For some application, users are able to upload their own files. Since these can be very large files, they are allowed to upload them via their own FTP client.
Of course I wouldn't like them to upload some PHP files with which they can access all other files on the server. One of the ways I want to prevent this behavior is by denying access to specific file types (like php, rb, py, etc.) only in these folders.
I have found ways to deny access to folders, to files, to files in folders, but nothing about file types in folders.
I tried combining what I've found, like:
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
changing to
<Files uploads/ "\.inc$">
Order allow,deny
Deny from all
</Files>
or alternative ways
RewriteRule ^(\.php) - [F,L,NC]
to
RewriteRule ^(uploads/\.php) - [F,L,NC]
However, I can't find out what syntax I should use.
So, for example, I could have the following (basic example):
/index.php
/uploads/
hack.php
hack.rb
hack.py
pony.jpg
I want hack.php/rb/py to be unavailable, but everything else to be available. What syntax should I use?
You can put a .htaccess in the upload directory. The directives will then apply to this directory and the directories below only. See How directives are applied for details.
So, a .htaccess with FilesMatch can restrict access for files matching *.inc, *.php and so on, when it is in the public directory:
<FilesMatch "\.(?:inc|php|py|rb)$">
Order allow,deny
Deny from all
</FilesMatch>
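To check what the answer's rule actually covers before relying on it, here is an added Python model (not part of the answer or of Apache) of how a <FilesMatch> section in an uploads/.htaccess is scoped: it applies to that directory and everything below it, and it tests only the filename against the pattern. The request paths and the `(?i)` variant are constructed for this example; they show that the question's hack.php/rb/py are blocked while index.php and pony.jpg are not, and that the pattern as written is case-sensitive.

```python
import re
from pathlib import PurePosixPath

# Scope of the .htaccess and the FilesMatch pattern from the answer.
UPLOAD_DIR = PurePosixPath("/uploads")
DENY_PATTERN = re.compile(r"\.(?:inc|php|py|rb)$")

# Constructed variant: (?i) makes the match case-insensitive, so HACK.PHP
# is also caught. Use it when the handler or filesystem ignores case.
DENY_PATTERN_CI = re.compile(r"(?i)\.(?:inc|php|py|rb)$")


def is_denied(request_path, pattern=DENY_PATTERN, scope=UPLOAD_DIR):
    """True if a 'Deny from all' inside <FilesMatch pattern>, placed in a
    .htaccess in `scope`, would block this request.

    Models two Apache behaviours the answer relies on:
      * a .htaccess covers its own directory and all subdirectories;
      * <FilesMatch> is matched against the final path component only.
    """
    path = PurePosixPath(request_path)
    if scope not in path.parents:      # outside uploads/: rules do not apply
        return False
    return pattern.search(path.name) is not None


# Constructed request list mirroring the question's example tree.
SAMPLE_REQUESTS = [
    "/index.php",                   # site code outside uploads/: stays reachable
    "/uploads/hack.php",
    "/uploads/hack.rb",
    "/uploads/hack.py",
    "/uploads/pony.jpg",
    "/uploads/2024/deep/evil.php",  # subdirectory: still covered
    "/uploads/HACK.PHP",            # NOT blocked by the case-sensitive pattern
]


def evaluate(requests=SAMPLE_REQUESTS, pattern=DENY_PATTERN):
    """Map each request path to whether the rule would deny it."""
    return {p: is_denied(p, pattern) for p in requests}


if __name__ == "__main__":
    for p, denied in evaluate().items():
        print(f"{'403' if denied else '200'}  {p}")
```

The Order/Deny lines are Apache 2.2 syntax; on 2.4 the equivalent inside the section is `Require all denied`. Either form only takes effect if AllowOverride for the upload directory permits it (Limit for Order/Deny, AuthConfig for Require).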