I have a question. I want to give one customer FTP access to the CSS folder of my webshop. I tried to prevent running PHP in this folder, but its not working. I think my problem is, that i dont want to add another .htaccess in the css folder. I must handle this with the .htaccess file from the main directory.
I tried this
RewriteRule ^css/*\.php$ /404.php [NC,L]
... but its not working. My server is executing php files in the css folder.
Does somebody know how i can prevent executing php files located in subfolders? A better solution would be, to allow only text/css in specific folder.
Info: Im using Plesk.
A better way to do it would be to just switch PHP off in that directory if you don't want it running... though granted this would mean that additional .htaccess file. However it would also prevent PHP from running in anything like .phtml files as well - I'd say it's more foolproof than just 404-ing anything.php.
You can set PHP boolean type settings, in .htaccess, with php_flag
In this case, in the relevant .htaccess file:
php_flag engine off
As Mike Rockett points out - since the user has FTP access to that folder you'll need to change ownership of the .htaccess file (CHOWN) to prevent the user tampering with or removing it.
You need to use regular expressions, and not wildcards. Replace the * with (.*):
RewriteEngine on
RewriteRule ^css/(.*).php$ /404.php [NC,L]
You can use the following as an alternative:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} ^/css/
RewriteRule (.*).php /404.php [L]
I would recommend, however, that you make it clear that access to the file is denied:
RewriteRule (.*).php - [F,L]
Related
I've been searching and testing as many different ways to do this as I can but nothing seems to be working. In a nut shell, I'm streaming audio, but the path is obfuscated via a rewritecond rule. I don't want direct access via the browser to the streaming file, but PHP still needs access to the file to stream it. Here is the streaming URL:
www.test.com/audio/32478576
The "audio" directory doesn't exist. I'm using .htaccess to redirect it to the streaming script. Here are the .htaccess bits:
RewriteRule ^/?audio/([\d]+)/?$ serve.php?id=$1 [L,QSA]
All that works great. So, I figured that all that would be needed to deny access to the file would be to add the following to my .htaccss file:
<Files ~ "audio/">
order allow,deny
deny from all
</Files>
That didn't work. I was still able to get the audio to stream directly from the browser.
Perhaps this is not possible - trying to do what I want it to do. What am I missing? .htaccess is not my strength by any means, but I still think it's possible. I just don't have the right code or things in the right order, perhaps. Any help is greatly appreciated. Thanks.
UPDATE:
There may be something wrong with my server setup. I did a basic test with the following Rewrite:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)test.com/.*$ [NC]
RewriteRule test\.php$ - [F]
But I still had direct access to the test.php file. But - I shouldn't, right? Perhaps something is incorrectly set on my server?
<directory> and <files> directives apply to the filesystem. Since /audio directory does not exist, the <Files ~ "audio/"> has no effect.
<Location> directive applies to Urls, and may work.
In a different approach, if Apache version is 2.4, it can be done as it is described in this documentation page http://httpd.apache.org/docs/current/howto/access.html.
As I understand you want to prevent serve.php from being accessed outside your domain test.com. If so then, the HTTP_REFERRER should be a url containing test.com.
The HTTP_REFERRER can be checked from htaccess using code that prevents hot linking of media files. This link: https://mediatemple.net/community/products/dv/204644230/prevent-hotlinking-with-a-htaccess-file describes how to prevent hot linking of media files. The code given in the link can be modified to prevent hot linking of your serve.php file. The following code should work:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)test.com/.*$ [NC]
RewriteRule audio/.+$ - [F]
How am I able to hide a .php extension in an URL address, so that this address:
http://www.thesite.com/somefile.php
would look like:
http://www.thesite.com/somefile
without the use of the .htaccess file. The reason for that being because I have many directories and would want to hide the extension on all those files in every directory. I have tried to set expose_php to off, and this still fails with error 404.
I am using PHP 5.3.10 and Apache server.
Although you specifically said no, using the .htaccess file would remove the .php extension from all PHP files in all subdirectories in a site. I think that is what you are going for.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php
</IfModule>
Putting that into the .htaccess file will remove all the .php file extensions. Or you could put it directly into the webserver's configuration files.
You can achieve this with URL rewriting. If you don't want to use .htaccess, you can write the rule in your host configuration file.
It seems I am stuck. I have found answers, but I can't get them to work.
I am working on this website. I use a switch to determine what content should be visible. I use the variable $page.
The links with this method are not good for SEO so I want them to be /example instead of index.php?page=example.
I have looked at all the different answers to this on StackOverflow, but I can't get any solutions to work. There are no errors coming up and the site will show just fine, but the rewrite doesn't work.
I have tried on both my servers on servage.net and one.com
Any suggestions? :D would be much appreciated!
Try adding this to the .htaccess file in your web document root folder (often public_html or htdocs), then point your browser to example.com/somepage:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^./]+)/?$ page=$1 [L,R]
Once you are satisfied that the redirect works, you can change the R to R=301 to make it permanent.
