[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA

Stefan Neufeind typo3.neufeind at speedpartner.de
Fri Jun 13 17:23:31 CEST 2014


On 06/13/2014 05:16 PM, Helmut Hummel wrote:
> 
> On 13.06.14 12:08, Bernhard Kraft wrote:
> 
>> For me it was obvious to protect everything in "Private/*" from access
>> but now you tell it's the other way round: Allow only access to everything
>> in "Public/*". Of course more restrictive is usually better than too
>> open.
> 
> Blacklist vs whitelist approach. Yes, whitelisting is always preferable.
> 
>> But the question is: Until now the security measure was to add those
>> die() statements which are unavoidable by an attacker. If allowing HTTP
>> access only to files within "Public/*" is the suggested TYPO3 security
>> measure, then this would have to get checked by the install tool as it
>> has to get proactively enabled by an admin.
> 
> I was not talking about current state, but about what a future state
> could/should look like.
> 
> For now only the black list approach is possible (which is bad and
> should be changed).

And do we ship something for the blacklist or give a recommendation
(htaccess and nginx-snippet)? Could be additional to "putting the
oneliner into files" as you mentioned.


Regards,
 Stefan
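As an added illustration (not part of this thread and not shipped by TYPO3), the two approaches as nginx location rules. The extension path typo3conf/ext and the Resources/Private and Resources/Public layout are assumed from the standard extension structure; the regexes and their ordering are my own and must sit before the location that hands *.php to PHP-FPM, since nginx takes the first matching regex location in file order.

```nginx
# Variant A, blacklist (what is possible today): refuse only what is known
# to be private. Any path not listed here, e.g. Configuration/TCA/*.php of an
# extension, is still reachable and would be executed by the PHP handler,
# which is exactly why the defined('TYPO3_MODE') or die() one-liner in those
# files is still needed.
location ~ ^/typo3conf/ext/[^/]+/Resources/Private/ {
    return 403;
}

# Variant B, whitelist (the proposed future state): serve Resources/Public as
# static files and refuse every other path below an extension directory,
# including PHP files, so nothing reaches the interpreter directly.
# Use either A or B, not both; B makes A redundant.
location ~ ^/typo3conf/ext/[^/]+/Resources/Public/ {
    try_files $uri =404;   # static delivery only, never passed to PHP-FPM
}
location ~ ^/typo3conf/ext/ {
    return 403;            # everything else under an extension is denied
}

# Both variants must appear above the PHP handler, otherwise the handler's
# regex wins for *.php requests inside extension directories.
location ~ \.php$ {
    # fastcgi_pass ... (site-specific, unchanged)
}
```

With variant B, any extension asset the site needs outside Resources/Public has to be whitelisted explicitly, which is the "proactively enabled by an admin" part of the discussion above.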


More information about the TYPO3-team-core mailing list