[TYPO3-core] RFC: #11368: ENABLE_INSTALL_TOOL file should be ignored if older than one hour

Ingmar Schlecht ingmar at typo3.org
Sun Jun 21 19:17:59 CEST 2009


Hi Steffen,

I just talked to Michael about this, and he will adopt the patch, so
that it will allow for longer sessions in the install tool, by touching
the file at each click within the install tool. But it will still be
necessary to create it in the beginning of the day when you want to
start using the install tool.

What would be possible (and not compromise security) would be a button
in the backend which admins can click to automatically create that file
when they need it. However, I'm not quite sure where such a button
should be placed, and if it makes sense at all...

Apart from that, I'm +1 to the patch. Making installations more secure
is a top priority IMHO and from experience I'd say that quite a lot of
installations have the install tool enabled all the time.

cheers
Ingmar


Steffen Ritter wrote:
> Michael Stucki wrote:
>> Again, now with proper subject :-)
>>
>> - michael
>>
>> Michael Stucki wrote:
>>> This is an SVN patch request.
>>>
>>> Type: Minor security enhancement
>>>
>>> Bugtracker references:
>>> http://bugs.typo3.org/view.php?id=11368
>>>
>>> Branch: TYPO3_4-1, TYPO3_4-2, Trunk
>>>
>>> Problem:
>>> To enable access to the Install Tool, a file
>>> typo3conf/ENABLE_INSTALL_TOOL must be created.
>>> In cases of an insecure Install Tool password, it would be helpful if
>>> that file is automatically removed if it is older than one hour. This
>>> assures that an admin has explicitly unlocked the Install Tool
>>> within the last hour.
>>>
>>> Solution:
>>> Remove the file if it is older than 1 hour.
>>> Additionally, I have slightly adjusted the error message and changed
>>> the syntax from one huge line to smaller pieces.
>>>
>>> - michael
>>>
>>
>>
> -1, please take care that the last admin logout is past more than one
> hour ago or make it configurable...
> 
> admins should be mature and not treated like children. It's good to have
> this ENABLE_INSTALL_TOOL, but please do not delete it like you want to.
> 
> Thinking about a day like today, using my free time updating and
> improving a site of an association I'm a member of, working all
> day with less power (since it's Sunday, I wanna have a cup of coffee and
> so on) I just don't want to recreate this file every hour...


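The behaviour discussed in this thread (ignore and remove the flag file once it is older than one hour, and touch it on each Install Tool click to extend the session) is shown here as an added example; it is not the patch under review or TYPO3 code. The constant, the function names and the temp-file path are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed names: this constant and both functions are illustrative, not TYPO3
// identifiers. Only the file name and the one-hour limit come from the thread.
const INSTALL_TOOL_MAX_AGE = 3600; // seconds

/** True only if the flag file exists and was modified within the last hour. */
function installToolUnlocked(string $flagFile, ?int $now = null): bool
{
    $now = $now ?? time();
    clearstatcache(true, $flagFile); // avoid a cached mtime within one request
    if (!is_file($flagFile)) {
        return false;
    }
    $mtime = filemtime($flagFile);
    if ($mtime === false || $now - $mtime > INSTALL_TOOL_MAX_AGE) {
        @unlink($flagFile); // stale: remove it, and stay locked even if that fails
        return false;
    }
    return true;
}

/**
 * Sliding window: call after each authenticated Install Tool request.
 * It refreshes a still-valid file and never creates a missing or expired one.
 */
function refreshInstallToolFlag(string $flagFile, ?int $now = null): bool
{
    $now = $now ?? time();
    return installToolUnlocked($flagFile, $now) && touch($flagFile, $now);
}

// Constructed walk-through; a temp file stands in for typo3conf/ENABLE_INSTALL_TOOL.
$flag = sys_get_temp_dir() . '/ENABLE_INSTALL_TOOL.' . getmypid();
$t0 = 1245600000; // constructed timestamp
touch($flag, $t0); // admin unlocks the tool
foreach ([
    ['check', 1800],   // 30 min after creation
    ['click', 3000],   // 50 min after creation, extends the window
    ['check', 6000],   // 50 min after the last click
    ['check', 7000],   // 4000 s after the last click
] as [$action, $offset]) {
    $ok = $action === 'click'
        ? refreshInstallToolFlag($flag, $t0 + $offset)
        : installToolUnlocked($flag, $t0 + $offset);
    printf("t0+%d %s: %s\n", $offset, $action, $ok ? 'unlocked' : 'locked');
}
```

The refresh must run only after the Install Tool password has been accepted; otherwise unauthenticated requests would keep the window open indefinitely.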