[TYPO3-ect] Securing typo3conf
Søren Andersen
hacksaw at zpeed.dk
Tue Aug 26 11:37:05 CEST 2008
Hi Torino
Which setup and constants files are you worried about being publicly
accessed?
As I see it, only extensions come with their default setup and constants TS
code, that can be publicly accessed. Since these files are readable in the
TER, there should be no security problem there.
The only way I could imagine this being a problem, would be if you created
your own extension, and started putting passwords in the default TS
configuration of the extension, and that would be very bad!
- Søren Andersen
-----Original message-----
From: typo3-team-extension-coordination-bounces at lists.netfielders.de
[mailto:typo3-team-extension-coordination-bounces at lists.netfielders.de] On
behalf of Tonix (Antonio Nati)
Sent: 26 August 2008 11:31
To: typo3-team-extension-coordination at lists.netfielders.de
Subject: [TYPO3-ect] Securing typo3conf
I have the feeling /typo3conf should be totally forbidden for any web
access, because it contains too many files (i.e. constants, setup)
which should not be accessed directly from the web.
So I deny access to /typo3conf in my website configuration, and all
works, except for some routines which must be explicitly enabled.
Up to now (for what I'm using now), the paths I must enable are:
* /typo3conf/ext/sr_freecap/pi1/captcha.php
* /typo3conf/ext/sr_freecap/pi2/newFreeCap.js
* /typo3conf/ext/dam_frontend/pushfile.php
But I have some questions:
* How is the security of the /typo3conf path generally considered?
* Should a zone be introduced where plugins should place
  routines/files which should be generally accessible? Should another
  place exist (e.g. /typo3public/ or /typo3conf/public/) where
  extensions should automatically place any file which is accessed
  directly from the web, denying instead any direct access to
  /typo3conf?
Thanks,
Tonino
--
------------------------------------------------------------
Inter at zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix at interazioni.it
------------------------------------------------------------
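
A check for the deny-by-default setup described in the original message, as an added example that is not part of the thread: it scans web server access-log lines for requests under /typo3conf that were served even though they are not one of the three listed exceptions. The Common Log Format, the function names `normalize` and `exposed_hits`, and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# The three paths the original poster says must stay reachable.
ALLOWED = {
    "/typo3conf/ext/sr_freecap/pi1/captcha.php",
    "/typo3conf/ext/sr_freecap/pi2/newFreeCap.js",
    "/typo3conf/ext/dam_frontend/pushfile.php",
}
PROTECTED_PREFIX = "/typo3conf/"

# Assumption: Common/Combined Log Format ("METHOD target HTTP/x.y" status size).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')

def normalize(target):
    """Strip the query string, percent-decode and collapse dot segments."""
    path = unquote(urlsplit(target).path)
    return posixpath.normpath("/" + path.lstrip("/"))

def exposed_hits(log_lines):
    """Return (path, status) for served /typo3conf requests off the allow-list."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, status = normalize(match.group(1)), int(match.group(2))
        under = (path + "/").startswith(PROTECTED_PREFIX)
        if under and status < 400 and path not in ALLOWED:
            hits.append((path, status))
    return hits

# Constructed sample log lines (not from a real site; example_ext is made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Aug/2008:11:40:01 +0200] "GET /typo3conf/ext/sr_freecap/pi1/captcha.php?id=3 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [26/Aug/2008:11:40:02 +0200] "GET /typo3conf/example.txt HTTP/1.1" 403 199',
    '192.0.2.11 - - [26/Aug/2008:11:40:05 +0200] "GET /typo3conf/ext/example_ext/setup.txt HTTP/1.1" 200 512',
    '192.0.2.12 - - [26/Aug/2008:11:40:09 +0200] "GET /typo3conf/ext/sr_freecap/pi1/../../example_ext/constants.txt HTTP/1.1" 200 300',
    '192.0.2.13 - - [26/Aug/2008:11:40:11 +0200] "GET /index.php?id=1 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for path, status in exposed_hits(SAMPLE_LOG):
        print(status, path)
```

An empty result over a day of real logs indicates the deny rule and its exceptions behave as intended; any hit is a file under /typo3conf that the server still hands out.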