[TYPO3-core] RFC: allow access from private nets

Michael Stucki michael at typo3.org
Wed Jun 7 21:50:21 CEST 2006


Hi Martin,

> Having this file in typo3conf won't help much for the hosters themselves.
> But it's great that we can avoid the fiddling with the code.

There are still other ways of doing it - see below.

>> I don't see any problems with the change since you still need filesystem
>> access. Opinions?
> 
> Has the installer access to t3lib? If so, it could read the file. If it
> finds IP ranges in it (like SYS[devIPmask]) it could verify the client's IP
> address against it. If no IP is found all addresses are allowed.

typo3/init.php is loaded at the very end of that script with the constant
TYPO3_enterInstallScript being set. I didn't dig further into this but
think that we cannot use any other classes at this stage...

(That's also the reason why I've copied PATH_thisScript to $PATH_thisScript
at the top of the script...)

> Why did you change the "1==0" comparison to "1==2"? IMHO this can be
> removed. Those who know PHP may change the code the way they like.

I removed it during testing and added it again at the end. No special reason
for replacing 0 with 2. However, I suggest keeping it because this offers
all possibilities for those mass-hosters like before (e.g. set 1==1 and the
die() will always appear, or vice versa comment out the die() to make sure
that it will never appear).

> We could add those masks to the debug IP range:
> 
> SYS[devIPmask] = '10.*,72.16.*,192.168.*,127.0.0.1'

Is it really useful to add any addresses besides localhost anyway? This
default value makes the debug() function unusable for intranets! (and btw.
I don't know where else these private nets are being used...)

Instead of extending it, I suggest shortening it to 127.0.0.1 but finally
adding "::1" (the IPv6 counterpart of 127.0.0.1).

- michael
-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
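
As an added example (not part of the original message and not TYPO3's own code), the following PHP shows how a comma-separated wildcard list like the quoted SYS[devIPmask] value can be matched against a client address, including the "::1" entry proposed in the reply. The function names and the sample client addresses are constructed for illustration, and octets omitted at the end of a mask are assumed to act as wildcards.

```php
<?php
// Added illustration, not TYPO3 code. Function names are hypothetical.

// Match one IPv4 address against a mask such as "192.168.*".
// Assumption: octets missing at the end of the mask act as wildcards.
function ipv4WildcardMatch(string $ip, string $mask): bool
{
    $ipParts = explode('.', $ip);
    foreach (explode('.', $mask) as $i => $part) {
        if ($part !== '*' && (!isset($ipParts[$i]) || $part !== $ipParts[$i])) {
            return false;
        }
    }
    return true;
}

// True if $clientIp matches any entry of the comma-separated $maskList.
function ipMatchesMaskList(string $clientIp, string $maskList): bool
{
    $clientBin = @inet_pton($clientIp);
    if ($clientBin === false) {
        return false; // an unparsable client address never matches
    }
    $canonical = inet_ntop($clientBin); // e.g. "0:0:0:0:0:0:0:1" -> "::1"
    foreach (array_filter(array_map('trim', explode(',', $maskList)), 'strlen') as $mask) {
        if (strpos($mask, '*') !== false) {
            // Wildcard entries are IPv4-only in this sketch.
            if (strlen($clientBin) === 4 && ipv4WildcardMatch($canonical, $mask)) {
                return true;
            }
        } elseif (@inet_pton($mask) === $clientBin) {
            return true; // exact entry, compared in binary form
        }
    }
    return false;
}

$quotedList = '10.*,72.16.*,192.168.*,127.0.0.1'; // value quoted in the message
$shortList  = '127.0.0.1,::1';                     // list suggested in the reply

// Constructed sample client addresses.
foreach (['127.0.0.1', '192.168.1.20', '172.16.5.5', '72.16.5.5', '0:0:0:0:0:0:0:1'] as $ip) {
    printf("%-16s quoted=%-3s short=%s\n", $ip,
        ipMatchesMaskList($ip, $quotedList) ? 'yes' : 'no',
        ipMatchesMaskList($ip, $shortList) ? 'yes' : 'no');
}
```

With the list exactly as quoted, 72.16.5.5 matches while the RFC 1918 address 172.16.5.5 does not; the shortened list matches only the two loopback addresses.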


