problem with <FilesMatch> to prevent certain uploads

Problems with the Windows version of XAMPP, questions, comments, and anything related.

problem with <FilesMatch> to prevent certain uploads

Postby spacewalker » 15. April 2014 09:25

Hello,

I use XAMPP v.1.8.2 with Apache2.4 and Win2008R2

I have a directory structure like this:
c:\xampp\htdocs\users\ [document root][uploader.html][uploader.php]
c:\xampp\htdocs\users\user1 [.htaccess]
c:\xampp\htdocs\users\user2 [.htaccess]
c:\xampp\htdocs\users\userX [.htaccess]

I need to upload files to the user directories.
This is done with uploader.html, here the usere can select a file to be uploaed and the directory to which the file is uploadted (eg. upload : http://www.myserver.com/user1/data.zip)
Each user directory is password protected using a .htaccess file that points to a .htpasswd file.

My question is:
How can I prevent a user to upload certain filetypes file like .exe, .com, .vbs, .php, etc.?

I did some searching and I have found many articles that recommend to use <filesMatch> for this purpose.
So I have add the following to the end of httpd.conf:

<Directory c:/xamp/htdocs/users/user1>
<FilesMatch "(?i)\.(exe|com|vbs|php|php3?|phtml)$">
Order Deny,Allow
Deny from All
</FilesMatch>
</Directory>

And I have tried this:

<FilesMatch "\.(php|.exe|php3|phtml)$">
Order Deny,Allow
Deny from All
</FilesMatch>


I have restarted the Apache service.
But still I can upload evil.exe to the user1 directory.

thanks
spacewalker
 
Posts: 13
Joined: 25. July 2013 09:46
Operating System: Windows 2008R2

Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 30 guests