[TYPO3-dev] bug 10502 - IPmaskList - shows just white page instead of BE-Login

Daniel Bruessler danielb at typo3.org
Fri Feb 20 12:18:13 CET 2009


Hello Steffen and Martin,

Ah, so that's the problem! Yes, a message would be a fallback solution.

Wouldn't it be better to just hide the debug() messages from the output
when the IP doesn't match -- or is this too complicated?

Cheers!
Daniel

> Steffen Kamper wrote:
>> Hi,
>>
>> Martin Kutschker wrote:
>>> Steffen Kamper wrote:
>>>> Hi Daniel,
>>>>
>>>> I can confirm this.
>>>>
>>>> The problem occurs in init.php where this condition is true all the
>>>> time:
>>>>
>>>> if (trim($TYPO3_CONF_VARS['BE']['IPmaskList']) &&
>>>> !(defined('TYPO3_cliMode') && TYPO3_cliMode))
>>> But I think this is ok. A misconfigured security measure should result
>>> in a denied access.
>>>
>> yes, it's ok.
>>
>>
>>> Of course a blank screen is never helpful. TYPO3 should send the
>>> appropriate HTTP header for "access denied" and log the configuration
>>> error.
>>>
>>> Masi
>> yeah. This is done without access:
>> header('Status: 404 Not Found');    // Send Not Found header - if the webserver can make use of it...
>> header('Location: http://');    // Just point us away from here...
>>     exit;    // ... and exit good!
>>
>> Better would be to display a message instead of redirecting to an empty URL.
> 
> If we display a message, we should send 403 Forbidden. If we want to conceal
> the BE then 404 without a message is fine. Though I'd remove the illegal
> Location header.
> 
> Masi
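
The two denial variants discussed in the thread (403 Forbidden with a message, or a bare 404 that conceals the BE, in both cases without the Location header and with the denial logged), sketched in PHP as an added example that is not TYPO3 code and not from any poster in this thread. The function names, the simplified four-octet mask syntax with `*` wildcards and the log text are assumptions made for illustration.

```php
<?php
// Added illustration: all function names here are hypothetical, not TYPO3 API.

/** True if $ip matches an entry of a comma-separated IPv4 list; '*' matches one whole octet. */
function ipMatchesMaskList(string $ip, string $maskList): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false; // fail closed on anything that is not a plain IPv4 address
    }
    $ipParts = explode('.', $ip);
    foreach (explode(',', $maskList) as $mask) {
        $maskParts = explode('.', trim($mask));
        if (count($maskParts) !== 4) {
            continue; // a malformed entry never grants access
        }
        $hit = true;
        foreach ($maskParts as $i => $part) {
            if ($part !== '*' && $part !== $ipParts[$i]) {
                $hit = false;
                break;
            }
        }
        if ($hit) {
            return true;
        }
    }
    return false;
}

/** Denial response: 403 with a message, or an empty 404 when the backend should stay concealed. */
function denyResponse(bool $conceal): array
{
    return $conceal
        ? ['status' => 404, 'body' => '']
        : ['status' => 403, 'body' => 'Access denied for this IP address.'];
}

/** Same precondition as the quoted check: only enforce when a mask list is configured. */
function enforceIpMaskList(string $remoteAddr, string $maskList, bool $conceal): void
{
    if (trim($maskList) === '' || ipMatchesMaskList($remoteAddr, $maskList)) {
        return;
    }
    error_log('IPmaskList denied backend access for ' . json_encode($remoteAddr));
    $response = denyResponse($conceal);
    http_response_code($response['status']); // real status code, no Location header
    header('Content-Type: text/plain; charset=utf-8');
    echo $response['body'];
    exit;
}
```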



