Deny access to specific file types in specific directory
For some application, users are able to upload their own files. Since this can be very large files, they are allowed to upload them via their own FTP client.
Of course I wouldn't like them to upload some PHP files with which they can access all other files on the server. One of the ways I want to prevent this behavior is by denying access to specific file types (like php, rb, py, etc.) only in these folders.
I have found ways to deny access to folders, to files, to files in folders, but nothing about file types in folders.
I tried combining what I've found, like:
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
changing to
<Files uploads/ "\.inc$">
Order allow,deny
Deny from all
</Files>
or alternative ways
RewriteRule ^(\.php) - [F,L,NC]
to
RewriteRule ^(uploads/\.php) - [F,L,NC]
However, I can't find out what syntax I should use.
So, for example, I could have the following (basic example):
/index.php
/uploads/
hack.php
hack.rb
hack.py
pony.jpg
I want hack.php/rb/py to be unavailable, but everything else to be available. What syntax should I use?
Answer
You can put a .htaccess in the upload directory. The directives will then apply to this directory and the directories below only. See How directives are applied for details.
So, a .htaccess with FilesMatch can restrict access for files matching *.inc, *.php and so on, when it is in the public directory
<FilesMatch "\.(?:inc|php|py|rb)$">
Order allow,deny
Deny from all
</FilesMatch>