[TYPO3-ect] Securing typo3conf

Søren Andersen hacksaw at zpeed.dk
Tue Aug 26 11:37:05 CEST 2008


Hi Torino

Which setup and constants files are you worried about being publicly
accessed?
As I see it, only extensions come with their default setup and constants TS
code that can be publicly accessed. Since these files are readable in the
TER, there should be no security problem there.
The only way I could imagine this being a problem would be if you created
your own extension and started putting passwords in the default TS
configuration of the extension, and that would be very bad!

- Søren Andersen

-----Original Message-----
From: typo3-team-extension-coordination-bounces at lists.netfielders.de
[mailto:typo3-team-extension-coordination-bounces at lists.netfielders.de] On
Behalf Of Tonix (Antonio Nati)
Sent: 26 August 2008 11:31
To: typo3-team-extension-coordination at lists.netfielders.de
Subject: [TYPO3-ect] Securing typo3conf


I've the feeling /typo3conf should be totally forbidden for any web 
access, because it contains too many files (i.e. constants, setup) 
which should not be accessed directly from the web.

So I deny access to /typo3conf in my website configuration, and all 
works, except for some routines which must be explicitly enabled.
Up to now (for what I'm using now), the paths I must enable are:

    * /typo3conf/ext/sr_freecap/pi1/captcha.php
    * /typo3conf/ext/sr_freecap/pi2/newFreeCap.js
    * /typo3conf/ext/dam_frontend/pushfile.php

But I have some questions:

    * how is the security of the /typo3conf path generally considered?
    * should a zone be introduced where plugins should place
      routines/files which should be generally accessible? Should there
      be another place (i.e. like /typo3public/ or /typo3conf/public/)
      where extensions should automatically place any file which is
      accessed directly from the web, denying instead any direct access
      to /typo3conf?

Thanks,

Tonino

-- 
------------------------------------------------------------
        Inter at zioni            Interazioni di Antonio Nati 
   http://www.interazioni.it      tonix at interazioni.it           
------------------------------------------------------------
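
Added example, not part of the original thread: a deny-by-default check for /typo3conf with the three exceptions listed in the message above, showing why a request path has to be normalized before it is compared with an allowlist. The function names, the constructed sample requests and the case-insensitive prefix match are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Exceptions copied from the message above; anything else under
# /typo3conf is refused.
ALLOWED = frozenset({
    "/typo3conf/ext/sr_freecap/pi1/captcha.php",
    "/typo3conf/ext/sr_freecap/pi2/newFreeCap.js",
    "/typo3conf/ext/dam_frontend/pushfile.php",
})
PROTECTED_PREFIX = "/typo3conf"


def normalize(request_target: str) -> str:
    """Reduce a request target to the path that would be mapped to disk."""
    # Cut the query string and fragment by hand: a URL parser would read
    # "//typo3conf/x" as host "typo3conf" and hide the directory name.
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path).replace("\\", "/")      # decode %74, %2e, ...
    # Collapse "//", "/./" and "/../"; strip leading slashes first because
    # normpath keeps a leading "//" untouched.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_allowed(request_target: str) -> bool:
    """Allow everything outside /typo3conf; inside it, only the allowlist."""
    path = normalize(request_target)
    # Assumption: match the prefix case-insensitively so the rule also
    # holds on a case-insensitive filesystem. Allowlist entries stay exact.
    lowered = path.lower()
    if lowered != PROTECTED_PREFIX and not lowered.startswith(PROTECTED_PREFIX + "/"):
        return True
    return path in ALLOWED


# Constructed sample requests (example_ext is a hypothetical extension).
SAMPLE_REQUESTS = [
    "/index.php?id=1",
    "/typo3conf/ext/sr_freecap/pi1/captcha.php?sid=1",
    "/typo3conf/ext/example_ext/setup.txt",
    "//typo3conf/ext/example_ext/setup.txt",
    "/fileadmin/../typo3conf/ext/example_ext/constants.txt",
    "/%74ypo3conf/ext/example_ext/setup.txt",
]

if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        print("ALLOW" if is_allowed(target) else "DENY ", target)
```

The same normalize-then-match order applies to whatever web server rule enforces the restriction: a rule that compares the raw request string can be bypassed by an encoded or doubled slash even though the allowlist itself is correct.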
