Project

General

Profile

Actions

Bug #21935

closed

dummy-4.3.0.tar.gz has no ENABLE_INSTALL_TOOL

Added by Franz Holzinger almost 15 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
-
Start date:
2010-01-09
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

If you download the dummy-4.3.0.tar.gz and unpack it, then it does not have any file typo3conf/ENABLE_INSTALL_TOOL . This does not make sense, because you will soon need this file to continue. On a fresh database you cannot log in into the backend before you have started with the install tool. And the install tool will not work without this file.

(issue imported from #M13190)


Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #22876: Automatically create ENABLE_INSTALL_TOOL file when 1-2-3 Install Tool is usedClosedJeff Segars2010-06-14

Actions
Actions #1

Updated by Chris topher almost 15 years ago

Also if you say, that the file will be deleted after an hour and so there won't be a big securitys whole, if it was present just from the beginning, the problem remains that the file may not be older than one hour when accessing the install tool.
How do you think this modification time should be saved in the package?

Besides that the message appearing on the screen, when you access the locked install tool is rather clear I think.

Actions #2

Updated by Franz Holzinger almost 15 years ago

Make a modification: Add a file ENABLE_INSTALL_TOOL.001 which will automatically be copied to ENABLE_INSTALL_TOOL with a most current date. If the user does not delete the ENABLE_INSTALL_TOOL.001, then he can always log in.

The appearing message is clear only to the very few English native speakers and the few TYPO3 experts, but never to the big number of normal TYPO3 users.

Actions #3

Updated by Chris topher over 14 years ago

If I understand you correctly, you want to have a usability improvement when setting up a new TYPO3 installation. You want the Install Tool always to be activated by default, without the user having to do anything.

That way every new TYPO3 installation is basically open to attackers. With an Install Tool auto enabled by default an attacker will have full control over the installation. Considering that it might be an absolute beginner who configured the system (that are the people you are thinking of), maybe there even is access to the whole database and more...
Since TYPO3 stores all its files under the webroot, this will work for an attacker really easy: Just scan for such an ENABLE_INSTALL_TOOL.001 file in typo3conf/ and you know where to take over a site.
Taking all this into account I consider this a great security risk and am strongly against such a feature.

Now you could say: OK, let's place this file there, when the user who just installed the system presses a button.
But where is then the usability improvement?
You already can put that file there easily by creating it via shell (which you should know, when you just installed TYPO3 using it) or via FTP (which really is no big extra effort after waiting for tenthousands of files to upload).
Adding just another way of doing one and the same thing won't make life easier, but will instead make things even more complicated.

So the usability improvement will be only marginal while the danger arising from such a behaviour is not to be underestimated.

At least after #22503 the Install Tool message in my eyes contains a clear instruction on how to solve the problem. It indeed is sad that this message is not localizable. To change that and have it localized when the user first accesses the Install Tool it won't be enough to use locallang files, because the translations would not yet have been fetched after copying the Core files.
However, this is really offtopic here. Please open a new issue, if you want to improve that!

Actions #4

Updated by Chris topher over 14 years ago

A reasonable logic for this problem is to be introduced with #22876.

Actions #5

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF