FilesMatch指令纯粹基于文件名。它不会查看路径部分。

如果要在root .htaccess文件中指定指令来控制子目录，可以使用 mod_rewrite 。

尝试这个：

  RewriteRule ^ uploads /.* \。（php | rb | py）$  -  [F，L，NC ] 
 

上面的内容会阻止任何以.php或.rb或.py结尾的文件，在/ uploads目录或其子目录。例如，它将阻止：

• /uploads/something.php


• / uploads / something /more.php

请注意，重写规则中没有前导斜杠。您需要在指令中使用的路径将根据其放置位置而有所不同。上述指令（如果放在文档根目录的.htaccess文件中）将适用于文件根目录下的名为 uploads 的文件。

尽管上述内容可以解答您的问题，但只允许仅使用特定文件，而不是尝试阻止文件，这将更为安全。通常，服务器将执行不同于您列出的扩展名的文件。

您可以这样做：

  RewriteCond％{REQUEST_URI} ^ / uploads [NC] 
 RewriteCond％{REQUEST_URI}！\。（jpe？g | png | gif）$ [NC] 
 RewriteRule。*  -  [F，L] 
 

如上所述，如果请求URI以/ upload开始，但不以指定的扩展名结尾，则被禁止。您可以将扩展名更改为适合您需要的任何扩展。但是，这样，您可以根据需要允许扩展，而不是发现太晚，您错过了阻止一个。

此规则（从您的问题）

  RewriteRule ^（uploads / \.php） -  [F，L，NC] 
 

将阻止

• /uploads/.php


• /uploads/.phpmore

但它不允许目录名称和文件扩展名之间的任何内容。 / p>

如果要使用rewirte规则，您可能需要了解有关regexp的更多信息。当我需要查找某些东西时，我经常会参考 www.regular-expressions.info 。

For some application, users are able to upload their own files. Since this can be very large files, they are allowed to upload them via their own FTP client.

Of course I wouldn't like them to upload some PHP files with which they can access all other files on the server. One of the ways I want to prevent this behavior is by denying access to specific file types (like php, rb, py, etc.) only in these folders.

I have found ways to deny access to folders, to files, to files in folders, but nothing about file types in folders.

I tried combining what I've found, like:

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

changing to

<Files uploads/ "\.inc$">
Order allow,deny
Deny from all
</Files>

or alternative ways

RewriteRule ^(\.php) - [F,L,NC] 

to

RewriteRule ^(uploads/\.php) - [F,L,NC]

However, I can't find out what syntax I should use.

So, for example, I could have the following (basic example):

/index.php
/uploads/
  hack.php
  hack.rb
  hack.py
  pony.jpg

I want hack.php/rb/py to be unavailable, but everything else to be available. What syntax should I use?

The FilesMatch directive works purely on filenames. It doesn't look at the path portion at all.

If you want to specify directives in the root .htaccess file to control a subdirectory, you can use mod_rewrite.

Try this:

RewriteRule ^uploads/.*\.(php|rb|py)$ - [F,L,NC]

The above will block any filename ending in .php or .rb or .py in the /uploads directory or its subdirectories. For example, it will block:

• /uploads/something.php
• /uploads/something/more.php

Note that there is no leading slash in the rewrite rule. The path that you need to use in the directive will be different depending on where it's placed. The above directive, if placed in the document root's .htaccess file, will work for files in a directory called uploads that is directly beneath document root.

While the above answers your question, it would be safer to allow only specific files rather than trying to block files. Often a server will execute files with extensions other than the ones you've listed.

You could do something like this:

RewriteCond %{REQUEST_URI} ^/uploads [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif)$ [NC]
RewriteRule .* - [F,L]

With the above, if the request URI begins with /uploads but does not end with one of the specified extensions, then it is forbidden. You can change the extensions to whatever suits your needs. But that way, you can permit extensions as needed rather than finding out too late that you missed blocking one.

This rule (from your question)

RewriteRule ^(uploads/\.php) - [F,L,NC]

will block

• /uploads/.php
• /uploads/.phpmore

but it does not allow for anything between the directory name and the file extension.

If you are going to use rewirte rules, you might want to learn more about regexp. I often refer to www.regular-expressions.info when I need to look up something.