Reputation: 161
I have a problem with my download file due to some wrong coding in .htaccess. Here is my .htaccess code for this URL.
URL:
https://www.example.com/download.php?fil=`<?php echo $nm ; ?>`&fpath=`<?php echo $fpath ; ?>`&ntid=`<?php echo $ntid ; ?>`
$nm= b5fgh68dsk3nlxz.pdf ,
$fpath= ..uploads/45 ,
$ntid= 146
Now the .htaccess is:
RewriteEngine ON
RewriteRule ^n9/([a-zA-Z0-9!@#$-_]*)/([a-zA-Z0-9!@#$-_]*)/([0-9]+)$ download.php?fil=$1&fpath=$2&ntid=$3
Now the problem is: normally, without .htaccess, the files can be downloaded easily, but with the .htaccess the download couldn't be established.
The URL looks like this after .htaccess:
https://www.example.com/n9/b5fgh68dsk3nlxz.pdf/..uploads/45/146
Upvotes: 0
Views: 71
Reputation: 4738
That ..uploads part also looks like a possible vulnerability allowing people to get the source of possibly any file on the server if you're not careful.
But if your download.php file takes precautions before giving them the file contents, I'd seek a workaround to preserve your slashes. From your PHP file which is generating the link, I'd do:
<?php
// URL-safe base64: swap '+' and '/' for '-' and '_' and drop the '=' padding,
// so the encoded value never contains a slash and survives the rewrite rule.
function base64url_encode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
?>
<a href="https://www.example.com/n9/<?php echo base64url_encode($nm) ; ?>/<?php echo base64url_encode($fpath); ?>/<?php echo base64url_encode($ntid); ?>">download</a>
Then from your download.php, at the top, I'd use:
<?php
// Reverse of base64url_encode: restore '+' and '/', then pad the string back
// up to a multiple of 4 before decoding (pad to strlen + missing, not to strlen % 4).
function base64url_decode($data) {
    $pad = (4 - strlen($data) % 4) % 4;
    return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) + $pad, '=', STR_PAD_RIGHT));
}
if(isset($_GET['fil']))$_GET['fil']=base64url_decode($_GET['fil']);
if(isset($_GET['fpath']))$_GET['fpath']=base64url_decode($_GET['fpath']);
if(isset($_GET['ntid']))$_GET['ntid']=base64url_decode($_GET['ntid']);
?>
Finally, you can get by with the following clean .htaccess:
RewriteRule ^n9/([a-zA-Z0-9_-]+)/([a-zA-Z0-9_-]+)/([a-zA-Z0-9_-]+)$ download.php?fil=$1&fpath=$2&ntid=$3
Upvotes: 2
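An added example, not the asker's or answerer's code, of a download.php that decodes the base64url segments the answer's link produces and applies the precaution the answer asks for: it resolves fpath and fil under an uploads directory and refuses anything that resolves outside it. It assumes PHP 8 and that the upload tree sits at UPLOAD_ROOT next to the script; the parameter names are the ones from the question.

```php
<?php
// Added example, not the question's or answer's code: download.php that
// decodes the base64url path segments the answer's link emits and only serves
// files that resolve inside UPLOAD_ROOT (assumed location of the upload tree).
declare(strict_types=1);

const UPLOAD_ROOT = __DIR__ . '/uploads'; // assumption: uploads live beside this script

// Inverse of the answer's base64url_encode; pads back to a multiple of 4 and
// decodes strictly so stray characters are rejected rather than ignored.
function base64url_decode(string $data): string|false {
    $pad = (4 - strlen($data) % 4) % 4;
    return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) + $pad, '='), true);
}

// Return the real path of $fpath/$fil under UPLOAD_ROOT, or null when the
// file does not exist or resolves outside the root (traversal attempts land here).
function resolve_download(string $fpath, string $fil): ?string {
    if ($fil === '' || str_contains($fil, '/') || str_contains($fil, "\0")) {
        return null; // the file name must be a single path component
    }
    $root = realpath(UPLOAD_ROOT);
    $real = realpath(UPLOAD_ROOT . '/' . $fpath . '/' . $fil);
    if ($root === false || $real === false) {
        return null;
    }
    // Compare with a trailing separator so "uploads-old/..." never matches "uploads".
    return str_starts_with($real, $root . DIRECTORY_SEPARATOR) ? $real : null;
}

$fil   = base64url_decode($_GET['fil']   ?? '');
$fpath = base64url_decode($_GET['fpath'] ?? '');
$ntid  = base64url_decode($_GET['ntid']  ?? '');

if ($fil === false || $fpath === false || $ntid === false || !ctype_digit($ntid)) {
    http_response_code(400);
    exit('bad request');
}

$path = resolve_download($fpath, $fil);
if ($path === null) {
    http_response_code(404); // same answer whether the path was missing or outside the root
    exit('not found');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

With this in place the rewrite rule from the answer can stay permissive about what the three segments contain, because the containment check on the resolved path, not the regex, decides what may be served.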