check if the data directory is accessible via http. Show a big security warning if yes

lib/util.php

@@ -420,18 +420,57 @@ class OC_Util {
 		}
 	}
 	
-	/**
+	/**
-	 * @brief Public function to sanitize HTML
+	 * @brief Public function to sanitize HTML
-	 *
+	 *
 	 * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page.
 	 * 
 	 * @param string or array of strings
-	 * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
+	 * @return array with sanitized strings or a single sinitized string, depends on the input parameter.
 	 */
-	public static function sanitizeHTML( &$value ){
+	public static function sanitizeHTML( &$value ){
-		if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML');
+		if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML');
-		else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4
+		else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4
 		return $value;
 	}
 
+
+        /**
+         * Check if the htaccess file is working buy creating a test file in the data directory and trying to access via http
+         */
+        public static function ishtaccessworking() {
+
+		// testdata
+		$filename='/htaccesstest.txt';
+		$testcontent='testcontent';
+
+		// creating a test file
+                $testfile = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ).'/'.$filename;
+                $fp = @fopen($testfile, 'w');
+                @fwrite($fp, $testcontent);
+                @fclose($fp);
+
+		// accessing the file via http
+                $url = OC_Helper::serverProtocol(). '://'  . OC_Helper::serverHost() . OC::$WEBROOT.'/data'.$filename;
+                $fp = @fopen($url, 'r');
+                $content=@fread($fp, 2048);
+                @fclose($fp);
+
+		// cleanup
+		@unlink($testfile);
+
+		// does it work ?
+		if($content==$testcontent) {
+			return(false);
+		}else{
+			return(true);
+
+		}
+
+        }
+
+
+
+
+
 }

settings/admin.php

@@ -15,6 +15,7 @@ OC_App::setActiveNavigationEntry( "admin" );
 
 $tmpl = new OC_Template( 'settings', 'admin', 'user');
 $forms=OC_App::getForms('admin');
+$htaccessworking=OC_Util::ishtaccessworking();
 
 $entries=OC_Log_Owncloud::getEntries(3);
 function compareEntries($a,$b){
@@ -24,6 +25,7 @@ usort($entries, 'compareEntries');
 
 $tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 ));
 $tmpl->assign('entries',$entries);
+$tmpl->assign('htaccessworking',$htaccessworking);
 $tmpl->assign('forms',array());
 foreach($forms as $form){
 	$tmpl->append('forms',$form);

settings/css/settings.css

@@ -48,5 +48,8 @@ li.active { color:#000; }
 small.externalapp { color:#FFF; background-color:#BBB; font-weight:bold; font-size:6pt; padding:4px; border-radius: 4px;}
 span.version { margin-left:3em; color:#ddd; }
 
-/* LOF */
+/* LOG */
 #log { white-space:normal; }
+
+/* ADMIN */
+span.securitywarning {color:#C33; font-weight:bold; }

settings/templates/admin.php

@@ -6,6 +6,21 @@
 $levels=array('Debug','Info','Warning','Error','Fatal');
 ?>
 
+<?php
+
+if(!$_['htaccessworking']) {
+?>
+<fieldset class="personalblock">
+	<legend><strong><?php echo $l->t('Security Warning');?></strong></legend>
+
+	<span class="securitywarning">Your data directory and your files are probably accessible from the internet. The .htaccess file that ownCloud provides is not working. We strongly suggest that you configure your webserver in a way that the data directory is no longer accessible or you move the data directory outside the webserver document root.</span>
+	
+</fieldset>	
+<?php	
+}
+?>
+
+
 <?php foreach($_['forms'] as $form){
 	echo $form;
 };?>