Rightio...I am about to add an image upload to my site. After reading some security blogs I have added the following to my htaccess file.
ForceType application/octet-stream
<FilesMatch "(?i)\.jpe?g$">
ForceType image/jpeg
</FilesMatch>
<FilesMatch "(?i)\.gif$">
ForceType image/gif
</FilesMatch>
<FilesMatch "(?i)\.png$">
ForceType image/png
</FilesMatch>
When I browse to a PHP page it downloads the file.php instead of showing the page in the browser.
Any ideas would be much appreciated.
I am working on MAMP locally.
Many thanks
Lewis
When I browse to a PHP page it downloads the file.php instead of showing the page in the browser
That's because you have this line:
ForceType application/octet-stream
by itself, without any condition. That means, everything should have the mime-type application/octet-stream, which browsers see and understand as binary content that should be downloaded. Not sure how this is a security improvement as it makes it so your entire site can be downloaded and viewed as code, as opposed to any dynamically generated content.
You have to put that .htaccess code in a directory that only has image files. If you don't have your images in their own directory, create a directory for them and put them there (and update any links to them).
Related
I'm trying to let my .htaccess file to force the download a specific *.zip file contained in the root of the website.
Basically, loading my page the user will download automatically my *.zip file without even seeing the Directory Listing.
Here's my .htaccess file:
### MAIN DEFAULTS
Options +ExecCGI -Indexes
DirectoryIndex file.zip
DefaultLanguage en-US
AddDefaultCharset UTF-8
ServerSignature Off
### FORCE FILE TO DOWNLOAD INSTEAD OF APPEAR IN BROWSER
AddType application/octet-stream .zip
AddType application/zip .zip
I can download the file, but the latter has no extension and it's called download.
How can I fix this?
Thanks
-RJ
Add this line to the end of your .htaccess file:
Header set Content-disposition "attachment; filename=file.zip;"
i have had a search around but haven't been able to find a similar problem.
When i add the following to my htaccess file (i want to restrict upload types to my server)
ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(doc?x|txt|xls?x|csv|pdf|ppt?x|zip|gif|jpe?g|png)$">
ForceType none
Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff
I then refresh my page it then opens the download dialog box instead of showing the php page. I though it might be the deflate mod compressing the htaccess onto 1 line but im not so sure now.
could anyone point me in the right direction?
Thanks
Thanks to the comments above i have sorted the problem. it was my mistake
I have a very interesting problem related to Deflate Compression, Apache (htaccess), and CSS files.
I have two CSS files on my server. One is called styles.php and has dynamic values added based on database values through mod_rewrite in the styles/ directory (it is rewritten from styles.php to site.css and there is a text/css header at the beginning of the file). I also have a regular old css file with static content that doesn't change in the same directory called styles.css.
I've wanted to add compression to my site so I added the following line to start compressing my css and js files. I added this to the root_directory for my website.
<ifModule mod_deflate.c>
<filesMatch "\.(js|css)$">
SetOutputFilter DEFLATE
</filesMatch>
</ifModule>
Well initially that didn't work. So I changed this line in the root htaccess file from this to the next thing. (this code below is located at the top of the file)
AddType application/x-httpd-php5 .html .php
AddType application/x-httpd-php5 .html .php .js .css
Then my js and one of the css files started to be compressed (verified with YSlow.....yay!). The odd thing was the css file that was being rewritten was being compressed (the styles.php file) but the styles.css file (the static one) was no longer being read by the browser. As soon as I deleted ".css" from that AddType line the browser started reading the file again and my css returned to normal, however it was no longer being compressed through apache.
Any thoughts on why a static css file is not being read by the browser if I add the type? I tried it with just text/css instead of .css and it was not compressing the file (but the browser interpreted it).
UPDATE:
I added this to the root htaccess file. We have compressed, interpretted sweetness now.
<filesMatch "\.css$">
FileETag None
<ifModule mod_headers.c>
Header set Content-type "text/css"
</ifModule>
</filesMatch>
When you run a CSS file through the PHP pre-processor, PHP will automatically output it as a text/html file, via default headers, since you're not manually specifying it. So really, your browser is receiving a file with a .css extension which has headers claiming it's an HTML file, so it's trying to interpret it as HTML rather than CSS.
If your CSS file actually needs to be run as PHP and there is PHP in it, you need to re-issue the appropriate file type so when it output, it's still CSS:
<?php
header('Content-type: text/css');
?>
You can't just send a CSS file through PHP and expect it to work exactly the same. If you're not actually pre-processing it with PHP, then you shouldn't be sending it through there.
As for the deflation issue, I could never actually get mod_deflate to work personally (no idea why). I had to use mod_gzip instead.
I have a folder called "files" I have a .htaccess file in there which job is to determine if the file is going to be "downloaded" or just viewed (NOT EXECUTED (.txt, .php etc) But I want image files to be viewed, as they are... images! So they shouldn't be downloaded.
I tried with
Header set Content-Disposition attachment
Header set Content-Type application/octet-stream
But that give me an error
How do I set up this rules?
Download files.
Show images (if Images, of course, show .pdf documents etc).
View (DONT EXECUTE!) .php, .txt etc.
Is this a secure method, by the way?
First set download code for all then add code for specific file like image and PDF
<Files *.*>
ForceType applicaton/octet-stream
</Files>
<Files *.jpeg>
ForceType image/jpeg
</Files>
<Files *.jpg>
ForceType image/jpeg
</Files>
<Files *.pdf>
ForceType application/pdf
</Files>
I currently have a Movable Type blog where the pages do not have any file extensions...so example.com/entries/this-is-my-entry
I added DefaultType text/html, so Apache knows if there isn't any extension on the end of the file to display as HTML. That works great.
Now the problem is I have PHP code in the HTML. The page won't render the PHP code if there is no extension. However, when I publish the entries with a .html extension....the PHP code works perfectly.
I have AddHandler php5-script .html to tell Apache to display PHP in the HTML files. I'm guessing, if there isn't any file extension, it doesn't know to render the PHP code, because it is expecting files with a .html extension...is there a way to say any file that doesn't have an extension can use PHP?
I'm doing the same implementation for my personal MT blog, with the entries having no file extension. (The theory being that I could switch to other techniques in the future without being hampered by extensions like .html, .php, etc.)
You can accomplish this by setting your default type to be PHP:
DefaultType application/x-httpd-php
All PHP files are interpreted at first as HTML, so this works even for files with no PHP in them.
Maybe you can try using <FileMatch> directive? Something like
<FilesMatch "^[^\.]$">
ForceType application/x-httpd-php
</FilesMatch>
There is nothing directly corresponding to DefaultType for AddHandler, but you can hack around it in a fairly ugly way:
<FilesMatch "^(?!.*\..+)">
SetHandler php5-script
</FilesMatch>