Highly unusual dot files in URLs #17005

Closed
szepeviktor opened this issue Sep 4, 2019 · 11 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap enhancement feature: files needs info

Comments

@szepeviktor
Contributor

szepeviktor commented Sep 4, 2019

Steps to reproduce

Simply upload and download files. I really do not know the purpose of dot files.

Expected behaviour

Use no dot files in URLs.

Actual behaviour

There are .ocdata and .file in URLs - maybe more dot files.

Server configuration

Operating system: Debian jessie

Web server: Apache 2.4

Database: MariaDB

PHP version: 7.3

Nextcloud version: 16

Dot files were invented to be hidden files.
Our webserver was configured to deny serving dot files.
Please consider removing dot files from all NextCloud URLs.
Thank you.

@szepeviktor szepeviktor added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Sep 4, 2019
@szepeviktor
Contributor Author

Sample HTTP requests

  • MOVE /remote.php/dav/uploads/szepeviktor/web-file-upload-5ea541edf30372798c0cc7e5acb07847-1567606511076/.file
  • GET /data/.ocdata?t=1567588750193

@szepeviktor
Contributor Author

szepeviktor commented Sep 4, 2019

Yes, I know https://tools.ietf.org/html/rfc5785 but please do not use custom dot files in URLs.

@kesselb
Contributor

kesselb commented Sep 4, 2019

If the webserver is trying to answer these requests something is wrong with the setup anyway. Usually all requests are processed by nextcloud. Apache2 is only forwarding the requests to index.php, remote.php or public.php. The request for /data/.ocdata is a security check. If a request to this file is possible your data directory might be accessible. Usually for setup issues https://help.nextcloud.com is the best place.

@szepeviktor
Contributor Author

szepeviktor commented Sep 4, 2019

> The request for /data/.ocdata is a security check.

Thank you, so this should fail. #2513

> MOVE /remote.php/dav/uploads/szepeviktor/web-file-upload-5ea541edf30372798c0cc7e5acb07847-1567606511076/.file

Should this request succeed? Was it designed to be okay with a dot file?

@kesselb
Contributor

kesselb commented Sep 4, 2019

> Thank you, so this should fail.

For most setups the answer is yes. If you set up a new nextcloud instance please use a different path (outside the document root). I agree with you that if someone blocks access to . files and the .htaccess is not working data might be exposed.

> Should this request succeed? Was it designed to be okay with a dot file?

I think so.

@szepeviktor
Contributor Author

All right!

Then this issue is about considering avoiding dot files/URLs in NextCloud - like this /.file one.

@kesselb
Contributor

kesselb commented Sep 4, 2019

> Then this issue is about considering avoiding dot files/URLs in NextCloud - like this /.file one.

Please use https://github.com/nextcloud/server/blob/master/.github/ISSUE_TEMPLATE/Feature_request.md for your first post then. There is nothing broken because of .file right? So "enhancement" is the appropriate label.

/remote.php/dav/uploads/szepeviktor/web-file-upload-5ea541edf30372798c0cc7e5acb07847-1567606511076/.file

#1283 added this .file uri. File uploads are done in chunks. During the upload a file is stored as .file in a folder with some unique identifier. Once the upload is complete, the file is renamed to the final destination and the folder deleted. It has been like that for more than five years.

@rullzer
Member

rullzer commented Sep 4, 2019

The .file is a special aggregated file. For chunked uploads we move that file (which collects all the chunks) and move it to the final location.

We won't change this as it is used by all clients as well. So please update your htaccess file.

@rullzer rullzer closed this as completed Sep 4, 2019
@kesselb kesselb removed the bug label Sep 4, 2019
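
A small Python model of the rule change asked for above, added here as an illustration and not taken from Nextcloud or from anyone in the thread: it compares a blanket "deny every dot-prefixed path segment" policy with one that leaves paths under the entry points kesselb names (index.php, remote.php, public.php) to Nextcloud. The function names, the two constructed requests and the assumption that Nextcloud is installed at the web root are assumptions of the example.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Entry points named in the thread; Apache hands these to Nextcloud's PHP code,
# so everything after them is PATH_INFO for the script, not a file on disk.
ENTRY_POINTS = {"index.php", "remote.php", "public.php"}

def _segments(url):
    """Decode and normalise the URL path, so '..' cannot hide the real target."""
    path = posixpath.normpath("/" + unquote(urlsplit(url).path))
    return [s for s in path.split("/") if s]

def blanket_rule(url):
    """Deny any request whose path contains a dot-prefixed segment."""
    return "deny" if any(s.startswith(".") for s in _segments(url)) else "allow"

def scoped_rule(url):
    """Same rule, but skip requests that Nextcloud itself routes.

    Assumption: Nextcloud is installed at the web root, so the entry point
    is the first path segment.
    """
    segs = _segments(url)
    if segs and segs[0] in ENTRY_POINTS:
        return "allow"
    return "deny" if any(s.startswith(".") for s in segs) else "allow"

# The two requests quoted in the issue, plus two constructed ones.
REQUESTS = [
    "/remote.php/dav/uploads/szepeviktor/web-file-upload-5ea541edf30372798c0cc7e5acb07847-1567606511076/.file",
    "/data/.ocdata?t=1567588750193",
    "/remote.php/../data/.ocdata",   # constructed: traversal back out of the entry point
    "/.htaccess",                    # constructed
]

def compare():
    """Return (url, blanket decision, scoped decision) for each sample request."""
    return [(u, blanket_rule(u), scoped_rule(u)) for u in REQUESTS]

if __name__ == "__main__":
    for url, old, new in compare():
        print(f"{old:5} -> {new:5}  {url}")
```

Only the chunked-upload request changes from deny to allow; the /data/.ocdata probe stays denied, which is the outcome kesselb describes as correct for the security check.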
@szepeviktor
Contributor Author

Thank you.
Many would appreciate if you would add it to the documentation.

@rullzer
Member

rullzer commented Sep 4, 2019

> Thank you.
> Many would appreciate if you would add it to the documentation.

Would you be willing to shoot in a Pull Request there?

@szepeviktor
Contributor Author

szepeviktor commented Sep 4, 2019

Could you point out the proper page/section for me? (I am a 1 day old NextCloud user)
