scott

Reputation: 1070

File security using htaccess blocking regular pdf file

I read this article on file upload security, but now it seems that a valid pdf I uploaded is being given access forbidden after implementing this htaccess on top of the other security methods mentioned:

deny from all
<Files ~ "^\w+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$">
order deny,allow
allow from all
</Files>

The file name looks like this: Company-apv-A4-Solarpanels_ABC-RH.pdf

Which should be fine because the htaccess is meant to prevent the doubled extension attack if I understand correctly. Hope someone can help!

Upvotes: 0

Views: 1358

Answers (2)

MickeyRoush

Reputation: 1264

I just came across this while researching a solution for something else. But, to make an easier solution, since you basically wanted to prevent all double extensions, you should use this:

Order Allow,Deny
<FilesMatch "^[^.]+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$">
Allow from all
</FilesMatch>

More to the point and simpler. Using FilesMatch (as FilesMatch utilizes REGEX better and more fully than Files does) with the 'Order Allow,Deny' directive means: match allow or deny, and if neither matches, then deny. So this denies all except what's allowed.

[^.] means any character 'not' a literal period. So that covers pretty much everything that you were wanting to achieve. Just remember that these rules do not allow for upper case file extensions. Some people use older apps that create upper case file extensions, so you may want to include those as well.

I'm not sure how well the '/i' case insensitivity works with Files or FilesMatch so you may want to do character classes like this:

([Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Pp][Dd][Ff])

and so on.

Upvotes: 1

TerryE

Reputation: 10888

Why not:

SetEnvIf Request_URI "(^|/)[-\w]+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$" allowed

<Files *>
   Order deny,allow
   Deny from all
   Allow from env=allowed
</Files>

Also note that I dropped the mandatory leading ^ as you surely want to allow access to these extensions in subdirs and [-\w]+ as - is not in \w.

I would just start my regexp \.(gif... as you really only need to check the extension for what you want. Up to you.

Upvotes: 0
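To see concretely which names each pattern in this thread admits, here is a small Python check added by the editor (not code from any of the posters). It runs each regex against the asker's file name and a few constructed names, using the subject Apache would use: the basename for <Files ~> and <FilesMatch>, and a constructed request path "/uploads/<name>" for SetEnvIf Request_URI.

```python
import re

# Extension alternation shared by every pattern in the thread.
EXT = r"(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)"

# (regex, subject) per pattern. <Files ~> and <FilesMatch> test the
# file's basename; SetEnvIf Request_URI tests the request path, so the
# SetEnvIf pattern is run against a constructed "/uploads/<name>" here.
PATTERNS = {
    "asker_files":       (r"^\w+\." + EXT + r"$", "basename"),
    "mickey_filesmatch": (r"^[^.]+\." + EXT + r"$", "basename"),
    "terry_setenvif":    (r"(^|/)[-\w]+\." + EXT + r"$", "uri"),
    "terry_ext_only":    (r"\." + EXT + r"$", "basename"),
}

# Constructed sample names: the asker's real file name plus names an
# upload filter is usually meant to reject (double extension, uppercase).
SAMPLES = [
    "Company-apv-A4-Solarpanels_ABC-RH.pdf",
    "report.pdf",
    "upload.php.pdf",
    "REPORT.PDF",
]


def allowed(label: str, name: str) -> bool:
    """True if the given pattern would grant access to `name`."""
    regex, subject = PATTERNS[label]
    target = name if subject == "basename" else "/uploads/" + name
    # Apache's PCRE matching is an unanchored search, like re.search.
    return re.search(regex, target) is not None


def matrix() -> dict:
    """Allow/deny result for every pattern and every sample name."""
    return {label: {n: allowed(label, n) for n in SAMPLES} for label in PATTERNS}


if __name__ == "__main__":
    for label, row in matrix().items():
        print(label)
        for name, ok in row.items():
            print(f"  {'allow' if ok else 'deny':6} {name}")
```

The output shows why the asker's file is forbidden: \w does not match the hyphens in the name, while the [^.]+ and [-\w]+ forms accept it and still reject the double-extension name.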
