I read this artcile on file upload security, but now it seems that a

Question

0

Asked: May 30, 20262026-05-30T18:45:03+00:00 2026-05-30T18:45:03+00:00

I read this artcile on file upload security, but now it seems that a

0

I read this artcile on file upload security, but now it seems that a valid pdf I uploaded is being given access forbidden after implenting this htaccess on top of the other security methods mentioned:

deny from all
<Files ~ "^\w+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$">
order deny,allow
allow from all
</Files>

The file name looks like this:
Company-apv-A4-Solarpanels_ABC-RH.pdf

Which should be fine because the htaccess is meant to prevent the doubled extension attack if I understand correctly. Hope someone can help!

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-30T18:45:04+00:00

Why not:

SetEnvIf Request_URI "(^|/)[-\w]+\.(gif|jpe?g|png|pdf|doc|docx|txt|rtf|ppt|pptx|xls|mp4|mov|mp3|mpg|mpeg)$" allowed

<Files *>
   Order deny,allow
   Deny from all
   Allow from env=allowed
</Files>

Also note that I dropped the mandatory leading ^ as you surely want to allow access to these extensions in subdirs and [-\w]+ as - is not in \w.

I would just start my regexp \.(gif… as you really only need to check the extension for what you want. Up to you.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I read this artcile on file upload security, but now it seems that a

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply