Ubuntu
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
\n" . "\t" . $allow . "\n" . "\n";
$staticFileExtensions = ['gif', 'ico', 'jpg', 'png', 'svg', 'js', 'css', 'htm', 'html', 'mp3', 'mp4', 'wav', 'ogg', 'avi', 'ttf', 'eot', 'woff', 'woff2'];
$allowVueSourceMaps = !empty(Config::getInstance()->Development['allow_vue_sourcemaps']);
if ($allowVueSourceMaps) {
$staticFileExtensions[] = 'map';
}
$staticFileExtensionsPattern = implode('|', $staticFileExtensions);
$allowStaticAssets = "# Serve HTML files as text/html mime type - Note: requires mod_mime apache module!\n" . "\n" . " AddHandler text/html .html\n" . " AddHandler text/html .htm\n" . "\n\n" . "# Allow to serve static files which are safe\n" . "\n" . $allow . "\n" . "\n";
$noCachePreview = "\n# do not cache preview container files\n\n\nHeader set Cache-Control \"Cache-Control: private, no-cache, no-store\"\n\n";
$allowManifestFile = "# Allow to serve manifest.json\n" . "\n" . $allow . "\n" . "\n";
$directoriesToProtect = array('/js' => $allowAny . $noCachePreview, '/libs' => $denyAll . $allowStaticAssets, '/vendor' => $denyAll . $allowStaticAssets, '/plugins' => $denyAll . $allowStaticAssets . $allowManifestFile, '/misc' => $denyAll . $allowStaticAssets, '/node_modules' => $denyAll . $allowStaticAssets);
foreach ($directoriesToProtect as $directoryToProtect => $content) {
self::createHtAccess(PIWIK_INCLUDE_PATH . $directoryToProtect, $overwrite = \true, $content);
}
// deny access to these folders
$directoriesToProtect = array(PIWIK_USER_PATH . '/config' => $denyAll, PIWIK_INCLUDE_PATH . '/core' => $denyAll, PIWIK_INCLUDE_PATH . '/lang' => $denyAll, StaticContainer::get('path.tmp') => $denyAll);
if (!empty($GLOBALS['CONFIG_INI_PATH_RESOLVER']) && is_callable($GLOBALS['CONFIG_INI_PATH_RESOLVER'])) {
$file = call_user_func($GLOBALS['CONFIG_INI_PATH_RESOLVER']);
$directoriesToProtect[dirname($file)] = $denyAll;
}
$gitDir = PIWIK_INCLUDE_PATH . '/.git';
if (is_dir($gitDir) && is_writable($gitDir)) {
$directoriesToProtect[$gitDir] = $denyAll;
}
foreach ($directoriesToProtect as $directoryToProtect => $content) {
self::createHtAccess($directoryToProtect, $overwrite = \true, $content);
}
}
/**
* Create .htaccess file in specified directory
*
* Apache-specific; for IIS @see web.config
*
* .htaccess files are created on all webservers even Nginx, as sometimes Nginx knows how to handle .htaccess files
*
* @param string $path without trailing slash
* @param bool $overwrite whether to overwrite an existing file or not
* @param string $content
*/
protected static function createHtAccess($path, $overwrite, $content)
{
$file = $path . '/.htaccess';
$content = "# This file is auto generated by Matomo, do not edit directly\n# Please report any issue or improvement directly to the Matomo team.\n\n" . $content;
if ($overwrite || !file_exists($file)) {
@file_put_contents($file, $content, \LOCK_EX);
}
}
/**
* Generate IIS web.config files to restrict access
*
* Note: for IIS 7 and above
*/
protected static function createWebConfigFiles()
{
if (!SettingsServer::isIIS()) {
return;
}
@file_put_contents(PIWIK_INCLUDE_PATH . '/web.config', '
');
$additionForPlugins = '
';
$additionForMisc = '
';
// Deny direct access to .php files. Empty string means no custom additions/exclusions.
$directoriesToProtect = array('/libs' => '', '/vendor' => '', '/plugins' => $additionForPlugins, '/node_modules' => '', '/misc' => $additionForMisc);
foreach ($directoriesToProtect as $directoryToProtect => $additions) {
@file_put_contents(PIWIK_INCLUDE_PATH . $directoryToProtect . '/web.config', '
' . $additions . '
');
}
}
public static function deleteWebConfigFiles()
{
$path = PIWIK_INCLUDE_PATH;
@unlink($path . '/web.config');
@unlink($path . '/libs/web.config');
@unlink($path . '/vendor/web.config');
@unlink($path . '/plugins/web.config');
@unlink($path . '/node_modules/web.config');
@unlink($path . '/misc/web.config');
}
/**
* Generate default robots.txt, favicon.ico, etc. to suppress
* 404 (Not Found) errors in the web server logs, if Matomo
* is installed in the web root (or top level of subdomain).
*
* @see misc/crossdomain.xml
*/
public static function createWebRootFiles()
{
$filesToCreate = array('/robots.txt', '/favicon.ico');
foreach ($filesToCreate as $file) {
$path = PIWIK_DOCUMENT_ROOT . $file;
if (!file_exists($path)) {
@file_put_contents($path, '');
}
}
}
/**
* @return string
*/
protected static function getDenyAllHtaccessContent()
{
$deny = self::getDenyHtaccessContent();
$denyAll = "# First, deny access to all files in this directory\n" . "\n" . $deny . "\n" . "\n";
return $denyAll;
}
/**
* @return string
*/
public static function getDenyHtaccessContent()
{
# Source: https://github.com/phpbb/phpbb/pull/2386/files#diff-f72a38c4bec79cc6ded3f8e435d6bd55L11
# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
# module mod_authz_host to a new module called mod_access_compat (which may be
# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
# We could just conditionally provide both versions, but unfortunately Apache
# does not explicitly tell us its version if the module mod_version is not
# available. In this case, we check for the availability of module
# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
$deny = <<
\t
\t\tOrder Deny,Allow
\t\tDeny from All
\t
\t= 2.4>
\t\tRequire all denied
\t
\t
\t\tOrder Deny,Allow
\t\tDeny from All
\t
\t
\t\tRequire all denied
\t
HTACCESS_DENY;
return $deny;
}
/**
* @return string
*/
public static function getAllowHtaccessContent()
{
$allow = <<
\t
\t\tOrder Allow,Deny
\t\tAllow from All
\t
\t= 2.4>
\t\tRequire all granted
\t
\t
\t\tOrder Allow,Deny
\t\tAllow from All
\t
\t
\t\tRequire all granted
\t
HTACCESS_ALLOW;
return $allow;
}
/**
* Deletes all existing .htaccess files that Matomo may have created
*/
public static function deleteHtAccessFiles()
{
$files = Filesystem::globr(PIWIK_INCLUDE_PATH, ".htaccess");
// only delete files that match the list of directories we create htaccess files in
// (i.e. not the root /.htaccess)
$directoriesWithAutoHtaccess = array('/js', '/libs', '/vendor', '/plugins', '/misc', '/node_modules', '/config', '/core', '/lang', '/tmp');
foreach ($files as $file) {
foreach ($directoriesWithAutoHtaccess as $dirToDelete) {
// only delete the first .htaccess and not the ones in subdirectories
$pathToDelete = $dirToDelete . '/.htaccess';
if (strpos($file, $pathToDelete) !== \false) {
@unlink($file);
}
}
}
}
}