htaccess allowing access files by extension?

借酒劲吻你 2021-01-31 19:36

I saw several htaccess examples that disable access to some files:


   order deny,allow
   deny from all

3 Answers
  • 2021-01-31 19:56

    You can change file permission to "600", so you can just access it via your script, and it will deny direct access.

    <?php
       // Read and write for owner, nothing for everybody else
       chmod("/somedir/somefile", 0600);
    ?>
    

    http://php.net/manual/en/function.chmod.php

  • 2021-01-31 20:08

    Did you try setting a

    deny from all
    

    outside (before) the tag, then changing the

    deny from all
    

    to

    allow from all
    

    inside? Something like

    deny from all
    <Files ~ "\.(js|sql)$">
       order allow,deny
       allow from all
    </Files>
    
  • 2021-01-31 20:17

    Vorapsak's answer is almost correct. It's actually

    order allow,deny
    <Files ~ "\.(js|sql)$">
       allow from all
    </Files>
    

    You need the order directive at the top (and you don't need anything else).

    The interesting thing is, it seems we can't just negate the regex in FilesMatch, which is... weird, especially since the "!" causes no server errors or anything. Well, duh.


    and a bit of explanation:

    The order clause tells the server about its expected default behaviour. The

     order allow,deny
    

    tells the server to process the "allow" directives first: if a request matches any allow directive, it's marked as okay. Then the "deny" directives are evaluated: if a request matches any deny directives, it's denied (it doesn't matter if it was allowed in the first pass). If no matches were found, the file is denied.

    The directive

     order deny,allow
    

    works the opposite way: first the server processes the "deny" directives: if a request matches, it's marked to be denied. Then the "allow" directives are evaluated: if a request matches an allow directive, it's allowed in, even if it matches a deny directive earlier. If a request matches nothing, the file is allowed.

    In this specific case, the server first tries to match the allow directives: it sees that js and sql files are allowed, so a request to foo.js goes through; a request to bar.php matches no directives, so it's denied.

    If we swap the directive to "order deny,allow", then foo.js will go through (for being a js), and bar.php will also go through, as it matches no patterns.


    oh and, one more thing: directives in a section (i.e. <Files> and <Directory>) are always evaluated after the main body of the .htaccess file, overwriting it. That's why Vorapsak's solution did not work as intended: the main .htaccess denied the request, then the <Files> order was processed, and it allowed the request.

    Htaccess is magic of the worst kind, but there's logic to it.

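The evaluation order walked through in the last answer, as a small Python model (an added example, not code from the thread or from Apache). It assumes only `from all` rules and encodes two documented mod_access_compat behaviours: the default `Order` is `Deny,Allow`, and a section that uses any of these directives inherits none of them from the enclosing scope. The dictionary layout and function names are hypothetical.

```python
import re

DEFAULT_ORDER = "deny,allow"  # Apache's default when a scope has no Order directive

def decide(order, allow_hit, deny_hit):
    """Outcome table for Order/Allow/Deny (True = request is served)."""
    if order == "allow,deny":
        # Needs an Allow match and no Deny match; matching nothing => denied.
        return allow_hit and not deny_hit
    if order == "deny,allow":
        # Denied only when a Deny matches and no Allow does; matching nothing => allowed.
        return allow_hit or not deny_hit
    raise ValueError(f"unknown order: {order}")

def effective_section(main, files_sections, filename):
    """Return the access settings that apply to filename.

    A <Files ~ regex> section containing any Order/Allow/Deny directive
    replaces the main body's settings for matching files (no inheritance).
    """
    current = main
    for pattern, section in files_sections:
        if re.search(pattern, filename):
            current = section
    return current

def is_allowed(config, filename):
    section = effective_section(config["main"], config["files"], filename)
    return decide(section.get("order", DEFAULT_ORDER),
                  section.get("allow_all", False),
                  section.get("deny_all", False))

# Constructed encodings of the two variants compared in the last answer.
ACCEPTED = {"main": {"order": "allow,deny"},
            "files": [(r"\.(js|sql)$", {"allow_all": True})]}
SWAPPED = {"main": {"order": "deny,allow"},
           "files": [(r"\.(js|sql)$", {"allow_all": True})]}

def report():
    names = ["foo.js", "dump.sql", "bar.php"]
    return {label: {n: is_allowed(cfg, n) for n in names}
            for label, cfg in (("allow,deny", ACCEPTED), ("deny,allow", SWAPPED))}

if __name__ == "__main__":
    for label, result in report().items():
        print(label, result)
```

With the swapped order the allow-list silently turns into "serve everything", which is why the top-level `Order` line is the security-relevant one. On Apache 2.4 these directives are provided by mod_access_compat and are deprecated in favour of `Require`.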