Support » Plugin: File Manager » WP File Manager (Pro) .htaccess defect

  • Hi,

    Couldn’t find a Github source for this and/or a PR.

    Your WP File Manager plugin, and probably the Pro version as well, contains a defect. It writes a broken .htaccess file to wp-content/uploads/wp-file-manager-pro/fm_backup/.

    From file_folder_manager.php source, version 7.1.5, lines 75 – 86 write the .htaccess file:

    $myfile = $backup_dirname."/.htaccess";
    if(!file_exists($myfile)){
      $myfileHandle = @fopen($myfile, 'w+');
      if(!is_bool($myfileHandle)){
        $txt = '<FilesMatch "\.(zip|gz)$">';
        $txt .= "\nOrder allow,deny\n";
        $txt .= "Deny from all\n";
        $txt .= "</Files>";
        @fwrite($myfileHandle, $txt);
        @fclose($myfileHandle);
      }
    }
    

    There are two defects here:

    1. FilesMatch and Files don’t match. The latter must be FilesMatch too or start and end sections don’t belong to each other.
    2. Order allow,deny doesn’t work on Apache 2.4.6+ (1). This must be wrapped in an IfModule statement.

    (1) For an optimal .htaccess, rewrite FilesMatch to:

    <FilesMatch "\.(zip|gz)$">
    	# Apache 2.2
    	<IfModule !mod_authz_core.c>
    		Order Deny,Allow
    		Deny from all
    	</IfModule>
    
    	# Apache 2.4.6+
    	<IfModule mod_authz_core.c>
    		Require all denied
    	</IfModule>
    </FilesMatch>
    

    Taken from https://www.saotn.org/wordpress-htaccess-security-best-practices-apache-24/
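
An added example, not part of the original post or the plugin's code: a small Python check that flags the two defects named above in an .htaccess file, namely a closing section tag that does not match its opener and 2.2-style access directives outside a guarding IfModule. The function name, the sample strings and the set of recognised guards are assumptions made for this sketch.

```python
import re

# Constructed sample: the bytes the quoted PHP snippet writes to .htaccess.
BROKEN = '<FilesMatch "\\.(zip|gz)$">\nOrder allow,deny\nDeny from all\n</Files>'

# Constructed sample: the corrected block proposed in the post.
FIXED = """<FilesMatch "\\.(zip|gz)$">
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>"""

OPEN = re.compile(r"^<([A-Za-z]+)\b(.*)>$")
CLOSE = re.compile(r"^</([A-Za-z]+)>$")
LEGACY = re.compile(r"^(Order|Allow|Deny|Satisfy)\b", re.I)  # 2.2-style access directives
# Assumption: these IfModule tests are the only guards this sketch recognises.
GUARDS = {"!mod_authz_core.c", "mod_access_compat.c"}


def lint_htaccess(text):
    """Return (line_no, message) findings for unbalanced sections and
    2.2-style access directives outside a guarding <IfModule>."""
    findings, stack = [], []  # stack entries: (section name, arguments, line_no)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := CLOSE.match(line):
            name = m.group(1).lower()
            if not stack:
                findings.append((no, f"</{name}> has no open section"))
                continue
            opened, _, at = stack.pop()
            if opened != name:
                findings.append((no, f"</{name}> closes <{opened}> from line {at}"))
        elif m := OPEN.match(line):
            stack.append((m.group(1).lower(), m.group(2).strip().lower(), no))
        elif LEGACY.match(line):
            if not any(n == "ifmodule" and a in GUARDS for n, a, _ in stack):
                findings.append((no, f"'{line}' is not inside a guarding <IfModule>"))
    findings += [(at, f"<{n}> is never closed") for n, _, at in stack]
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_htaccess(sample))
```

To audit a live site, pass the contents of the .htaccess under the fm_backup directory to `lint_htaccess`; an empty list means neither defect was found.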

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support File Manager Support

    (@filemanagersupport)

    Hey @jan

    Thanks for highlighting the issue.

    We are investigating the issue at our end and we will get back to you with an update on this shortly.

    Also, while we are checking the issue, we would request that you send us a support ticket using this link: https://filemanagerpro.io/contact

    We will be able to better assist you with your issue by setting up a call.

    Rgds,
    Support Team

    Thread Starter Jan Reilink

    (@janr)

    Hello Support Team,

    In my opinion, this is not the way we should have support on WordPress plugins, but if it helps…

    Ticket Submitted Successfully!

    There is no need for setting up a call, you just need to fix your broken .htaccess.
