- Apr 12, 2022
-
-
Oliver Hader authored
Change-Id: I947cde3378f0d3ca02ef59c35cc7b0e18b85e751
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74273
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: Ib8848fca36837bde9b0f0dc528e44e4ee2fde0af
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74272
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Apr 06, 2022
-
-
Stefan Bürk authored
The check for doing the functional test splitting script and running the selected chunk used a similar but different minimum chunk value to check against. Thus the splitting script has not been executed in all chunk execution contexts.

This patch now uses exactly the same check in the 'Build/Scripts/runTests.sh' like it is defined in the corresponding docker-compose service config.

Furthermore all previously created functional split files are now removed to avoid leftovers, which occurred if a re-run has a lower chunksize defined.

Example which is now properly fixed:

> Build/Scripts/runTests.sh -s functional -c 1/1

Example with partial part files from previous run:

> Build/Scripts/runTests.sh -s functional -c 1/10
> Build/Scripts/runTests.sh -s functional -c 1/8

Resolves: #97283
Releases: main, 11.5, 10.4
Change-Id: Id3a0d1c85540b4e7e46aaea69cf2d96839e8e72e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74194
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- Apr 05, 2022
-
-
Simon Gilli authored
This patch applies the new documentation standards to the .editorconfig.

Resolves: #97302
Releases: main, 11.5, 10.4
Change-Id: I798b355f71dfa7ba8ac20ad424105e99a5c870cc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74141
Tested-by: core-ci <typo3@b13.com>
Tested-by: Lina Wolf <112@linawolf.de>
Reviewed-by: Lina Wolf <112@linawolf.de>
-
- Mar 31, 2022
-
-
Christian Kuhn authored
When core functional tests started to heavily rely on CSV based import- and assertion files, we found that editing such .csv files in Microsoft Excel leads to warnings if the number of columns is not identical for each row.

Script checkIntegrityCsvFixtures.php has then been established to verify all rows of .csv fixture files have the same amount of fields per file, and has been enabled as CI job to ensure all existing fixture files follow this.

Nowadays, this restriction feels archaic: Devs actively working with these CSV files typically edit them in an IDE like PhpStorm directly and don't use Excel for this anymore. The PhpStorm plugin "Rainbow CSV" also helps by coloring these files and other alternatives like libreoffice do not have this 'all rows must have same number of columns' restriction.

The patch drops the script, the runTests.sh usage and the CI calls. This has the additional advantage that line breaks for single fields are now possible, which will further improve handling and readability of field values in upcoming patches.

Resolves: #97274
Related: #83943
Releases: main, 11.5, 10.4
Change-Id: I2b4c2afc98c8471bccae1afb15e055182b563ee7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74131
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- Mar 29, 2022
-
-
Eric Bode authored
In accordance with the core code base, "libs" in "includeJSFooterlibs" must be lowercase.

Releases: main, 11.5, 10.4
Resolves: #97251
Change-Id: I0b1d25d6f22254cf7d3747cf66ab0c7e2e611628
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74133
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- Mar 26, 2022
-
-
Oliver Hader authored
Recent CKEditor4 v4.18.0 addressed several vulnerabilities:

* CVE-2022-24728 (XSS via attributes & comments)
* CVE-2022-24729 (reDoS via Dialog Plugin API)
* see https://ckeditor.com/cke4/release/CKEditor-4.18.0 for details

Mentioned known vulnerabilities are not considered relevant for the TYPO3 backend user interface. By-passing CKEditor's XSS protection allows to persist malicious markup in database fields, which is mitigated during frontend rendering by typo3/html-sanitizer. That's why this issue is handled as regular bugfix.

Executed commands:

    cd Build/
    nvm use
    yarn add ckeditor4@^4.18.0
    rm -r ../typo3/sysext/rte_ckeditor/Resources/Public/JavaScript/Contrib/
    yarn exec grunt build

Resolves: #97239
Releases: main, 11.5, 10.4
Change-Id: I3be12120c316b334e7efd237d0300e6d3cd165a8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74058
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benni Mack <benni@typo3.org>
-
- Mar 25, 2022
-
-
Oliver Hader authored
Recent guzzlehttp/psr7 versions address vulnerability CVE-2022-24775. Mentioned known vulnerability is not considered relevant for the TYPO3 core. That's why this issue is handled as regular bugfix.

