.htaccess to deny access to most xml files

Question

I recently had a Joomla site hacked, so I'm trying to harden the site a bit. There's a section in the recommended .htaccess that restricts outside access to the xml files that come with extensions. However, it also keeps my sitemap.xml file from being accessed.

How do I allow a certain file whiles keeping the rest?

here's the default code:

<Files ~ "\.xml$">
 Order allow,deny
 Deny from all
 Satisfy all
</Files>

and my modification that caused a 500 error:

<Files ~ "(?!sitemap)\.xml$">
 Order allow,deny
 Deny from all
 Satisfy all
</Files>

Care to specify what the error message is? You'll find it in your error_log. — tylerl, Jul 31 '10 at 08:02

coredump · Answer 1 · 2010-07-29T16:33:44.543

3

You should use <FilesMatch> as documented here

Also, I think your regex should be (?<!sitemap)\.xml$ instead. Like this:

<FilesMatch "(?<!sitemap)\.xml$">
   Order allow,deny
   Deny from all
</FilesMatch>

edited Jul 29 '10 at 16:33

answered Jul 29 '10 at 12:52

coredump

12,573
2
34
53

Still cased a 500 error for me. – CEich Jul 31 '10 at 07:09
Invalid command 'Deny', perhaps misspelled or defined by a module not included in the server configuration – Black Dec 06 '18 at 09:29

score 1 · Accepted Answer · answered Feb 06 '11 at 04:24

1

The FilesMatch line has an extra "<". It should be:

<FilesMatch "(?!sitemap)\.xml$">

answered Feb 06 '11 at 04:24

Ap.Muthu

26
1

score 0 · Answer 3 · answered Jul 31 '10 at 07:11

0

I finally decided not to mess with the regex.

I added:

<Files ~  "sitemap\.xml$">
  Order allow,deny
  Allow from all  
</Files>

afterward and it works like a charm.

answered Jul 31 '10 at 07:11

CEich

123
1
4

Don't you mane "Deny from all" on line 3? – Peter Ajtai Aug 01 '10 at 21:25
no, putting this under the directive to deny all .xml files overrides the directive in this one case. Thus, though not as cool looking as the regex solution, it still works. – CEich Aug 03 '10 at 15:03

.htaccess to deny access to most xml files

3 Answers3