[TYPO3-core] RFC #14935: Install tool password can be overwritten by an extensions' ext_localconf.php
Jeff Segars
jsegars at alumni.rice.edu
Tue Jan 4 18:13:30 CET 2011
On 1/4/11 3:47 AM, Benjamin Mack wrote:
> Hey,
>
> this is a SVN patch request.
>
> Branch: trunk only
>
> Type: security feature
>
> BT reference: http://bugs.typo3.org/view.php?id=14935
>
> Problem:
> The Install Tool Password can be changed by any extension that is
> installed. It should only be changeable in localconf.php
>
> Solution:
> Use a constant instead of the variable - throughout the Core.
>
> All the best,
> benni.

Hey Benni,

Overall +1 on reading and testing, with one comment.

Would it make sense to define the TYPO3_InstallToolPassword constant
right after localconf.php is included? Currently, there are about 80
lines in between and that opens the possibility something could happen
in these lines to let the password be changed.

As it stands now, the code all appears to be safe with no hooks or
XCLASSes possible but in the future something like hooks in the
deprecation logging could accidentally allow a password change to happen.

Thanks,
Jeff
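
The ordering concern raised in this thread, as an added example that is not part of the original message or the TYPO3 core: a constant only protects the value it captured at define() time, so code that runs between localconf.php and the define() can still change what gets frozen. The closures stand in for localconf.php and an extension's ext_localconf.php, $conf models $TYPO3_CONF_VARS, and the DEMO_* constant names and password strings are constructed.

```php
<?php
// Stand-in for localconf.php: the value the administrator configured.
$localconf = function (array &$conf): void {
    $conf['BE']['installToolPassword'] = 'hash-set-by-admin';
};

// Stand-in for an extension's ext_localconf.php, or any hook that runs
// later in the bootstrap and writes to the configuration array.
$laterCode = function (array &$conf): void {
    $conf['BE']['installToolPassword'] = 'hash-set-by-extension';
};

/**
 * Simulated bootstrap. $defineEarly selects where the constant is defined:
 * directly after "localconf.php", or only after the later code has run.
 */
function bootstrap(string $constName, bool $defineEarly,
                   callable $localconf, callable $laterCode): array
{
    $conf = [];
    $localconf($conf);
    if ($defineEarly) {
        define($constName, $conf['BE']['installToolPassword']);
    }
    $laterCode($conf);              // the lines between include and define()
    if (!$defineEarly) {
        define($constName, $conf['BE']['installToolPassword']);
    }
    // A second define() on an existing constant fails and returns false.
    $redefined = @define($constName, 'hash-set-by-extension');

    return [
        'variable'  => $conf['BE']['installToolPassword'],
        'constant'  => constant($constName),
        'redefined' => $redefined,
    ];
}

$cases = [
    'define right after localconf.php' => bootstrap('DEMO_PW_EARLY', true, $localconf, $laterCode),
    'define after later code'          => bootstrap('DEMO_PW_LATE', false, $localconf, $laterCode),
];
foreach ($cases as $label => $r) {
    printf("%-34s variable=%s constant=%s redefine=%s\n", $label,
        $r['variable'], $r['constant'], var_export($r['redefined'], true));
}
```

In both cases the variable ends up holding the later code's value; only the constant defined directly after the localconf.php stand-in keeps the administrator's value.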