[TYPO3-v4] Automatically enabled install tool
Helmut Hummel
helmut.hummel at typo3.org
Tue Aug 2 23:52:38 CEST 2011
Hi,
there have been a lot of discussions about automatically enabling the
install tool and I regularly fought against it.
Now it has been merged into 4.6beta and I'm a bit tired of fighting
against it.
That is the status (AFAIK):
1. The install tool is (still) a great danger for a TYPO3 installation.
TYPO3 sites have been hacked because the install tool was
(permanently) available (of course not only because of that).
2. If an admin clicks on the install backend module the install tool is
enabled for 1h (independently of a logged in admin user).
3. While it is easy to enable, the disable button is still hidden in
the user settings.
From an admin user perspective it is of course nicer/ easier this way
and it is much more integrated into the backend.
What I do not like about it:
It tells the wrong message.
1. It looks like a normal module now, but it's not.
2. There's no information/ confirmation any more that accessing/
activating the install could be something dangerous.
3. Disabling the install tool is much more complicated than enabling it.
4. If I accidentally click on the install tool menu item (although I
wanted to go to the log module), I enable it, exposing the
TYPO3 installation to an unnecessary risk.
I kindly ask to rethink this decision, or at least implement it in a way
which does not make the install tool look like a regular backend module.
It is not.
Thanks.
Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org