Does a .txt file get indexed? How to prevent this? - .htaccess

I've got a .txt file that I'm using to store chat info. what I'm trying to figure out is how to prevent this page from getting indexed as I'm creating a more friendly version using tthat info. So I have chat.txt where it is recorded then I have pretty-chat-history.php in which I echo that page within my actual page. Is there a way to prevent chat.txt from being picked up?

Add to the htaccess file:
<FilesMatch "(chat.txt)$">
Order allow,deny
deny from all
</FilesMatch>

Related

Setting up .htaccess for the first time

Totally lost on how to set up a .htaccess file, bunch of stuff and only been able to redirect and set index.
I have a site https://subdomain.domain.com/views/list.html and I want it to show up as https://subdomain.domain.comIve been able to hide the views/list.html from that main page with DirectoryIndex views/list.html but when i come back to it from within the website it still shows up as subfolder.Also is it possible for other subfolder files to not show up as subfolder but as something else? e.g. https://subdomain.domain.com/views/add.html show up as https://subdomain.domain.com/addproduct
Have you thought about trying PHP indexing? Make a folder structure and place the indexer in the correct folder. As for the subbing, it should be possible, least from what I recall.

RegEx to find images with specific word in the file name in htaccess with filesmatch

i am trying to find a right RegEx. I want to protect all jpg images with a specific word in the file name with FilesMatch. The Word schould be "Preview", i need this and i need the same to find all images without the "Preview" in the file name.
<FilesMatch "!=preview\jpg">
Order Deny,Allow
Deny from all
Allow from development.url.com
Allow from 85.13.139.234
</FilesMatch>
<FilesMatch "==preview\jpg">
Order Deny,Allow
Deny from all
Allow from development.url.com
Allow from 85.13.139.234
</FilesMatch>
Like this, one is != "Preview" and one is == "Preview" ;) And a third one to select all jpg images would be also great :)
Thanks :)
You can use a Files directive to do the regular expression matches:
<Files ~ "preview">...</Files>

File security using htaccess blocking regular pdf file

I read this artcile on file upload security, but now it seems that a valid pdf I uploaded is being given access forbidden after implenting this htaccess on top of the other security methods mentioned:
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$">
order deny,allow
allow from all
</Files>
The file name looks like this:
Company-apv-A4-Solarpanels_ABC-RH.pdf
Which should be fine because the htaccess is meant to prevent the doubled extension attack if I understand correctly. Hope someone can help!
I just came across this while researching a solution for something else. But, to make an easier solution, since you basically wanted to prevent all double extensions, you should use this:
Order Allow,Deny
<FilesMatch "^[^.]+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$">
Allow from all
</FilesMatch>
More to the point and simpler. Using FilesMatch (as FilesMatch utilizes REGEX better and more than Files does) it uses the 'Order Allow, Deny' directive which means, match allow or deny, if not matching either, then deny. So this denies all except what's allowed.
[^.] means any character 'not' a literal period. So that covers pretty much everything that you were wanting to achieve. Just remember that these rules do no allow for upper case file extensions. Some people use older apps that create upper case file extensions, so you may want to include those as well.
I'm not sure how well the '/i' case insensitivity works with Files or FilesMatch so you may want to do character classes like this:
([Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Pp][Dd][Ff])
and so on.
Why not:
SetEnvIf Request_URI "(^|/)[-\w]+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$" allowed
<Files *>
Order deny,allow
Deny from all
Allow from env=allowed
</Files>
Also note that I dropped the mandatory leading ^ as you surely want to allow access to these extensions in subdirs and [-\w]+ as - is not in \w.
I would just start my regexp \.(gif... as you really only need to check the extension for what you want. Up to you.

How do I use .htaccess to limit file uploads to .pdf?

I have a simple upload form that allows a file to be uploaded to a folder in the site. I don't want to allow anything but .pdf files to be uploaded. However, I cannot modify the form at all to limit the upload. And I can't use PHP on the back end to limit it either. Javascript is unsecure because a user can turn it off. How can I limit the upload to a .pdf file with .htaccess?
As far as I know, it isn't possible. You could, however, restrict the files being returned, and force their mime type to be application/pdf, so they will be treated like PDFs, even if they aren't. If this was combined with JavaScript, it would help honest users (ex, if someone accidentally selects a .jpg they will get a warning right away), and it will make attacks more difficult.
It seems like the third-party mod_upload might be able to help, though.
To restrict the output types, you could use a .htaccess file similar to this:
# Prevent request to non-.pdf files
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} ! \.pdf$
RewriteRule (.*) $1 [F]
# Tell the browser that this is a PDF
Header set Content-Type application/pdf
# Hint that the browser shouldn't try to auto-detect the content type
Header set X-Content-Type-Options nosniff
(note: I wrote those from memory, so make sure to test them before you trust them…)

Include file (header) using htaccess

I want to include a certain file with every page-call.
For simplicity, assume I have a header which should be pre-pended to every file.
(Eg. a php script which checks all sorts of user agent stuff.)
I could use mod_rewrite to send all requests to this file, and then use PHP to include the requested page into the file, but that could be a headache with paths and whatnot, and I would rather not use mod_rewrite if not needed.
I recall there being a 'include' call in htaccess, but the only thing I can find in a search is ServerSideIncludes - which is not what I need. SSI (I gather) scans the document looking for a call, whereas I need to include this file before going onto the file being called.
Aside from SSI's there's also a PHP-specific option for including header/footer file with every PHP page so this solution may be too limit for you:
In .htaccess:
php_value auto_prepend_file /www/root/header.php
php_value auto_append_file /www/root/footer.php

Resources