[TYPO3-core] RFC #14719: Automatically create ENABLE_INSTALL_TOOL file when 1-2-3 Install Tool is used

Ernesto Baschny [cron IT] ernst at cron-it.de
Tue Jun 15 16:52:37 CEST 2010


Jeff Segars wrote on 15.06.2010 15:31:
> On 6/15/10 2:36 AM, Dmitry Dulepov wrote:
>> Hi!
>>
>> Jeff Segars wrote:
>>> Problem:
>>> When a new user first installs TYPO3, they must create the
>>> ENABLE_INSTALL_TOOL file before installation can continue. For a
>>> friendlier first install, it would be nice to automatically create the
>>> file and go directly to the 1-2-3 Install Tool
>>
>> This may cause security issues. The most obvious is when the site is
>> prepared but not yet installed. If it is left like this, anybody from the
>> Internet will be able to access Install tool.
>>
>> I insist that it must be evaluated by the security team before it is
>> committed.
> 
> No disagreement from me :)
> 
> There's certainly a fine line between an easier first install and
> maintaining security so I agree that the security team should be on
> board before anything is committed.

Many PHP web applications require the user to do some "file-system"
action on the server before installing it, just to "prove" that this is
"his environment".

So I don't really think it is that user-unfriendly, as the user is then
aware from the start of this file and its importance.

What we could do is make this "necessary step" more integrated in the
1-2-3 wizard, so that the "first step" is something like "now go create
a file named typo3conf/ENABLE_INSTALL_TOOL on the server", instead of
scary error messages ("The Install Tool is locked" etc...).

Cheers,
Ernesto

