Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

htaccess allowing access files by extension?

Tags:

I saw several htaccess example disabling some files to access:

<Files ~ "\.(js|sql)$">    order deny,allow    deny from all </Files> 

for example, this prevents to access all .JS and .SQL files, the others are enabled. I want the contrary! I want those files to be ENABLED, all others to be prevented. How to achieve this?

like image 630
user893856 Avatar asked Oct 16 '11 21:10

user893856


People also ask

What should htaccess file permissions be?

What permissions should the file have? 644 permissions are usually fine for an . htaccess file. When you create the file on the server, it should already have these permissions set, so there is most likely nothing to change.

What is the file extension for htaccess?

Unlike other types of files, these don't contain a file name; they look like this, with just the file extension: . htaccess.

How do I access .htaccess file?

htaccess file is located in the root directory of your WordPress site. Depending on your hosting provider, the root directory may be a folder labelled public_html, www, htdocs, or httpdocs. You can locate it by using File Manager in your hosting account's cpanel.


1 Answers

Vorapsak's answer is almost correct. It's actually

order allow,deny <Files ~ "\.(js|sql)$">    allow from all </Files> 

You need the order directive at the top (and you don't need anything else).

The interesting thing is, it seems we can't just negate the regex in FilesMatch, which is... weird, especially since the "!" causes no server errors or anything. Well, duh.


and a bit of explanation:

The order cause tells the server about its expected default behaviour. The

 order allow,deny 

tells the server to process the "allow" directives first: if a request matches any allow directive, it's marked as okay. Then the "deny" directives are evaulated: if a request matches any deny directives, it's denied (it doesn't matter if it was allowed in the first pass). If no matches were found, the file is denied.

The directive

 order deny,allow 

works the opposite way: first the server processes the "deny" directives: if a request matches, it's marked to be denied. Then the "allow" directives are evaulated: if a request matches an allow directive, it's allowed in, even if it matches a deny directive earlier. If a request matches nothing, the file is allowed.

In this specific case, the server first tries to match the allow directives: it sees that js and sql files are allowed, so a request to foo.js goes through; a request to bar.php matches no directives, so it's denied.

If we swap the directive to "order deny,allow", then foo.js will go through (for being a js), and bar.php will also go through, as it matches no patterns.


oh and, one more thing: directives in a section (i.e. < Files> and < Directory>) are always evaulated after the main body of the .htaccess file, overwriting it. That's why Vorapsak's solution did not work as inteded: the main .htaccess denied the request, then the < Files> order was processed, and it allowed the request.

Htaccess is magic of the worst kind, but there's logic to it.

like image 139
SáT Avatar answered Nov 19 '22 04:11

SáT