I read this artcile on file upload security, but now it seems that a valid pdf I uploaded is being given access forbidden after implenting this htaccess on top of the other security methods mentioned:
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$">
order deny,allow
allow from all
</Files>
The file name looks like this:
Company-apv-A4-Solarpanels_ABC-RH.pdf
Which should be fine because the htaccess is meant to prevent the doubled extension attack if I understand correctly. Hope someone can help!
I just came across this while researching a solution for something else. But, to make an easier solution, since you basically wanted to prevent all double extensions, you should use this:
Order Allow,Deny
<FilesMatch "^[^.]+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$">
Allow from all
</FilesMatch>
More to the point and simpler. Using FilesMatch (as FilesMatch utilizes REGEX better and more than Files does) it uses the 'Order Allow, Deny' directive which means, match allow or deny, if not matching either, then deny. So this denies all except what's allowed.
[^.] means any character 'not' a literal period. So that covers pretty much everything that you were wanting to achieve. Just remember that these rules do no allow for upper case file extensions. Some people use older apps that create upper case file extensions, so you may want to include those as well.
I'm not sure how well the '/i' case insensitivity works with Files or FilesMatch so you may want to do character classes like this:
([Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Pp][Dd][Ff])
and so on.
Why not:
SetEnvIf Request_URI "(^|/)[-\w]+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$" allowed
<Files *>
Order deny,allow
Deny from all
Allow from env=allowed
</Files>
Also note that I dropped the mandatory leading ^ as you surely want to allow access to these extensions in subdirs and [-\w]+ as - is not in \w.
I would just start my regexp \.(gif... as you really only need to check the extension for what you want. Up to you.
Related
I've got a .txt file that I'm using to store chat info. what I'm trying to figure out is how to prevent this page from getting indexed as I'm creating a more friendly version using tthat info. So I have chat.txt where it is recorded then I have pretty-chat-history.php in which I echo that page within my actual page. Is there a way to prevent chat.txt from being picked up?
Add to the htaccess file:
<FilesMatch "(chat.txt)$">
Order allow,deny
deny from all
</FilesMatch>
i am trying to find a right RegEx. I want to protect all jpg images with a specific word in the file name with FilesMatch. The Word schould be "Preview", i need this and i need the same to find all images without the "Preview" in the file name.
<FilesMatch "!=preview\jpg">
Order Deny,Allow
Deny from all
Allow from development.url.com
Allow from 85.13.139.234
</FilesMatch>
<FilesMatch "==preview\jpg">
Order Deny,Allow
Deny from all
Allow from development.url.com
Allow from 85.13.139.234
</FilesMatch>
Like this, one is != "Preview" and one is == "Preview" ;) And a third one to select all jpg images would be also great :)
Thanks :)
You can use a Files directive to do the regular expression matches:
<Files ~ "preview">...</Files>
I guess this was a very common and simple .htaccess rewrite rule, however I wasn't able to google a solution for it.
So, the question is in the title already, how can I rewrite the address to change it from example.com/contact.htm to example.com/contact? The rule would of course not be only for just the contact.htm but for any page in the website. No need to worry about GET variables, since I won't be using any.
[ Also, do you think this is or might be considered a good practice or not really relevant? ]
Thanks.
Try this:
Options +FollowSymLinks
RewriteEngine On
RewriteRule ^contact.htm$ /contact
This should serve contact.html when requesting example.com/contact/
You could consider using MultiViews. You'll need to load the content negotiation module and turn MultiViews on, then Apache will automatically look for a file with an extension (there's a priority list in case you have both .html and .htm files with the same name for instance).
I have a PDF section that I want to give users the option to either view the file in their browser, or download it to their computer. I do not want to duplicate the files so have hit upon the idea of using a query string to tell the server the force the file to download, e.g.
FileName
In my .htaccess file for the pdfs folder, what do I need to put force the file to download if the query string is present?
What I have at the moment forces every pdf to download (instead of view):
<Files *.pdf>
ForceType applicaton/octet-stream
</Files>
You can do something like this with mod_rewrite:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^view=download$
RewriteRule .*\.pdf$ - [L,T=applicaton/octet-stream]
http://httpd.apache.org/docs/current/rewrite/flags.html#flag_t
P.S.
Depending on your rewrite logic (if you have any) you may need to remove the L, flag.
The above rule will work for URLs that end with .pdf and having view=download as query string EXACTLY. This means that it will work for example.com/some/file/here/hello.pdf?view=download but will not work for example.com/some/file/here/hello.pdf?view=download&var1=param1. To have it working for such scenario as well you will have to adjust the rule accordingly (but considering the URL examples you have provided in your Question, it should not happen).
I have a folder structure like this /img/products/{product name}/ and then the sub folders hi, low, and thumb.
I want to use htacess to force-download any files in a 'hi' or 'low' subfolder (but not 'thumb').
I was hoping something like this would work:
<FilesMatch "\(.*)(\/hi|\/low)(.*)">
ForceType applicaton/octet-stream
</FilesMatch>
Now I'm not great with regex, but that seems to work in regex testers against paths like
/img/products/active/low/something.jpg
However it's not working on the site.
Any suggestions?
Thanks
Pete
This probably should have been a ServerFault question based on what I think that you're trying to do, but since you actually can't do what you're trying to do (the way I think you're trying to do it), I'll provide two alternatives; one that likely won't work, and another that involves a PHP script (which should hopefully be alright for you, since your question history shows you asking something about PHP before).
The Problem:
First, what I think you're trying to do, so you can correct me if I'm wrong:
# Apply ForceType to anything that's in a path that matches this
<FilesMatch "img/products/[^/]+/(hi|low)/[^/]+$">
ForceType applicaton/octet-stream
</FilesMatch>
However, this won't work, because FilesMatch only examines the filename, under the assumption that you could either appropriately place the .htaccess file, or combine the directive with a Directory statement in the server or virtual server configuration.
In your case though, this isn't possible (Well, I assume anyway, maybe you do have access to the necessary configurations, but since your question is tagged .htaccess I'm guessing probably not), given that copying a .htaccess file to every folder isn't realistic.
The Solutions:
As it turns out, mod_rewrite, along with performing all sorts of voodoo in the way of filename resolution, also gives you extensions of other Apache functionality that you would not necessarily have been able to use otherwise. Case in point, we can set the MIME type using the T flag, making the easiest solution this:
RewriteEngine On
# Force the MIME-type, but don't actually perform a rewrite
RewriteRule ^img/products/[^/]+/(hi|low)/[^/]+$ - [T=application/octet-stream]
This actually works pretty well, but chances are good that your Apache installation thinks that it knows better than you, and includes a mimes.types file in the main configuration that maps the jpg extension to image/jpeg. This value takes precedence over the RewriteRule, making it ineffective in that case.
The other solution is to create a small script that acts as the go-between, passing the appropriate headers and image data from the server to the client. You would then use mod_rewrite to pass the request on to that script:
RewriteEngine On
# For an added bit of sanity, make the test pattern even more restrictive
RewriteRule ^img/products/[A-Za-z._-]+/(hi|low)/[A-Za-z._-]\.[A-Za-z]+$ imageDownloader.php
As for the script itself, to keep this answer from getting ridiculously long, I suggest taking a look at this answer or one of the other questions on this topic, keeping in mind that it's imperative that you screen the filenames that can be downloaded for reasons of security. Note that you would be able to get the original request path from $_SERVER['REQUEST_URI'], and could use that to locate the proper image.