Bug #105964
openInstall tool can be opened during total backend shutdown
Description
When the `$GLOBALS['TYPO3_CONF_VARS']['BE']['adminOnly']` is set to `-1`
and you try to log into the backend, the following error message is displayed:
```
Backend and Install Tool are locked for maintenance. [BE][adminOnly] is set to "-1".
```
This suggests to me that the Install tool is also locked. However, accessing the install tool
via https://site-introduction.ddev.site/typo3/install.php still works.
So either the error message is incorrect (then I would open a forge ticket) or the install tools can be opened even though they shouldn't be (checked with the security team, they see no security issue here).
According to the docs https://docs.typo3.org/permalink/t3coreapi:confval-globals-typo3-conf-vars-be-adminonly,
a value of -1 means "Total shutdown for maintenance purposes".
So not sure which behaviour would be expected here.
Updated by Oliver Hader 27 days ago · Edited
The corresponding functionality has been rewritten for TYPO3 v6.2.0
from https://review.typo3.org/c/Packages/TYPO3.CMS/+/21468/16/typo3/install/index.php
to https://review.typo3.org/c/Packages/TYPO3.CMS/+/21468/16/typo3/sysext/install/Start/Install.php
However, the corresponding check in the previous index.php
was omitted/forgotten:
```
\TYPO3\CMS\Core\Core\Bootstrap::getInstance()
    // ...
    ->checkLockedBackendAndRedirectOrDie()
    // ...
```
→ Thus, until TYPO3 v6.2.0, the "shutdown" included the standalone Install Tool as well.