[TYPO3-core] RFC: allow access from private nets

Michael Stucki michael at typo3.org
Wed Jun 7 15:54:22 CEST 2006


Hi Martin,

I think that instead of allowing a whole network to access the install tool,
it would be much better to allow access based on the existence of a simple
file.

The attached patch removes the IP check in the install tool and just checks
for the existence of typo3conf/ENABLE_INSTALL_TOOL instead.

This is very useful for mass hosters who share one TYPO3 source for many
sites. Also it allows install tool access without having to edit the source
code.

I don't see any problems with the change since you still need filesystem
access. Opinions?

Regards, michael

PS: If you have an idea how to improve the dirname(dirname(dirname(...)))
call, please let me know.

> The code in typo3/install/index.php checks if the access comes from
> localhost (127.0.0.1) or from the private net class C (192.168.0.0).
> 
> But it prevents access from private nets of class A (10.0.0.0) or B
> (172.16.0.0).
> 
> See http://www.faqs.org/rfcs/rfc1918.html.
> 
> BT: http://bugs.typo3.org/view.php?id161
> 
> Solution: add this to the check:
> 
> substr($_SERVER['REMOTE_ADDR'],0,3)!='10.' &&
> substr($_SERVER['REMOTE_ADDR'],0,7)!='172.16.'
> 
> I think there are other checks for 192.168.* which should be changed
> accordingly.
> 
> Masi

-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: restrict_install_tool.diff
Type: text/x-diff
Size: 1841 bytes
Desc: not available
Url : http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20060607/5d13741d/attachment.bin 
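
Added example, not part of the original message and not TYPO3 code: it compares the string-prefix form of the address check discussed in the thread with a CIDR match against the RFC 1918 ranges, and shows the flag-file check proposed in the reply. All function names and sample addresses are constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not TYPO3 APIs.

/** True if dotted IPv4 $ip lies inside $cidr, e.g. "172.16.0.0/12". */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                    // unparsable address: deny
    }
    $mask = -1 << (32 - (int)$bits);     // leading $bits bits set
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Localhost plus the three RFC 1918 private ranges. */
function isLocalOrPrivate(string $ip): bool
{
    foreach (['127.0.0.1/32', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/** Prefix comparison in the style quoted in the thread, written as an allow test. */
function prefixCheck(string $ip): bool
{
    return $ip === '127.0.0.1'
        || substr($ip, 0, 8) === '192.168.'
        || substr($ip, 0, 3) === '10.'
        || substr($ip, 0, 7) === '172.16.';   // matches 172.16.x.x only, not 172.17-172.31
}

/** Flag-file check as described in the reply: access depends on the file existing. */
function installToolEnabled(string $siteRoot): bool
{
    return is_file($siteRoot . '/typo3conf/ENABLE_INSTALL_TOOL');
}

// Constructed sample addresses; 172.20.0.9 is private (inside 172.16.0.0/12), 172.32.0.1 is not.
foreach (['127.0.0.1', '10.1.2.3', '172.16.5.5', '172.20.0.9', '172.32.0.1', '192.168.1.10', '203.0.113.7'] as $ip) {
    printf("%-13s prefix=%-3s cidr=%s\n", $ip, prefixCheck($ip) ? 'yes' : 'no', isLocalOrPrivate($ip) ? 'yes' : 'no');
}

// Flag file in a throwaway directory standing in for one site's root.
$root = sys_get_temp_dir() . '/demo_site_' . uniqid();
mkdir($root . '/typo3conf', 0700, true);
var_dump(installToolEnabled($root));
touch($root . '/typo3conf/ENABLE_INSTALL_TOOL');
var_dump(installToolEnabled($root));
```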

