For some application, users are able to upload their own files. Since this can be very large files, they are allowed to upload them via their own FTP client.
Of course I wouldn't like them to upload some PHP files with which they can access all other files on the server. One of the ways I want to prevent this behavior is by denying access to specific file types (like php, rb, py, etc.) only in these folders.
I have found ways to deny access to folders, to files, to files in folders, but nothing about file types in folders.
I tried combining what I've found, like:
<Files ~ "\.inc$"> Order allow,deny Deny from all </Files>
changing to
<Files uploads/ "\.inc$"> Order allow,deny Deny from all </Files>
or alternative ways
RewriteRule ^(\.php) - [F,L,NC]
to
RewriteRule ^(uploads/\.php) - [F,L,NC]
However, I can't find out what syntax I should use.
So, for example, I could have the following (basic example):
/index.php /uploads/ hack.php hack.rb hack.py pony.jpg
I want hack.php/rb/py to be unavailable, but everything else to be available. What syntax should I use?
To block uploading of specific file types Select Sync. Select the Block upload of specific file types check box. Enter the file name extensions you want to block, for example: exe or mp3.
Right-click on Group Policy Projects and select New. Name the new GPO Disallowed File Extensions and then, click OK. In the right pane of the GPO management console, find the policy: "Disallowed File Extensions" and select Edit. Navigate to Computer Configuration > Preferences > Control Panel Settings > Folder Options.
The FilesMatch directive works purely on filenames. It doesn't look at the path portion at all.
If you want to specify directives in the root .htaccess file to control a subdirectory, you can use mod_rewrite.
Try this:
RewriteRule ^uploads/.*\.(php|rb|py)$ - [F,L,NC]
The above will block any filename ending in .php or .rb or .py in the /uploads directory or its subdirectories. For example, it will block:
Note that there is no leading slash in the rewrite rule. The path that you need to use in the directive will be different depending on where it's placed. The above directive, if placed in the document root's .htaccess file, will work for files in a directory called uploads that is directly beneath document root.
While the above answers your question, it would be safer to allow only specific files rather than trying to block files. Often a server will execute files with extensions other than the ones you've listed.
You could do something like this:
RewriteCond %{REQUEST_URI} ^/uploads [NC] RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif)$ [NC] RewriteRule .* - [F,L]
With the above, if the request URI begins with /uploads but does not end with one of the specified extensions, then it is forbidden. You can change the extensions to whatever suits your needs. But that way, you can permit extensions as needed rather than finding out too late that you missed blocking one.
This rule (from your question)
RewriteRule ^(uploads/\.php) - [F,L,NC]
will block
but it does not allow for anything between the directory name and the file extension.
If you are going to use rewirte rules, you might want to learn more about regexp. I often refer to www.regular-expressions.info when I need to look up something.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With