
Hi all,

Could anybody point me in the right direction re a regular expression I try to implement as a <FilesMatch> directive in Apache 2.4 please?

I would like to deny access to any files in a specific directory which file extension is not "whitelisted". The rule should be case insensitive.

    <Directory ... >
        <FilesMatch [WHITELIST] >
            Require all denied
        </FilesMatch>
    </Directory>

I tried the following as [WHITELIST], but to no avail:

    "(?<!\.png|\.gif|\.jp?g)$"    -> works, but is case insensitive
    "(?i:<!\.(png|gif|jp?g))$"    -> does not match anything
    !"(?i:\.(png|gif|jp?g))$"     -> does not match anything
    "(?i:<!\.png|\.gif|\.jp?g)$"  -> does exactly the opposite (not negated)

...plus 100 combinations, which all result in parsing errors :-)

My understanding is that ?i: means case insensitive and <! negates the expression.

Any idea what I am doing wrong or how to achieve what I outlined above?

Many thanks
Michael

On Sat, 2016-11-05 at 10:45 +1100, Michael Schams via luv-main wrote:
> <Directory ... >
>     <FilesMatch [WHITELIST] >
>         Require all denied
>     </FilesMatch>
> </Directory>

Finally I ended up with the following solution, which seems to work well in Apache 2.4.x and is also easy to read:

    <Directory ... >
        <If "! %{REQUEST_URI} =~ /\.(png|gif|jpe?g)$/i" >
            Require all denied
        </If>
    </Directory>

Cheers
Michael

On Sat, Nov 05, 2016 at 10:45:09AM +1100, Michael Schams wrote:
> Could anybody point me in the right direction re a regular expression I try to implement as a <FilesMatch> directive in Apache 2.4 please?
>
> I would like to deny access to any files in a specific directory which file extension is not "whitelisted". The rule should be case insensitive.

There's two things you're doing wrong (well, one wrong and one overly complicated).

First, instead of trying to create a negated match, set the default for that directory to denied, and then allow matching files. That's less complicated, so easier to get right.

Second, you seem to be confused about the difference between shell globbing chars (wildcards) and regular expressions. They look similar in some ways, but they're not the same. This is a very common point of confusion, so you should spend some time reading up on them both. The Unix & Linux Stack Exchange site has lots of good questions and answers on the topic, and there's always the bash and shell programming guides.

In particular, jp?g does not mean 'jp followed by any char and then a g'. It means 'j followed by an optional p and then a g'. You want 'jpe?g' instead, for 'jp followed by an optional e and then a g'.

e.g. something like this:

    <Directory ... >
        Require all denied
        <FilesMatch "\.(?i:png|gif|jpe?g)$">
            Require all granted
        </FilesMatch>
    </Directory>

Useful reference material:

bash and other command line stuff:

    http://tldp.org/ - lots of useful guides, howtos and faqs.
    http://mywiki.wooledge.org/BashGuide
    http://mywiki.wooledge.org/BashFAQ

also run 'man bash' and search for "Pattern Matching"

Regular expressions:

    http://www.regular-expressions.info/
    http://www.rexegg.com/regex-quickstart.html

Stack Exchange Q&A sites:

    http://unix.stackexchange.com/
    and http://askubuntu.com/ if you use ubuntu
    http://serverfault.com/
    http://webmasters.stackexchange.com/

Wikipedia:

    https://en.wikipedia.org/wiki/Regular_expression
    https://en.wikipedia.org/wiki/Wildmat

craig

--
craig sanders <cas@taz.net.au>

On Sun, 2016-11-06 at 17:33 +1100, Craig Sanders via luv-main wrote:
> On Sat, Nov 05, 2016 at 10:45:09AM +1100, Michael Schams wrote:
> > Could anybody point me in the right direction re a regular expression I try to implement as a <FilesMatch> directive in Apache 2.4 please?
> [...]
> First, instead of trying to create a negated match, set the default for that directory to denied, and then allow matching files. That's less complicated, so easier to get right.

Thanks Craig! This makes perfect sense and works like a charm.

Cheers
Michael
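
Added example, not part of any message in the thread: a small Python check of the default-deny allowlist pattern from the reply above against constructed file names, next to the same pattern with the 'jp?g' slip, to show which names each one lets through. Python's re module is used here as a stand-in for Apache's regex engine (an assumption; the scoped (?i:...) syntax is accepted by both), and the sample names and function names are made up for the illustration.

```python
import re

# Patterns as they appear in the thread. (?i:...) scopes case-insensitivity
# to the group, exactly as written in the FilesMatch example.
ALLOW_FIXED = re.compile(r"\.(?i:png|gif|jpe?g)$")  # from the reply
ALLOW_TYPO = re.compile(r"\.(?i:png|gif|jp?g)$")    # same, with the 'jp?g' slip

# Constructed sample file names (not taken from the thread).
SAMPLES = [
    "logo.png", "PHOTO.JPG", "scan.jpeg", "Scan.JpEg", "anim.gif",
    "odd.jg", "notes.txt", "index.php", "image.png.bak", "jpg", ".htaccess",
]


def decide(pattern, filename):
    """Model 'Require all denied' as the directory default, with
    'Require all granted' only when the allowlist pattern matches."""
    return "granted" if pattern.search(filename) else "denied"


def audit(filenames, pattern=ALLOW_FIXED):
    """Return {filename: decision} for the given allowlist pattern."""
    return {name: decide(pattern, name) for name in filenames}


def disagreements(filenames):
    """Names on which the 'jp?g' and 'jpe?g' patterns decide differently,
    as {filename: (decision_with_typo, decision_with_fix)}."""
    fixed = audit(filenames, ALLOW_FIXED)
    typo = audit(filenames, ALLOW_TYPO)
    return {n: (typo[n], fixed[n]) for n in filenames if typo[n] != fixed[n]}


if __name__ == "__main__":
    for name, decision in audit(SAMPLES).items():
        print(f"{name:16} {decision}")
    print("jp?g vs jpe?g:", disagreements(SAMPLES))
```

Running the same list of names through a pattern before deploying it is a quick way to confirm that everything outside the allowlist falls through to the deny default.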