For some application, users are able to upload their own files. Since these can be very large files, they are allowed to upload them via their own FTP client.
Of course I wouldn't like them to upload some PHP files with which they can access all other files on the server. One of the ways I want to prevent this behavior is by denying access to specific file types (like php, rb, py, etc.) only in these folders.
I have found ways to deny access to folders, to files, to files in folders, but nothing about file types in folders.
I tried combining what I've found, like:
<Files ~ ".inc$">
Order allow,deny
Deny from all
</Files>
changing to
<Files uploads/ ".inc$">
Order allow,deny
Deny from all
</Files>
or alternative ways
RewriteRule ^(.php) - [F,L,NC]
to
RewriteRule ^(uploads/.php) - [F,L,NC]
However, I can't find out what syntax I should use.
So, for example, I could have the following (basic example):
/index.php
/uploads/
    hack.php
    hack.rb
    hack.py
    pony.jpg
I want hack.php/rb/py to be unavailable, but everything else to be available. What syntax should I use?
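The following configuration is an added example, not part of the original question. It shows two ways to scope an extension block to the uploads folder; a `<Files>` section cannot take a directory path, so the scoping comes either from where the `.htaccess` file is placed or from the path in the rewrite pattern. It assumes `.htaccess` overrides are enabled for these directives (`AllowOverride`) and uses the folder and extensions from the question.

```apache
# Option A: save as /uploads/.htaccess
# A .htaccess file applies to its own directory and everything below it,
# so no path is needed inside the section.
# (?i) makes the match case-insensitive, so hack.PHP is also covered.

# Apache 2.2 syntax, as used in the question:
<FilesMatch "(?i)\.(php|rb|py)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Apache 2.4 equivalent (mod_authz_core), use instead of the block above:
# <FilesMatch "(?i)\.(php|rb|py)$">
#     Require all denied
# </FilesMatch>

# Option B: save in the document root's .htaccess (requires mod_rewrite)
# In a per-directory context the pattern is matched against the path
# relative to that directory, so it starts with "uploads/" and has no
# leading slash. ".*" also covers files in subfolders of uploads/.
RewriteEngine On
RewriteRule ^uploads/.*\.(php|rb|py)$ - [F,NC]
```

Both options are denylists: any script extension the server can execute but the pattern omits is still served, so the extension list has to match the handlers actually configured on the server.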