拒绝访问特定文件类型的特定目录文件类型、目录
对于某些应用程序,用户可以上传自己的文件。因为这可能是非常大的文件,他们被允许上传他们通过自己的FTP客户端。
For some application, users are able to upload their own files. Since this can be very large files, they are allowed to upload them via their own FTP client.
当然,我不希望他们上传一些PHP文件,使他们能够访问服务器上的所有其他文件。一个我想prevent方式这一行为是拒绝访问特定文件类型(如PHP,RB,PY等),只有在这些文件夹中。
Of course I wouldn't like them to upload some PHP files with which they can access all other files on the server. One of the ways I want to prevent this behavior is by denying access to specific file types (like php, rb, py, etc.) only in these folders.
我已经找到了拒绝访问的文件夹,给文件,在文件夹中的文件,但没有任何有关文件夹中的文件类型。
I have found ways to deny access to folders, to files, to files in folders, but nothing about file types in folders.
我试着结合我所发现,这样的:
I tried combining what I've found, like:
<Files ~ ".inc$">
Order allow,deny
Deny from all
</Files>
更改为
<Files uploads/ ".inc$">
Order allow,deny
Deny from all
</Files>
或替代方法
RewriteRule ^(.php) - [F,L,NC]
到
RewriteRule ^(uploads/.php) - [F,L,NC]
不过,我无法找到我应该使用什么样的语法。
However, I can't find out what syntax I should use.
因此,例如,我可以有以下的(基本的例子):
So, for example, I could have the following (basic example):
/index.php
/uploads/
hack.php
hack.rb
hack.py
pony.jpg
我想hack.php / RB / PY不可用,但一切可用。我应该使用什么语法?
I want hack.php/rb/py to be unavailable, but everything else to be available. What syntax should I use?
推荐答案
在FilesMatch指令适用纯粹的文件名。它不看路部分都没有。
The FilesMatch directive works purely on filenames. It doesn't look at the path portion at all.
如果你想在根.htaccess文件中指定的指令来控制一个子目录,您可以使用的mod_rewrite 。
If you want to specify directives in the root .htaccess file to control a subdirectory, you can use mod_rewrite.
试试这个:
RewriteRule ^uploads/.*.(php|rb|py)$ - [F,L,NC]
以上将阻止以.php或.RB的.py或在/上传目录或子目录结尾的文件名。例如,它会阻止:
The above will block any filename ending in .php or .rb or .py in the /uploads directory or its subdirectories. For example, it will block:
/uploads/something.php /uploads/something/more.php需要注意的是,在重写规则没有斜线。你需要在指令中使用的路径将是不同取决于它被放置。上面的指令,如果放在文档根目录的.htaccess文件,将工作文件名为目录的上传的是直接的文档根目录下。
Note that there is no leading slash in the rewrite rule. The path that you need to use in the directive will be different depending on where it's placed. The above directive, if placed in the document root's .htaccess file, will work for files in a directory called uploads that is directly beneath document root.
虽然上述回答你的问题,这将是安全,让只有特定的文件,而不是试图阻止的文件。通常,服务器会扩展,而不是您所列出的其他执行文件。
While the above answers your question, it would be safer to allow only specific files rather than trying to block files. Often a server will execute files with extensions other than the ones you've listed.
您可以做这样的事情:
RewriteCond %{REQUEST_URI} ^/uploads [NC]
RewriteCond %{REQUEST_URI} !.(jpe?g|png|gif)$ [NC]
RewriteRule .* - [F,L]
使用上述情况,如果请求的URI开始/上传,但与指定的扩展名之一并没有结束,那么它是被禁止的。您可以更改的任何适合您需要的扩展。但这种方式,您可以根据需要,而不是发现得太晚,你错过了阻断一个允许扩展。
With the above, if the request URI begins with /uploads but does not end with one of the specified extensions, then it is forbidden. You can change the extensions to whatever suits your needs. But that way, you can permit extensions as needed rather than finding out too late that you missed blocking one.
该规则(从你的问题)
RewriteRule ^(uploads/.php) - [F,L,NC]
将阻止
/uploads/.php /uploads/.phpmore,但它不容许的目录名和文件扩展名之间的任何东西。
but it does not allow for anything between the directory name and the file extension.
如果您要使用rewirte规则,你可能想了解更多关于正则表达式。我常常把 www.regular-EX pressions.info 当我需要仰视的东西。
If you are going to use rewirte rules, you might want to learn more about regexp. I often refer to www.regular-expressions.info when I need to look up something.
