“EDIT”:
I deleted some posts; the discussion about CLI / CGI-BIN files is now in BugBounty.
Copy from the deleted post/comment. Still useful info on how the bug is “random”:
I did some more analysis. I have installed Matomo on 2 different servers at different hosters (different Linux versions etc.).
On the newer one it seems all the .htaccess files were created,
but on the old server half the .htaccess files are missing.
So my first assumption, that the file permissions were wrong and “no” .htaccess was created, is wrong. So, like in your case, some files were randomly not written, and the errors were suppressed by the @ operator.
The file checker only tests a few files and does not check the directories. Also, it does try to load the files via HTTP to see if they are loadable, but not whether the files are on the disk directly.
Also, now I understand the logic of the .htaccess. Basically it’s a mix of whitelist + blacklist in the folder.
Often it’s
a) Deny from All
b) Allow “static” file extensions like .jpg, .css etc., which are not executed by the server.
This will hide “.md” documentation, for example, as it’s not in the allowed list.
Also, the node_modules are actually not node.js server code; node is just used as a package manager to install client-side JS libraries (angular, vue, jquery), which again are used by plugins in the GUI of the backend. Some are moved or copied, some are used directly.
In /plugins/Widgets/CoreHome.php :: getJsFiles() there is a listing of which files are public and in use.
There are also many node_modules files which are accessed directly from the browser, so these are not some development and deployment files, but publicly distributed files in the client.
This means node_modules is a PUBLIC folder, as some files like …/jquery.js are loaded directly from it. My first assumption was that node_modules are only server-side scripts needed for a node.js server.
The .htaccess in the root folder is probably not generated automatically, but some providers create a default one, or in my case I use some settings for cache-expire, but it’s not managed by Matomo.
You can search for existing .htaccess files with this shell command in your Matomo root directory:
find . -name ".htaccess"
On my “good” server I have .htaccess in the following directories and they 90% work as intended.
./lang/.htaccess
./plugins/.htaccess
./tmp/.htaccess
./js/.htaccess
./vendor/.htaccess
./core/.htaccess
./config/.htaccess
./libs/.htaccess
./.htaccess
./node_modules/.htaccess
./misc/cron/.htaccess
./misc/user/.htaccess
On my “bad” server I have these .htaccess files, and one can compare what is “randomly” missing.
./plugins/.htaccess
./config/.htaccess
./.htaccess
./misc/cron/.htaccess
./misc/user/.htaccess
./lang/.htaccess
./js/.htaccess
./tmp/.htaccess
These .htaccess files are all different, so one should copy each from a good installation to repair.
But the question of what’s the best way to “repair” is more a philosophical one: how to handle “this never happens” bugs.
The System-Check page could make a file-integrity check and see if files are missing, the reverse of the file-integrity check for foreign files which should not be there:
The “good files” are defined in config/manifest.inc.php, which lists in great detail all essential files of Matomo.
In reverse, one could define a “missing” files list in the same way and check if the .htaccess files in the folders are missing and give a warning, and maybe even allow to “repair” the files and do the creation of these files like done in the installation.
This should not be needed, but we have a sample size of 2 where this “cannot happen” bug is a serious problem, as now folders are public which “in theory” are secured, but in practice are not.
As this bug is “randomly” skipping generation of .htaccess files, I am not even sure if my “good server” has all files.
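
Added example (not part of the original post and not Matomo's own code): a shell check for the missing-file case described above, which reports expected directories that have no .htaccess on disk. The directory list is an assumption copied from the “good” server listing in the post, the root .htaccess is left out because the post says Matomo does not manage it, and the function names and placeholder file content are made up for the demo.

```shell
#!/bin/sh
# Directories expected to carry a .htaccess. Assumption: copied from the
# "good" server listing in the post, which may itself be incomplete.
# The root .htaccess is excluded (per the post, not managed by Matomo).
EXPECTED_DIRS="lang plugins tmp js vendor core config libs node_modules misc/cron misc/user"

# missing_htaccess ROOT
# Prints every expected directory under ROOT that exists but has no
# .htaccess, or only a zero-byte one (treated as missing here).
missing_htaccess() {
    root=$1
    for d in $EXPECTED_DIRS; do
        [ -d "$root/$d" ] || continue      # directory not part of this install
        if [ ! -s "$root/$d/.htaccess" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Constructed demo: rebuilds the "bad" server layout from the post in a
# temporary directory and runs the check against it.
demo_bad_server() {
    demo=$(mktemp -d) || return 1
    for d in $EXPECTED_DIRS; do
        mkdir -p "$demo/$d"
    done
    for d in plugins config misc/cron misc/user lang js tmp; do
        # Placeholder content, not the file Matomo generates.
        echo 'Deny from all' > "$demo/$d/.htaccess"
    done
    missing_htaccess "$demo"
    rm -rf "$demo"
}

# Usage: sh check_htaccess.sh /path/to/matomo   (no argument runs the demo)
if [ "$#" -gt 0 ]; then
    missing_htaccess "$1"
else
    demo_bad_server
fi
```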