[TYPO3-dev] bug 10502 - IPmaskList - shows just white page instead of BE-Login
Martin Kutschker
masi-no at spam-typo3.org
Fri Feb 20 11:58:57 CET 2009
Steffen Kamper schrieb:
> Hi,
>
> Martin Kutschker schrieb:
>> Steffen Kamper schrieb:
>>> Hi Daniel,
>>>
>>> i can confirm this.
>>>
>>> The problem occurs in init.php where this condition is true all the
>>> time:
>>>
>>> if (trim($TYPO3_CONF_VARS['BE']['IPmaskList']) &&
>>> !(defined('TYPO3_cliMode') && TYPO3_cliMode))
>>
>> But I think this is ok. A misconfigured security measure should result
>> in a denied access.
>>
> yes, it's ok.
>
>
>> Of course a blank screen is never helpful. TYPO3 should send the
>> appropriate HTTP header for "access denied" and log the configuration
>> error.
>>
>> Masi
>
> yeah. This is done without access:
> header('Status: 404 Not Found'); // Send Not Found header - if the
> webserver can make use of it...
> header('Location: http://'); // Just point us away from here...
> exit; // ... and exit good!
>
> better would be to display a message instead redirect to empty url.
If display a message we should send 403 Forbidden. If we want to conceal
the BE then 404 without a message is fine. Though I'd remove the illegal
Location header.
Masi
More information about the TYPO3-dev
mailing list