[TYPO3-core] RFC: #11368: ENABLE_INSTALL_TOOL file should be ignored if older than one hour
Michael Stucki
michael at typo3.org
Tue Jun 23 09:29:13 CEST 2009
Hi Lars,
>> What does the security team say to this approach? Do you consider it to
>> be problematic?
>
> The key is to make sure the behavior cannot be faked and that there is
> done enough validation to make sure the session is valid.
>
> This should still go into another RFC and when that one is present, the
> security team would like to look into it, to verify the method used
> doesn't introduce a breach :)
Alright, so I'll commit v2 of the patch and post a separate RFC afterwards.
>> I don't think it is a problem, as the file is only created if an admin
>> user has clicked on the "Install" module within the last hour (or if it
>> was created manually, again within the last hour). And still, there is
>> no Install Tool without having the password for it.
>
> At first thought I personally like the idea too, and it would for sure
> make the file lock mechanism more transparent, and combined with
> auto-delete, this would not only enhance security, but also make the
> install tool access more user-friendly and hassle-free for admins.
That's the reason for it.
- michael
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
More information about the TYPO3-team-core mailing list