From f47d203215eb9c065df3fa330be6d24d24546771 Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Fri, 26 Aug 2022 14:14:00 +0200
Subject: [PATCH] block access to more folders to enhance security
Signed-off-by: Michael Kaufmann
---
 lib/Froxlor/Cron/Http/Apache.php | 11 ++++++++---
 lib/Froxlor/Cron/Http/Lighttpd.php | 9 +++++++--
 lib/Froxlor/Cron/Http/Nginx.php | 9 +++++++--
 3 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/lib/Froxlor/Cron/Http/Apache.php b/lib/Froxlor/Cron/Http/Apache.php
index 18a75547..3dfea921 100644
--- a/lib/Froxlor/Cron/Http/Apache.php
+++ b/lib/Froxlor/Cron/Http/Apache.php
@@ -156,8 +156,13 @@ class Apache extends HttpConfigBase
 }
 if (!$is_redirect) {
+ if (Settings::Get('system.froxlordirectlyviahostname')) {
+ $relpath = "/";
+ } else {
+ $relpath = "/".basename(Froxlor::getInstallDir());
+ }
 // protect lib/userdata.inc.php
- $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
+ $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
 $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
 if (Settings::Get('system.apache24') == '1') {
 $this->virtualhosts_data[$vhosts_filename] .= ' Require all denied' . "\n";
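Review bot: The `$relpath` block added at the top of this hunk is repeated verbatim in the Lighttpd.php and Nginx.php hunks, so the three generators can drift apart; since all three classes extend HttpConfigBase, a single protected helper there would keep them in step. It also tests `Settings::Get('system.froxlordirectlyviahostname')` by truthiness, while the neighbouring `system.apache24` check compares `== '1'`. The string literals on the changed `virtualhosts_data` lines are not legible on this page (here and in the second Apache hunk); if they are `<Directory>`-type containers, those match filesystem paths, so a URL-relative `$relpath` would not match and the deny would silently not apply, which is worth confirming against a generated vhost. The enclosing method starts and ends outside the hunk.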
@@ -168,14 +173,14 @@ class Apache extends HttpConfigBase
 $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
 $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
 // protect bin/
- $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
+ $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
 if (Settings::Get('system.apache24') == '1') {
 $this->virtualhosts_data[$vhosts_filename] .= ' Require all denied' . "\n";
 } else {
 $this->virtualhosts_data[$vhosts_filename] .= ' Order deny,allow' . "\n";
 $this->virtualhosts_data[$vhosts_filename] .= ' deny from all' . "\n";
 }
- $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
+ $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
 // create fcgid -Part (starter is created in apache_fcgid)
 if (Settings::Get('system.mod_fcgid_ownvhost') == '1' && Settings::Get('system.mod_fcgid') == '1') {
diff --git a/lib/Froxlor/Cron/Http/Lighttpd.php b/lib/Froxlor/Cron/Http/Lighttpd.php
index e0e498e8..d954c569 100644
--- a/lib/Froxlor/Cron/Http/Lighttpd.php
+++ b/lib/Froxlor/Cron/Http/Lighttpd.php
@@ -121,12 +121,17 @@ class Lighttpd extends HttpConfigBase
 }
 if (!$is_redirect) {
+ if (Settings::Get('system.froxlordirectlyviahostname')) {
+ $relpath = "/";
+ } else {
+ $relpath = "/".basename(Froxlor::getInstallDir());
+ }
 // protect lib/userdata.inc.php
- $this->lighttpd_data[$vhost_filename] .= ' $HTTP["host"] =~ "' . rtrim(Froxlor::getInstallDir(), "/") . '/lib" {' . "\n";
+ $this->lighttpd_data[$vhost_filename] .= ' $HTTP["url"] =~ "' . rtrim($relpath, "/") . '/lib" {' . "\n";
 $this->lighttpd_data[$vhost_filename] .= ' url.access-deny = ("userdata.inc.php")' . "\n";
 $this->lighttpd_data[$vhost_filename] .= ' }' . "\n";
 // protect bin/
- $this->lighttpd_data[$vhost_filename] .= ' $HTTP["host"] =~ "' . rtrim(Froxlor::getInstallDir(), "/") . '/bin" {' . "\n";
+ $this->lighttpd_data[$vhost_filename] .= ' $HTTP["url"] =~ "^' . rtrim($relpath, "/") . '/(bin|cache|logs|node_modules|tests|vendor)" {' . "\n";
 $this->lighttpd_data[$vhost_filename] .= ' url.access-deny = ("")' . "\n";
 $this->lighttpd_data[$vhost_filename] .= ' }' . "\n";
diff --git a/lib/Froxlor/Cron/Http/Nginx.php b/lib/Froxlor/Cron/Http/Nginx.php
index 1de54bf3..91f82de0 100644
--- a/lib/Froxlor/Cron/Http/Nginx.php
+++ b/lib/Froxlor/Cron/Http/Nginx.php
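Review bot: Both changed `$HTTP["url"]` lines in the Lighttpd hunk interpolate `rtrim($relpath, "/")` into a regular expression without escaping, and `$relpath` comes from `basename(Froxlor::getInstallDir())`; an install directory whose name contains a regex metacharacter (a `+`, for example) would yield a pattern that no longer matches its own URL, leaving the directories reachable. Escaping it first, e.g. `preg_quote(rtrim($relpath, "/"))`, avoids that. The lib rule also lacks the `^` anchor that the second rule has, and the alternation has no trailing boundary, so `/cache` also matches `/cachefoo`; anchoring both patterns and ending the group with `(/|$)` would make the match exact. The enclosing method starts and ends outside the hunk.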
@@ -214,13 +214,18 @@ class Nginx extends HttpConfigBase
 $this->nginx_data[$vhost_filename] .= "\t" . 'location / {' . "\n";
 $this->nginx_data[$vhost_filename] .= "\t" . '}' . "\n";
+ if (Settings::Get('system.froxlordirectlyviahostname')) {
+ $relpath = "/";
+ } else {
+ $relpath = "/".basename(Froxlor::getInstallDir());
+ }
 // protect lib/userdata.inc.php
- $this->nginx_data[$vhost_filename] .= "\t" . 'location = ' . rtrim(Froxlor::getInstallDir(), "/") . '/lib/userdata.inc.php {' . "\n";
+ $this->nginx_data[$vhost_filename] .= "\t" . 'location = ' . rtrim($relpath, "/") . '/lib/userdata.inc.php {' . "\n";
 $this->nginx_data[$vhost_filename] .= "\t" . ' deny all;' . "\n";
 $this->nginx_data[$vhost_filename] .= "\t" . '}' . "\n";
 // protect bin/
- $this->nginx_data[$vhost_filename] .= "\t" . 'location = ' . rtrim(Froxlor::getInstallDir(), "/") . '/bin {' . "\n";
+ $this->nginx_data[$vhost_filename] .= "\t" . 'location ~ ' . rtrim($relpath, "/") . '/(bin|cache|logs|node_modules|tests|vendor) {' . "\n";
 $this->nginx_data[$vhost_filename] .= "\t" . ' deny all;' . "\n";
 $this->nginx_data[$vhost_filename] .= "\t" . '}' . "\n";
 }
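Review bot: The new `location ~` pattern for the protected directories is unanchored, so it matches the fragment anywhere in the URI (with a `$relpath` of `/` it reduces to `/(bin|cache|...)` and also blocks paths such as `/x/cachefoo`), whereas the Lighttpd variant of the same rule starts with `^`. Something like `'location ~ ^' . rtrim($relpath, "/") . '/(bin|cache|logs|node_modules|tests|vendor)(/|$) {'` would keep the servers consistent. nginx uses the first matching regex location in configuration order, so if this vhost emits a PHP regex location ahead of this block (not visible in the hunk), a `.php` file under `vendor/` or `tests/` would be handled there rather than denied; the emission order is worth checking. As in the Lighttpd hunk, `$relpath` enters the regex unescaped.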