[TYPO3-english] is TYPO3 moving away from global extensions?

Sergey Alexandrov serg at alexandrov.us
Fri Mar 30 19:40:43 CEST 2012


Hi Philipp,

On 3/30/2012 1:11 PM, Philipp Gampe wrote:
> Please don't tell me you do this on your production server. As an example,
> I do remember the serious security hole in phpadmin extension
> which allowed to do nasty stuff even if the ext. was not installed.... I don't
> really want to keep old versions of anything on the production server.
> What is the problem? If somebody has write access to change the symlink,
> they have write access for the web files too ;)
> But I would remove old versions once I change the symlinks.
The problem is that a bad guy could potentially access those via direct link, like
domain.tld/typo3conf/ext/sources/extensions/ext_name/whatever.php
and if whatever.php has a major security flaw ... you understand ;)
You create a symlink to an ext. folder, all files inside are 444 or even 400 ;)

>>  A shell script does not care about 2, 3, 300 or 5000 :)

> Anyway, if you want to have a global folder again (it has not disappeared),
> I suggest to not have this in the source, but expect such a folder either on
> web root (I dislike this) or as something like typo3conf/globalext/ which
> then can be a symlink out of the web root, into your sources folder.

Well, I already have a global folder /typo3/ext, why do I need another one? ;)
Yeah, to separate TYPO3 from ext ... I choose not to :) I'm an old and lazy guy :)


>> No, I don't have to ... if I see DB changes during ext.
>> updating/upgrading (sure on the dev. server) a simple php
>> script helps me to walk through all databases and alter/add new
>> tables/fields if necessary.
> What is the problem of using the same script to change the symlink?
Because you never know which extensions a particular site uses. If not all
of them OR you want to keep the client's own ext. in the "local" folder,
making them unavailable for others, you'll have to create all those
symlinks ... and I just see no reason to do that!

Cheers,
Sergey
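
The cleanup discussed in this thread (removing old extension versions once the symlinks have moved) can be checked with a short script. This is an added example, not code from either poster; it assumes one directory of symlinks and one directory of unpacked versions, and the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: find extension version directories that no symlink points to.
# Assumed layout (constructed for illustration, not taken from the thread):
#   $1 = directory holding the active symlinks, e.g. typo3conf/ext
#   $2 = directory holding the unpacked versions, e.g. sources/extensions

# Resolve a directory (or a symlink to one) to its physical path.
real_dir() {
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# Print each directory directly under $2 that is not the target of
# any symlink in $1. These are the leftovers still reachable by URL
# if $2 lives inside the web root.
stale_versions() {
    links_dir=$1
    versions_dir=$2
    active=$(
        for link in "$links_dir"/*; do
            [ -L "$link" ] || continue
            real_dir "$link" || true   # ignore dangling symlinks
        done
    )
    for dir in "$versions_dir"/*/; do
        [ -d "$dir" ] || continue
        [ -L "${dir%/}" ] && continue  # only real directories count
        phys=$(real_dir "$dir") || continue
        if ! printf '%s\n' "$active" | grep -Fxq -- "$phys"; then
            printf '%s\n' "$phys"
        fi
    done
}

# Count the PHP files below a directory: each is a script the web
# server can still be asked to run, whatever the CMS has installed.
php_files_in() {
    find "$1" -type f -name '*.php' | wc -l | tr -d ' '
}

# Stand-alone use: ./stale.sh typo3conf/ext sources/extensions
if [ "$#" -eq 2 ]; then
    stale_versions "$1" "$2" | while IFS= read -r d; do
        printf '%s (%s PHP files)\n' "$d" "$(php_files_in "$d")"
    done
fi
```

Read-only file modes such as 444 do not change the result: a file the web server can read is a file it can execute as PHP, so stale directories are reported regardless of mode.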



