[TYPO3-english] is TYPO3 moving away from global extensions?

Philipp Gampe philipp.gampe at typo3.org
Fri Mar 30 20:39:19 CEST 2012


Hi Sergey,

Sergey Alexandrov wrote:

> Hi Philipp,
> 
> On 3/30/2012 1:11 PM, Philipp Gampe wrote:
>> Please don't tell you do this on your production server. As an example,
>> I do remember the serious security hole in phpadmin extension
>> which allowed doing nasty stuff even when the ext. was not installed.... I don't
>> really want to keep old versions of anything on the production server.
>> What is the problem? If somebody has write access to change the symlink,
>> they have write access for the web files too ;)
>> But I would remove old versions once I change the symlinks.
> The problem is that a bad guy could potentially access those via direct
> link, like
> domain.tld/typo3conf/ext/sources/extensions/ext_name/whatever.php and if
> whatever.php
> has a major security flaw ... you understand ;)
> You create a symlink to an ext. folder, all files inside are 444 or even
> 400 ;)

That is not true. Symlinks do not have access rights; instead the access 
rights of the *target* are in effect.

You can always do typo3/ext/whatever so what is the difference.

>>>  A shell script does not care about 2, 3, 300 or 5000 :)
> 
> Anyway, if you want to have a global folder again (it has not
> disappeared), I suggest to not have this in the source, but expect such a
> folder either on web root (I dislike this) or as something like
> typo3conf/globalext/ which then can be a symlink out of the web root, into
> your sources folder.
> 
> Well, I already have global folder /typo3/ext, why do I need another one?
> ;) Yeah, to separate TYPO3 from ext ... I choose not to :) I'm an old and
> lazy guy :)

That being said, it is inside the source folder, where user content does 
not belong. typo3/ and t3lib/ may only have contents shipped from 
typo3.org. It was an architectural fault from the very beginning to have 
this folder inside the source.

>>> No, I don't have to ... if I see DB changes during ext.
>>> updating/upgrading (sure on the dev. server) a simple php
>>> script helps me to walk through all databases and alter/add new
>>> tables/fields if necessary.
>> What is the problem of using the same script to change the symlink?
> Because you never know which extension particular site uses. If not all
> of them OR you want to keep client's own ext. in the "local" folder,
> making them unavailable for others,
> you'll have to create all those symlinks ... and I just see no reason to
> do that!

Sounds like we have different attitudes towards architectural concepts. So 
let's stop here, because I do not think we will find an "agreement".

I will not support an architecture that (IMHO) might lead to insecure 
designs (by means of laziness), but instead favor a strong separation of 
concerns.

Best regards
-- 
Philipp Gampe – PGP-Key 0AD96065 – TYPO3 UG Bonn/Köln
Documentation – linkvalidator
TYPO3 .... inspiring people to share!
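One way to turn the concern discussed in this thread into a check, as an added example that is not code from the thread or from TYPO3: a POSIX shell script that builds a constructed sample layout (sources/ kept inside the web root, typo3conf/ext/foo symlinked to one version), lists the version directories still reachable under the web root that no symlink points at, and shows that the mode seen through the link is the target file's own. Paths and extension names are made up for the sample.

```shell
#!/bin/sh
# Added example, not code from the thread or from TYPO3.
set -eu

# Build a constructed sample layout in a temp dir and print its path:
# sources/ lives inside the web root, typo3conf/ext/foo is a symlink to
# one version, and two other version directories are left lying around.
setup_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/sources/extensions/foo/1.0" "$root/sources/extensions/foo/2.0" \
           "$root/sources/extensions/bar/0.5" "$root/typo3conf/ext"
  : > "$root/sources/extensions/foo/1.0/old.php"
  : > "$root/sources/extensions/foo/2.0/new.php"
  : > "$root/sources/extensions/bar/0.5/bar.php"
  chmod 0444 "$root/sources/extensions/foo/2.0/new.php"
  ln -s ../../sources/extensions/foo/2.0 "$root/typo3conf/ext/foo"
  echo "$root"
}

# Print every version directory under sources/extensions that no symlink in
# typo3conf/ext points at: these are the old versions still served from the web root.
stale_versions() {
  root=$1
  targets=""
  for link in "$root"/typo3conf/ext/*; do
    [ -L "$link" ] || continue
    # resolve the link relative to its own directory
    targets="$targets $(cd "$(dirname "$link")" && cd "$(readlink "$link")" && pwd -P)"
  done
  for ver in "$root"/sources/extensions/*/*; do
    [ -d "$ver" ] || continue
    real=$(cd "$ver" && pwd -P)
    case " $targets " in
      *" $real "*) ;;        # current target, served on purpose
      *) echo "$real" ;;
    esac
  done
}

# Permission string of a path as the web server would see it: walking through
# the symlinked directory yields the target file's own mode (0444 -> r--r--r--);
# the link entry itself carries no effective rights.
mode_of() { ls -ld "$1" | cut -c2-10; }
```

Run `stale_versions "$(setup_sample)"` to see the two leftover version directories; on a real site point it at the web root instead of the sample.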


