[TYPO3-english] is TYPO3 moving away from global extensions?
Philipp Gampe
philipp.gampe at typo3.org
Fri Mar 30 20:39:19 CEST 2012
Hi Sergey,
Sergey Alexandrov wrote:
> Hi Philipp,
>
> On 3/30/2012 1:11 PM, Philipp Gampe wrote:
>> Please don't tell me you do this on your production server. As an example,
>> I do remember the serious security hole in the phpadmin extension
>> which allowed doing nasty stuff even when the ext. was not installed.... I don't
>> really want to keep old versions of anything on the production server.
>> What is the problem? If somebody has write access to change the symlink,
>> they have write access to the web files too ;)
>> But I would remove old versions once I change the symlinks.
> The problem is that a bad guy could potentially access those via direct
> link, like
> domain.tld/typo3conf/ext/sources/extensions/ext_name/whatever.php and if
> whatever.php
> has a major security flaw ... you understand ;)
> You create a symlink to an ext. folder, all files inside are 444 or even
> 400 ;)
Which is not true. Symlinks do not have access rights; instead, the access
rights of the *target* are in effect.
You can always do typo3/ext/whatever, so what is the difference?
>>> A shell script does not care about 2, 3, 300 or 5000 :)
>
> Anyway, if you want to have a global folder again (it has not
> disappeared), I suggest not having this in the source, but expecting such a
> folder either in the web root (I dislike this) or as something like
> typo3conf/globalext/, which can then be a symlink out of the web root into
> your sources folder.
>
> Well, I already have the global folder /typo3/ext, why do I need another one?
> ;) Yeah, to separate TYPO3 from ext. ... I choose not to :) I'm an old and
> lazy guy :)
That has been said, it is inside the source folder, where user content does
not belong. typo3/ and t3lib/ may only have contents shipped from
typo3.org. It was an architectural fault from the very beginning to have
this folder inside the source.
>>> No, I don't have to ... if I see DB changes during ext.
>>> updating/upgrading (sure on the dev. server) a simple php
>>> script helps me to walk through all databases and alter/add new
>>> tables/fields if necessary.
>> What is the problem of using the same script to change the symlink?
> Because you never know which extension a particular site uses. If not all
> of them, OR if you want to keep a client's own ext. in the "local" folder,
> making them unavailable for others,
> you'll have to create all those symlinks ... and I just see no reason to
> do that!
Sounds like we have a different attitude towards architectural concepts. So
let's stop here, because I do not think we will find an "agreement".
I will not support an architecture that (IMHO) might lead to insecure
designs (by means of laziness), but instead favor a strong separation of
concerns.
Best regards
--
Philipp Gampe – PGP-Key 0AD96065 – TYPO3 UG Bonn/Köln
Documentation – linkvalidator
TYPO3 .... inspiring people to share!
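The point Philipp makes above, that a symlink carries no access rights of its own and only the target's mode bits count, can be checked directly. The script below is an added example and is not part of the thread or of TYPO3; it builds an invented "sources" tree plus a fake web root under a temporary directory, links `typo3conf/ext` out to the sources tree the way the discussion describes, and then compares the mode bits seen on the link, through the link and on the target. It assumes a Linux box with GNU coreutils (`stat -c`, `stat -L`).

```sh
#!/bin/sh
# Added demonstration, not code from the mailing-list thread. The fixture
# paths (a fake "sources" tree and a fake web root) are invented and are
# created under a temp dir. Assumes GNU coreutils (stat -c / stat -L).
set -eu

demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT

target_dir="$demo_root/sources/extensions"       # outside the web root
link="$demo_root/webroot/typo3conf/ext"           # symlink inside the web root
php_file="$link/ext_name/whatever.php"            # the path a client would request

mkdir -p "$target_dir/ext_name" "$demo_root/webroot/typo3conf"
printf '%s\n' '<?php echo "reachable";' > "$target_dir/ext_name/whatever.php"
chmod 644 "$target_dir/ext_name/whatever.php"
ln -s "$target_dir" "$link"

# Mode bits of the real file.
target_mode()   { stat -c '%a' "$target_dir/ext_name/whatever.php"; }

# Mode bits seen when the file is reached through the symlinked directory:
# the kernel resolves the link, so this is again the target's mode.
mode_via_link() { stat -L -c '%a' "$php_file"; }

# The symlink inode's own mode bits; these are never consulted for access
# decisions, whatever they show.
link_own_mode() { stat -c '%a' "$link"; }

# "Locking down" via the symlink path: chmod dereferences the link, so the
# target's bits change and the link's own bits stay as they were.
restrict_via_link() { chmod 400 "$php_file"; target_mode; }

# Whether the file can still be read through the link. The owner can read
# a 400 file; the link's mode plays no part in the answer.
readable_via_link() {
    if cat "$php_file" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# What a web server that follows symlinks would hand out: every file below
# the link is reachable, listed relative to the web root.
served_paths() {
    (cd "$demo_root/webroot" && find -L . -type f | sort)
}

echo "target mode:             $(target_mode)"
echo "mode seen via link:      $(mode_via_link)"
echo "link's own mode:         $(link_own_mode)"
echo "after chmod 400 via link: target $(restrict_via_link), link $(link_own_mode)"
echo "readable via link:       $(readable_via_link)"
echo "files a symlink-following server would serve:"
served_paths
```

Run it as an unprivileged user; as root the read check succeeds for any mode and proves nothing. The last line of output is the practical consequence for the thread: once `typo3conf/ext` points at the sources tree, every file under that tree is addressable from the web root, and no mode you set on the link itself changes that.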