Feature #59511
closed
Remove previous TYPO3 version after core update
Description
Install Tool -> Important Actions -> Core Update
After updating the TYPO3 core to a new version, the old TYPO3 source directory remains in the file system. This has at least two significant drawbacks:
(1) Data consumption
An extracted TYPO3 source package currently consumes around 90M bytes of data. Most hosters limit the disk space of a web container, and depending on the hosting plan and the size of the web site, files in fileadmin, database, etc., this data could be used more wisely, especially if someone updates from 6.2.0 to 6.2.1 to 6.2.2 to 6.2.3, etc. (6 updates consume almost 500M bytes of unused data).
Keep in mind that the "Core Update" feature predominantly targets TYPO3 site owners who do not work with web servers, command line tools, etc. every day, so problems are inevitable.
(2) Security
If the update has been done due to an insecure TYPO3 core version, the old, insecure sources should not remain in the file system. Depending on the vulnerability, it might be possible to exploit a security issue. We also highlight this in our official TYPO3 Security Guide [1]:
(quote) As a general rule, it is highly recommended you remove all code from the system that is not in use. This includes TYPO3 extensions, any TypoScript [...], PHP scripts as well as all other functional components.
Suggested Solution:
Introduce another step at the end of the Core Update process that asks the user (maybe even recommends) whether the previous TYPO3 source directory (version x.y.z) should be removed from the file system to save disk space. In case of a security update, an appropriate, exigent warning should strongly recommend this.