[TYPO3-dev] Info disclosure from extension folders
Martin Kutschker
martin.kutschker-n0spam at no5pam-blackbox.net
Thu Oct 26 11:35:09 CEST 2006
Christopher Torgalson schrieb:
>>
>> IMHO this should be addresses in TYPO3 5.0, but in the meantime you can
>> hide only specific files (eg "typo3conf/localconf.php" or generic file
>> names like "ChangeLog"), but I think it's a lot of trouble to protect all
>> those files and directories with Apache directives.
>
> Really? Drupal's .htaccess file ships with this entry:
>
> <FilesMatch
> "(\.(engine|inc|install|module|sh|.*sql|theme|tpl(\.php)?|xtmpl)|code-style\.pl|Entries.*|Repository|Root)$">
>
> Order deny,allow
> Deny from all
> </FilesMatch>
>
> ...and it works--files can be accessed by local scripts but not, as
> far as I can see, in any other way. Did I misunderstand what you
> meant?
I think this is horrible. Why should I waste Apaches resource which has
to make this check for every file access when I can have it for free
with an intelligent directory layout.
Soryy, but I'm not interested in this.
Masi
More information about the TYPO3-dev
mailing list