Move credentials outside of the webroot

Default TYPO3 behaviour

TYPO3 by default stores all kinds of configuration in a file called typo3conf/localconf.php. Alongside backend, frontend and graphics configuration, security-related information is stored there too (encryption key, database name/username/password, install tool password hash). Because it is a PHP file that doesn't output anything and PHP is installed (otherwise TYPO3 wouldn't run), this is not considered to be a security problem.

However, typo3conf/localconf.php is located in the webroot and is therefore reachable by any website user; a request for that file returns a parsed, empty web page.

I personally don't like that. Information that is not intended to be published (in contrast, it is intended to be kept private) should not be stored in the webroot.

Worst case example: You are upgrading the PHP package or recompiling PHP and suddenly the PHP interpreter stops working; *.php files might, due to a configuration error, no longer be associated with the PHP interpreter; a vulnerability in TYPO3 exposes unparsed PHP files (I hope this will never happen again). The result of such problems would be that Apache delivers that file in plain text, giving an attacker access to the credentials.

What a default typo3conf/localconf.php looks like:

 

localconf.php
<?php
$TYPO3_CONF_VARS['SYS']['sitename']='FooBar';

$typo_db_host='127.0.0.1';
$typo_db='foo_db';
$typo_db_username='foo_dbu';
$typo_db_password='bar';


$TYPO3_CONF_VARS['SYS']['encryptionKey']='foo';

$typo_db_extTableDef_script='extTables.php';

## INSTALL SCRIPT EDIT POINT TOKEN - all lines after this points may be changed by the install script!

$TYPO3_CONF_VARS['EXT']['extList']='fooBar';

?>

Consider the following directory structure. "htdocs" is the webroot of the website where TYPO3 resides. The directory "configuration" is on the same level as "htdocs" and therefore outside of the webroot.

 

Improved version

With that additionally created directory "configuration" in place, we are now able to include files from there.

In typo3conf/localconf.php we set up a variable that holds the path to the configuration directory, include (require) a credentials.inc.php file, then cut the credentials from localconf.php and paste them into credentials.inc.php.

These files now look as follows:

 

localconf.php
<?php

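// Resolve ../../configuration relative to typo3conf/, i.e. the directory next to the webroot
$confDir=(realpath(dirname(__FILE__). DIRECTORY_SEPARATOR
            .'..'. DIRECTORY_SEPARATOR
            .'..'. DIRECTORY_SEPARATOR
            .'configuration'));

// Credentials live outside the webroot; require() aborts the request if the file is missing
require($confDir. DIRECTORY_SEPARATOR .'credentials.inc.php');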

$TYPO3_CONF_VARS['SYS']['sitename']='FooBar';

$typo_db_host='127.0.0.1';
$typo_db='foo_db';

$typo_db_extTableDef_script='extTables.php';

## INSTALL SCRIPT EDIT POINT TOKEN - all lines after this points may be changed by the install script!

$TYPO3_CONF_VARS['EXT']['extList']='fooBar';

?>

credentials.inc.php
<?php

$typo_db_username='foo_dbu';
$typo_db_password='bar';

$TYPO3_CONF_VARS['SYS']['encryptionKey']='foo';

?>
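
An added check, not part of the original article: a small Python audit that walks a webroot and reports any file still assigning the three settings moved to credentials.inc.php above. The function names and the sample tree it builds are constructed for illustration; it also catches stray copies such as editor backups of localconf.php.

```python
import re
import tempfile
from pathlib import Path

# Settings the article moves out of localconf.php (names as shown on the page).
SENSITIVE = re.compile(
    r"""^\s*\$(typo_db_username|typo_db_password|
        TYPO3_CONF_VARS\['SYS'\]\['encryptionKey'\])\s*=""",
    re.VERBOSE | re.MULTILINE,
)
MAX_BYTES = 1_000_000  # skip large files; configuration files are small


def audit_webroot(webroot):
    """Return sorted (relative_path, setting) pairs assigned inside the webroot."""
    root = Path(webroot).resolve()
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for match in SENSITIVE.finditer(text):
            findings.add((path.relative_to(root).as_posix(), match.group(1)))
    return sorted(findings)


def build_sample(base, improved):
    """Create the article's layout under base (constructed sample data)."""
    conf = Path(base, "htdocs", "typo3conf")
    conf.mkdir(parents=True)
    creds = ("$typo_db_username='foo_dbu';\n$typo_db_password='bar';\n"
             "$TYPO3_CONF_VARS['SYS']['encryptionKey']='foo';\n")
    body = "<?php\n$typo_db_host='127.0.0.1';\n$typo_db='foo_db';\n"
    if improved:
        outside = Path(base, "configuration")  # sibling of htdocs
        outside.mkdir()
        (outside / "credentials.inc.php").write_text("<?php\n" + creds)
        (conf / "localconf.php").write_text(body)
    else:
        (conf / "localconf.php").write_text(body + creds)
    return Path(base, "htdocs")


if __name__ == "__main__":
    for improved in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            print("improved" if improved else "default",
                  audit_webroot(build_sample(tmp, improved)))
```

An empty result for the real webroot means none of these three assignments remain in any file the web server could deliver.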

Bonus

In the same way as in the credentials.inc.php example, we are now able to extract other configuration data and put it in a separate file.

I usually do this for per-host configuration (vs. per-website!), which means graphics configuration, configuration of paths to binaries, etc. Development, staging and production servers might differ (even different OS); files in the webroot (or a backup of those) can then easily be exchanged between these servers and will never again require a modification of configuration data to fit each server's special layout.

Of course this also helps when setting up new websites; simply copy an existing configuration directory on the same server. You won't need to deal with e.g. graphicsmagick/imagemagick configuration for new websites again and again.
