[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA
Bernhard Kraft
kraftb at think-open.at
Thu Jun 12 18:08:24 CEST 2014
On 06/12/2014 05:09 PM, Benjamin Mack wrote:
> Why was this added to all files initially anyway? Wasn't it because you
> could include files like
Well. I can just guess. But lets look: What protection does it offer?
- If the server is configured wrong and does not parse .php file the
statement wont get executed anyways and the whole file will get dumped
as plain text.
- If some external application has access to the files it could simply
do a define TYPO3_MODE and can include them for spying out variables.
- It clobbers configuration files
+ It inhibits direct access to those files. Including the file from
another server won't work - doing an include('http://...') will just
include the parsed output of the script.
Any other ideas about those? Maybe someone remembers more "+" reasons
for those.
greetings,
Bernhard
More information about the TYPO3-team-core
mailing list