  RewriteBase " . $rewriteBase;
 			$content .= "\n  <IfModule mod_env.c>";
