[TYPO3-core] RFC: allow access from private nets
Michael Stucki
michael at typo3.org
Thu Jan 25 08:43:35 CET 2007
Committed, see ChangeLog notes!
- michael
Michael Stucki wrote:
> I think I received two +1s already, but didn't forget the change after
> this time.
>
> So here is a repost, there's no need to review it. If nobody objects, I
> will commit this patch at the beginning of next week.
>
> - michael
>
> Michael Stucki wrote:
>> Hi Martin,
>>
>> I think that instead of allowing a whole network to access the install
>> tool, it would be much better to allow access based on the existence of a
>> simple file.
>>
>> The attached patch removes the IP check in the install tool and just
>> checks for the existence of typo3conf/ENABLE_INSTALL_TOOL instead.
>>
>> This is very useful for mass hosters who share one TYPO3 source for many
>> sites. Also it allows install tool access without having to edit the
>> source code.
>>
>> I don't see any problems with the change since you still need filesystem
>> access. Opinions?
>>
>> Regards, michael
>>
>> PS: If you have an idea how to improve the dirname(dirname(dirname(...)))
>> call, please let me know.
>>
>>> The code in typo3/install/index.php checks if the access comes from
>>> localhost (127.0.0.1) or from the private net class C (192.168.0.0).
>>>
>>> But it prevents access from private nets of class A (10.0.0.0) or B
>>> (172.16.0.0).
>>>
>>> See http://www.faqs.org/rfcs/rfc1918.html.
>>>
>>> BT: http://bugs.typo3.org/view.php?id161
>>>
>>> Solution: add this to the check:
>>>
>>> substr($_SERVER['REMOTE_ADDR'],0,3)!='10.' &&
>>> substr($_SERVER['REMOTE_ADDR'],0,7)!='172.16.'
>>>
>>> I think there are other checks for 192.168.* which should be changed
>>> accordingly.
>>>
>>> Masi
>>
>>
>> ------------------------------------------------------------------------
>>
>> diff -ru TYPO3core.orig/typo3/install/index.php
>> TYPO3core/typo3/install/index.php
>> --- TYPO3core.orig/typo3/install/index.php 2005-11-23 17:11:37.000000000
>> +0100
>> +++ TYPO3core/typo3/install/index.php 2006-06-07 15:46:35.000000000 +0200
>> @@ -40,9 +40,13 @@
>> // Insert some security here, if you don't trust the Install Tool
>> Password: //
>>
**************************************************************************
>>
>> - // This checks for my own IP at home. You can just remove the
>> if-statement.
>> -if (1==0 || (substr($_SERVER['REMOTE_ADDR'],0,7)!='192.168' &&
>> $_SERVER['REMOTE_ADDR']!='127.0.0.1')) {
>> - die("In the source distribution of TYPO3, the install script is
>> disabled by a die() function call.<br/><b>Fix:</b> Open the file
>> typo3/install/index.php and remove/out-comment the line that outputs this
>> message!"); +error_reporting (E_ALL ^ E_NOTICE); +$PATH_thisScript =
>> str_replace('//','/', str_replace('\\','/',
>> (php_sapi_name()=='cgi'||php_sapi_name()=='isapi'
>> ||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']
$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])?
>> ($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']
$_SERVER['PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']
$_SERVER['ORIG_SCRIPT_FILENAME']:$_SERVER['SCRIPT_FILENAME'])));
>> +
>> + // Only allow Install Tool access if the file
>> "typo3conf/ENABLE_INSTALL_TOOL" is found +$enableInstallToolFile =
>>
dirname(dirname(dirname($PATH_thisScript))).'/typo3conf/ENABLE_INSTALL_TOOL';
>> +if (1==2 || !@is_file($enableInstallToolFile)) {
>> + die('The Install Tool is locked by a die() function call.<br /><br
>> /><strong>Fix:</strong> Create a file typo3conf/ENABLE_INSTALL_TOOL<br
>> />This file may simply be empty.<br /><br />For security reasons, it is
>> highly recommended to rename<br />or delete this file after the operation
>> is finished.');
>> }
>>
>>
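Review bot: the `$PATH_thisScript` expression added in this hunk is hard to read and depends on SAPI-specific `$_SERVER` entries (`ORIG_PATH_TRANSLATED`, `PATH_TRANSLATED`, `ORIG_SCRIPT_FILENAME`, `SCRIPT_FILENAME`); since index.php only needs its own location to reach `typo3conf/`, `dirname(dirname(dirname(__FILE__))).'/typo3conf/ENABLE_INSTALL_TOOL'` gives the same path from a value the web server cannot influence, which also answers the PS about the nested dirname() calls. The `error_reporting (E_ALL ^ E_NOTICE);` line is unrelated to the lock change and would be easier to review as its own commit. Worth stating in the ChangeLog that this hunk removes the address restriction entirely rather than widening it: once the file exists the Install Tool is reachable from any client, so the die() message's advice to rename or delete the file afterwards is the only thing that closes it again.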
>
>
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
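Masi's prefix comparison quoted above matches only 172.16.0.0/16, whereas RFC 1918 reserves the whole 172.16.0.0/12 (172.16.0.0 to 172.31.255.255). As an added example (not code from this thread or from TYPO3), here is a netmask-based membership check for the RFC 1918 and loopback ranges next to the prefix form for comparison; the function names and sample addresses are my own.

```php
<?php
// Added example: CIDR membership test for the ranges discussed in the thread.
// Assumes 64-bit PHP, where ip2long() returns a non-negative integer.

function ipInCidr($ip, $cidr)
{
    list($net, $bits) = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // not a valid dotted-quad IPv4 address
    }
    $bits = (int) $bits;
    // Netmask with the top $bits bits set; -1 << n keeps the high bits set,
    // and AND-ing a 32-bit address against it discards the host part.
    $mask = ($bits === 0) ? 0 : (-1 << (32 - $bits));
    return (($ipLong & $mask) === ($netLong & $mask));
}

function isPrivateOrLoopbackIPv4($ip)
{
    $ranges = array(
        '10.0.0.0/8',     // RFC 1918 "class A" block
        '172.16.0.0/12',  // RFC 1918 "class B" block: 172.16 through 172.31
        '192.168.0.0/16', // RFC 1918 "class C" block
        '127.0.0.0/8',    // loopback
    );
    foreach ($ranges as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// The string-prefix form from the thread, kept here only for comparison.
function isPrivateByPrefix($ip)
{
    return substr($ip, 0, 3) === '10.'
        || substr($ip, 0, 7) === '172.16.'
        || substr($ip, 0, 7) === '192.168'
        || $ip === '127.0.0.1';
}

// Constructed sample addresses; 172.20.3.9 and 127.0.0.2 show where the
// two checks disagree (both are private/loopback, the prefix form says no).
$samples = array('10.4.2.1', '172.20.3.9', '172.16.1.1', '192.168.1.5',
                 '127.0.0.2', '8.8.8.8', 'not-an-ip');
foreach ($samples as $ip) {
    printf("%-12s cidr=%-3s prefix=%s\n", $ip,
        isPrivateOrLoopbackIPv4($ip) ? 'yes' : 'no',
        isPrivateByPrefix($ip) ? 'yes' : 'no');
}
```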