[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA

Helmut Hummel helmut.hummel at typo3.org
Fri Jun 13 17:16:13 CEST 2014


On 13.06.14 12:08, Bernhard Kraft wrote:

> For me it was obvious to protect everything in "Private/*" from access
> but now you tell it's the other way round: Allow only access to everything
> in "Public/*". Of course more restrictive is usually better than too open.

Blacklist vs whitelist approach. Yes, whitelisting is always preferable.

> But the question is: Until now the security measure was to add those
> die() statements which are unavoidable by an attacker. If allowing HTTP
> access only to files within "Public/*" is the suggested TYPO3 security
> measure, then this would have to get checked by the install tool as it
> has to get proactively enabled by an admin.

I was not talking about the current state, but about what a future state
could/should look like.

For now only the blacklist approach is possible (which is bad and
should be changed).

Kind regards,

Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
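The two approaches under discussion, as an added example for readers of this thread (it is not from the mail, the TYPO3 core, or any shipped TYPO3 .htaccess). The blacklist that exists today is the in-file guard `if (!defined('TYPO3_MODE')) { die('Access denied.'); }`, which only helps once PHP is already executing the directly requested file; the whitelist below stops the request at the web server instead. The fragment assumes Apache 2.4 and the TYPO3 6.x extension layout `typo3conf/ext/<extkey>/Resources/{Public,Private}` and `typo3conf/ext/<extkey>/Configuration/TCA/`; both the paths and the regexes are illustrative assumptions. Pick one of the two blocks in a real vhost; they are shown together only for contrast.

```apache
# Added example, not TYPO3 project code. Apache 2.4 syntax ("Require").
# Paths assume typo3conf/ext/<extkey>/... (TYPO3 6.x layout, assumed here).

# 1) Blacklist, the only option described as possible today: deny what is
#    known to be private. Configuration/TCA/*.php is NOT under
#    Resources/Private, so a direct request for it still reaches PHP and
#    the file has to protect itself with the TYPO3_MODE die() guard.
<LocationMatch "^/typo3conf/ext/[^/]+/Resources/Private/">
    Require all denied
</LocationMatch>

# 2) Whitelist, the proposed future state: deny the whole extension tree,
#    then re-open only Resources/Public. Later <LocationMatch> sections take
#    precedence over earlier ones for the same path, so the second block
#    overrides the first. Configuration/, Classes/, ext_*.php and anything
#    else become unreachable over HTTP whether or not they carry a guard.
<LocationMatch "^/typo3conf/ext/">
    Require all denied
</LocationMatch>
<LocationMatch "^/typo3conf/ext/[^/]+/Resources/Public/">
    Require all granted
</LocationMatch>
```

Check it from the outside rather than trusting the config: a request for `/typo3conf/ext/<extkey>/Configuration/TCA/<table>.php` should return 403 with the whitelist in place, while the same request under the blacklist returns whatever the die() guard prints (200 with "Access denied." if the guard is there, and executed PHP if it is missing). As Bernhard notes above, the whitelist has to be enabled by the admin, so that check belongs in deployment verification, not only in the extension code.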
