[TYPO3-core] TYPO3_MODE "die" in Configurations/TCA

Helmut Hummel helmut.hummel at typo3.org
Fri Jun 13 17:23:15 CEST 2014


Hi!

On 13.06.14 12:13, Stefan Neufeind wrote:

> It's been discussed often that our shipped .htaccess or the multiple
> .htaccess-files are "not really there for security".
> By allowing only things in Public as a default we will run into problems
> with older extensions.
>
> But would adding things like ext/*/Resources/Private,
> ext/*/Configuration etc. with a deny-rule by default and optionally
> (commented out) a suggested deny for ext/* with an explicit allow for
> Public make sense maybe?

The problem is that with the current state of TYPO3 CMS and extensions, 
we cannot offer a sane solution for the diverse possible hosting 
environments.

Such blacklisting rules in .htaccess are necessarily incomplete (not 
covering all, not covering anything with nginx) and therefore offer a 
sense of security which is not there.

Rather than discussing rules that never will be able to catch all cases, 
we should make it possible to move all files out of the docroot which do 
not need to be accessible.

Everything else is like forging a big lock for the door but leaving the 
windows wide open. Yes most people might not climb through windows, but 
some still can ;)

Kind regards,
Helmut

-- 
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
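A small simulation of the coverage argument made in this message, added here as an example and not code from the thread or from TYPO3 itself: the deny rules proposed for ext/*/Resources/Private and ext/*/Configuration are written as globs (an assumed form, since the thread gives no literal .htaccess) and applied to a constructed extension layout, beside the deny-ext/*-but-allow-Public variant; a flag models a server such as nginx that never reads .htaccess.

```python
import fnmatch

# Constructed sample layout of one extension under the docroot
# (illustrative file names, not a real extension).
SAMPLE_FILES = [
    "typo3conf/ext/myext/Resources/Public/Css/style.css",
    "typo3conf/ext/myext/Resources/Private/Templates/List.html",
    "typo3conf/ext/myext/Configuration/TCA/tx_myext_item.php",
    "typo3conf/ext/myext/Classes/Controller/ItemController.php",
    "typo3conf/ext/myext/ext_localconf.php",
    "typo3conf/ext/myext/ext_tables.sql",
    "typo3conf/ext/myext/Documentation/Index.rst",
]

# Deny rules as suggested in the thread, written as globs (assumed form).
DENY_PATTERNS = [
    "typo3conf/ext/*/Resources/Private/*",
    "typo3conf/ext/*/Configuration/*",
]

# The stricter variant: deny ext/* entirely, allow only Resources/Public.
ALLOW_PATTERNS = ["typo3conf/ext/*/Resources/Public/*"]


def _matches(path, patterns):
    # fnmatch's "*" also crosses "/", so one pattern covers a whole subtree.
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def reachable_with_denylist(files, deny_patterns, honors_htaccess=True):
    """Files still served under deny-list rules.
    honors_htaccess=False models nginx, which never reads .htaccess,
    so the rules have no effect there at all.
    """
    if not honors_htaccess:
        return list(files)
    return [f for f in files if not _matches(f, deny_patterns)]


def reachable_with_allowlist(files, allow_patterns, honors_htaccess=True):
    """Files served when ext/* is denied except the allow-listed subtree."""
    if not honors_htaccess:
        return list(files)
    return [f for f in files if _matches(f, allow_patterns)]


if __name__ == "__main__":
    print("deny-list still serves:", *reachable_with_denylist(SAMPLE_FILES, DENY_PATTERNS), sep="\n  ")
    print("allow-list still serves:", *reachable_with_allowlist(SAMPLE_FILES, ALLOW_PATTERNS), sep="\n  ")
```

Running it shows the deny list still leaves PHP, SQL and documentation files outside the two listed directories reachable, while the allow list reduces the served set to the Public subtree; neither helps on a server that ignores .htaccess, which is the point made above.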