[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA
helmut.hummel at typo3.org
Fri Jun 13 17:16:13 CEST 2014
On 13.06.14 12:08, Bernhard Kraft wrote:
> For me it was obvious to protect everything in "Private/*" from access
> but now you tell it's the other way round: Allow only access to everything
> in "Public/*". Of course more restrictive is usually better than too open.
Blacklist vs whitelist approach. Yes, whitelisting is always preferable.
> But the question is: Until now the security measure was to add those
> die() statement which are unavoidable by an attacker. If allowing HTTP
> access only to files within "Public/*" is the suggested TYPO3 security
> measure, then this would have to get checked by the install tool as it
> has to get proactively enabled by an admin.
I was not talking about current state, but about what a future state
could/should look like.
For now only the blacklist approach is possible (which is bad and
should be changed).
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
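The two approaches discussed above, as an added Apache 2.4 configuration example (this is not from the original message or from the TYPO3 project; the document root /var/www/html and the extension directory layout under typo3conf/ext are assumptions):

```apache
# Assumed document root: /var/www/html (TYPO3 index.php lives here).
# Assumed extension layout: typo3conf/ext/<extkey>/{Configuration,Resources/{Private,Public},...}

# --- Blacklist (the starting point in the thread) ---
# Only Resources/Private/* is hidden. Every other PHP file, e.g.
# Configuration/TCA/*.php, remains reachable over HTTP and has to protect
# itself with an "if (!defined('TYPO3_MODE')) die('Access denied.');" guard.
# One forgotten guard is enough to expose a file.
<DirectoryMatch "^/var/www/html/typo3conf/ext/[^/]+/Resources/Private/">
    Require all denied
</DirectoryMatch>

# --- Whitelist (what the thread argues for) ---
# Deny the whole extension tree first, then re-allow only the directory that
# is meant to be served. The later, more specific DirectoryMatch wins in
# Apache's merge order, so Resources/Public/* is granted and nothing else.
# Any file lacking a die() guard is no longer reachable.
<DirectoryMatch "^/var/www/html/typo3conf/ext/">
    Require all denied
</DirectoryMatch>
<DirectoryMatch "^/var/www/html/typo3conf/ext/[^/]+/Resources/Public/">
    Require all granted
</DirectoryMatch>
```

Both blocks are shown side by side for comparison; in a real deployment only the whitelist pair would be kept, and the change would be verified by requesting a Configuration/TCA file directly and expecting a 403.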