
I have an uploads folder with permissions set to 777 (cannot be changed).

In this, I allow trusted users to upload images.

I want to only allow .jpg, .png and .gif files into this folder.

How can I do this (with .htaccess?)?

EDIT: Someone has said this is not secure. For it to be dangerous, the hacker would still need to get into the server to add files into the directory and execute them, for example using FTP, so it is not that dangerous I think.

David19801
  • You can't really provide any security with 777, see http://stackoverflow.com/questions/2338641/in-a-php-apache-linux-context-why-exactly-is-chmod-777-dangerous for reference. It's one of those things that should **strongly** prompt you to change host. – Viruzzo Dec 20 '11 at 14:30
  • How do you upload? If it is via a PHP script, there is some mitigation available. @Viruzzo is right nevertheless. – Eugen Rieck Dec 20 '11 at 14:34
  • @Eugen The upload is using PHP to the images folder. It only works when I have 0777 set. – David19801 Dec 20 '11 at 14:37

1 Answer


This is probably something that is better off enforced by the upload script itself - .htaccess only lets you control what users can access from the web server, it doesn't have any effect on what files are allowed to be created in the directory.

However, if you do simply want to limit viewing access to certain file types, you can do that:

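```apache
# Deny all requests to this directory by default
Order Deny,Allow
Deny from all

# Then allow only GIF, JPEG and PNG files to be served
<FilesMatch "\.(gif|jpe?g|png)$">
    Allow from all
</FilesMatch>
```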

(Note that this has the side effect of denying access to the directory index listing, which you may or may not actually need. If you have direct links to all the files, then it doesn't matter.)
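An added example, not part of the original answer, of enforcing the file-type restriction in the upload script itself: the type is decided from the file's content and the stored name is chosen by the server, so nothing the uploader supplies reaches the file system. The function name `store_uploaded_image`, the form field `image` and the `uploads` path are assumptions made for this sketch.

```php
<?php
// Added example: store_uploaded_image(), the "image" form field and the
// uploads path are hypothetical names, not taken from the original post.
function store_uploaded_image(array $file, string $uploadDir): string
{
    // Content type => extension the stored file will be given.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or is not an HTTP upload.');
    }
    $tmp = $file['tmp_name'];

    // Decide the type from the file content. The client-supplied name and
    // $file['type'] are both controlled by the uploader and are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = is_string($mime) ? ($allowed[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('Only JPEG, PNG and GIF files are accepted.');
    }
    // The file must also parse as an image, not just carry image magic bytes.
    if (@getimagesize($tmp) === false) {
        throw new RuntimeException('File is not a readable image.');
    }

    // Server-chosen name and extension: names such as "x.php.jpg" or
    // "../x.php" are discarded and never used to build the destination path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store the file.');
    }
    chmod($dest, 0644); // the stored file does not need to be world-writable
    return $name;
}

// Usage inside the upload script.
if (isset($_FILES['image'])) {
    try {
        echo 'Stored as ', store_uploaded_image($_FILES['image'], __DIR__ . '/uploads');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

This check only covers files that arrive through the script; anything else that can write to the 777 directory bypasses it, which is where the `FilesMatch` rule above still limits what the web server will hand out.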