[TYPO3-core] RFC: allow access from private nets

Michael Stucki michael at typo3.org
Sun Jan 21 02:35:09 CET 2007


I think I received two +1s already, but didn't forget the change after 
this time.

So here is a repost; there's no need to review it. If nobody objects, I 
will commit this patch at the beginning of next week.

- michael

Michael Stucki wrote:
> Hi Martin,
> 
> I think that instead of allowing a whole network to access the install tool,
> it would be much better to allow access based on the existence of a simple
> file.
> 
> The attached patch removes the IP check in the install tool and just checks
> for the existence of typo3conf/ENABLE_INSTALL_TOOL instead.
> 
> This is very useful for mass hosters who share one TYPO3 source for many
> sites. Also it allows install tool access without having to edit the source
> code.
> 
> I don't see any problems with the change since you still need filesystem
> access. Opinions?
> 
> Regards, michael
> 
> PS: If you have an idea how to improve the dirname(dirname(dirname(...)))
> call, please let me know.
> 
>> The code in typo3/install/index.php checks if the access comes from
>> localhost (127.0.0.1) or from the private net class C (192.168.0.0).
>>
>> But it prevents access from private nets of class A (10.0.0.0) or B
>> (172.16.0.0).
>>
>> See http://www.faqs.org/rfcs/rfc1918.html.
>>
>> BT: http://bugs.typo3.org/view.php?id161
>>
>> Solution add this to the check:
>>
>> substr($_SERVER['REMOTE_ADDR'],0,3)!='10.' &&
>> substr($_SERVER['REMOTE_ADDR'],0,7)!='172.16.'
>>
>> I think there are other checks for 192.168.* which should be changed
>> accordingly.
>>
>> Masi
> 
> 
> ------------------------------------------------------------------------
> 
> diff -ru TYPO3core.orig/typo3/install/index.php TYPO3core/typo3/install/index.php
> --- TYPO3core.orig/typo3/install/index.php	2005-11-23 17:11:37.000000000 +0100
> +++ TYPO3core/typo3/install/index.php	2006-06-07 15:46:35.000000000 +0200
> @@ -40,9 +40,13 @@
>  // Insert some security here, if you don't trust the Install Tool Password:
>  // **************************************************************************
>  
> -	// This checks for my own IP at home. You can just remove the if-statement.
> -if (1==0 || (substr($_SERVER['REMOTE_ADDR'],0,7)!='192.168' && $_SERVER['REMOTE_ADDR']!='127.0.0.1'))	{
> -	die("In the source distribution of TYPO3, the install script is disabled by a die() function call.<br/><b>Fix:</b> Open the file typo3/install/index.php and remove/out-comment the line that outputs this message!");
> +error_reporting (E_ALL ^ E_NOTICE);
> +$PATH_thisScript = str_replace('//','/', str_replace('\\','/', (php_sapi_name()=='cgi'||php_sapi_name()=='isapi' ||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? ($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCRIPT_FILENAME']:$_SERVER['SCRIPT_FILENAME'])));
> +
> +	// Only allow Install Tool access if the file "typo3conf/ENABLE_INSTALL_TOOL" is found
> +$enableInstallToolFile = dirname(dirname(dirname($PATH_thisScript))).'/typo3conf/ENABLE_INSTALL_TOOL';
> +if (1==2 || !@is_file($enableInstallToolFile))	{
> +	die('The Install Tool is locked by a die() function call.<br /><br /><strong>Fix:</strong> Create a file typo3conf/ENABLE_INSTALL_TOOL<br />This file may simply be empty.<br /><br />For security reasons, it is highly recommended to rename<br />or delete this file after the operation is finished.');
>  }
>  
>  
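Review bot: the directory searched for the flag file is partly request-derived in the CGI/ISAPI/FastCGI branch of the `$PATH_thisScript` line, because `ORIG_PATH_TRANSLATED`/`PATH_TRANSLATED` are values the web server builds from the request's PATH_INFO rather than a fixed property of the installed script; since `!@is_file($enableInstallToolFile)` is now the only gate, the base path should come from a request-independent value (`SCRIPT_FILENAME`, which the non-CGI branch already uses, where the SAPI sets it correctly) and be computed once in a shared helper instead of being re-derived inline in a security check. Note that `__FILE__` is not a drop-in replacement here, since PHP resolves symlinks in it and the shared-source hosting setup this change is meant for would then resolve into the shared tree. Dropping the inline expression also removes the reason for `error_reporting (E_ALL ^ E_NOTICE)`, which only serves to silence the unchecked `$_SERVER[...]` lookups in that line and does not belong in a patch about access control. Two smaller points: `if (1==2 || ...)` is a dead switch with no comment (the old `1==0 ||` at least carried the "my own IP" remark), so either remove it or document it as the manual kill switch; and the die() text asks the administrator to rename or delete the file afterwards but nothing enforces that, so consider ignoring the flag once `filemtime($enableInstallToolFile)` is older than a short window, otherwise a forgotten file leaves the Install Tool permanently reachable to anyone who knows the password.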


-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
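The two mechanisms discussed in this thread side by side, as an added example that is not TYPO3 code and not part of the patch: an RFC 1918 check done with CIDR masks (what the substr() prefix tests in Masi's proposal were aiming at) next to the file-based gate from Michael's patch. The helper names (privateNetworks, ipInCidr, isPrivateAddress, installToolEnabled, guardInstallTool) are invented for the example, the one-hour freshness limit on the flag file is an assumption of this example rather than something the patch does, and the site root is taken as a caller-supplied parameter rather than recomputed here.

```php
<?php
// Added example for this thread, not TYPO3 code. It puts the RFC 1918
// check Masi asked for (done with CIDR masks instead of substr() prefixes)
// next to the file-based gate in Michael's patch. The freshness limit on
// the flag file is an assumption of this example, not part of the patch.

/** RFC 1918 private ranges plus loopback, as CIDR strings. */
function privateNetworks() {
    return array('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8');
}

/**
 * True if $ip lies inside $cidr ("a.b.c.d/bits"). Compares the packed
 * address bytes, so the test is exact for any prefix length; a text prefix
 * test such as substr($ip,0,7)!='172.16.' only covers 172.16.x.x and
 * misses the rest of 172.16.0.0/12.
 */
function ipInCidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        return false;
    }
    list($net, $bits) = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                      // unparsable, or IPv4/IPv6 mismatch: no match
    }
    $bits = (int)$bits;
    if ($bits < 0 || $bits > 8 * strlen($ipBin)) {
        return false;
    }
    $fullBytes = (int)($bits / 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;   // high $rem bits of the partial byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isPrivateAddress($ip) {
    foreach (privateNetworks() as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * File-based gate as in the patch: the Install Tool is reachable only while
 * $siteRoot/typo3conf/ENABLE_INSTALL_TOOL exists. Added here (assumption):
 * the flag is ignored once it is older than $maxAgeSeconds, so a file the
 * administrator forgot to delete does not keep the tool open indefinitely.
 */
function installToolEnabled($siteRoot, $maxAgeSeconds = 3600, $now = null) {
    $flag = $siteRoot . '/typo3conf/ENABLE_INSTALL_TOOL';
    if (!is_file($flag)) {
        return false;
    }
    $mtime = filemtime($flag);
    if ($mtime === false) {
        return false;
    }
    if ($now === null) {
        $now = time();
    }
    return ($now - $mtime) <= $maxAgeSeconds;
}

// How the gate would be wired into typo3/install/index.php. $siteRoot is
// assumed to be supplied by the caller (the thread's dirname(dirname(dirname()))
// of the script path). __FILE__ is deliberately not used: PHP resolves
// symlinks in it, and a shared-source setup that reaches typo3/ through a
// symlink (assumed here) would resolve into the shared tree instead of the
// site's own typo3conf/.
function guardInstallTool($siteRoot) {
    if (!installToolEnabled($siteRoot)) {
        die('The Install Tool is locked. Create typo3conf/ENABLE_INSTALL_TOOL to open it.');
    }
}
```

With these helpers, 172.20.1.1 is inside 172.16.0.0/12 and isPrivateAddress() reports it as private, whereas a seven-character '172.16.' prefix test treats it as public; a '10.' prefix test happens to be right only because the /8 boundary falls on a dot. The gate function is what the patch's die() block reduces to once the path detection lives elsewhere, and the age limit makes the "delete this file afterwards" advice in the die() message the default rather than a request.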
Attachment: restrict_install_tool_v3.diff
http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20070121/a890af53/attachment.diff