This assumes that mod_rewrite is both installed and activated for htaccess files.
If you are not sure, to check if mod_rewrite is installed, look at the list of installed modules in the output of phpinfo();
By default, mod_rewrite is not enabled for htaccess files. If you are managing your own server, open httpd.conf
and make sure that the webroot directory block contains one of these lines: AllowOverride FileInfo or AllowOverride All
Alright, so I've downloaded a CMS for a server I'm setting up and I have some difficulty with the path the files are on.
I have put the CMS in a subdirectory on my server as the root directory is already being used by another CMS. However, the CMS repeatedly uses "/" in the code to link to their files. For example, an image is found using this code:
<img src="/images/banner.png" />
As you know this will not work, because the link above redirects the request to the images folder in the root of the server, not the subdirectory. The CMS also came with a ".htaccess" file, so I immediately thought that I could redirect all requests made using the "/" character to the subdirectory on the server. This is the original ".htaccess" file:
RewriteEngine On
RewriteRule ^index.php(|/)$ content/.php
RewriteRule ^error.php(|/)$ content/error.php
RewriteRule ^housekeeping(|/)$ housekeeping/index.php
RewriteRule ^(|/)$ content/$1.php
RewriteRule ^([a-zA-Z0-9_-]+)(|/)$ content/$1.php
RewriteRule ^rd/([^/]+)(|/)$ /rd.php?id=$1
RewriteRule ^quickregister/start(|/)$ /register/start.php
RewriteRule ^quickregister/step2(|/)$ /register/step2.php
RewriteRule ^quickregister/step3(|/)$ /register/complete.php
RewriteRule ^community/online(|/)$ content/online.php
RewriteRule ^community/vip(|/)$ content/vip.php
RewriteRule ^credits/goldvip(|/)$ content/goldvip.php
RewriteRule ^home/(..*)$ content/home.php?u=$1
RewriteRule ^articles/(..*)$ content/articles.php?story=$1
ErrorDocument 403 /content/error.php
ErrorDocument 404 /content/error.php
I thought that by adding
RewriteRule ^/$ /subdirectory/
the requests to "/" would be redirected, but to no avail. I have checked the apache configuration and it seems that overwriting the config using htaccess files is enabled, so if anyone is able to help me out I'd be very happy.
Thanks in advance!
EDIT:
I came real close to a solution. I inserted this code just below "RewriteEngine on":
RewriteRule ^(.*)/(.*)$ /private_servers/strebbohotel/$2
This returned the following error page when visiting the url "http://mysite.com/private_servers/strebbohotel/content/.php":
Not Found
The requested URL /private_servers/strebbohotel/.php was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
As you can see, it skips the "content" subdirectory for some reason. I believe it has something to do with the other lines of the .htaccess file but I can't figure out which ones. It also could be that I need a more complex regex, but I'm not particularly good with it so if someone could help me further I'd be thankful.
You have to change the .htaccess file on yout root directory - and that will mess with the other CMS. The only solution that comes to my mind is to use combination of RewriteCond's:
RewriteCond %{HTTP_REFERER} my_better_cms_url_regex
RewriteCond %{REQUEST_URI} ^/images/.*$
RewriteRule ^.*$ /subdirectory/%{REQUEST_URI}
That should do the trick. If you want to customize it, refer to this cheatsheet (or simmilar). But be aware, that .htaccess in root directory is checked against ALL requests made to your subdir cms - therefore the need for second condition.
The .htaccess file in your CMS subdirectory would have no effect on requests made against the server root directory. You would need to add an .htaccess there.
Even then though, I don't know how you would differentiate requests from the CMS (like the image request in your example) from those intended for the application in the web root.
Does your CMS not have any configuration setting that allow you to specify a path the the files other than the web root?
You want to use:
RewriteBase /another_root_dir/
in the beginning of your .htaccess file
I am allowing people to upload their project files, I've tightened my security but I just need to get to the simple point. How can I stop execution of any files in the subdirectories they're uploading too?
I'm thinking .htaccess but I'd need to generate one for each new subdirectory (I think), would I need to scrap my current code and use a .php file to send headers to force DL on the file instead of running?
What do you think is an easy and safe solution for this? It just uploads to a subdirectory like uploads/~foo/bar.html or something, it looks nice that way so it'd be nice if it can stay like that format.
Put this in uploads/.htaccess:
RemoveType application/x-httpd-php .php
This will work for all subfolders. Also make sure you don't parse .htaccess in the users folders. This can be done by AllowOverride None in the main server config, or it can be done by not allowing uploads of .htaccess files in the first place.
If for example these uploaded files are in the directory "uploads" and subdirectories of it:
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_URI} \.php [NC]
RewriteCond %{REQUEST_URI} \/uploads\/
RewriteRule ^(.*)$ index.php [F,L]