
I'm having a problem with .htaccess and PHP-files in a sub folder. What I'm trying to achieve is to prevent anyone from being able to access any file in my sub folder - BUT I want my index.php to be able to access those files.

DOCROOT/subfolder -> www.somewebsite.com/subfolder/somefile.php
-> Access Denied

BUT

[index.php]
<form action="/subfolder/somefile.php">
...
</form>
-> Success!

I would love to solve this by just using .htaccess. I tried deny from all and also some RewriteRules, but those rules also kill any request from index.php. I tried

Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from somewebsite.com
Satisfy Any

but the request from index.php is being denied. Can anyone help, please?

Urmir

3 Answers

This is a misconception that people have. Just because you're linking to PHP files from another PHP file doesn't mean the index.php file is accessing them. The end-user/browser is still accessing them, it's just that it's being told where to go by your index.php file. It has absolutely nothing to do with how it's being accessed. In both of your cases, they're being accessed by the browser.

The best you can do is to look at the referer field. It can be easily forged to get around this, but it's the only thing you can do.

RewriteEngine On
# Forbid the request unless the Referer header claims it came from this site.
# Dots in the host names are escaped so they match literally, and the host is
# followed by "/", ":" or end-of-string so "example.com.evil.net" does not pass.
RewriteCond %{HTTP_REFERER} !^https?://(example\.com|127\.0\.0\.1)(/|:|$) [NC]
RewriteRule ^subfolder/ - [L,F]

where "example.com" is your site.

Jon Lin
  • Sidenote Q: Using `RewriteCond %{HTTP_REFERER}` is more reliable than `$_SERVER['HTTP_REFERER']` and can't be manipulated? As per http://stackoverflow.com/a/6023980/ – Funk Forty Niner Nov 04 '14 at 18:48
  • @Fred-ii- PHP's `$_SERVER['HTTP_REFERER']` is populated by apache, and comes from the same place that stores the value of the `%{HTTP_REFERER}` rewrite variable. They both come from the `Referer:` field of the HTTP request header. They're both the same. – Jon Lin Nov 04 '14 at 18:53
  • It seems this doesn't work. The files in my subfolder are easily accessible by just typing somewebsite.com/subfolder/somefile.php. – Urmir Nov 04 '14 at 18:58
  • As stated in the link in my comment above: *"Using `HTTP_REFERER` isn't reliable, its value is dependent on the HTTP `Referer` header sent by the browser or client application to the server and therefore can't be trusted."* - so I'm just wondering whether that's the best solution. Yet, wondering if it makes a difference if it comes from `.htaccess` or from a PHP script and whether one is more reliable than the other, the one being in `.htaccess` that is. – Funk Forty Niner Nov 04 '14 at 18:59
  • @Fred-ii- If you need to know where someone clicked on a link, without tracking everything on the server side with cookies or something, there is no other way. Likewise, there is no difference between using the rewrite condition's variable or the PHP variable *because they both come from exactly the same place*. – Jon Lin Nov 04 '14 at 19:05
  • @Urmir where did you put those rules? In your document root? If you put them in your "subfolder", then you need to get rid of the `subfolder/` part of the regex. – Jon Lin Nov 04 '14 at 19:06
  • It's in the subfolder. I removed the `subfolder/` part but files are still accessible: `RewriteRule ^/ - [L,F]`. Regex patterns aren't really my strong suit. – Urmir Nov 04 '14 at 19:14
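A layout that reaches the goal in the question without relying on the Referer at all, as an added example that is not from any answer in this thread: the sub folder is denied to every HTTP request, the form posts to index.php, and index.php pulls the helper in with require(), which is a server-side file include rather than a browser request. The listing shows two files (index.php and subfolder/somefile.php) one after the other; the file names, the APP_ENTRY constant and handle_form() are assumptions made for this example. The .htaccess that goes with it is given in the leading comment.

```php
<?php
// ===== file: index.php (the only browser-facing entry point) =====
//
// subfolder/.htaccess refuses every HTTP request for that directory:
//     Apache 2.4:   Require all denied
//     Apache 2.2:   Order deny,allow
//                   Deny from all
// (If a RewriteRule is used instead, remember that in a per-directory
// .htaccess the pattern is matched against the path relative to that
// directory, without a leading slash, so "^/" never matches anything;
// "RewriteRule ^ - [F]" does.)
//
// The deny rule never gets in the way of index.php: require() below
// reads the file inside the PHP process, so no request for
// /subfolder/somefile.php is ever sent to Apache.

define('APP_ENTRY', true);                    // proves we came through index.php
require __DIR__ . '/subfolder/somefile.php';  // server-side include, not a URL

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo handle_form($_POST);
} else {
    // The form posts back to index.php, not to /subfolder/somefile.php.
    echo '<form method="post" action="/index.php">'
       . '<input name="name"> <button type="submit">Send</button>'
       . '</form>';
}

// ===== file: subfolder/somefile.php =====
//
// Belt and braces: if the .htaccess is ever lost (the folder is copied to
// a host that ignores .htaccess, for example), this file still refuses to
// do anything unless it was loaded through the entry point above.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Direct access is not permitted.');
}

function handle_form(array $post): string
{
    $name = $post['name'] ?? '';
    // A "name[]" field would arrive as an array; only accept a string.
    if (!is_string($name)) {
        return 'Invalid input.';
    }
    $name = trim($name);
    if ($name === '' || strlen($name) > 64) {
        return 'Please enter a name of at most 64 characters.';
    }
    // Escape before echoing user input back into HTML.
    return 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '!';
}
```

With this layout a request for /subfolder/somefile.php gets 403 from Apache, and even without Apache's help the constant check in the helper returns 403, while a POST to /index.php works because the helper is included, not fetched.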
RewriteEngine On
# Only continue when the Referer header is not the index page of this site
# (dots escaped so they match literally)
RewriteCond %{HTTP_REFERER} !^http://www\.hello\.com/index\.php
# ... and in that case forbid access to somefile.php in the sub folder
RewriteRule .*subfolder/somefile\.php - [NC,F]

The second line checks whether the visitor is not coming from a certain URL. The third line blocks them from accessing somefile.php.

FuzzyTree

In your .htaccess you could redirect any requests to files inside that directory other than index.php as follows:

<directory "DOCROOT/subfolder">
    RewriteCond %{REQUEST_FILENAME} !=/DOCROOT/subfolder/index.php
    RewriteRule ^/(.+)$ redirect.php [L]
</directory>
  • `<Directory>` containers are not allowed in a htaccess file, since an htaccess file is already a per-directory context. – Jon Lin Nov 04 '14 at 19:07
  • Getting internal server error 500. And not sure if I'm understanding your answer correctly - your code blocks the access to any files except for index.php in the same subfolder, right? – Urmir Nov 04 '14 at 19:08
  • Sorry, my mistake. You could put the above inside your virtual host configuration, or you could just take out the directory tags and put the contents into an .htaccess file inside DOCROOT/subfolder. – Brandon Johnson Nov 04 '14 at 19:12