[TYPO3-core] RFC: #11368: ENABLE_INSTALL_TOOL file should be ignored if older than one hour

Michael Stucki michael at typo3.org
Tue Jun 23 09:29:13 CEST 2009


Hi Lars,

>> What does the security team say to this approach? Do you consider it to
>> be problematic?
> 
> The key is to make sure the behavior cannot be faked and that there is 
> done enough validation to make sure the session is valid.
> 
> This should still go into another RFC and when that one is present, the 
> security team would like to look into it, to verify the method used 
> doesn't introduce a breach :)

Alright, so I'll commit v2 of the patch and post a separate RFC afterwards.

>> I don't think it is a problem, as the file is only created if an admin
>> user has clicked on the "Install" module within the last hour (or if it
>> was created manually, again within the last hour). And still, there is
>> no Install Tool without having the password for it.
> 
> At first thought I personally like the idea too, and it would for sure 
> make the file lock mechanism more transparent, and combined with 
> auto-delete, this would not only enhance security, but also make the 
> install tool access more user-friendly and hassle-free for admins.

That's the reason for it.

- michael
-- 
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
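As an added illustration (not the patch under discussion and not TYPO3's own code), here is a stand-alone PHP check that implements the rule the thread describes: honour ENABLE_INSTALL_TOOL only while it is less than an hour old, and delete it once it is stale so the window closes by itself. The file location and the lifetime constant are assumptions for the example.

```php
<?php
// Added example, not the TYPO3 patch itself. Assumes the flag file sits in
// the same directory as this script and that its lifetime is one hour.
const ENABLE_INSTALL_TOOL_FILE = __DIR__ . '/ENABLE_INSTALL_TOOL';
const ENABLE_INSTALL_TOOL_MAX_AGE = 3600; // seconds

/**
 * True only when the flag file exists and was modified within $maxAge seconds.
 * A stale file is treated as absent and removed, so an admin who forgets to
 * delete it does not leave the Install Tool reachable indefinitely.
 */
function installToolEnabled(
    string $file = ENABLE_INSTALL_TOOL_FILE,
    int $maxAge = ENABLE_INSTALL_TOOL_MAX_AGE,
    ?int $now = null
): bool {
    if (!is_file($file)) {
        return false;
    }
    clearstatcache(true, $file);        // do not trust a cached mtime
    $mtime = filemtime($file);
    if ($mtime === false) {
        return false;                   // unreadable: fail closed
    }
    $now = $now ?? time();
    if ($now - $mtime > $maxAge) {
        // Stale: remove it. If unlink fails the file is still ignored
        // because of its age, so the decision does not depend on the delete.
        @unlink($file);
        return false;
    }
    return true;
}

// The flag only opens the door; the Install Tool password is still required,
// exactly as the thread states. This guard would run before the login form.
if (!installToolEnabled()) {
    http_response_code(403);
    exit('Install Tool disabled: create ENABLE_INSTALL_TOOL to enable it for one hour.');
}
```

Passing `$now` explicitly lets the check be unit-tested against a fixed timestamp without touching the file system clock.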
