[TYPO3-core] RFC: allow access from private nets

Michael Stucki michael at typo3.org
Thu Jan 25 08:43:35 CET 2007


Committed, see ChangeLog notes!

- michael

Michael Stucki wrote:

> I think I received two +1s already, but didn't forget the change after
> this time.
> 
> So here is a repost, there's no need to review it. If nobody objects, I
> will commit this patch at the beginning of next week.
> 
> - michael
> 
> Michael Stucki wrote:
>> Hi Martin,
>> 
>> I think that instead of allowing a whole network to access the install
>> tool, it would be much better to allow access based on the existence of a
>> simple file.
>> 
>> The attached patch removes the IP check in the install tool and just
>> checks for the existence of typo3conf/ENABLE_INSTALL_TOOL instead.
>> 
>> This is very useful for mass hosters who share one TYPO3 source for many
>> sites. Also it allows install tool access without having to edit the
>> source code.
>> 
>> I don't see any problems with the change since you still need filesystem
>> access. Opinions?
>> 
>> Regards, michael
>> 
>> PS: If you have an idea how to improve the dirname(dirname(dirname(...)))
>> call, please let me know.
>> 
>>> The code in typo3/install/index.php checks if the access comes from
>>> localhost (127.0.0.1) or from the private net class C (192.168.0.0).
>>>
>>> But it prevents access from private nets of class A (10.0.0.0) or B
>>> (172.16.0.0).
>>>
>>> See http://www.faqs.org/rfcs/rfc1918.html.
>>>
>>> BT: http://bugs.typo3.org/view.php?id161
>>>
>>> Solution: add this to the check:
>>>
>>> substr($_SERVER['REMOTE_ADDR'],0,3)!='10.' &&
>>> substr($_SERVER['REMOTE_ADDR'],0,7)!='172.16.'
>>>
>>> I think there are other checks for 192.168.* which should be changed
>>> accordingly.
>>>
>>> Masi
>> 
>> 
>> ------------------------------------------------------------------------
>> 
>> diff -ru TYPO3core.orig/typo3/install/index.php
>> TYPO3core/typo3/install/index.php
>> --- TYPO3core.orig/typo3/install/index.php   2005-11-23 17:11:37.000000000
>> +0100
>> +++ TYPO3core/typo3/install/index.php        2006-06-07 15:46:35.000000000 +0200
>> @@ -40,9 +40,13 @@
>>  // Insert some security here, if you don't trust the Install Tool
>>  Password: //
>> 
**************************************************************************
>>  
>> -    // This checks for my own IP at home. You can just remove the
>> if-statement.
>> -if (1==0 || (substr($_SERVER['REMOTE_ADDR'],0,7)!='192.168' &&
>> $_SERVER['REMOTE_ADDR']!='127.0.0.1'))       {
>> -    die("In the source distribution of TYPO3, the install script is
>> disabled by a die() function call.<br/><b>Fix:</b> Open the file
>> typo3/install/index.php and remove/out-comment the line that outputs this
>> message!"); +error_reporting (E_ALL ^ E_NOTICE); +$PATH_thisScript =
>> str_replace('//','/', str_replace('\\','/',
>> (php_sapi_name()=='cgi'||php_sapi_name()=='isapi'
>> ||php_sapi_name()=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']
$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])?
>> ($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']
$_SERVER['PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']
$_SERVER['ORIG_SCRIPT_FILENAME']:$_SERVER['SCRIPT_FILENAME'])));
>> +
>> +    // Only allow Install Tool access if the file
>> "typo3conf/ENABLE_INSTALL_TOOL" is found +$enableInstallToolFile =
>>
dirname(dirname(dirname($PATH_thisScript))).'/typo3conf/ENABLE_INSTALL_TOOL';
>> +if (1==2 || !@is_file($enableInstallToolFile))      {
>> +    die('The Install Tool is locked by a die() function call.<br /><br
>> /><strong>Fix:</strong> Create a file typo3conf/ENABLE_INSTALL_TOOL<br
>> />This file may simply be empty.<br /><br />For security reasons, it is
>> highly recommended to rename<br />or delete this file after the operation
>> is finished.');
>>  }
>>  
>>  
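Review bot: once the `-if (1==0 || (substr($_SERVER['REMOTE_ADDR'],0,7)!='192.168' && ...` block is removed, nothing in this hunk restricts by client address any more, so while typo3conf/ENABLE_INSTALL_TOOL exists the Install Tool answers to every REMOTE_ADDR, and the new die() text spells out the exact file name to create to any anonymous client that probes the URL. Consider keeping the loopback/private-net test as a second condition alongside the file check, or at least dropping the file-name hint from the message and relying on the ChangeLog for that detail. Also, `+if (1==2 || !@is_file($enableInstallToolFile))` carries over the `1==0 ||` debugging toggle from the removed line and silences is_file() with `@`; removing both keeps the condition readable and surfaces permission problems on typo3conf instead of hiding them.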
> 
> 

-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
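As an added illustration of the prefix-versus-netmask point raised in the thread (this is not TYPO3 code and not part of the original messages; the helper names are hypothetical), the snippet below places the string-prefix style of REMOTE_ADDR test next to a mask-based RFC 1918 check and runs both over constructed sample addresses:

```php
<?php
// Added example, not TYPO3 code: compares the substr()-prefix test from the
// thread with a netmask-based RFC 1918 / loopback check.

// Prefix test in the spirit of the original index.php plus Masi's additions.
// Hypothetical helper; it only compares leading characters of the string.
function allowedByPrefix(string $ip): bool
{
    return $ip === '127.0.0.1'
        || substr($ip, 0, 7) === '192.168'
        || substr($ip, 0, 3) === '10.'
        || substr($ip, 0, 7) === '172.16.';
}

// Mask-based test: converts the dotted quad to an integer and tests it
// against the three RFC 1918 blocks and 127.0.0.0/8. Hypothetical helper.
function allowedByCidr(string $ip): bool
{
    $long = ip2long($ip);
    if ($long === false) {
        return false;            // not a valid IPv4 address: deny
    }
    $ranges = [
        ['10.0.0.0',     8],     // RFC 1918 "class A" block
        ['172.16.0.0',  12],     // RFC 1918 "class B" block, 172.16-31.x.x
        ['192.168.0.0', 16],     // RFC 1918 "class C" block
        ['127.0.0.0',    8],     // loopback
    ];
    foreach ($ranges as [$net, $bits]) {
        $mask = ~0 << (32 - $bits);          // high $bits bits set
        if (($long & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed sample addresses, including ones on the edge of 172.16.0.0/12.
$samples = ['127.0.0.1', '10.8.0.5', '172.16.4.4', '172.31.255.1',
            '172.32.0.1', '192.168.1.10', '8.8.8.8', 'not-an-ip'];
foreach ($samples as $ip) {
    printf("%-14s prefix=%d cidr=%d\n", $ip, allowedByPrefix($ip), allowedByCidr($ip));
}
```

The two functions disagree only on 172.31.255.1: the `'172.16.'` prefix covers 172.16.0.0/16 alone, whereas RFC 1918 reserves the whole 172.16.0.0/12 block.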
