I'm trying to let my .htaccess file to force the download a specific *.zip file contained in the root of the website.
Basically, loading my page the user will download automatically my *.zip file without even seeing the Directory Listing.
Here's my .htaccess file:
### MAIN DEFAULTS
Options +ExecCGI -Indexes
DirectoryIndex file.zip
DefaultLanguage en-US
AddDefaultCharset UTF-8
ServerSignature Off
### FORCE FILE TO DOWNLOAD INSTEAD OF APPEAR IN BROWSER
AddType application/octet-stream .zip
AddType application/zip .zip
I can download the file, but the latter has no extension and it's called download.
How can I fix this?
Thanks
-RJ
Add this line to the end of your .htaccess file:
Header set Content-disposition "attachment; filename=file.zip;"
Related
Apache2's mod autoindex allows to include a header and a readme files, that I configured this way in the directory's .htaccess:
ReadMeName footer.html
HeaderName header.php
For some obscure reason, the header file is not read if it is a .php. I renamed it to header.html and in the htaccess too:
HeaderName header.html
and it worked perfectly (even when in .html it included <?php ?> markups)
Why does apache do hat, and is there a way to fix it?
Per the manual on mod_autoindex / HeaderName directive:
Filename must resolve to a document with a major content type of
text/* (e.g., text/html, text/plain, etc.). This means that filename
may refer to a CGI script if the script's actual file type (as opposed
to its output) is marked as text/html...
...while a .php file's content-type is defined as application/x-httpd-php, even if the script's output is by default text/html. However, there's hope yet. You can actually get the PHP parsed by adding the following combo into your .htaccess before your HeaderName directive:
AddHandler application/x-httpd-php .php
AddType text/html .php
Neither of the two on their own will do the job. I presume that here Apache (tested on 2.4) first sets a handler and parses the .php file, and then agrees to understand that the output type is majorly text/html indeed. I'm calling this quirky, but it's working!
So, I moved into a new host. I was using some code in my htaccess to parse css files as PHP. But in this new host, it didn't work. I googled and googled and tried every code I find. All single of them didn't work. Here's some of codes I've tried:
AddHandler application/x-httpd-php .css
AddHandler application/x-httpd-php5 .css
AddHandler application/x-httpd-php53 .css
AddType application/x-httpd-php .css
My PHP version is 5.3.22 and my webhost is using Linux. But they all didn't work. Please help.
From Parse js/css as a PHP file using htaccess
You should just need to add this to your htaccess
<FilesMatch "\.css$">
SetHandler application/x-httpd-php
Header set Content-type "text/css"
</FilesMatch>
If you're getting a 500 Internal Server Error with the Header line, make sure you have mod_headers enabled in your apache config, if mod_headers is not installed and your provider will not install/enable it, you will need to rename your css file to .php and add into your new php file
header("Content-type: text/css");
I just tried making a folder called "style.css" and put a file inside called "index.php" and it works in chrome!
Of course you need to put header("Content-type: text/css"); in the php file and I'm not sure how well it works in other browsers or email clients
Rightio...I am about to add an image upload to my site. After reading some security blogs I have added the following to my htaccess file.
ForceType application/octet-stream
<FilesMatch "(?i)\.jpe?g$">
ForceType image/jpeg
</FilesMatch>
<FilesMatch "(?i)\.gif$">
ForceType image/gif
</FilesMatch>
<FilesMatch "(?i)\.png$">
ForceType image/png
</FilesMatch>
When I browse to a PHP page it downloads the file.php instead of showing the page in the browser.
Any ideas would be much appreciated.
I am working on MAMP locally.
Many thanks
Lewis
When I browse to a PHP page it downloads the file.php instead of showing the page in the browser
That's because you have this line:
ForceType application/octet-stream
by itself, without any condition. That means, everything should have the mime-type application/octet-stream, which browsers see and understand as binary content that should be downloaded. Not sure how this is a security improvement as it makes it so your entire site can be downloaded and viewed as code, as opposed to any dynamically generated content.
You have to put that .htaccess code in a directory that only has image files. If you don't have your images in their own directory, create a directory for them and put them there (and update any links to them).
I have a very interesting problem related to Deflate Compression, Apache (htaccess), and CSS files.
