[TYPO3-core] RFC: allow access from private nets
Michael Stucki
michael at typo3.org
Wed Jun 7 21:50:21 CEST 2006
Hi Martin,
> Having this file in typo3conf won't help much for the hosters themselves.
> But it's great that we can avoid the fiddling with the code.
There are still other ways of doing it - see below.
>> I don't see any problems with the change since you still need filesystem
>> access. Opinions?
>
> Has the installer access to t3lib? If so, it could read the file. If it
> finds IP ranges in it (like SYS[devIPmask]) it could verify the client's IP
> address against it. If no IP is found all addresses are allowed.
typo3/init.php is loaded at the very end of that script with the constant
TYPO3_enterInstallScript being set. I didn't dig further into this but
think that we cannot use any other classes at this stage...
(That's also the reason why I've copied PATH_thisScript to $PATH_thisScript
at the top of the script...)
> Why did you change the "1==0" comparison to "1==2"? IMHO this can be
> removed. Those who know PHP may change the code the way they like.
I removed it during testing and added it again at the end. No special reason
for replacing 0 with 2. However, I suggest keeping it because this offers
all possibilities for those mass-hosters like before (e.g. set 1==1 and the
die() will always appear, or vice versa comment out the die() to make sure
that it will never appear).
> We could add those masks to the debug IP range:
>
> SYS[devIPmask] = '10.*,72.16.*,192.168.*,127.0.0.1'
Is it really useful to add any addresses besides localhost anyway? This
default value makes the debug() function unusable for intranets! (and btw.
I don't know where else these private nets are being used...)
Instead of extending it, I suggest shortening it to 127.0.0.1 but finally
add "::1" (IPv6 pendant of 127.0.0.1).
- michael
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
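
An added illustration, not part of the original message and not TYPO3's own code: a PHP function that checks a client address against a devIPmask-style list, using the lists mentioned in the thread. The name ipMatchesMaskList and the $emptyAllowsAll switch are hypothetical, and the client addresses are constructed samples; passing true as the third argument gives the "no IP found, all addresses allowed" behaviour proposed in the quote.

```php
<?php
// Added example: hypothetical helper, not TYPO3's own IP comparison code.

/**
 * Check a client address against a comma-separated mask list such as
 * '192.168.*,127.0.0.1,::1'. In an IPv4 mask, "*" matches all remaining
 * octets; every other entry must equal the client address after both are
 * normalised by inet_pton(), so "0:0:0:0:0:0:0:1" matches "::1".
 */
function ipMatchesMaskList(string $clientIp, string $maskList, bool $emptyAllowsAll = false): bool
{
    $masks = array_filter(array_map('trim', explode(',', $maskList)), 'strlen');
    if (count($masks) === 0) {
        // "No IP found => all addresses allowed" is fail-open; default is deny.
        return $emptyAllowsAll;
    }
    $clientBin = @inet_pton($clientIp);
    if ($clientBin === false) {
        return false; // malformed client address never matches
    }
    $octets = strlen($clientBin) === 4 ? explode('.', inet_ntop($clientBin)) : [];
    foreach ($masks as $mask) {
        if ($octets !== [] && strpos($mask, '*') !== false) {
            foreach (explode('.', $mask) as $i => $part) {
                if ($part === '*') {
                    return true; // all octets before the wildcard matched
                }
                if (!isset($octets[$i]) || $part !== $octets[$i]) {
                    break; // mismatch: try the next mask
                }
            }
            continue;
        }
        if (@inet_pton($mask) === $clientBin) {
            return true;
        }
    }
    return false;
}

// Mask lists taken from the thread; client addresses are constructed samples.
$lists = ['quoted list' => '10.*,72.16.*,192.168.*,127.0.0.1',
          'localhost only' => '127.0.0.1,::1', 'empty' => ''];
$clients = ['127.0.0.1', '0:0:0:0:0:0:0:1', '192.168.1.20', '203.0.113.9'];
foreach ($lists as $label => $list) {
    foreach ($clients as $ip) {
        printf("%-15s %-16s %s\n", $label, $ip, ipMatchesMaskList($ip, $list) ? 'allow' : 'deny');
    }
}
```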