[TYPO3-core] RFC: #11368: ENABLE_INSTALL_TOOL file should be ignored if older than one hour
bernd wilke
x00nsji02 at sneakemail.com
Sun Jun 21 21:09:16 CEST 2009
On Sun, 21 Jun 2009 19:17:59 +0200, Ingmar Schlecht wrote:
> Hi Steffen,
>
> I just talked to Michael about this, and he will adopt the patch, so
> that it will allow for longer sessions in the install tool, by touching
> the file at each click within the install tool. But it will still be
> necessary to create it in the beginning of the day when you want to
> start using the install tool.
>
> What would be possible (and not compromise security) would be a button
> in the backend which admins can click to automatically create that file
> when they need it. However, I'm not quite sure where such a button
> should be placed, and if it makes sense at all...
I think this would break security. In case someone gets access to an
admin account, he can use the install tool at once (just one click).
At the moment you need another access to the webspace to create this file,
which means additional security.
I know how to create this lock file from the BE with admin access, but it is
not done within a minute.
> Apart from that, I'm +1 to the patch. Making installations more secure
> is a top priority IMHO and from experience I'd say that quite a lot of
> installations have the install tool enabled all the time.
What about an option in the install tool which decides how old the lockfile
is allowed to be? -1 = ignore time
and then refresh the timestamp with each click inside the install tool!
Then you can include the lockfile with a fresh installation and have
the timeout set to 10 min by default. This would make installation one
step easier.
bernd
--
http://www.pi-phi.de/t3v4/cheatsheet.html
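
The timeout-plus-refresh scheme discussed in this message, sketched in PHP as an added example; it is not TYPO3 core code or the patch under review. The function name, its parameters and the temp-directory demo are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper: decide whether the Install Tool may be used, based on
 * the age of the ENABLE_INSTALL_TOOL lock file.
 *
 * @param string   $lockFile path to the lock file
 * @param int      $maxAge   allowed age in seconds; -1 = ignore time
 * @param int|null $now      current time (injectable so the demo is repeatable)
 */
function installToolEnabled(string $lockFile, int $maxAge, ?int $now = null): bool
{
    $now = $now ?? time();
    clearstatcache(true, $lockFile);      // filemtime() results are cached
    if (!is_file($lockFile)) {
        return false;                     // no lock file: tool stays locked
    }
    $mtime = filemtime($lockFile);
    if ($mtime === false) {
        return false;                     // unreadable metadata: fail closed
    }
    if ($maxAge !== -1) {
        $age = $now - $mtime;
        // A timestamp in the future (negative age) would never expire,
        // so it is treated like a stale file.
        if ($age < 0 || $age > $maxAge) {
            return false;                 // stale file is ignored, not refreshed
        }
    }
    touch($lockFile, $now);               // sliding window: refresh on each click
    return true;
}

// Constructed demo in a throwaway directory.
$dir = sys_get_temp_dir() . '/install_tool_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$lock = $dir . '/ENABLE_INSTALL_TOOL';
$now  = time();

touch($lock, $now - 300);                          // 5 minutes old, 10 minute limit
var_dump(installToolEnabled($lock, 600, $now));
touch($lock, $now - 7200);                         // 2 hours old, time check disabled
var_dump(installToolEnabled($lock, -1, $now));
touch($lock, $now - 7200);                         // 2 hours old, 10 minute limit
var_dump(installToolEnabled($lock, 600, $now));
touch($lock, $now + 86400);                        // timestamp set a day ahead
var_dump(installToolEnabled($lock, 600, $now));

unlink($lock);
rmdir($dir);
```

Because a stale file is never touched again, only someone with write access to the webspace can re-arm the tool once the window has lapsed.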