htaccess allowing access files by extension?

前端 未结 3 541
借酒劲吻你
借酒劲吻你 2021-01-31 19:36

I saw several htaccess example disabling some files to access:


   order deny,allow
   deny from all

3条回答
  •  失恋的感觉
    2021-01-31 20:17

    Vorapsak's answer is almost correct. It's actually

    order allow,deny
    
       allow from all
    
    

    You need the order directive at the top (and you don't need anything else).

    The interesting thing is, it seems we can't just negate the regex in FilesMatch, which is... weird, especially since the "!" causes no server errors or anything. Well, duh.


    and a bit of explanation:

    The order cause tells the server about its expected default behaviour. The

     order allow,deny
    

    tells the server to process the "allow" directives first: if a request matches any allow directive, it's marked as okay. Then the "deny" directives are evaulated: if a request matches any deny directives, it's denied (it doesn't matter if it was allowed in the first pass). If no matches were found, the file is denied.

    The directive

     order deny,allow
    

    works the opposite way: first the server processes the "deny" directives: if a request matches, it's marked to be denied. Then the "allow" directives are evaulated: if a request matches an allow directive, it's allowed in, even if it matches a deny directive earlier. If a request matches nothing, the file is allowed.

    In this specific case, the server first tries to match the allow directives: it sees that js and sql files are allowed, so a request to foo.js goes through; a request to bar.php matches no directives, so it's denied.

    If we swap the directive to "order deny,allow", then foo.js will go through (for being a js), and bar.php will also go through, as it matches no patterns.


    oh and, one more thing: directives in a section (i.e. < Files> and < Directory>) are always evaulated after the main body of the .htaccess file, overwriting it. That's why Vorapsak's solution did not work as inteded: the main .htaccess denied the request, then the < Files> order was processed, and it allowed the request.

    Htaccess is magic of the worst kind, but there's logic to it.

提交回复
热议问题