
Update nginx-root.conf.sample #12146

Open · wants to merge 3 commits into master

Conversation

tofuSCHNITZEL

☑️ Resolves

  • prevents access to grunt, package and composer files that could help an attacker to get information about the system (used packages, version etc.)
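The rule the description refers to, as an added illustration rather than the PR's own diff (which this page does not show); it assumes the layout of Nextcloud's nginx-root.conf.sample, where `/` is the Nextcloud web root, and the exact file list is an assumption drawn from the description.

```nginx
# Added illustration, not the PR's diff. Assumes the Nextcloud sample config in
# which "/" is the web root and unwanted paths are answered with 404 rather than
# 403, so the response does not confirm that the file exists.
# The file names are assumed from "grunt, package and composer files".
location ~* (?:^|/)(?:package(?:-lock)?\.json|composer\.(?:json|lock)|Gruntfile\.js)$ {
    return 404;
}
```

After a reload, a request such as `GET /package.json` should return 404 instead of the manifest; as the discussion below notes, this only limits what an anonymous HTTP client can read, since the same dependency and version information is public in the Nextcloud repository and via `status.php`.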

Contributor

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

@tflidd
Contributor

tflidd commented Sep 25, 2024

You speak of code files? That is then also in the official repositories, no? You can just get the version of a setup from https://example.com/status.php

@tofuSCHNITZEL
Author

> You speak of code files? That is then also in the official repositories, no? You can just get the version of a setup from https://example.com/status.php

Not sure what you are referring to.
These additions to the nginx.conf prevent information disclosure of the Nextcloud installation and were recommended to me after a security audit of my Nextcloud install.

@provokateurin
Member

Hiding these files will not make your setup more secure. The versions of any part of Nextcloud can be found out in multiple ways which can then be used to figure out the content of these files since everything is publicly available.
Also see https://nextcloud.com/security/threat-model/#version-disclosure

@tflidd
Contributor

tflidd commented Oct 1, 2024

Perhaps some of the packaging info can be removed after the packages are built. (most of the files you excluded already reside in folders that are excluded as well).

@provokateurin
Member

Those files are kept for legal/license reasons to trace back dependencies.

3 participants