[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA

Bernhard Kraft kraftb at think-open.at
Thu Jun 12 18:08:24 CEST 2014

On 06/12/2014 05:09 PM, Benjamin Mack wrote:

> Why was this added to all files initially anyway? Wasn't it because you
> could include files like

Well. I can just guess. But lets look: What protection does it offer?

- If the server is configured wrong and does not parse .php file the 
statement wont get executed anyways and the whole file will get dumped 
as plain text.

- If some external application has access to the files it could simply 
do a define TYPO3_MODE and can include them for spying out variables.

- It clobbers configuration files

+ It inhibits direct access to those files. Including the file from 
another server won't work - doing an include('http://...') will just 
include the parsed output of the script.

Any other ideas about those? Maybe someone remembers more "+" reasons 
for those.


More information about the TYPO3-team-core mailing list