[TYPO3-dev] Info disclosure from extension folders

Christian Reiter cr at cxd.de
Wed Oct 25 23:20:23 CEST 2006


Yes, this kind of FilesMatch statement is exactly what I meant. It only
needs one entry in the httpd.conf. The Drupal example also covers CVS files,
which is a good idea as they may contain interesting information, especially
in CVS/Root.
The same is true of .svn folders.
On newer versions of Apache you can use modifiers in the FilesMatch regex
which helps with the many different spellings for "ChangeLog",
"changelog.txt" etc.
Moving the files around is not necessary.

Greetings,

Christian Reiter

"Christopher Torgalson" <bedlamhotel at gmail.com> wrote in the news posting
news:mailman.33107.1161794165.20124.typo3-dev at lists.netfielders.de...
> On 10/25/06, Martin Kutschker <Martin.Kutschker at n0spam-blackbox.net> wrote:
> > christian reiter wrote:
> > >
> > > Therefore it is perhaps a good idea to configure Apache so that it does
> > > not deliver this information.
> > >
> > > Just forbidding access to all typo3conf/ext is of course not the solution :)
> > > However there is no reason why it should be possible to display the
> > > ext_tables.sql, the changelogs etc. in the browser. When people make
> > > extensions themselves of course it is also possible to find out some
> > > information by identifying the extension name from the comments in the HTML
> > > source of a page where a plugin is located and then looking at the
> > > ext_tables.sql, wizard_form.html... etc. - all of this information should
> > > really be private.
> >
> > The current file system layout makes it impossible to distinguish between
> > files that must be delivered by the Webserver (PHP-scripts, certain images,
> > CSS-files and other web resources) and other data (PHP classes, setup and
> > configuration data).
> >
> > IMHO this should be addressed in TYPO3 5.0, but in the meantime you can
> > hide only specific files (eg "typo3conf/localconf.php" or generic file
> > names like "ChangeLog"), but I think it's a lot of trouble to protect all
> > those files and directories with Apache directives.
>
> Really? Drupal's .htaccess file ships with this entry:
>
> <FilesMatch "(\.(engine|inc|install|module|sh|.*sql|theme|tpl(\.php)?|xtmpl)|code-style\.pl|Entries.*|Repository|Root)$">
>   Order deny,allow
>   Deny from all
> </FilesMatch>
>
> ...and it works--files can be accessed by local scripts but not, as
> far as I can see, in any other way. Did I misunderstand what you
> meant?
>
>
> -- 
> Christopher Torgalson
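As an added illustration of the approach discussed in this thread (this is not Drupal's .htaccess, not a TYPO3-shipped configuration, and not code from any of the posters), the fragment below puts the three points together in one place: a case-insensitive FilesMatch that covers the "ChangeLog" spelling variants and the ext_tables.sql files named above, the CVS metadata files from the Drupal entry, and a separate rule for whole .svn and CVS directories, which FilesMatch alone cannot express because it only ever sees a file's basename. The list of names is an assumption based on the files mentioned in the thread; any site will need to extend it, and it deliberately does not blanket-deny .php files, since TYPO3 requests some extension scripts directly.

```apache
# Added example (not from the thread, Drupal or TYPO3). Apache 2.2 syntax
# (Order/Deny) to match the thread; the Apache 2.4 equivalent of each
# "Order deny,allow" + "Deny from all" pair is the single line
#     Require all denied
# Place this in httpd.conf or a <VirtualHost>; DirectoryMatch is NOT allowed
# in .htaccess (see the RedirectMatch alternative at the bottom for that).

# 1. Version-control metadata directories. FilesMatch only matches the file
#    name, so the .svn and CVS directories themselves need DirectoryMatch.
#    The regex matches the directory and anything below it (e.g. .svn/text-base).
<DirectoryMatch "/(\.svn|CVS)(/|$)">
    Order deny,allow
    Deny from all
</DirectoryMatch>

# 2. Non-web files by name. (?i) is the PCRE case-insensitive flag, so one
#    entry covers ChangeLog, CHANGELOG, changelog.txt and so on. Names are an
#    assumed starting list taken from the thread:
#      - ChangeLog* / changelog.txt   (extension change logs)
#      - *.sql                         (ext_tables.sql and similar)
#      - Entries*, Repository, Root    (CVS metadata files, as in Drupal's rule)
#    Browsers get 403; PHP on the server still reads these files from disk.
<FilesMatch "(?i)^(changelog(\..*)?|.*\.sql|Entries.*|Repository|Root)$">
    Order deny,allow
    Deny from all
</FilesMatch>

# 3. .htaccess-compatible fallback for the directory rule (mod_alias). It
#    answers 404 instead of 403, which also avoids confirming that the
#    directory exists. Use this when you cannot edit httpd.conf.
RedirectMatch 404 "/(\.svn|CVS)(/|$)"
```

After reloading Apache, a quick check from a shell is `curl -sI http://host/typo3conf/ext/someext/ext_tables.sql` and the same for `.../ChangeLog` and `.../.svn/entries`: the first two should answer 403 and the last 404 (or 403 if only the DirectoryMatch rule is active), while the extension's plugin pages keep working as before. Note that only files that exist as such on disk are affected; TypoScript or PHP that reads ext_tables.sql is unaffected because the rule applies to HTTP requests, not to filesystem access.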