Deny access to specific file types in specific directory

Dennis picture Dennis · Apr 19, 2013 · Viewed 39.3k times · Source

For some application, users are able to upload their own files. Since this can be very large files, they are allowed to upload them via their own FTP client.

Of course I wouldn't like them to upload some PHP files with which they can access all other files on the server. One of the ways I want to prevent this behavior is by denying access to specific file types (like php, rb, py, etc.) only in these folders.

I have found ways to deny access to folders, to files, to files in folders, but nothing about file types in folders.

I tried combining what I've found, like:

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

changing to

<Files uploads/ "\.inc$">
Order allow,deny
Deny from all
</Files>

or alternative ways

RewriteRule ^(\.php) - [F,L,NC] 

to

RewriteRule ^(uploads/\.php) - [F,L,NC]

However, I can't find out what syntax I should use.

So, for example, I could have the following (basic example):

/index.php
/uploads/
  hack.php
  hack.rb
  hack.py
  pony.jpg

I want hack.php/rb/py to be unavailable, but everything else to be available. What syntax should I use?

Answer

Olaf Dietsche picture Olaf Dietsche · Apr 19, 2013

You can put a .htaccess in the upload directory. The directives will then apply to this directory and the directories below only. See How directives are applied for details.

So, a .htaccess with FilesMatch can restrict access for files matching *.inc, *.php and so on, when it is in the public directory

<FilesMatch "\.(?:inc|php|py|rb)$">
Order allow,deny
Deny from all
</FilesMatch>