
I am new to editing .htaccess files. I have a .htaccess file that was created for me a while ago, but now I have added a new feature to my site to allow people to download PDF files, and it appears my .htaccess file is preventing the script from running and giving a 403 error. If I type the URL directly into the browser, it downloads. Here is my .htaccess file:

# ----------------------------------------------------------------------
# Default Lang and Basic Security Behavior
# ----------------------------------------------------------------------
# Hide X-Powered-By so responses do not reveal whether you're using PHP, ASP or anything else
Header unset X-Powered-By
# Set by default UTF-8 charset
AddDefaultCharset UTF-8
# English language for these files, change it for your needs
AddLanguage en-GB .html .htm .css .js
# Set the default charset for every feed methods
AddCharset utf-8 .atom .css .js .json .rss .vtt .xml
# UK timezone, change it for your needs
SetEnv TZ   Europe/London
# Do not allow any pages to be framed by other origins - defends against clickjacking
Header set X-Frame-Options SAMEORIGIN
# Turn on IE8-IE9 XSS prevention tools
Header set X-XSS-Protection "1; mode=block"
# Only allow JavaScript from the same domain to be run.
# Do not allow inline JavaScript to run.
Header set X-Content-Security-Policy "allow 'self';"
# Prevent mime based attacks
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
# Disable server sign
ServerSignature Off
# drop Range header when more than 5 ranges. CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK. Bytes, 0-2147483647(2GB)
LimitRequestBody 2147483647
#
#
# 301 Redirect Old File
Redirect 301 /list /property-list
# ----------------------------------------------------------------------
# Better website experience for IE users. We care of them LOL
# ----------------------------------------------------------------------
# Force the latest IE version, in various cases when it may fall back to IE7 mode
# further details: github.com/rails/rails/commit/123eb25#commitcomment-118920
# Use ChromeFrame if it's installed for a better experience for the poor IE folks
<IfModule mod_headers.c>
  Header set X-UA-Compatible "IE=Edge,chrome=1"
  # mod_headers cannot match by content-type, but we don't want to send this header on *everything*...
  <FilesMatch "\.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|oex|xpi|safariextz|vcf)$" >
    Header unset X-UA-Compatible
  </FilesMatch>
  # Header set P3P "policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADM DEV OUR BUS""
  # OR THIS, SIMPLER
  # Header set P3P "policyref="/w3c/p3p.xml""
</IfModule>
#
#
# ----------------------------------------------------------------------
# Cross-domain AJAX requests, ENABLE CSRF first (see above)
# ----------------------------------------------------------------------
# Serve cross-domain Ajax requests, disabled by default. Enable-cors.org
# code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
#  <IfModule mod_headers.c>
#    Header set Access-Control-Allow-Origin "*"
#  </IfModule>
#
#
# ----------------------------------------------------------------------
# CORS-enabled images (@crossorigin)
# ----------------------------------------------------------------------
# Send CORS headers if browsers request them; enabled by default for images.
# further details:
# - developer.mozilla.org/en/CORS_Enabled_Image
# - blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
# - hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
# - wiki.mozilla.org/Security/Reviews/crossoriginAttribute
<IfModule mod_setenvif.c>
  <IfModule mod_headers.c>
    # mod_headers, y u no match by Content-Type?!
    <FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
      SetEnvIf Origin ":" IS_CORS
      Header set Access-Control-Allow-Origin "*" env=IS_CORS
    </FilesMatch>
  </IfModule>
</IfModule>
#
# ----------------------------------------------------------------------
# Webfont access
# ----------------------------------------------------------------------
# Allow access from all domains for webfonts. Alternatively you could only whitelist your
# subdomains like "subdomain.example.com".
<IfModule mod_headers.c>
  <FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
</IfModule>
#
#
# ----------------------------------------------------------------------
# Proper MIME type for all files
# ----------------------------------------------------------------------
# JavaScript
# Normalize to standard type (it is sniffed in IE anyways)
# further details: tools.ietf.org/html/rfc4329#section-7.2
AddType application/javascript         js jsonp
AddType application/json               json
#
# Audio
#
AddType audio/ogg                      oga ogg
AddType audio/mp4                      m4a f4a f4b
#
# Video
#
AddType video/ogg                      ogv
AddType video/mp4                      mp4 m4v f4v f4p
AddType video/webm                     webm
AddType video/x-flv                    flv
#
# SVG
# Required for svg webfonts on iPad
# further details: twitter.com/FontSquirrel/status/14855840545
#
AddType     image/svg+xml              svg svgz
AddEncoding gzip                       svgz
#
# Webfonts
#
AddType application/vnd.ms-fontobject  eot
AddType application/x-font-ttf         ttf ttc
AddType font/opentype                  otf
AddType application/x-font-woff        woff
#
# Assorted types
#
AddType image/x-icon                        ico
AddType image/webp                          webp
AddType text/cache-manifest                 appcache manifest
AddType text/x-component                    htc
AddType application/xml                     rss atom xml rdf
AddType application/x-chrome-extension      crx
AddType application/x-opera-extension       oex
AddType application/x-xpinstall             xpi
AddType application/octet-stream            safariextz
AddType application/pdf                     pdf
AddType application/x-web-app-manifest+json webapp
AddType text/x-vcard                        vcf
AddType application/x-shockwave-flash       swf
AddType text/vtt                            vtt
#
#
# ----------------------------------------------------------------------
# Allow concatenation from within specific js and css files
# ----------------------------------------------------------------------
# e.g. Inside of script.combined.js you could have
#   <!--#include file="libs/jquery-1.5.0.min.js" -->
#   <!--#include file="plugins/jquery.idletimer.js" -->
# and they would be included into this single file.
# This is not in use in the boilerplate as it stands. You may
# choose to use this technique if you do not have a build process.
#<FilesMatch "\.combined\.js$">
#  Options +Includes
#  AddOutputFilterByType INCLUDES application/javascript application/json
#  SetOutputFilter INCLUDES
#</FilesMatch>
#<FilesMatch "\.combined\.css$">
#  Options +Includes
#  AddOutputFilterByType INCLUDES text/css
#  SetOutputFilter INCLUDES
#</FilesMatch>
#
#
# ----------------------------------------------------------------------
# Gzip compression
# ----------------------------------------------------------------------
<IfModule mod_gzip.c>
    mod_gzip_on       Yes
    mod_gzip_dechunk  Yes
    mod_gzip_item_include file      .(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler   ^cgi-script$
    mod_gzip_item_include mime      ^text/.*
    mod_gzip_item_include mime      ^application/x-javascript.*
    mod_gzip_item_exclude mime      ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
<IfModule mod_deflate.c>
  # Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
  <IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
      SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
      RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
    </IfModule>
  </IfModule>
  # Compress all output labeled with one of the following MIME-types
  <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE application/atom+xml \
                                  application/javascript \
                                  application/json \
                                  application/rss+xml \
                                  application/vnd.ms-fontobject \
                                  application/x-font-ttf \
                                  application/xhtml+xml \
                                  application/xml \
                                  font/opentype \
                                  image/svg+xml \
                                  image/x-icon \
                                  text/css \
                                  text/html \
                                  text/plain \
                                  text/x-component \
                                  text/xml
  </IfModule>
</IfModule>
#
#
# ----------------------------------------------------------------------
# Expires headers (for better cache control)
# ----------------------------------------------------------------------
# These are pretty far-future expires headers.
# They assume you control versioning with filename-based cache busting
# Additionally, consider that outdated proxies may miscache
# further details: www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
# If you do not use filenames to version, lower the CSS and JS to something like "access plus 1 week".
<IfModule mod_expires.c>
  ExpiresActive on
# 1 YEAR - does not change often
# (kept inside the mod_expires check so a server without the module does not fail with a 500)
  <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
    ExpiresDefault A29030400
  </FilesMatch>
#
# Perhaps better to whitelist expires rules? Perhaps.
#
  ExpiresDefault                          "access plus 1 month"
#
# cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)
#
  ExpiresByType text/cache-manifest       "access plus 0 seconds"
#
# Your document html
#
  ExpiresByType text/html                 "access plus 0 seconds"
#
# Data
#
  ExpiresByType text/xml                  "access plus 0 seconds"
  ExpiresByType application/xml           "access plus 0 seconds"
  ExpiresByType application/json          "access plus 0 seconds"
#
# Feed
#
  ExpiresByType application/rss+xml       "access plus 1 hour"
  ExpiresByType application/atom+xml      "access plus 1 hour"
#
# Favicon (cannot be renamed)
#
  ExpiresByType image/x-icon              "access plus 1 month"
#
# Media: images, video, audio
#
  ExpiresByType image/gif                 "access plus 1 month"
  ExpiresByType image/png                 "access plus 1 month"
  ExpiresByType image/jpeg                "access plus 1 month"
  ExpiresByType video/ogg                 "access plus 1 month"
  ExpiresByType audio/ogg                 "access plus 1 month"
  ExpiresByType video/mp4                 "access plus 1 month"
  ExpiresByType video/webm                "access plus 1 month"
#
# HTC files  (css3pie)
#
  ExpiresByType text/x-component          "access plus 1 month"
#
# Webfonts
#
  ExpiresByType application/x-font-ttf    "access plus 1 month"
  ExpiresByType font/opentype             "access plus 1 month"
  ExpiresByType application/x-font-woff   "access plus 1 month"
  ExpiresByType image/svg+xml             "access plus 1 month"
  ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
#
# CSS and JavaScript
#
  ExpiresByType text/css                  "access plus 1 year"
  ExpiresByType application/javascript    "access plus 1 year"
</IfModule>
#
#
# ----------------------------------------------------------------------
# Prevent mobile network providers from modifying your site
# ----------------------------------------------------------------------
# The following header prevents modification of your code over 3G on some
# European providers.
# This is the official 'bypass' suggested by O2 in the UK.
<IfModule mod_headers.c>
    Header set Cache-Control "no-transform"
</IfModule>
#
#
# ----------------------------------------------------------------------
# ETag removal
# ----------------------------------------------------------------------
# FileETag None is not enough for every server.
<IfModule mod_headers.c>
  Header unset ETag
</IfModule>
# Since we are sending far-future expires, we do not need ETags for
# static content.
# further details: developer.yahoo.com/performance/rules.html#etags
FileETag None
#
#
# ----------------------------------------------------------------------
# Stop screen flicker in IE on CSS rollovers
# ----------------------------------------------------------------------
# The following directives stop screen flicker in IE on CSS rollovers - in
# combination with the "ExpiresByType" rules for images (see above).
BrowserMatch "MSIE" brokenvary=1
BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
BrowserMatch "Opera" !brokenvary
SetEnvIf brokenvary 1 force-no-vary
#
#
# ----------------------------------------------------------------------
# Set Keep-Alive Header
# ----------------------------------------------------------------------
# Keep-Alive allows the server to send multiple requests through one
# TCP-connection. Be aware of possible disadvantages of this setting. Turn on
# if you serve a lot of static content.
<IfModule mod_headers.c>
    Header set Connection Keep-Alive
</IfModule>
#
#
# ----------------------------------------------------------------------
# Cookie setting from iframes
# ----------------------------------------------------------------------
# Allow cookies to be set from iframes (for IE only)
# If needed, specify a path or regex in the Location directive.
<IfModule mod_headers.c>
  Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
</IfModule>
#
#
<IfModule mod_rewrite.c>

    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    ##
    ## You may need to uncomment the following line for some hosting environments,
    ## if you have installed to a subdirectory, enter the name here also.
    ##
    # RewriteBase /

    ##
    ## Uncomment following lines to force HTTPS.
    ##
    # RewriteCond %{HTTPS} off
    # RewriteRule (.*) https://%{SERVER_NAME}/$1 [L,R=301]
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # Canonical www redirect
    # RewriteCond %{HTTP_HOST} !^www\.
    # RewriteRule (.*) https://www.%{HTTP_HOST}/$1 [R,L]
    ## Remove Bad Bots from crawling ##
    # IF THE UA STARTS WITH THESE
    # Block spambots
    #
    RewriteCond %{HTTP_USER_AGENT} ^(aesop_com_spiderman|alexibot|backweb|bandit|batchftp|bigfoot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(mister.?pix|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(psbot|pump|queryn|recorder|realdownload|reaper|reget|true_robot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(libwww-perl|widow|wisenutbot|wwwoffle|xaldon|xenu|zeus|zyborg|anonymouse) [NC,OR]
    #
    ## STARTS WITH WEB
    #
    RewriteCond %{HTTP_USER_AGENT} ^web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack) [NC,OR]
    #
    ## ANYWHERE IN UA -- GREEDY REGEX
    #
    RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]
    #
    ## ISSUE 403 / SERVE ERRORDOCUMENT
    #
    RewriteRule . - [F,L]
    #1
    ## Useragents starting with
    #
    RewriteCond %{HTTP_USER_AGENT} ^atraxbot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Azureus [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^geohasher [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^PycURL [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Python-urllib [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^research-scan-bot [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Sosospider [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Wget [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^xenu [NC,OR]
    #
    ## User agents contains string
    #
    RewriteCond %{HTTP_USER_AGENT} ^.*casper [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*goblox [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*sun4u [NC]
    RewriteRule ^(.*)$ - [F]
    #
    ## Disable blank UA
    ## Blank UA and Referer
    #
    RewriteCond %{HTTP_REFERER} ^$ [NC]
    RewriteCond %{HTTP_USER_AGENT} ^$ [NC]
    RewriteRule .* - [F,L]
    #
    ## Prevent use of specified methods in HTTP Request
    #
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
    #
    ## Block out use of illegal or unsafe characters in the HTTP Request
    #
    RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
    #
    ## Block out use of illegal or unsafe characters in the Referer Variable of the HTTP Request
    ## RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    ## Block out use of illegal or unsafe characters in any cookie associated with the HTTP Request
    #
    RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    #
    ## Block out use of illegal characters in URI or use of malformed URI
    #
    RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
    #
    ## Block out  use of empty User Agent Strings
    ## NOTE - disable this rule if your site is integrated with Payment Gateways such as PayPal
    ## RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    ## Block out  use of illegal or unsafe characters in the User Agent variable
    #
    RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
    #
    ## Measures to block out  SQL injection attacks
    #
    RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|"|'|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
    #
    ## Block out  reference to localhost/loopback/127.0.0.1 in the Query String
    #
    RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
    #
    ## Block out  use of illegal or unsafe characters in the Query String variable
    #
    RewriteCond %{QUERY_STRING} ^.*(<|>|'|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
    #2
    ########## Begin - File injection protection, by SigSiu.net
    RewriteCond %{REQUEST_METHOD} GET
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
    RewriteRule .* - [F]
    ########## End - File injection protection
    #
    #
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
    #
    # proc/self/environ? no way!
    #
    RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]
    #
    ## PHP-CGI Vulnerability
    #
    RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
    RewriteRule (.*) - [F,L]

    ##
    ## Black listed folders
    ##
    RewriteRule ^bootstrap/.* index.php [L,NC]
    RewriteRule ^config/.* index.php [L,NC]
    RewriteRule ^vendor/.* index.php [L,NC]
    RewriteRule ^storage/cms/.* index.php [L,NC]
    RewriteRule ^storage/logs/.* index.php [L,NC]
    RewriteRule ^storage/framework/.* index.php [L,NC]
    RewriteRule ^storage/temp/protected/.* index.php [L,NC]
    RewriteRule ^storage/app/uploads/protected/.* index.php [L,NC]

    ##
    ## White listed folders
    ##
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} !/.well-known/*
    RewriteCond %{REQUEST_FILENAME} !/storage/app/uploads/.*
    RewriteCond %{REQUEST_FILENAME} !/storage/app/media/.*
    RewriteCond %{REQUEST_FILENAME} !/storage/temp/public/.*
    RewriteCond %{REQUEST_FILENAME} !/themes/.*/(assets|resources)/.*
    RewriteCond %{REQUEST_FILENAME} !/plugins/.*/(assets|resources)/.*
    RewriteCond %{REQUEST_FILENAME} !/modules/.*/(assets|resources)/.*
    RewriteRule !^index.php index.php [L,NC]

    ##
    ## Block all PHP files, except index
    ##
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.php$
    RewriteRule !^index.php index.php [L,NC]

    ##
    ## Standard routes
    ##
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

</IfModule>
# ----------------------------------------------------------------------
# A little more security
# ----------------------------------------------------------------------
# To avoid displaying the exact version number of Apache being used, add the
# following to httpd.conf (it will not work in .htaccess):
# ServerTokens Prod
IndexIgnore *
# "-Indexes" will have Apache block users from browsing folders without a
# default document Usually you should leave this activated, because you
# should not allow everybody to surf through every folder on your server (which
# includes rather private places like CMS system folders).
<IfModule mod_autoindex.c>
  Options -Indexes
  Options -ExecCGI
</IfModule>
# Block access to "hidden" directories or files whose names begin with a
# period. This includes directories used by version control systems such as
# Subversion or Git.
<IfModule mod_rewrite.c>
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)\." - [F]
</IfModule>
# Block access to backup and source files. These files may be left by some
# text/html editors and pose a great security danger, when anyone can access
# them.
<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
  Order allow,deny
  Deny from all
  Satisfy All
</FilesMatch>
AddHandler cgi-script .pl .py .asp .shtml .sh .cgi
# optional logging.
# CustomLog insert-path-and-name-of-log common env=bad-range
# If your server is not already configured as such, the following directive
# should be uncommented in order to set PHP's register_globals option to OFF.
# This closes a major security hole that is abused by most XSS (cross-site
# scripting) attacks. For more information: http://php.net/register_globals
#

script

title = "download"
url = "/download"
is_hidden = 0
robot_index = "index"
robot_follow = "follow"
==
<?php
use Cms\Classes\Theme;

function onStart()
{
    $theme = Theme::getActiveTheme();
    $paths = Config::get('cms.themesPath', '/themes') . '/' . $theme->getDirName();
    $name  = Input::get('name');

    // Builds an absolute URL to the PDF, so readfile() below fetches it over HTTP
    // (a second request to this same server) instead of reading it from disk.
    $actual_link = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http");
    $file = $actual_link . '://' . $_SERVER['HTTP_HOST'] . '/themes/laratify-octobercms-octaskin/assets/pdf/' . $name;
    $path = $file; // the file made available for download via this PHP file
    $mm_type = "application/octet-stream"; // modify according to the file type of $path, but in most cases there is no need to do so

    header("Pragma: public");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Cache-Control: public");
    header("Content-Description: File Transfer");
    header("Content-Type: " . $mm_type);
    header("Content-Length: " . (string) (file_exists($path) ? filesize($path) : 0));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header("Content-Transfer-Encoding: binary");

    readfile($path); // outputs the content of the file

    exit();
}
?>
==

I am trying not to break my site. The PDFs are only available to logged-in users. The script works fine with the bare minimum .htaccess file, but this is above my head.

  • How exactly are you calling your download script? What URL are you using? Your download script appears to construct an absolute URL to `readfile()`, rather than a filesystem path - why? (What's the point of having `$path` and `$file` if you simply assign one to the other?) This looks like an "error", although not necessarily the cause of _the_ error you are currently experiencing (although could be). _Aside:_ How are you restricting download to "logged in users"? It looks like anyone could "type the URL directly"? (You should be setting the correct mime-type for download.) – MrWhite Oct 04 '20 at 00:14
  • Hi MrWhite, the script gets called from
    , I have tried correcting the mime-type but it had no effect. I think the $path and the $file were for testing, which I have now corrected. As for restricting access, the user has to log in before they can click the link for the PDF. Is there a better way I should do this?
    – user2033464 Oct 04 '20 at 11:21
  • So, `download` is presumably routed through your front-controller? "I have tried correcting the mime-type but had no effect" - That is simply a best practice, it won't resolve this immediate problem. "user has to log in before they can click the link" - that's the thing, it looks like you are just protecting the link, not the file? – MrWhite Oct 04 '20 at 13:00
  • I can't see anything obvious in your "huge" `.htaccess` file that would block this? But we can't necessarily see (from the code you posted) the full request... Your form makes a POST request to `download` (relative URL) from the client. There's nothing in your `.htaccess` file that would seem to block this. This is then internally rewritten to your front-controller (`index.php`)... then what? – MrWhite Oct 04 '20 at 13:02
  • From what I have tried, it appears to be at line 420, this `RewriteRule ^(.*)$ - [F]`, so I'll need to translate this so I can understand what it is doing. – user2033464 Oct 04 '20 at 13:54
  • What makes you think it's that line that is the problem? Yes, there are several blocking directives in your `.htaccess` file, however, they don't look like they would block this specific request - but there may be something happening that is not obvious from the code you posted. Line #420 simply blocks the request based on 12 user-agents - I don't see how that could be the problem here? The way your download script was written (which you say you've "changed") it would have triggered a 2nd HTTP request from PHP itself - it could have been this request that is being blocked. – MrWhite Oct 04 '20 at 14:58
  • I commented out that line and it now downloads the file. How would you change the script file so that it uses a filesystem path rather than an absolute URL? – user2033464 Oct 04 '20 at 18:35
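The filesystem-path version the last comment asks for, as an added example that is not the question's code or October CMS's own: it reads the PDF from disk so no second HTTP request is made through the .htaccess rules, and it checks the user before the file. It assumes the RainLab.User plugin's `Auth::check()` as the login check and `Theme::getPath()` for the active theme's directory; both assumptions are marked in the code.

```php
<?php
use Cms\Classes\Theme;

// Added example (not the question's code or October CMS's own): the download
// handler rewritten to read the PDF from the filesystem instead of fetching
// its own URL over HTTP. October compiles this PHP section into a class, so
// the helper below becomes a method and is called with $this->.
// Assumptions: RainLab.User provides Auth::check() as the login check,
// Theme::getPath() returns the active theme's directory on disk, and the
// PDFs live in <theme>/assets/pdf as in the question.

// Map the client-supplied name to a real file inside the PDF directory.
// Returns the absolute path, or null when the name is missing, is not a
// plain .pdf filename, or does not resolve to a file inside that directory.
function resolvePdfPath($name)
{
    // basename() drops any directory part the client sends ("../", "/etc/").
    $safeName = basename((string) $name);
    if ($safeName === '' || !preg_match('/^[A-Za-z0-9._-]+\.pdf$/i', $safeName)) {
        return null;
    }

    // Assumed: Theme::getPath() is the theme's filesystem path, not its URL.
    $pdfDir = realpath(Theme::getActiveTheme()->getPath() . '/assets/pdf');
    if ($pdfDir === false) {
        return null;
    }

    // realpath() is false for a missing file; the prefix check also rejects a
    // symlink inside the directory that points somewhere outside it.
    $target = realpath($pdfDir . DIRECTORY_SEPARATOR . $safeName);
    if ($target === false || !is_file($target)
        || strncmp($target, $pdfDir . DIRECTORY_SEPARATOR, strlen($pdfDir) + 1) !== 0) {
        return null;
    }

    return $target;
}

function onStart()
{
    // Protect the file, not just the link: refuse before touching the filesystem.
    // Assumed: RainLab.User's Auth facade; substitute the site's own check.
    if (!Auth::check()) {
        return Response::make('Forbidden', 403);
    }

    $path = $this->resolvePdfPath(Input::get('name'));
    if ($path === null) {
        // Same answer for "bad name" and "no such file", so nothing is leaked
        // about which names exist in the directory.
        return Response::make('Not Found', 404);
    }

    // Returning a response from onStart() sends it instead of rendering the
    // page. Response::download() sets Content-Disposition and Content-Length.
    return Response::download($path, basename($path), [
        'Content-Type'           => 'application/pdf',
        'X-Content-Type-Options' => 'nosniff',
        'Cache-Control'          => 'private, no-store',
    ]);
}
?>
```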
