2

I want to deny direct access to some sensitive files in my root application (e.g: log,sh, ini ...etc). and for this reasons I have used the following directive in my main .htaccess:

<FilesMatch  "\.(htaccess|htpasswd|ini|log|sh|inc|bak|md|txt|lock|phar|bat)$|action.bat|composer.json|VERSION.*">
  Require all denied
</FilesMatch>

the wierd thing is that it work perfectly fo all files listed in the FileMatch except files with (.bat) extention, which I did not figure yet whythey still downloadable using direct URL access. Configuration:

  • OS: Windows 10
  • Stack: XAMPP

XAMPP components version:

  • Apache 2.4.39
  • MariaDB 10.1.38
  • PHP 7.3.4 (VC15 X86 64bit thread safe) + PEAR
  • phpMyAdmin 4.8.5
  • OpenSSL 1.1.0g
  • XAMPP Control Panel Version 3.2.3.

Update:

actually I discover that the Pattern Matching works with all ".bat" files except the ones with name "action" ! if I change the name to anything else (lets say "action1" ) it works just fine.

GENE
  • 21
  • 2
  • 1
    Presumably the reason for adding `action.bat` specifically was because this file was not blocked with the existing regex that simply blocked all `.bat` files? (Note: by adding `action.bat` to the regex, as you have done, you are blocking `.action.bat` (dot prefix) - so this isn't actually helping.) – MrWhite Dec 26 '19 at 11:32

2 Answers2

0

The regular expression you have should work. You should be able to also delete action.bat| and it should function the same. If your file does not end with .bat, that might be causing issues.

A simplified explanation of what it does:

\.(htaccess|htpasswd|ini|log|sh|inc|bak|md|txt|lock|phar|bat)$
|||                                                          |
||^Any string within brackets (separated with | as "or")     |
|^Any character or . when escaped     End of filename marker ^
^Escape character

Try restarting your server, ensure you're working in the correct directory and make sure there isn't anything else working against the rules you're establishing in this .htaccess.

Sašo
  • 1,494
  • 2
  • 10
  • 14
  • Thanks for your explanation. actually the extra full name "action.bat" is just to insurance purpose. for the file it ended with ".bat" extention. indeed I discover that the Pattern Matching works with all ".bat" files except with the ones with name "action" ! if I change the name to anything else (lets say "action1" ) it works just fine. – GENE Dec 26 '19 at 10:59
0

You can add following to your vhost file

To deny specific files access

<Files *.bat>
    Order allow,deny
    Deny from all
</Files>

You can add your extension type according to your requirements.

Community
  • 1
Sukhjinder Singh
  • 1,994
  • 2
  • 9
  • 17
  • Actually I discover that the Pattern Matching works with all ".bat" files except with the ones with name "action" ! if I change the name to anything else (let's say "action1" ) it works just fine. – GENE Dec 26 '19 at 11:01
  • Thank you, I have tried your Directive. and as i have already mentioned, the files with "action.bat" name still accessible. – GENE Dec 26 '19 at 11:06
  • 1
    Access control with `Order` and `Deny` is deprecated in Apache 2.4, see [https://httpd.apache.org/docs/2.4/upgrading.html](https://httpd.apache.org/docs/2.4/upgrading.html#access). – Freddy Dec 26 '19 at 12:03