free
/
freedombone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix nextcloud leak of version information 

This could be of obvious use to adversaries
This commit is contained in:
Bob Mottram 2017-08-08 11:05:25 +01:00
parent 70813b5a65
commit 32d89e951f
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/freedombone-app-nextcloud
View File

@ -483,6 +483,15 @@ function install_nextcloud_main {
echo ' # Index' >> $nextcloud_nginx_site
echo ' index index.php;' >> $nextcloud_nginx_site
echo '' >> $nextcloud_nginx_site
# By default nextcloud advertises highly specific version information
# on status.php, which can obviously be used by adversaries.
# Blocking status.php prevents this information leak
echo ' location = /status.php {' >> $nextcloud_nginx_site
echo ' return 404;' >> $nextcloud_nginx_site
echo ' }' >> $nextcloud_nginx_site
echo '' >> $nextcloud_nginx_site
echo ' # PHP' >> $nextcloud_nginx_site
echo ' location ~ \.php {' >> $nextcloud_nginx_site
echo ' include snippets/fastcgi-php.conf;' >> $nextcloud_nginx_site
@ -539,6 +548,15 @@ function install_nextcloud_main {
echo ' # Index' >> $nextcloud_nginx_site
echo ' index index.php;' >> $nextcloud_nginx_site
echo '' >> $nextcloud_nginx_site
# By default nextcloud advertises highly specific version information
# on status.php, which can obviously be used by adversaries.
# Blocking status.php prevents this information leak
echo ' location = /status.php {' >> $nextcloud_nginx_site
echo ' return 404;' >> $nextcloud_nginx_site
echo ' }' >> $nextcloud_nginx_site
echo '' >> $nextcloud_nginx_site
echo ' # PHP' >> $nextcloud_nginx_site
echo ' location ~ \.php {' >> $nextcloud_nginx_site
echo ' include snippets/fastcgi-php.conf;' >> $nextcloud_nginx_site