For some application, users are able to upload their own files. Since this can be very large files, they are allowed to upload them via their own FTP client.
对于某些应用程序,用户可以上传自己的文件。由于这可能是非常大的文件,因此允许他们通过自己的FTP客户端上传它们。
Of course I wouldn't like them to upload some PHP files with which they can access all other files on the server. One of the ways I want to prevent this behavior is by denying access to specific file types (like php, rb, py, etc.) only in these folders.
当然我不希望他们上传一些PHP文件,用它们可以访问服务器上的所有其他文件。我想要阻止此行为的方法之一是拒绝仅在这些文件夹中访问特定文件类型(如php,rb,py等)。
I have found ways to deny access to folders, to files, to files in folders, but nothing about file types in folders.
我找到了拒绝访问文件夹,文件,文件夹中文件的方法,但没有关于文件夹中文件类型的访问。
I tried combining what I've found, like:
我试着结合我发现的东西,比如:
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
changing to
换到
<Files uploads/ "\.inc$">
Order allow,deny
Deny from all
</Files>
or alternative ways
或替代方式
RewriteRule ^(\.php) - [F,L,NC]
to
至
RewriteRule ^(uploads/\.php) - [F,L,NC]
However, I can't find out what syntax I should use.
但是,我找不到我应该使用的语法。
So, for example, I could have the following (basic example):
所以,例如,我可以有以下(基本示例):
/index.php
/uploads/
hack.php
hack.rb
hack.py
pony.jpg
I want hack.php/rb/py to be unavailable, but everything else to be available. What syntax should I use?
我希望hack.php / rb / py不可用,但其他一切都可用。我应该使用什么语法?
3 个解决方案
#1
16
The FilesMatch directive works purely on filenames. It doesn't look at the path portion at all.
FilesMatch指令完全适用于文件名。它根本不看路径部分。
If you want to specify directives in the root .htaccess file to control a subdirectory, you can use mod_rewrite.
如果要在根.htaccess文件中指定指令来控制子目录,可以使用mod_rewrite。
Try this:
尝试这个:
RewriteRule ^uploads/.*\.(php|rb|py)$ - [F,L,NC]
The above will block any filename ending in .php or .rb or .py in the /uploads directory or its subdirectories. For example, it will block:
以上将阻止/ uploads目录或其子目录中以.php或.rb或.py结尾的任何文件名。例如,它将阻止:
- /uploads/something.php
- /uploads/something.php
- /uploads/something/more.php
- /uploads/something/more.php
Note that there is no leading slash in the rewrite rule. The path that you need to use in the directive will be different depending on where it's placed. The above directive, if placed in the document root's .htaccess file, will work for files in a directory called uploads that is directly beneath document root.
请注意,重写规则中没有前导斜杠。您需要在指令中使用的路径将根据其放置位置而有所不同。如果将上述指令放在文档根目录的.htaccess文件中,则该指令将适用于直接位于文档根目录下的名为uploads的目录中的文件。
While the above answers your question, it would be safer to allow only specific files rather than trying to block files. Often a server will execute files with extensions other than the ones you've listed.
虽然上面回答了你的问题,但是只允许特定文件而不是试图阻止文件会更安全。通常,服务器将执行扩展名不同于您列出的扩展名的文件。
You could do something like this:
你可以这样做:
RewriteCond %{REQUEST_URI} ^/uploads [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif)$ [NC]
RewriteRule .* - [F,L]
With the above, if the request URI begins with /uploads but does not end with one of the specified extensions, then it is forbidden. You can change the extensions to whatever suits your needs. But that way, you can permit extensions as needed rather than finding out too late that you missed blocking one.
如上所述,如果请求URI以/ uploads开头但不以指定的扩展名之一结束,则禁止它。您可以将扩展名更改为适合您需要的扩展名。但是这样,你可以根据需要允许扩展,而不是发现你错过了阻止扩展。
This rule (from your question)
这个规则(来自你的问题)
RewriteRule ^(uploads/\.php) - [F,L,NC]
will block
会阻止
- /uploads/.php
- /uploads/.php
- /uploads/.phpmore
- /uploads/.phpmore
but it does not allow for anything between the directory name and the file extension.
但它不允许目录名和文件扩展名之间的任何内容。
If you are going to use rewirte rules, you might want to learn more about regexp. I often refer to www.regular-expressions.info when I need to look up something.
如果您打算使用reirte规则,您可能想要了解有关regexp的更多信息。当我需要查找某些内容时,我经常会参考www.regular-expressions.info。
#2
19
You can put a .htaccess in the upload directory. The directives will then apply to this directory and the directories below only. See How directives are applied for details.
