Preventing DIRECT access to files

         

kkonline

1:45 pm on Sep 19, 2007 (gmt 0)

10+ Year Member



I am using mod_rewrite rules for redirecting. An example of the rule is as below:
RewriteRule ^/?(1)/([0-9]+)/([0-9]+)/([a-zA-Z])$ dir/index.php?sid=$1&catid=$2&page=$3&alphabet=$4

Now someone who knows that there exists a folder dir can write
example.com/dir/index.php and access the file, although it requires sid, catid, page and alphabet as a must. I want to prohibit this.

Writing example.com/dir/index.php should give a notice "wrong url come thru proper redirection" but example.com/1/1/1/ should redirect to the correct path without any errors. How do I do this?

[edited by: eelixduppy at 6:21 pm (utc) on Sep. 19, 2007]

phranque

9:22 pm on Sep 19, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



You could use something like RewriteCond %{REQUEST_URI} to test for the existence or absence of required parameters and serve the appropriate error page when necessary.

jdMorgan

9:28 pm on Sep 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This rule will generate a 403-Forbidden response *only* if that URL-path is requested directly by the client, and not as the result of your existing rule:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /dir/index\.php[^\ ]*\ HTTP/
RewriteRule ^dir/index\.php$ - [F]

THE_REQUEST is the browser's entire HTTP request header, example:
GET /dir/index.php?sid=123&catid=5&page=1&alphabet=en

Jim

[edited by: jdMorgan at 9:34 pm (utc) on Sep. 19, 2007]

kkonline

3:28 am on Sep 20, 2007 (gmt 0)

10+ Year Member



Hi, the code I wrote
[php]<Location /dir>
Order Allow,Deny
Deny from all
</Location>[/php]
can also be included in the mod rewrite rule (.htaccess file in the root). It gives me a 500 internal error.

I did not get where to include the above code in .htaccess.
My .htaccess (in root) is as below:

[php]Options +FollowSymLinks All
RewriteEngine On

# -FrontPage-

IndexIgnore .htaccess */.?* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName mysite.org
AuthUserFile /home/mysite/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/mysite/public_html/_vti_pvt/service.grp
RewriteCond %{HTTP_HOST} ^mysite.net$ [OR]
RewriteCond %{HTTP_HOST} ^www.mysite.net$
RewriteRule ^(.*)$ [mysite.org...] [R=301,L]

RewriteCond %{HTTP_HOST} ^mysite.org$ [OR]
RewriteCond %{HTTP_HOST} ^www.mysite.org$
RewriteRule ^/?$ [mysite.org...] [R=302,L]

RewriteRule ^/?(1)/(form)$ dir/index.php
RewriteRule ^/?(1)/(form)/$ dir/index.php
[/php]

Can you tell me where to include the code I wrote, as I am getting a 500 internal error? In the error logs I get:
[Thu Sep 20 08:31:16 2007] [alert] [client x.x.x.x] /home/mysite/public_html/.htaccess: <Location not allowed here

g1smd

11:24 am on Sep 20, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



One question. Are you sure that you want one of the rules to be a 302 redirect?

That is a very dangerous situation that can cause Duplicate Content issues.

jdMorgan

12:41 pm on Sep 20, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You may not use the <Location> container in .htaccess files. Use is restricted to httpd.conf and conf.d, etc.

I do not know what the meaning of the [php] and [/php] tags in your post is, but they are not valid in .htaccess files either.

Put the new RewriteRule above your last two rules, after the RewriteRules you are using to do the 'domain' redirects.

Jim
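
Added example (not part of any post in this thread, and not Apache's own code): a small Python model of how the THE_REQUEST rule and the friendly-URL rewrite from the first post interact in a per-directory ruleset, where the rules run again after an internal rewrite while THE_REQUEST keeps the client's original request line. The request lines are constructed samples, and `handle` and `use_cond` are names made up for this sketch.

```python
import re

# Condition and rule pattern copied from jdMorgan's post.
COND_THE_REQUEST = re.compile(r"^[A-Z]{3,9}\ /dir/index\.php[^\ ]*\ HTTP/")
FORBID_PATTERN = re.compile(r"^dir/index\.php$")
# Friendly-URL rewrite copied from the first post ($N written as \N for Python).
REWRITE_PATTERN = re.compile(r"^/?(1)/([0-9]+)/([0-9]+)/([a-zA-Z])$")
REWRITE_TARGET = r"dir/index.php?sid=\1&catid=\2&page=\3&alphabet=\4"


def handle(request_line, use_cond=True, max_passes=5):
    """Model one request; return (forbidden, final_url).

    use_cond=False drops the THE_REQUEST condition to show what a bare
    'RewriteRule ^dir/index\\.php$ - [F]' would do (hypothetical variant).
    """
    _method, url, _proto = request_line.split(" ")
    final = url
    for _ in range(max_passes):
        # Per-directory patterns are matched without the leading slash.
        path = final.split("?", 1)[0].lstrip("/")
        # Forbid rule: the path alone is not enough, because after the
        # internal rewrite the path is dir/index.php for legitimate hits too.
        if FORBID_PATTERN.search(path):
            if not use_cond or COND_THE_REQUEST.search(request_line):
                return True, final
        match = REWRITE_PATTERN.search(path)
        if not match:
            return False, final          # nothing rewritten: ruleset is done
        final = "/" + match.expand(REWRITE_TARGET)   # rewritten: run rules again
    return False, final


# Constructed sample request lines.
SAMPLES = [
    "GET /1/1/1/a HTTP/1.1",
    "GET /dir/index.php HTTP/1.1",
    "GET /dir/index.php?sid=123&catid=5&page=1&alphabet=en HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", handle(line), "| without condition:",
              handle(line, use_cond=False)[0])
```

Without the condition, the friendly URL is forbidden on the second pass, which is why the rule tests THE_REQUEST rather than the current path.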