[TYPO3-core] RFC: #11368: ENABLE_INSTALL_TOOL file should be ignored if older than one hour

bernd wilke x00nsji02 at sneakemail.com
Sun Jun 21 21:09:16 CEST 2009


On Sun, 21 Jun 2009 19:17:59 +0200, Ingmar Schlecht wrote:

> Hi Steffen,
> 
> I just talked to Michael about this, and he will adopt the patch, so
> that it will allow for longer sessions in the install tool, by touching
> the file at each click within the install tool. But it will still be
> necessary to create it in the beginning of the day when you want to
> start using the install tool.
> 
> What would be possible (and not compromise security) would be a button
> in the backend which admins can click to automatically create that file
> when they need it. However, I'm not quite sure where such a button
> should be placed, and if it makes sense at all...

I think this would break security. In case someone gets access to an
admin-account, he can use the install-tool at once (just one click).
At the moment you need another access to the webspace to create this file,
which means additional security.
I know how to create this lock-file from BE with admin-access, but it is
not done within a minute.
 
> Apart from that, I'm +1 to the patch. Making installations more secure
> is a top priority IMHO and from experience I'd say that quite a lot of
> installations have the install tool enabled all the time.

What about an option in the install-tool which decides how old the lockfile
is allowed to be? -1 = ignore time
and then refresh the timestamp with each click inside the install-tool!

Then you can include the lockfile with a fresh installation and have
the timeout set to 10 min by default. This would make installation one
step easier.

bernd
-- 
http://www.pi-phi.de/t3v4/cheatsheet.html
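
A sketch of the check proposed in the message above (configurable maximum lock-file age, -1 to ignore the age, timestamp refreshed on every accepted request), added here as an example; it is not part of the original post and not TYPO3's code. The function name, its signature and the 600-second default are assumptions, and the demonstration values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper; name, signature and defaults are assumptions.
// $maxAge is the allowed lock-file age in seconds; -1 disables the age check.
function installToolEnabled(string $flagFile, int $maxAge = 600, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!is_file($flagFile)) {
        return false;                    // no flag file: tool stays locked
    }
    if ($maxAge === -1) {
        return true;                     // "-1 = ignore time"
    }
    clearstatcache(true, $flagFile);     // do not trust a cached mtime
    $mtime = filemtime($flagFile);
    if ($mtime === false) {
        return false;                    // unreadable metadata: fail closed
    }
    $age = $now - $mtime;
    if ($age < 0 || $age > $maxAge) {
        return false;                    // stale or future-dated file is ignored
    }
    // Sliding window: each accepted request refreshes the timestamp,
    // so an active session continues while an idle one expires.
    return touch($flagFile, $now);
}

// Constructed demonstration on a temporary file with simulated clock values.
$flag = tempnam(sys_get_temp_dir(), 'eit');
$t0 = time();
touch($flag, $t0);
var_dump(installToolEnabled($flag, 600, $t0 + 300));   // inside the window
var_dump(installToolEnabled($flag, 600, $t0 + 800));   // 500 s after the refresh
var_dump(installToolEnabled($flag, 600, $t0 + 1500));  // 700 s idle
var_dump(installToolEnabled($flag, -1, $t0 + 99999));  // age check disabled
unlink($flag);
```

With -1 configured, a forgotten flag file keeps the install tool reachable indefinitely, which is the situation the RFC is meant to prevent.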

