
Restrict access to upload folders (.htaccess)

RussH edited this page May 6, 2021 · 25 revisions

To stop PHP or other scripts being served or executed from the uploads directory (or any other directory that should only ever hold data), put the .htaccess below in that directory. Where possible, make root, not the web server user, the owner of this .htaccess so the web server process cannot rewrite it.

The syntax below is for the Apache web server; nginx ignores .htaccess files entirely.

1. Ownership

Ensure your upload directory is owned by the user the web server runs as (usually www-data or apache) and that its mode is 755, never 777: a world-writable directory lets any local account drop files into it.

Give the directory tree to the web server user, then take .htaccess back for root: a recursive chown would otherwise hand .htaccess to the web server as well. Directories get 755 and files 644 (a recursive 755 would mark every uploaded file executable, which nothing needs). .htaccess is read/write for root and read-only for group and world.

chown -R apache:apache uploads/
find uploads/ -type d -exec chmod 755 {} +
find uploads/ -type f -exec chmod 644 {} +
chown root:root uploads/.htaccess
chmod 644 uploads/.htaccess

Root ownership stops the web server process editing .htaccess in place, but because that process owns and can write the directory it can still delete the file and create a new one. Treat this as defence in depth: the same rules placed in the main server configuration, with AllowOverride None for the directory, cannot be displaced that way.

2. .htaccess

Generally an .htaccess is owned by the web server user (www-data or apache). In this case OpenCATS never rewrites it, so it is more secure for .htaccess to be owned and writable by root only.

# Apache 2.2 access syntax (Order/Allow/Deny); see Notes for the 2.4 equivalents

# Don't list directory contents
IndexIgnore *
# Disable script execution: hand these extensions to the CGI handler, then
# switch CGI off, so a request for any of them fails with 403 instead of running
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .pl .py .js .jsp .asp .htm .html .shtml .sh .cgi

Options -ExecCGI -Indexes

# Deny everything by default, then serve only document types
# (pdf, rtf, odf, doc, docx, txt, wpd). This controls what the web server
# will serve, not what OpenCATS accepts on upload.
Order Allow,Deny
Deny from all

<FilesMatch "\.([Pp][Dd][Ff]|[Dd][Oo][Cc][Xx]?|[Rr][Tt][Ff]|[Oo][Dd][Ff]|[Tt][Xx][Tt]|[Ww][Pp][Dd])$">
Allow from all
</FilesMatch>

# Refuse anything with a second extension, e.g. resume.pdf.php. Note that this
# also refuses legitimate names containing a dot, such as john.doe.pdf.
<FilesMatch ".*\.([^.]+)\.([a-zA-Z0-9]+)$">
Order Deny,Allow
Deny from all
</FilesMatch>

Notes

Note that the access-control syntax changed between Apache 2.2 and Apache 2.4, so use the syntax for your version. An example of the change:

On Apache 2.2 Version

<Directory /var/www/html>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>

On Apache 2.4 Version this would be

<Directory /var/www/html>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>

Please ensure you are using the correct syntax. On Apache 2.4 the Order/Allow/Deny directives in the .htaccess above only work when mod_access_compat is loaded, and the Apache documentation advises against mixing them with Require in the same configuration.
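The same upload-directory rules in Apache 2.4 syntax, as an added example that is not part of the original page or of the OpenCATS project. It is written as a `<Directory>` block for the main server configuration, which is the stronger placement because the web server process cannot replace it; the body between the `<Directory>` tags works unchanged as an .htaccess as well. The path is an assumption; adjust it to your install.

```apacheconf
# Added example: Apache 2.4 form of the upload-directory rules.
# The directory path is an assumption.
<Directory "/var/www/html/opencats/attachments">
    # No .htaccess processing here: the web server user owns this directory,
    # so a dropped .htaccess must not be able to loosen these rules
    AllowOverride None

    # No directory listings, no CGI
    Options -Indexes -ExecCGI
    IndexIgnore *

    # Same trick as the 2.2 file: script extensions go to the CGI handler,
    # and CGI is off, so they answer 403 instead of executing
    AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .pl .py .js .jsp .asp .htm .html .shtml .sh .cgi

    # Default: nothing in this directory is served
    Require all denied

    # Only these document types are served; (?i) makes the match case-insensitive
    <FilesMatch "(?i)\.(pdf|docx?|rtf|odf|txt|wpd)$">
        Require all granted
    </FilesMatch>

    # A second alphanumeric extension (resume.pdf.php, but also john.doe.pdf)
    # is refused; this later section overrides the grant above
    <FilesMatch "\.[^.]+\.[a-zA-Z0-9]+$">
        Require all denied
    </FilesMatch>
</Directory>
```

If PHP runs through php-fpm, the server-level `<FilesMatch "\.php$"> SetHandler ...` that hands files to FPM is merged after directory configuration and overrides the `AddHandler` line, so the `Require all denied` default, not the handler trick, is what actually stops a stray .php file from being served; keep both, but test the Require rules.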

Finally of course - test, test, test.. once you add your htaccess file, please try to upload valid and invalid files.
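A probe script for that testing, as an added example that is not part of the original page or of the OpenCATS project. It fetches a fixed set of file names from the upload URL and compares each HTTP status with what the rules above should produce: 403 for any name with a second alphanumeric extension, 200 for a single pdf/doc/docx/rtf/odf/txt/wpd extension in any case, 403 for everything else. The upload URL is an assumption passed as the first argument; create the probe files on the server first (as root, not through the web UI), otherwise a reachable name answers 404 instead of 200.

```shell
#!/bin/sh
# Added example: probe the upload-directory rules over HTTP.
# Usage: sh check_uploads.sh https://example.com/opencats/attachments
# (the URL is an assumption; pass your own). Create the probe files first:
#   cd uploads && touch resume.pdf RESUME.PDF notes.docx shell.php \
#       shell.php.pdf resume.pdf.php john.doe.pdf script.sh README

# Status the rules should give for a file name, mirroring the two FilesMatch
# sections and the Deny-from-all default in the .htaccess above.
expected_status() {
    name=$1
    # second FilesMatch: any additional alphanumeric extension is refused
    if printf '%s\n' "$name" | grep -Eq '\.[^.]+\.[A-Za-z0-9]+$'; then
        echo 403
        return 0
    fi
    # first FilesMatch: single document extension, case-insensitive, is served
    if printf '%s\n' "$name" | grep -Eiq '\.(pdf|docx?|rtf|odf|txt|wpd)$'; then
        echo 200
        return 0
    fi
    # everything else falls through to Deny from all
    echo 403
}

# Constructed probe names: valid documents, scripts, double extensions,
# a dotted but legitimate name, and a name with no extension at all
PROBES="resume.pdf RESUME.PDF notes.docx shell.php shell.php.pdf resume.pdf.php john.doe.pdf script.sh README"

# Fetch each probe and report mismatches; returns 1 if any rule fails
check_uploads() {
    base=${1%/}
    rc=0
    for f in $PROBES; do
        want=$(expected_status "$f")
        got=$(curl -s -o /dev/null -w '%{http_code}' "$base/$f")
        # a 404 on a servable name means access was granted but the probe file is missing
        if [ "$got" = "$want" ] || { [ "$want" = 200 ] && [ "$got" = 404 ]; }; then
            echo "ok    $f -> $got"
        else
            echo "FAIL  $f -> got $got, expected $want"
            rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    check_uploads "$1"
fi
```

A denied name answers 403 whether or not the file exists, because Apache's access check runs before it looks for the file; that is why only the "allowed" probes are given the 404 allowance. Run the script after every Apache upgrade as well as after editing the rules, since a 2.2-style .htaccess silently stops working on 2.4 once mod_access_compat is removed.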