[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA

Bernhard Kraft kraftb at think-open.at
Fri Jun 13 12:08:50 CEST 2014


On 06/12/2014 11:41 PM, Helmut Hummel wrote:

> 1.
> Reduce the number of entry scripts to (at best one or) let's say a hand
> full and all required static resources to defined folders
> (Public/Resources) and move all other files outside the document root

For me it was obvious to protect everything in "Private/*" from access 
but now you tell its the other way round: Allow only access to everyting 
in "Public/*". Of course more restrictive is usually better than too open.

But the question is: Until now the security measure was to add those 
die() statement which are unavoidable by an attacker. If allowing HTTP 
access only to files within "Public/*" is the suggested TYPO3 security 
measure, then this would have to get checked by the install tool as it 
has to get proactively enabled by an admin.

I assume just hiding it somewhere deep in a rusty Server-Setup guide is 
not as sufficient as to place this information at a prominent location.


More information about the TYPO3-team-core mailing list