Protect Upload Folder Files With Ampersand Problem

As you’ve stated, the B flag is required in this case. But this should be [B,L], not [BNC] as you’ve quoted a couple of times?

Not sure where you got [BNC] from, but that’s wholly invalid and would break an Apache server (500 Internal Server Error response). If you don’t see an error, using this invalid flag, then it’s possible you are on a LiteSpeed server, which quietly ignores the error and the directive does not run, allowing unrestricted access to the file (which seems to be what you are seeing here).

The B flag is required in order to re-encode the & (as %26) as captured from the requested decoded-URL before passing this to the query string, so that you pass the entire “filename” and not just the part before the &.

For example, if you request /wp-content/uploads/abc%26def.pdf and do not use the B flag then the resulting request will be:

checkloggedin.php?file=abc&def

That’s now effectively two URL parameters: file=abc and def=

With the B flag, the captured backreference is re-encoded and becomes:

checkloggedin.php?file=abc%26def

PHP/WordPress then decodes this to abc&def – the complete filename.

So, the complete rule should be:

RewriteCond %{REQUEST_FILENAME} -s
RewriteRule ^wp-content/uploads/(.*) checkloggedin.php?file=$1 [B,L]

The QSA flag is not required, unless you are passing additional query string parameters in your initial file request? The trailing $ on the RewriteRule pattern is not required either, since regex is greedy by default.

If this still does not work then the problem is with the checkloggedin.php script. But from what you say, this script is not even being called when using BNC – which is why I think you are on a LiteSpeed server (not Apache).

UPDATE:

An alternative method is to pass the filename as path-info instead of as a URL parameter in the query string. You are then not prone to URL-encoding issues associated with & (this is not a special character in the URL-path).

So, instead of the above rule, you would use the following instead in .htaccess:

RewriteCond %{REQUEST_FILENAME} -s
RewriteRule ^wp-content/uploads/(.*) checkloggedin.php/$1 [L]

The B flag is not required.

The URL-path matched by the RewriteRule pattern is already %-decoded (so it doesn’t matter whether the original request includes & or %26). The same “file” value is passed as path-info (additional pathname information) and is therefore available via the $_SERVER['PATH_INFO'] superglobal, instead of $_GET['file'].

So, in your script you would need to do something like the following instead to populate your $filename variable:

$filename = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : null;

Related Posts:

