Project

General

Profile

Actions

Bug #105964

open

Install tool can be opened during total backend shutdown

Added by Lina Wolf 27 days ago. Updated 27 days ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Install Tool
Target version:
-
Start date:
2025-01-20
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
13
PHP Version:
8.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

When the `$GLOBALS['TYPO3_CONF_VARS']['BE']['adminOnly']` is set to `-1`
and you try to log into the backend the following error message is displayed:

```
Backend and Install Tool are locked for maintenance. [BE][adminOnly] is set to "-1".
```

This suggests to me that the Install tool is also locked. However accessing the install tool
via https://site-introduction.ddev.site/typo3/install.php still works.

So either the error message is incorrect (then I would open a forge ticket) or the install tools can be opened even though they shouldn't be (checked with the security team, they see no security issue here).

According to the docs https://docs.typo3.org/permalink/t3coreapi:confval-globals-typo3-conf-vars-be-adminonly
a value of -1 means "Total shutdown for maintenance purposes"

So not sure which behaviour would be expected here.

Actions #1

Updated by Oliver Hader 27 days ago · Edited

The corresponding functionality has been rewritten for TYPO3 v6.2.0

from https://review.typo3.org/c/Packages/TYPO3.CMS/+/21468/16/typo3/install/index.php
to https://review.typo3.org/c/Packages/TYPO3.CMS/+/21468/16/typo3/sysext/install/Start/Install.php

However, the corresponding check in the previous index.php was omitted/forgotten:

\TYPO3\CMS\Core\Core\Bootstrap::getInstance()
 // ...
 ->checkLockedBackendAndRedirectOrDie()
 // ...

→ Thus, until TYPO3 v6.2.0, the "shutdown" included the standalone Install Tool as well.

Actions

Also available in: Atom PDF