mod rewrite: Prevent Access to Hidden Files

Routine from 2007, obtained with help from WebmasterWorld, not working

         

AlexK

5:13 pm on Sep 26, 2009 (gmt 0)



A routine to prevent attempts to access (non-existent) hidden-files on the server, implemented within httpd.conf, appears not to be working. The code is very short:


#
# reject requests for ``/.?' (hidden files)
# 2007-03-08 added -AK
#
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /\.
RewriteRule .* - [L,forbidden]

There were two similar reports today in error_log:
[Sat Sep 26 15:50:15 2009] [error] [client 87.78.xx.xx] Request exceeded the limit of 10 internal redirects...
[Sat Sep 26 04:52:01 2009] [error] [client 119.73.xx.xx] Request exceeded the limit of 10 internal redirects...

...and in access_log two similar attempts:
87.78.xx.xx - - [26/Sep/2009:15:50:15 +0100] "GET /.svn/entries HTTP/1.1" 500 - "-" "Python-urllib/2.6" In:- Out:-:-pct. "-"
119.73.xx.xx - - [26/Sep/2009:04:52:01 +0100] "GET /.../HSP-UniDriverSoftware-WinME-12.0300.0018.zip.php HTTP/1.1" 500 - "-" "Mozilla/4.0 (compatible;...

The rewrite code looks fine to me. Can anyone spot the error, please?

jdMorgan

6:23 pm on Sep 26, 2009 (gmt 0)



That code isn't very efficient, but it shouldn't cause the error you are seeing. I suspect you've got a problem with a different 403 rule.

You can clean up your rule and make it more robust with:


RewriteRule ^([^/]+/)*\. - [F]

This 'protects' .htaccess, .htpasswd, etc. in *any* subdirectory.
Note that [L] used with [F] is redundant.

Look for another [forbidden] or [F] access-control rule that might match the URL-path of your custom 403 error document, and make sure that your custom error document's URL-path is excluded from that rule (otherwise it will loop).

Jim
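
Added example (not part of the original thread, and not code from either poster): a Python check that runs the two patterns from the posts above against sample URL-paths and lists any [F] pattern that would also refuse the custom 403 document, which is the condition described above as causing a loop. The function names, the constructed sample paths and the /errors/403.html location are assumptions; the "server" and "directory" inputs follow mod_rewrite's documented behaviour of matching the full URL-path in server context and a prefix-stripped path in per-directory context.

```python
import re

# Patterns copied from the posts above. Python's re stands in for Apache's
# PCRE here; neither pattern uses syntax on which the two engines differ.
THE_REQUEST_RULE = re.compile(r"^[A-Z]{3,9}\ /\.")  # RewriteCond on %{THE_REQUEST}
ANY_DIR_RULE = re.compile(r"^([^/]+/)*\.")          # suggested RewriteRule pattern


def rule_input(url_path, context):
    """Return the string a RewriteRule pattern is tested against.

    "server": server/VirtualHost context, URL-path keeps its leading slash.
    "directory": <Directory>/.htaccess context; assumed here to sit at the
    document root, so only the one leading slash is stripped.
    """
    if context == "server":
        return url_path
    if context == "directory":
        return url_path[1:] if url_path.startswith("/") else url_path
    raise ValueError("context must be 'server' or 'directory'")


def blocked_by_original(method, url_path):
    """Original rule: matches only a dot directly after the first slash."""
    return bool(THE_REQUEST_RULE.search(f"{method} {url_path} HTTP/1.1"))


def blocked_by_any_dir(url_path, context="directory"):
    """Suggested rule: matches a dot at the start of any path segment."""
    return bool(ANY_DIR_RULE.search(rule_input(url_path, context)))


def rules_hitting_error_doc(error_doc, forbid_patterns, context="directory"):
    """Return the [F] patterns that would also refuse the custom 403 page."""
    subject = rule_input(error_doc, context)
    return [p for p in forbid_patterns if re.search(p, subject)]


if __name__ == "__main__":
    # First path is from the access_log in the thread; the rest are constructed.
    for path in ("/.svn/entries", "/docs/.htpasswd", "/docs/file.txt"):
        print(path, blocked_by_original("GET", path),
              blocked_by_any_dir(path), blocked_by_any_dir(path, "server"))
    # Hypothetical error page location and a hypothetical second, broader rule.
    print(rules_hitting_error_doc("/errors/403.html",
                                  [ANY_DIR_RULE.pattern, r"^errors/"]))
```

In "server" context the suggested pattern does not match /.svn/entries, because the string it is tested against starts with a slash. An adaptation for a rule placed outside any <Directory> block would be ^/([^/]+/)*\. (not from the thread).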

Caterham

7:02 pm on Sep 27, 2009 (gmt 0)



You should have

<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>

already in your httpd.conf. Why don't you modify that to fit your needs instead of bothering with inefficient approaches?

AlexK

7:50 pm on Sep 28, 2009 (gmt 0)



Yeah, thanks for that, Caterham, but Jim has already smacked this one hard on the head (thanks, Jim). The error msg suggests a loop, possibly involving custom 403 docs, and I need most to trace that down.