[Typo3-dev] Extension and resources (images, ...) and security
Steffen Mueller
steffen at davis.kommwiss.fu-berlin.de
Thu May 13 11:15:30 CEST 2004
On 13.05.2004 09:58 Daniel Brün wrote:
> Hi folks!
>
> I already posted this on the English list quite a while ago. Maybe it's
> worth thinking about.
>
> Say you have an FE-extension that brings its own set of small JPEGs
> (e.g. for buttons) or other resources that have to be accessible from
> the outside world.
> Where do you place them? When put into ext/my_ext/res, for instance,
> then this directory has to be "open", so the browser can access
> www.mydomain.com/typo3conf/ext/my_ext/res/example.jpg ?!
>
> Of course this is the case in most installations.
>
> BUT: As most FE-ext-files are only included by other scripts, the
> directory does not necessarily have to be opened for the outside world, right?
> This would prevent people from being able to check out which extensions
> are installed on my system, which would increase security.
>
> A possible solution could be to implement a mechanism that copies the
> necessary extension-resources to fileadmin/extres/my_ext/...
>
Hi.
Restrict the permissions of the /typo3conf directory with .htaccess:
<--- snip
Order Deny,Allow
Deny from all
snap --->
This will deny any user access to /typo3conf and its subdirectories.
--
cheers,
Steffen
----------------------------------------------------------
"Education is man's going forward from cocksure ignorance
to thoughtful uncertainty." (Don Clarks' Scrapbook)
----------------------------------------------------------
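
Added example, not part of the original post: a blanket deny on /typo3conf also refuses browser requests such as typo3conf/ext/my_ext/res/example.jpg, so this variant keeps the deny-by-default from the reply and re-opens only static resource types. The list of file extensions is an assumption; adjust it to what your extensions actually ship.

```apache
# typo3conf/.htaccess
# Added example. The file-extension list below is an assumption.
# The server config must permit these directives in .htaccess:
# AllowOverride Limit for Order/Allow/Deny, AllowOverride AuthConfig for Require.

# Apache 2.2 syntax, as used in the post.
<IfModule !mod_authz_core.c>
    # Default for the directory and everything below it: no access.
    Order Deny,Allow
    Deny from all

    # Exception: static files an extension serves directly to the browser.
    # PHP scripts and configuration files do not match and stay denied.
    <FilesMatch "\.(jpe?g|gif|png|css|js)$">
        Order Allow,Deny
        Allow from all
    </FilesMatch>
</IfModule>

# Apache 2.4 equivalent (mod_authz_core).
<IfModule mod_authz_core.c>
    Require all denied

    <FilesMatch "\.(jpe?g|gif|png|css|js)$">
        Require all granted
    </FilesMatch>
</IfModule>
```

A request for a known resource path still answers 200 where the extension is installed, so this limits what can be fetched from the directory rather than hiding which extensions are present.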