您可以将.htaccess放在上传目录中。然后,这些指令将仅适用于此目录和下面的目录。有关详细信息,请参见如何应用指令。
So, a .htaccess with FilesMatch can restrict access for files matching *.inc, *.php and so on, when it is in the public directory
因此,当文件位于公共目录中时,带有FilesMatch的.htaccess可以限制与* .inc,* .php等匹配的文件的访问权限
<FilesMatch "\.(?:inc|php|py|rb)$">
Order allow,deny
Deny from all
</FilesMatch>
#3
0
You can use The following easiest and one liner solution to deny access to certen file types:
您可以使用以下最简单和一个线性解决方案来拒绝访问certen文件类型:
RedirectMatch 403 ^/folder/.+\.(png|gif|js)$
This will return a 403 Access forbidden error for clients if they try to access /folder/file.extension .
如果客户端尝试访问/folder/file.extension,则会为客户端返回403 Access forbidden错误。
#1
16
The FilesMatch directive works purely on filenames. It doesn't look at the path portion at all.
FilesMatch指令完全适用于文件名。它根本不看路径部分。
If you want to specify directives in the root .htaccess file to control a subdirectory, you can use mod_rewrite.
如果要在根.htaccess文件中指定指令来控制子目录,可以使用mod_rewrite。
Try this:
尝试这个:
RewriteRule ^uploads/.*\.(php|rb|py)$ - [F,L,NC]
The above will block any filename ending in .php or .rb or .py in the /uploads directory or its subdirectories. For example, it will block:
以上将阻止/ uploads目录或其子目录中以.php或.rb或.py结尾的任何文件名。例如,它将阻止:
- /uploads/something.php
- /uploads/something.php
- /uploads/something/more.php
- /uploads/something/more.php
Note that there is no leading slash in the rewrite rule. The path that you need to use in the directive will be different depending on where it's placed. The above directive, if placed in the document root's .htaccess file, will work for files in a directory called uploads that is directly beneath document root.
请注意,重写规则中没有前导斜杠。您需要在指令中使用的路径将根据其放置位置而有所不同。如果将上述指令放在文档根目录的.htaccess文件中,则该指令将适用于直接位于文档根目录下的名为uploads的目录中的文件。
While the above answers your question, it would be safer to allow only specific files rather than trying to block files. Often a server will execute files with extensions other than the ones you've listed.
虽然上面回答了你的问题,但是只允许特定文件而不是试图阻止文件会更安全。通常,服务器将执行扩展名不同于您列出的扩展名的文件。
You could do something like this:
你可以这样做:
RewriteCond %{REQUEST_URI} ^/uploads [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif)$ [NC]
RewriteRule .* - [F,L]
With the above, if the request URI begins with /uploads but does not end with one of the specified extensions, then it is forbidden. You can change the extensions to whatever suits your needs. But that way, you can permit extensions as needed rather than finding out too late that you missed blocking one.
如上所述,如果请求URI以/ uploads开头但不以指定的扩展名之一结束,则禁止它。您可以将扩展名更改为适合您需要的扩展名。但是这样,你可以根据需要允许扩展,而不是发现你错过了阻止扩展。
This rule (from your question)
这个规则(来自你的问题)
RewriteRule ^(uploads/\.php) - [F,L,NC]
will block
会阻止
- /uploads/.php
- /uploads/.php
- /uploads/.phpmore
- /uploads/.phpmore
but it does not allow for anything between the directory name and the file extension.
但它不允许目录名和文件扩展名之间的任何内容。
If you are going to use rewirte rules, you might want to learn more about regexp. I often refer to www.regular-expressions.info when I need to look up something.
如果您打算使用reirte规则,您可能想要了解有关regexp的更多信息。当我需要查找某些内容时,我经常会参考www.regular-expressions.info。
#2
19
You can put a .htaccess in the upload directory. The directives will then apply to this directory and the directories below only. See How directives are applied for details.
您可以将.htaccess放在上传目录中。然后,这些指令将仅适用于此目录和下面的目录。有关详细信息,请参见如何应用指令。
So, a .htaccess with FilesMatch can restrict access for files matching *.inc, *.php and so on, when it is in the public directory
因此,当文件位于公共目录中时,带有FilesMatch的.htaccess可以限制与* .inc,* .php等匹配的文件的访问权限
<FilesMatch "\.(?:inc|php|py|rb)$">
Order allow,deny
Deny from all
</FilesMatch>
#3
0
You can use The following easiest and one liner solution to deny access to certen file types:
您可以使用以下最简单和一个线性解决方案来拒绝访问certen文件类型:
RedirectMatch 403 ^/folder/.+\.(png|gif|js)$
This will return a 403 Access forbidden error for clients if they try to access /folder/file.extension .
如果客户端尝试访问/folder/file.extension,则会为客户端返回403 Access forbidden错误。