Fixed bug #11710: Remove local loopback bypass in Install Tool Login (thanks to Mario...
[Packages/TYPO3.CMS.git] / typo3 / install / index.php
1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 1999-2009 Kasper Skaarhoj (kasperYYYY@typo3.com)
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 * A copy is found in the textfile GPL.txt and important notices to the license
17 * from the author is found in LICENSE.txt distributed with these scripts.
18 *
19 *
20 * This script is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * This copyright notice MUST APPEAR in all copies of the script!
26 ***************************************************************/
27 /**
28 * Starter-script for install screen
29 *
30 * $Id$
31 *
32 * @author Kasper Skaarhoj <kasperYYYY@typo3.com>
33 * @package TYPO3
34 * @subpackage core
35 */
36
37
38
39 // **************************************************************************
40 // Insert some security here, if you don't trust the Install Tool Password:
41 // **************************************************************************
42
43 error_reporting (E_ALL ^ E_NOTICE);
44 $PATH_thisScript = str_replace('//','/', str_replace('\\','/', (PHP_SAPI=='cgi'||PHP_SAPI=='isapi' ||PHP_SAPI=='cgi-fcgi')&&($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED'])? ($_SERVER['ORIG_PATH_TRANSLATED']?$_SERVER['ORIG_PATH_TRANSLATED']:$_SERVER['PATH_TRANSLATED']):($_SERVER['ORIG_SCRIPT_FILENAME']?$_SERVER['ORIG_SCRIPT_FILENAME']:$_SERVER['SCRIPT_FILENAME'])));
45
46 // Only allow Install Tool access if the file "typo3conf/ENABLE_INSTALL_TOOL" is found
47 $enableInstallToolFile = dirname(dirname(dirname($PATH_thisScript))).'/typo3conf/ENABLE_INSTALL_TOOL';
48
49 if (is_file($enableInstallToolFile) && (time() - filemtime($enableInstallToolFile) > 3600)) {
50 $content = file_get_contents($enableInstallToolFile);
51 $verifyString = 'KEEP_FILE';
52
53 if (trim($content) !== $verifyString) {
54 // Delete the file if it is older than 3600s (1 hour)
55 unlink($enableInstallToolFile);
56 }
57 }
58
59 // Change 1==2 to 1==1 if you want to lock the Install Tool regardless of the file ENABLE_INSTALL_TOOL
60 if (1==2 || !is_file($enableInstallToolFile)) {
61 die(nl2br('<strong>The Install Tool is locked.</strong>
62
63 Fix: Create a file typo3conf/ENABLE_INSTALL_TOOL
64 This file may simply be empty.
65
66 For security reasons, it is highly recommended to rename
67 or delete the file after the operation is finished.
68
69 <strong>If the file is older than 1 hour TYPO3 has automatically
70 deleted it, so it needs to be created again.</strong>
71 '));
72 }
73
74
75
76 // *****************************************************************************
77 // Defining constants necessary for the install-script to invoke the installer
78 // *****************************************************************************
79 define('TYPO3_MOD_PATH', 'install/');
80 $BACK_PATH='../';
81
82 // Defining this variable and setting it non-false will invoke the install-screen called from init.php
83 define('TYPO3_enterInstallScript', '1');
84 require ('../init.php');
85
86 ?>