I have two CSS files on my server. One is called styles.php and has dynamic values added based on database values through mod_rewrite in the styles/ directory (it is rewritten from styles.php to site.css and there is a text/css header at the beginning of the file). I also have a regular old css file with static content that doesn't change in the same directory called styles.css.
I've wanted to add compression to my site so I added the following line to start compressing my css and js files. I added this to the root_directory for my website.
<ifModule mod_deflate.c>
<filesMatch "\.(js|css)$">
SetOutputFilter DEFLATE
</filesMatch>
</ifModule>
Well initially that didn't work. So I changed this line in the root htaccess file from this to the next thing. (this code below is located at the top of the file)
AddType application/x-httpd-php5 .html .php
AddType application/x-httpd-php5 .html .php .js .css
Then my js and one of the css files started to be compressed (verified with YSlow.....yay!). The odd thing was the css file that was being rewritten was being compressed (the styles.php file) but the styles.css file (the static one) was no longer being read by the browser. As soon as I deleted ".css" from that AddType line the browser started reading the file again and my css returned to normal, however it was no longer being compressed through apache.
Any thoughts on why a static css file is not being read by the browser if I add the type? I tried it with just text/css instead of .css and it was not compressing the file (but the browser interpreted it).
UPDATE:
I added this to the root htaccess file. We have compressed, interpretted sweetness now.
<filesMatch "\.css$">
FileETag None
<ifModule mod_headers.c>
Header set Content-type "text/css"
</ifModule>
</filesMatch>
When you run a CSS file through the PHP pre-processor, PHP will automatically output it as a text/html file, via default headers, since you're not manually specifying it. So really, your browser is receiving a file with a .css extension which has headers claiming it's an HTML file, so it's trying to interpret it as HTML rather than CSS.
If your CSS file actually needs to be run as PHP and there is PHP in it, you need to re-issue the appropriate file type so when it output, it's still CSS:
<?php
header('Content-type: text/css');
?>
You can't just send a CSS file through PHP and expect it to work exactly the same. If you're not actually pre-processing it with PHP, then you shouldn't be sending it through there.
As for the deflation issue, I could never actually get mod_deflate to work personally (no idea why). I had to use mod_gzip instead.
How do i prevent php files from being downloaded "illegally" like through the browser. And what are some ways someone can use to download the php files?
You can't really avoid files from being downloaded if your application is not secure. The following example allows a malicious user to view any file on your server:
<?php
readfile($_GET['file']);
?>
If you want to prevent Apache from exposing the source code if something is wrong with PHP, add this in your httpd.conf / .htaccess:
# In case there is no PHP, deny access to php files (for safety)
<IfModule !php5_module>
<FilesMatch "\.(php|phtml)$">
Order allow,deny
Deny from all
</FilesMatch>
</IfModule>
# the following should be added if you want to parse .php and .phtml file as PHP
# .phps will add syntax highlighting to the file when requesting it with a browser
<IfModule php5_module>
AddType text/html .php .phtml .phps
AddHandler application/x-httpd-php .php .phtml
AddHandler application/x-httpd-php-source .phps
</IfModule>
Under normal circumstances, nobody is able to download PHP source code, since it is executed on the server. The webserver recognizes PHP scripts and passes them to PHP. The result is then passed back to the browser of the requesting user. The situation you described can only be achieved, if the webserver configuration is really messed up.
<?php
header('Content-disposition: attachment; filename=http://www.victim.com/phpfile.php');
header('Content-type: application/pdf');
readfile('http://www.victim.com/phpfile.php');
?>
Under normal circumstances, nobody is able to download PHP source code (same as the other answer), But if you have a file with a different extension example : page1.bak and you have a page1.php, the page.bak gets downloaded if you just put in the url ht..//.../page1
I have confirmed this with PHP version 5.3.10-1ubuntu3.2 and Apache/2.2.22
In summary avoid putting your config or test files in the production directory unless you want them to be downloaded in raw state.
The Option Multiview should also be disabled in apache2.conf or httpd.conf to avoid defaulting to returning "near-like" filename.
You never download the php file from a web server running php. You can donwload the HTML delivered from the php like in this answer. You don't get php script you get HTML + JavaScript (if some)
<?php
header('Content-disposition: attachment;
filename=http://www.victim.com/phpfile.php');
header('Content-type: application/pdf');
readfile('http://www.victim.com/phpfile.php');
?>