How can I disable specific file type uploads globally in Apache?
I am unaware of anything that would stop uploads (if using sftp or something else), from Apache, though if using PHP for the uploads, then the file extensions can be disabled.
Likely there would be some setting in whatever SSH/FTP server one is using.
However, from Apache there are various ways of disabling execution of files from given directories, using things like FilesMatch / deny from all, or SetHandler / None. These could be in .htaccess files or in httpd.conf.
See https://stackoverflow.com/questions/5689423/how-to-ban-all-executable-files-on-apache for a similar discussion.
Related videos on Youtube
Michiel Pater
Hi, My name is Michiel, I am owner and lead developer at Tradosoft. You can find more information about me on my Portfolio and on LinkedIn. Michiel
Updated on September 18, 2022Comments
-
Michiel Pater almost 2 years
In order to secure my webserver, I would like to block specific file types from being uploaded globally, independent of what FTP users configure in their webpages.
Is there a way to globally block specific file types from being uploaded (such as PHP files) in Apache?
-
dawud over 9 yearsWhat do you want to prevent? execution of those files? is it an option to mount the target filesystem
noexec
? -
Michiel Pater over 9 yearsI would like to prevent visitors from uploading PHP (and other) files through PHP file upload.
-
dawud over 9 yearsAgain, PHP is plain text, what do you want to prevent? what would be allowed?
-
Michiel Pater over 9 yearsPHP can access the mailserver and use it for spamming.
-
NuTTyX over 9 yearsAre you serving PHP on your Apache? If not, disable that module and also similars like cgi. If you do serve PHP, just do not allow your users to upload files to the DocumentRoot of your Apache. If you serve PHP and your users need to upload files to the DocumentRoot of your Apache... well, I'd go to force a
text/plain
response on the Apache for your users files.
-