Hello, all. I'm pretty new to web development, so please be gentle. Apologies if I'm posting a topic that's already been discussed; I searched but couldn't find quite what I was looking for in another thread.

Background: I have a site that allows file uploads, but once uploaded, they won't need to be viewed by anyone but me. I've implemented some security measures such as having the php upload script only allow certain extensions, chmoding uploaded files to 0644, and using -ExecCGI for various extensions in an htaccess file inside the uploads folder.

The questions (three of them; aren't you lucky):

1) I'd like to have my htaccess file rewrite php extensions as something else. I found a bit of code to do this, but can't seem to get it to work:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^PUT$ [OR]
RewriteCond %{REQUEST_METHOD} ^MOVE$
RewriteRule ^(.*)\.php /site_redone/uploads/$1.nophp

The site structure goes like this (at least for now while I'm redoing the site): mysite.com/site_redone/uploads

I know that the host of my shared server allows mod_rewrite. They're running php 5.2.10. Not sure if my problem is a path issue (I haven't quite grasped that part yet), but have tried various path permutations in the RewriteRule part to no avail.

2) I currently have the file names being appended with a kind of time stamp (time()) to prevent overwriting by a file of the same name, so for example, myfile.doc becomes myfile1252087685.doc. I can store the extension in a MySQL database and just rewrite the file name to end in .txt or something in my php upload script, but I'm not sure if that'll accomplish the same thing as the above mod_rewrite attempt.

3) Is there a way to put the htaccess file in a higher directory from the uploads folder so it can't get overwritten by some ne'er-do-well while it's in the uploads folder? I only want it to affect the uploads folder, not the directory in which it's placed, though. I'm guessing this somehow involves using Directory, but I don't know how to do that. Did I mention I'm new at this?

Thanks in advance!

A: 

I think the RewriteRule regex matches against the whole path, not one relative to the location of the .htaccess file. Not sure about that though.

So you may want to try a regex like this:

^.*/([^/]*).php$

Or maybe:

^/site_redone/uploads/([^/]*)\.php$

I've never put a mod_rewrite RewriteRule in a subdirectory before, so the above is suggested for your top level .htaccess.

I don't think <Directory> is allowed in .htaccess, but there's some other similar directive that works. (FilesMatch or something?)

Wait... didn't you say you want to deny web access to the whole folder? You can mod rewrite anything that starts with /site_redone/uploads/ to a php script that displays an error page with an access denied http error code. So an expression like this: ^/site_redone/uploads/.*$

JasonWoof

Thanks for your quick response, Jason! From the tutorials on modrewrite.com, my (admittedly shaky) understanding is the regex is relative to the htaccess file, but the second half of the RewriteRule requires the whole path. But regardless, your regex and the similar variations I tried give me no love. Oh, well. I'm less concerned about people viewing the folder than about malicious code uploads, but my current htaccess file should prevent public viewing and code execution. I'm just not as knowledgeable about security as I probably should be, so I'm trying to cover all my bases.
A: 

Well, it appears that what I was trying to do isn't actually possible, at least not the way I was trying to do it. I got some help on the modrewrite.com forum that informed me that because I'm using file uploads through an html form, the rewrite rule above won't be able to act on the file name. That code snippet above may be for, and I quote, "WebDAV or similar which is more like FTP." I'll have to stick with php to weed out the undesirables. Anyway, hope that helps someone!
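As an added illustration of that conclusion (not code from anyone in the thread), here is the weeding done in the PHP upload script along the lines of question 2: an extension allowlist, a generated stored name that always ends in .txt, and the original name kept in MySQL. The uploads path, the allowlist, the database credentials and the uploads table are assumptions for the illustration.

```php
<?php
// Added example (not the original poster's code): validate an upload in PHP and
// store it under a generated, non-executable name. Assumed for illustration:
// the uploads path, the allowlist, and the database credentials/table.
$uploadDir = '/home/user/public_html/site_redone/uploads'; // assumed path
$allowed   = array('doc', 'pdf', 'jpg', 'png', 'txt');      // assumed allowlist

// Returns array('stored' => name on disk, 'ext' => original extension),
// or false when the extension is not on the allowlist.
function safe_upload_name($originalName, $allowed)
{
    // Only the final extension counts, after lowercasing, so "x.php.JPG"
    // is judged as "jpg" and "x.PHP" as "php"; the comparison is strict.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    // The stored name is generated, never taken from the client, and always
    // ends in .txt, which Apache serves as plain text rather than as a script.
    $stored = sprintf('%d_%u.txt', time(), mt_rand());
    return array('stored' => $stored, 'ext' => $ext);
}

// Hypothetical persistence: the site's own table of original name/extension.
function store_upload_record($original, $ext, $stored)
{
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'site'); // assumed
    $stmt = $db->prepare('INSERT INTO uploads (original_name, ext, stored_name) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $original, $ext, $stored);  // bound, not interpolated
    $stmt->execute();
}

if (!empty($_FILES['upload']) && $_FILES['upload']['error'] === UPLOAD_ERR_OK) {
    $info = safe_upload_name($_FILES['upload']['name'], $allowed);
    if ($info === false) {
        header('HTTP/1.1 400 Bad Request');
        exit('File type not accepted');
    }
    $dest = $uploadDir . '/' . $info['stored'];
    // move_uploaded_file() refuses anything that is not a real upload, so a
    // forged tmp_name cannot copy arbitrary server files into the directory.
    if (!move_uploaded_file($_FILES['upload']['tmp_name'], $dest)) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('Could not store file');
    }
    chmod($dest, 0644); // readable, never executable, as in the post
    // Original name and extension live in the database, not on the filesystem.
    store_upload_record($_FILES['upload']['name'], $info['ext'], $info['stored']);
}
```

Because the client-supplied name never reaches the filesystem, the .htaccess rules in the uploads folder only have to cover the single .txt extension, and the -ExecCGI and 0644 settings from the post remain as a second layer.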