[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA

Frans Saris franssaris at gmail.com
Thu Jun 12 18:31:13 CEST 2014


If you access these files directly and error display is on, it can expose paths
etc., as there are calls made to methods etc. that will result in fatal errors.

Gr. Frans
On 12 Jun 2014 18:10, "Bernhard Kraft" <kraftb at think-open.at> wrote:

> On 06/12/2014 05:09 PM, Benjamin Mack wrote:
>
>> Why was this added to all files initially anyway? Wasn't it because you
>> could include files like
>>
>
> Well. I can just guess. But let's look: What protection does it offer?
>
> - If the server is configured wrong and does not parse .php files, the
> statement won't get executed anyway and the whole file will get dumped as
> plain text.
>
> - If some external application has access to the files it could simply do
> a define TYPO3_MODE and can include them for spying out variables.
>
> - It clobbers configuration files
>
> + It inhibits direct access to those files. Including the file from
> another server won't work - doing an include('http://...') will just
> include the parsed output of the script.
>
>
> Any other ideas about those? Maybe someone remembers more "+" reasons for
> those.
>
>
> greetings,
> Bernhard
>
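
For the direct-access case discussed in this thread, an audit script can list the PHP files whose first executable statement is not a TYPO3_MODE guard, so that code running before the guard (or without one) gets reviewed. This is an added example, not code from the thread or from TYPO3. The accepted guard spellings, the sample file names and `SomeUtility` are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Accepted guard spellings are an assumption (idioms commonly seen in TYPO3 files).
GUARD = re.compile(
    r"""(?: defined\s*\(\s*['"]TYPO3_MODE['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b
          | if\s*\(\s*!\s*defined\s*\(\s*['"]TYPO3_MODE['"]\s*\)\s*\)\s*\{?\s*(?:die|exit)\b )""",
    re.IGNORECASE | re.VERBOSE)
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
PREAMBLE = re.compile(r"(?:declare\s*\([^)]*\)|namespace\s+[\w\\]+|use\s+[^;]+)\s*;\s*", re.I)

def has_guard(source):
    """True when the first executable statement is the TYPO3_MODE guard."""
    start = source.find("<?php")
    if start < 0:
        return False  # no PHP open tag, so nothing here can act as a guard
    code = COMMENT.sub("", source[start + 5:]).lstrip()
    while (m := PREAMBLE.match(code)):  # skip declare/namespace/use lines
        code = code[m.end():].lstrip()
    return bool(GUARD.match(code))

def audit(root):
    """Relative paths of .php files under root that lack a leading guard."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.php")
        if not has_guard(p.read_text(encoding="utf-8", errors="replace")))

# Constructed sample files (not taken from TYPO3); demo() writes and audits them.
SAMPLES = {
    "Configuration/TCA/guarded.php":
        "<?php\n/* header */\ndefined('TYPO3_MODE') or die();\nreturn [];\n",
    "Configuration/TCA/late_guard.php":
        "<?php\n$t = SomeUtility::load();\ndefined('TYPO3_MODE') or die();\n",
    "Configuration/TCA/unguarded.php":
        "<?php\nreturn SomeUtility::build('tx_example');\n",
    "ext_tables.php":
        "<?php\nif (!defined('TYPO3_MODE')) {\n    die('Access denied.');\n}\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return audit(tmp)
```

Calling `audit()` on an extension directory returns the files to review; a file with a late guard is reported too, because a method call placed before the guard still runs on a direct request.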