[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA

Helmut Hummel helmut.hummel at typo3.org
Fri Jun 13 17:16:13 CEST 2014


Hi!

On 13.06.14 12:08, Bernhard Kraft wrote:

> For me it was obvious to protect everything in "Private/*" from access
> but now you tell it's the other way round: Allow only access to everything
> in "Public/*". Of course more restrictive is usually better than too open.

Blacklist vs whitelist approach. Yes, whitelisting is always preferable.

> But the question is: Until now the security measure was to add those
> die() statement which are unavoidable by an attacker. If allowing HTTP
> access only to files within "Public/*" is the suggested TYPO3 security
> measure, then this would have to get checked by the install tool as it
> has to get proactively enabled by an admin.

I was not talking about the current state, but about what a future state
could/should look like.

For now only the blacklist approach is possible (which is bad and
should be changed).

Kind regards,
Helmut

-- 
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
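As an added illustration of the two approaches discussed in this thread (not part of the original mail), the following Apache 2.4 fragment places the blacklist beside the whitelist. It assumes the usual TYPO3 extension location `typo3conf/ext/<extkey>/` with `Configuration/`, `Classes/` and `Resources/{Private,Public}/` below it; adjust the paths if your install differs.

```apache
# Blacklist (the state described in the thread): deny only the directories
# known to be sensitive. Any new directory is reachable by default, so the
# per-file guard  defined('TYPO3_MODE') or die();  remains the last defence.
<DirectoryMatch "^.*/typo3conf/ext/[^/]+/(Configuration|Classes|Resources/Private)/">
    Require all denied
</DirectoryMatch>

# Whitelist (the future state Helmut argues for): deny the whole extension
# tree, then re-allow only Resources/Public. Apache merges DirectoryMatch
# sections in configuration order, so the later "granted" wins for Public
# and everything else, including directories added tomorrow, stays denied.
<DirectoryMatch "^.*/typo3conf/ext/">
    Require all denied
</DirectoryMatch>
<DirectoryMatch "^.*/typo3conf/ext/[^/]+/Resources/Public/">
    Require all granted
</DirectoryMatch>
```

A quick check after deploying the whitelist: request a TCA file such as `/typo3conf/ext/<extkey>/Configuration/TCA/<table>.php` and expect HTTP 403, and request a file under `Resources/Public/` and expect 200.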

