[TYPO3-dev] Info disclosure from extension folders

Martin Kutschker martin.kutschker-n0spam at no5pam-blackbox.net
Thu Oct 26 11:35:09 CEST 2006


Christopher Torgalson wrote:
>>
>> IMHO this should be addressed in TYPO3 5.0, but in the meantime you can
>> hide only specific files (eg "typo3conf/localconf.php" or generic file
>> names like "ChangeLog"), but I think it's a lot of trouble to protect all
>> those files and directories with Apache directives.
> 
> Really? Drupal's .htaccess file ships with this entry:
> 
> <FilesMatch "(\.(engine|inc|install|module|sh|.*sql|theme|tpl(\.php)?|xtmpl)|code-style\.pl|Entries.*|Repository|Root)$">
>  Order deny,allow
>  Deny from all
> </FilesMatch>
> 
> ...and it works--files can be accessed by local scripts but not, as
> far as I can see, in any other way. Did I misunderstand what you
> meant?

I think this is horrible. Why should I waste the resources of Apache, which has
to make this check for every file access, when I can have it for free
with an intelligent directory layout?

Sorry, but I'm not interested in this.

Masi
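
Added example, not part of either post: a small audit that applies the FilesMatch pattern quoted above to a list of paths and reports which names the deny-list covers and which it does not. The sample paths are constructed, and Python's `re` is assumed to treat this particular pattern the same way Apache's regex engine does.

```python
import re
from pathlib import PurePosixPath

# Pattern copied from the Drupal .htaccess entry quoted in the thread.
DRUPAL_FILESMATCH = re.compile(
    r"(\.(engine|inc|install|module|sh|.*sql|theme|tpl(\.php)?|xtmpl)"
    r"|code-style\.pl|Entries.*|Repository|Root)$"
)

# Constructed sample tree (illustrative paths, not taken from a real site).
SAMPLE_PATHS = [
    "typo3conf/localconf.php",
    "typo3conf/ext/myext/ChangeLog",
    "typo3conf/ext/myext/ext_tables.sql",
    "typo3conf/ext/myext/doc/README.txt",
    "typo3conf/ext/myext/CVS/Entries",
    "typo3conf/ext/myext/res/template.tpl.php",
    "typo3conf/ext/myext/class.helper.inc",
]


def is_denied(path):
    """True if the deny-list matches; FilesMatch sees only the file name."""
    return DRUPAL_FILESMATCH.search(PurePosixPath(path).name) is not None


def audit(paths):
    """Split paths into (denied, unmatched) under the deny-list."""
    denied = [p for p in paths if is_denied(p)]
    unmatched = [p for p in paths if not is_denied(p)]
    return denied, unmatched


if __name__ == "__main__":
    denied, unmatched = audit(SAMPLE_PATHS)
    for p in denied:
        print("denied    ", p)
    # Unmatched names fall through to whatever the rest of the server
    # configuration does with them; the deny-list itself does not cover them.
    for p in unmatched:
        print("unmatched ", p)
```

Run against a real file listing (for example the output of `find . -type f`), the unmatched list shows which names a pattern-based rule would still need to cover.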


