[TYPO3-core] RFC: allow access from private nets
Michael Stucki
michael at typo3.org
Sun Jan 21 02:35:09 CET 2007
I think I received two +1s already, but didn't forget the change after
this time.
So here is a repost, there's no need to review it. If nobody objects, I
will commit this patch at the beginning of next week.
- michael
Michael Stucki wrote:
> Hi Martin,
>
> I think that instead of allowing a whole network to access the install tool,
> it would be much better to allow access based on the existence of a simple
> file.
>
> The attached patch removes the IP check in the install tool and just checks
> for the existence of typo3conf/ENABLE_INSTALL_TOOL instead.
>
> This is very useful for mass hosters who share one TYPO3 source for many
> sites. Also it allows install tool access without having to edit the source
> code.
>
> I don't see any problems with the change since you still need filesystem
> access. Opinions?
>
> Regards, michael
>
> PS: If you have an idea how to improve the dirname(dirname(dirname(...)))
> call, please let me know.
>
>> The code in typo3/install/index.php checks if the access comes from
>> localhost (127.0.0.1) or from the private net class C (192.168.0.0).
>>
>> But it prevents access from private nets of class A (10.0.0.0) or B
>> (172.16.0.0).
>>
>> See http://www.faqs.org/rfcs/rfc1918.html.
>>
>> BT: http://bugs.typo3.org/view.php?id161
>>
>> Solution add this to the check:
>>
>> substr($_SERVER['REMOTE_ADDR'],0,3)!='10.' &&
>> substr($_SERVER['REMOTE_ADDR'],0,7)!='172.16.'
>>
>> I think there are other checks for 192.168.* which should be changed
>> accordingly.
>>
>> Masi
>
>
> ------------------------------------------------------------------------
>
> diff -ru TYPO3core.orig/typo3/install/index.php TYPO3core/typo3/install/index.php
> --- TYPO3core.orig/typo3/install/index.php 2005-11-23 17:11:37.000000000 +0100
> +++ TYPO3core/typo3/install/index.php 2006-06-07 15:46:35.000000000 +0200
> @@ -40,9 +40,13 @@
> // Insert some security here, if you don't trust the Install Tool Password:
> // **************************************************************************
>
> - // This checks for my own IP at home. You can just remove the if-statement.
> -if (1==0 || (substr($_SERVER['REMOTE_ADDR'],0,7)!='192.168' && $_SERVER['REMOTE_ADDR']!='127.0.0.1')) {
> - die("In the source distribution of TYPO3, the install script is disabled by a die() function call.<br/><b>Fix:</b> Open the file typo3/install/index.php and remove/out-comment the line that outputs this message!");
> +error_reporting (E_ALL ^ E_NOTICE);
> +$PATH_thisScript = str_replace('//','/', str_replace('\\','/', (php_sapi_name()=='cgi'||php_sapi_name()=='isapi' ||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? ($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCRIPT_FILENAME']:$_SERVER['SCRIPT_FILENAME'])));
> +
> + // Only allow Install Tool access if the file "typo3conf/ENABLE_INSTALL_TOOL" is found
> +$enableInstallToolFile = dirname(dirname(dirname($PATH_thisScript))).'/typo3conf/ENABLE_INSTALL_TOOL';
> +if (1==2 || !@is_file($enableInstallToolFile)) {
> + die('The Install Tool is locked by a die() function call.<br /><br /><strong>Fix:</strong> Create a file typo3conf/ENABLE_INSTALL_TOOL<br />This file may simply be empty.<br /><br />For security reasons, it is highly recommended to rename<br />or delete this file after the operation is finished.');
> }
>
>
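Review bot: the new gate at `if (1==2 || !@is_file($enableInstallToolFile))` is a pure existence check, and the previous `192.168`/`127.0.0.1` restriction is removed rather than kept as an option, so a forgotten ENABLE_INSTALL_TOOL file leaves the Install Tool reachable from any address with only the Install Tool password in front of it; the die() text asks the admin to rename or delete the file but nothing enforces that. Consider rejecting a stale file as well, e.g. `if (!@is_file($enableInstallToolFile) || time() - @filemtime($enableInstallToolFile) > 3600)`, and/or leaving the old address test in place as a separately commented second condition for installations that want both. Two smaller points: `1==2 ||` is a dead operand (as `1==0 ||` was before) and should either go or carry a comment saying it is the manual lock switch; and the long SAPI-sniffing `$PATH_thisScript` line can be replaced by `dirname(__FILE__)`, which comes from the filesystem instead of `$_SERVER` and makes the triple `dirname()` that follows easier to read.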
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
Attachment: restrict_install_tool_v3.diff
http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20070121/a890af53/attachment.diff
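The thread weighs two ways of gating the Install Tool: an address check against RFC 1918 networks, and the existence of a file under typo3conf/. The following is an added example written for this page, not code from the patch or from TYPO3, that shows both done carefully: the network test matches real CIDR blocks instead of string prefixes (a `substr(...,0,7)!='172.16.'` test covers only 172.16.0.0/16, while the RFC 1918 block is 172.16.0.0/12), and the enable file only unlocks the tool while it is younger than a configurable age, so a file that is never cleaned up does not leave the tool open indefinitely. The helper names (`ipInCidr`, `isTrustedSource`, `installToolEnabled`), the one-hour lifetime and the `$requireTrustedNet` switch are assumptions for illustration; the directory layout is the one the patch uses (this script in typo3/install/, typo3conf/ beside typo3/).

```php
<?php
// Added example, not TYPO3 code. Gate the Install Tool on an enable file that
// expires, and optionally on an RFC 1918 / loopback source address.
// Helper names, the 3600 s lifetime and $requireTrustedNet are assumptions.

// True if dotted-quad $ip lies inside $cidr (e.g. '172.16.0.0/12').
// Non-IPv4 input (IPv6, garbage) fails closed.
function ipInCidr($ip, $cidr) {
    list($net, $bits) = explode('/', $cidr);
    $bits    = (int)$bits;
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    if ($bits === 0) {
        return true;                       // 0.0.0.0/0 matches everything
    }
    // Mask with the top $bits bits set; sign-safe on 32- and 64-bit PHP because
    // we only test whether the XOR of the two addresses is zero under the mask.
    $mask = -1 << (32 - $bits);
    return (($ipLong ^ $netLong) & $mask) === 0;
}

// Loopback plus the three RFC 1918 blocks (class A, B and C private nets).
function isTrustedSource($ip) {
    $trusted = array('127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16');
    foreach ($trusted as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// The enable file unlocks the tool only while it is younger than $maxAge
// seconds (measured against $now), so a forgotten file locks itself again.
function installToolEnabled($enableFile, $maxAge, $now) {
    if (!@is_file($enableFile)) {
        return false;
    }
    $mtime = @filemtime($enableFile);
    if ($mtime === false || ($now - $mtime) > $maxAge) {
        return false;                      // stale: treat as locked
    }
    return true;
}

// Assumed layout from the patch: this file is typo3/install/index.php, so
// three dirname() calls reach the site root where typo3conf/ lives.
$enableFile        = dirname(dirname(dirname(__FILE__))) . '/typo3conf/ENABLE_INSTALL_TOOL';
$remoteIp          = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$requireTrustedNet = false;   // set true to keep a network restriction as a second gate

if (!installToolEnabled($enableFile, 3600, time())
    || ($requireTrustedNet && !isTrustedSource($remoteIp))) {
    header('HTTP/1.0 403 Forbidden');
    die('The Install Tool is locked. Create or touch typo3conf/ENABLE_INSTALL_TOOL '
        . 'to unlock it for one hour.');
}
```

Touching the file again (`touch typo3conf/ENABLE_INSTALL_TOOL`) extends the window, so the mass-hoster use case from the thread still needs nothing more than filesystem access, while the expiry removes the need to remember the cleanup step the patch's die() message asks for.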