[TYPO3-core] RFC #11369: jumpUrl should only allow files matching fileDenyPattern
Michael Stucki
michael at typo3.org
Mon Jun 22 13:32:04 CEST 2009
Attached is a new version which implements a suggestion by Olly to
also disallow access if the parent directory name is "typo3conf". This
ensures that backups (*~ etc.) of localconf.php - which we consider
most delicate - are also inaccessible.
- michael
Michael Stucki wrote:
> Hi Marcus,
>
>>> Problem:
>>> jumpUrl should only allow files matching fileDenyPattern, so e.g. PHP
>>> files can not be downloaded with jumpUrl any more.
>>
>> The title should be read as
>> "jumpUrl should only allow files *not* matching fileDenyPattern"
>> Am I right?
>
> Certainly, yes :-)
>
>> I really appreciate the patch.
>>
>> +1 by reading if you consider Bastian's comment
>
> Oops. Neither Ingmar nor I noticed that although we copied the line
> exactly from this function :-) Good point!
>
> New patch is attached. +1 from me as well (just reading, no testing).
>
> - michael
>
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bug_11369_v3.diff
Url: http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20090622/ab99c80c/attachment-0002.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bug_11369_v3_w.diff
Url: http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20090622/ab99c80c/attachment-0003.txt
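
Added example, not part of the original message and not TYPO3 core code: a PHP sketch of the two checks discussed in this thread, showing why the parent-directory rule is needed for backups such as localconf.php~. The function name, the deny pattern value and the sample paths are assumptions made for illustration.

```php
<?php
// Assumed stand-in for the site's configured fileDenyPattern.
const ASSUMED_FILE_DENY_PATTERN = '\.php[3-6]?(\..*)?$|^\.htaccess$';

/**
 * Hypothetical helper: may this jumpUrl file target be served?
 * Rule 1: the file name must NOT match the deny pattern.
 * Rule 2: the file must not sit directly inside a directory named "typo3conf".
 */
function isJumpUrlFileAllowed(string $relativePath, string $denyPattern = ASSUMED_FILE_DENY_PATTERN): bool
{
    // Treat both separator styles alike before splitting the path.
    $path = str_replace('\\', '/', $relativePath);
    $fileName = basename($path);

    // Rule 1: case-insensitive match of the file name against the deny pattern.
    $regex = '/' . str_replace('/', '\/', $denyPattern) . '/i';
    if (preg_match($regex, $fileName) === 1) {
        return false;
    }

    // Rule 2: only the immediate parent directory is checked, as the mail describes.
    // The comparison ignores case so that case-insensitive file systems are covered.
    $parentName = basename(dirname($path));
    if (strcasecmp($parentName, 'typo3conf') === 0) {
        return false;
    }

    return true;
}

// Constructed sample paths.
$samples = [
    'fileadmin/docs/report.pdf',     // allowed: passes both rules
    'fileadmin/tools/export.php',    // denied by rule 1
    'fileadmin/tools/export.php.txt',// denied by rule 1 (".php" followed by another extension)
    'typo3conf/localconf.php',       // denied by rule 1
    'typo3conf/localconf.php~',      // passes rule 1 (pattern is anchored at the end), denied by rule 2
    'typo3conf/localconf.bak',       // passes rule 1, denied by rule 2
];

foreach ($samples as $sample) {
    printf("%-34s %s\n", $sample, isJumpUrlFileAllowed($sample) ? 'allow' : 'deny');
}
```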