  1. Place static HTML files in path below WordPress page
  2. htaccess rewrite for author query string when WP is in subfolder
  3. Remove year and month in URL using .htaccess
  4. Rewrite rule not working
  5. .htaccess redirects disappeared after re-saving permalinks
  6. Remove File Extension for Page Outside of WordPress
  7. WordPress URL/Folder ReWrite using Htaccess
  8. WordPress mod_rewrite is canceling/overwriting my other mod_rewrite rule
  9. How can i redirect one url to another url using .htaccess or add_rewrite_rule
  10. Override htacces rule only for specific directory
  11. mod_rewrite loop, redirecting http to https on certain section of wordpress blog
  12. blocking access to all post/tag URIs via htaccess
  13. Site in subfolder – all pages work except home
  14. htaccess, site and staging in subdirectories
  15. How to write .htaccess so that https is on for subpages only but not the home page
  16. How to create a redirect in the .htaccess file, with 2 exceptions
  17. 404 error Additionally 403 Forbidden error on a URL
  18. Custom rewrite rule, url returning 404
  19. mod_rewrite doesn’t work as I want even with JSON API Plugin disabled
  20. I have a page using a pretty url and a mod_rewrite rule matching it. I expected it to give an error but it’s working. Why?
  21. disable WordPress 404 for one specific page/folder to receive actual php errors
  22. .htaccess Non-‘www’ to ‘www’ Subdomain Redirection Only Works for Homepage
  23. How can I create a smarter .htaccess file that will add a directory?
  24. Rewriting subfolders to specific parent folder in WordPress
  25. Redirect WordPress site to a landing (construction) page using htaccess, with access to /wp-admin and /invoice
  26. htaccess redirect to path
  27. I can access subdirectory, but not files within it
  28. htaccess mod_rewrite not working
  29. Add-on domain works in WordPress but links still lead to subdomain
  30. Getting a 500 Internal Server Error on Laravel 5+ Ubuntu 14.04
  31. htaccess problem after saving Settings
  32. File and directory permissions
  33. htaccess https redirect from www to non-www
  34. Name-based virtual host configuration in Apache seems to cause a “500 Internal Server Error”
  35. Isolating WordPress to a subfolder
  36. Error:406 not acceptable
  37. What is the role of .htaccess file in WordPress?
  38. How can I code my plugin to safely modify .htaccess?
  39. Prevent users from browsing through the media galleries
  40. How to modify the .htaccess to force ssl on login and admin pages
  41. HTAccess stops me from accessing WordPress Dashboard links
  42. .htaccess rewrite rule puzzle
  43. Allow logged in users who doesn’t belong to whitelisted ips
  44. Best way to redirect site in subdirectory to root?
  45. Only expose routes with prefix /wp-json on WordPress using Apache
  46. WordPress rewrite rules don’t need ^?
  47. Missing slash after moving site to subfolder
  48. WildCard SSL with wordpress subdomain
  49. Hardening wordpress: blocking /includes with htaccess
  50. browser caching not disabled after disabling in .htaccess
  51. Restrict uploaded files into a custom folder to logged in users by htaccess: looking for Nginx – not only Apache – solution
  52. Transfer to HTTPS – mixed content on main page only [closed]
  53. Htaccess redirect after changing Language URL format
  54. .htaccess rule to redirect old URLs to new structure [closed]
  55. How do I test to ensure that my wp-config file is protected?
  56. Adding a SSL Certificate
  57. Add additional non-rewrite .htaccess directives on multisites via mod_rewrite_rules filter
  58. .htaccess Security Header Rules
  59. .htaccess in subdir gets ignored by WordPress’ own .htaccess in /
  60. Rules in .htaccess only if the requested URL is /wp-admin
  61. What to write in the htaccess in order to detect browser language and point accordingly?
  62. sitemap contains weird links and does not contain my pages [closed]
  63. how to redirect 301 my old search query string to wordpress search query string?
  64. How To Fix A Redirect Chain
  65. .htaccess RewriteCond excluding directories does not work when there is an .htaccess or php.ini in subdirectory
  66. Separate 404 page for WordPress in subfolder
  67. Weird behavior of Dashboard, must be core files
  68. Remove trailing slash after .html extension
  69. Does WP suppresses .htaccess if permalinks are disabled?
  70. How do I setup htaccess for 301 redirects, post Joomla to WordPress migration? [closed]
  71. Hide a subdirectory on my website hosting
  72. Can’t access WP site over WiFi network
  73. Creating a copy of a website in a subdirectory, wp-admin redirect problem
  74. I am new in word pres my font awesome is not allow
  75. htaccess redirect throws an error: PHP Catchable fatal error: Object of class WP_Error could not be converted to string
  76. WordPress permalinks confusion
  77. How do I reset a rewrite?
  78. Basic Auth .htaccess on wp-login, but allow logout from woocommerce
  79. Why my WordPress Site Asking for HTTP Authentication?
  80. htaccess redirects invalid request to home page not 404
  81. WordPress How to rewrite URL for custom pages
  82. How to properly give WordPress its own directory
  83. WordPress permalinks is wrong. It wants me to change my htaccess file. But then site crashes
  84. How to move wordpress website from hosting account to localhost
  85. Question with .htaccess and wp-login.php prevention
  86. WordPress RSS feed to external XML
  87. Does htaccess password keep search engines out?
  88. Pretty permalinks (again)
  89. htaccess old php pages to new wordpress ones
  90. different CNAME to corresponding subfolders
  91. block seacrh engines for all pages EXCEPT homepage
  92. Giving WordPress it’s own directory and using .htaccess Directory Index
  93. Allowing access to certain WordPress created pages or posts with htaccess / htpasswd
  94. Restrict download files from not generated Urls
  95. htaccess – Server Subdirectory With Different Name Than URL Subdirectory
  96. WordPress sections in htaccess kills FrontPage permissions
  97. Add rewrite endpoint and .htaccess
  98. How To Add CSP frame ancestors in WordPress Website? [closed]
  99. The connection to “domain” is not secure
  100. How do I modify each instance of setcookie?