[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA

Helmut Hummel helmut.hummel at typo3.org
Fri Jun 13 17:23:15 CEST 2014


On 13.06.14 12:13, Stefan Neufeind wrote:

> It's been discussed often that our shipped .htaccess or the multiple
> .htaccess-files are "not really there for security".
> By allowing only things in Public as a default we will run into problems
> with older extensions.
> But would adding things like ext/*/Resources/Private,
> ext/*/Configuration etc. with a deny-rule by default and optionally
> (commented out) a suggested deny for ext/* with an explicit allow for
> Public make sense maybe?

The problem is, that with the current state of TYPO3 CMS and extensions, 
we cannot offer a sane solution for the diverse possible hosting 

Such blacklisting rules in .htaccess are necessarily incomplete (not 
covering all, not covering anything with nginx) and therefore offer a 
sense of security which is not there.

Rather than discussing rules that never will be able to catch all cases, 
we should make it possible to move al files out of the docroot which do 
not need to be accessible.

Everything else is like forging a big lock for the door but leaving the 
windows wide open. Yes most people might not climb through windows, but 
some still can ;)

Kind regards,

Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org

More information about the TYPO3-team-core mailing list