[TYPO3-dev] Reintroducing config.baseURL = 1

Stig Nørgaard Færch snf at dkm.dk
Wed Sep 28 12:48:58 CEST 2011


Hi

We are investigating the possibility of reintroducing config.baseURL = 1
This setting was of security reasons removed from 3.8.1:
http://typo3.org/teams/security/security-bulletins/typo3-20051114-6/

We found this URL explaining the security problem:
http://lists.typo3.org/pipermail/typo3-dev/2009-September/037141.html

If we understand the security issue correctly, a check if 
$GLOBALS['TSFE']->domainStartPage is an INT would solve the problem.
Then if we understand domainStartPage correctly, baseURL will only be 
set to TYPO3_SITE_URL if a sys_domain record with that domain exists.
http://api.typo3.org/typo3v4/current/html/class_8tslib__pagegen_8php_source.html#l00119

Could that be a way to reintroduce config.baseURL = 1 ?

it could also be config.baseURL = auto
or config.baseURL = sys_domain

What do you think?

This was also sent to the Security Team.

/Stig




More information about the TYPO3-dev mailing list