Whitelist extension (was: Re: [Typo3-typo3org] Comments on the mirroring concept)

Michael Stucki michael at typo3.org
Thu Mar 10 00:16:45 CET 2005


Hi Juergen,

> Isn't this the same with *any* mirror server on the internet?
> If the ADMIN is mad he could do anything.
> But compromising an EXT I just would write one and upload it.
> Give it a fancy name and make sure that on the first run it
> generates code that is put somewhere, where it is always run
> and not deleted from the EXT.
> OK, it will be found, but that might take quite some time.

You may be right. But still I see much sense for such an extension. If it
can't really ensure that nobody finds a way around this, then we can still
give recommendations for the people. I think most people would be happy to
have a list of extensions which they know that these have been reviewed and
are regarded to be secure.

>> Well, the shell extension is much easier!
>> Move localconf.php to fileadmin/, edit it and move it back. Done! :-)
> 
> So as we all know this it could be used easily by anyone.
> The point is: People have to be careful on the internet,
> with *everything*, and as EXT are only run by admins
> they should know what they are doing.
> Some might trust, some might download the source and read
> it and then install it.
> Same with Debian and FreeBSD packages. What I try to say:
> I would not put too much effort in making it *safe* because
> IMHO it is not possible to make it safe and therefore will give
> people the false impression that it might be safe.

A warning message is fine I guess.

Regards, michael
-- 
Want support? Please read the list rules first: http://typo3.org/1438.0.html
==
Time to subscribe to typo3-announce:
http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-announce
