[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA

Stefan Neufeind typo3.neufeind at speedpartner.de
Fri Jun 13 12:13:58 CEST 2014


On 06/13/2014 12:08 PM, Bernhard Kraft wrote:
> 
> On 06/12/2014 11:41 PM, Helmut Hummel wrote:
> 
>> 1.
>> Reduce the number of entry scripts to (at best one or) let's say a
>> handful and all required static resources to defined folders
>> (Public/Resources) and move all other files outside the document root
> 
> For me it was obvious to protect everything in "Private/*" from access
> but now you tell it's the other way round: Allow only access to everything
> in "Public/*". Of course more restrictive is usually better than too open.
> 
> But the question is: Until now the security measure was to add those
> die() statements which are unavoidable by an attacker. If allowing HTTP
> access only to files within "Public/*" is the suggested TYPO3 security
> measure, then this would have to get checked by the install tool as it
> has to get proactively enabled by an admin.
> 
> I assume just hiding it somewhere deep in a rusty Server-Setup guide is
> not as sufficient as to place this information at a prominent location.

It's been discussed often that our shipped .htaccess or the multiple
.htaccess-files are "not really there for security".
By allowing only things in Public as a default we will run into problems
with older extensions.

But would adding things like ext/*/Resources/Private,
ext/*/Configuration etc. with a deny-rule by default and optionally
(commented out) a suggested deny for ext/* with an explicit allow for
Public make sense maybe?

(This brings us a bit OT though ...)


Kind regards,
 Stefan
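For reference, what the "deny by default, optional stricter variant" idea from the reply could look like as Apache rewrite rules. This is an added example, not TYPO3's shipped .htaccess and not code from anyone in the thread; it assumes the usual layout typo3conf/ext/<extkey>/ with Configuration/ and Resources/Private|Public/ subfolders, Apache 2.4 with mod_rewrite, and the .htaccess living in the document root (adjust the typo3conf/ext prefix for typo3/sysext or other locations).

```apache
# Added example (not from the thread, not TYPO3's own .htaccess).
# Assumed layout: typo3conf/ext/<extkey>/{Configuration,Resources/Private,Resources/Public}/
# In a per-directory .htaccess the directory prefix is stripped, so the
# patterns below start with "typo3conf/..." and no leading slash.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Default deny: the folders whose files historically relied only on the
    # "if (!defined('TYPO3_MODE')) die();" guard. A direct request to
    # e.g. typo3conf/ext/foo/Configuration/TCA/tx_foo.php now returns 403
    # instead of executing the file (or dumping it if PHP handling breaks).
    RewriteRule ^typo3conf/ext/[^/]+/(Configuration|Resources/Private)/ - [F,L]

    # Optional stricter variant, shipped commented out because it will break
    # older extensions that serve assets from outside Resources/Public/:
    # deny every path under an extension EXCEPT Resources/Public/.
    # (PCRE negative lookahead, supported by Apache's regex engine.)
    #RewriteRule ^typo3conf/ext/[^/]+/(?!Resources/Public/) - [F,L]
</IfModule>
```

A quick check after enabling either rule is to request a known private file and a known public asset, e.g. with curl -sI on .../typo3conf/ext/<extkey>/Configuration/TCA/<table>.php (expect HTTP 403) and on .../typo3conf/ext/<extkey>/Resources/Public/Css/<file>.css (expect 200); if the 403 never shows up, mod_rewrite is off or AllowOverride does not permit FileInfo for that directory, which is exactly the "has to be checked by the install tool" concern raised above.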