Commands executed:

    composer req guzzlehttp/psr7:^1.8.5
    composer req guzzlehttp/psr7:^1.8.5 \
      -d typo3/sysext/core --no-update

Resolves: #97240
Releases: main, 11.5, 10.4
Change-Id: I915b5620140912ecf1e0dc5bc887f4cc25ffb85a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74061
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Mar 22, 2022
-
-
Oliver Bartsch authored
The confirmation password, required for accessing the install tool through the backend, now uses the autocomplete attribute to prevent password managers from initiating a "change password" workflow.

Resolves: #92969
Releases: master, 10.4
Change-Id: I27bc81e7ebaa9684b4e15c7208841ca5e3a4338d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73998
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
-
- Mar 15, 2022
-
-
Benni Mack authored
Resolves: #91204
Releases: 10.4
Change-Id: I68be95cc7517d505ef555ab321119f539c956603
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73858
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
-
- Mar 08, 2022
-
-
Benni Mack authored
Change-Id: Ie878e940ba6365fd72649a25e23d26e06c0db365
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73853
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Benni Mack authored
Change-Id: I06ed4c4b1242374d5792bcf96585fc2dae9eb728
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73852
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
- Mar 07, 2022
-
-
Helmut Hummel authored
The ExpressionLanguageResolver should be generic and not implement some TypoScript related logic. Therefore the check for "ELSE" expression is moved to AbstractConditionMatcher.

Dead code is removed on the go.

Resolves: #97077
Releases: 10.4, 11.5, main
Change-Id: Ic5037b46c65ffb80f2f5b242e671e2454922171c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73838
Tested-by: core-ci <typo3@b13.com>
Tested-by: Helmut Hummel <typo3@helhum.io>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
-
Torben Hansen authored
When ext:felogin is configured to redirectMode "getpost,login", the extension does always redirect to a page configured in TS/Flexform although a valid redirect URL is provided using `return_url` or `redirect_url` GET parameter.

Root cause of the problem is the wrong assignment of the fluid variable `redirectURL`, which should be used for GET/POST redirect urls only.

This patch ensures, that the fluid variable `redirectURL` is assigned either with GET data from `return_url` or `redirect_url` if available.

Resolves: #92068
Releases: main, 11.5, 10.4
Change-Id: Iae3ba5c4345b26a1cf9d52801c6d101c5986dbb4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73785
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
-
- Feb 26, 2022
-
-
Oliver Hader authored
DefaultSanitizerBuilder for HTML sanitizer creates a new behavior for each invocation which is superfluous and can be cached in memory.

Resolves: #96862
Releases: main, 11.5, 10.4
Change-Id: I4a6710524a1f2f1256c8aa7694ceaa56a627a07f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73460
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Feb 22, 2022
-
-
Stefan Bürk authored
Install tool has been trying to connect to the database before checking if a bare minimum of configuration is given. This has been done to decide if the database connect step needs to be shown.

Starting with php8.1 this fails hard and the step is not shown, thus an installation cannot be finished.

This patch changes the checking order and checks for the bare minimum of configuration first, before trying to connect to the database.

    Build/Scripts/runTests.sh -s acceptanceInstall -p 8.1 -d sqlite
    Build/Scripts/runTests.sh -s acceptanceInstall -p 8.1 -d mariadb
    Build/Scripts/runTests.sh -s acceptanceInstall -p 8.1 -d mysql

Resolves: #95545
Releases: master, 10.4
Change-Id: I9923198b26f86e44fd6c1f6655195faa0c79895e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73652
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Oliver Hader authored
Change-Id: Iaf5eac9530f91a647c1702ff2f0800488cdee1c7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73640
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: If64bef86e6414801ec81cd622d4a59c80b5a43ff
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73639
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Feb 21, 2022
-
-
Oliver Hader authored
Recent release of enshrined/svg-sanitize addressed an XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user submitted images that contain markup - which is possible with SVG files.

In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly.

However, recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see https://github.com/darylldoyle/svg-sanitizer/issues/71

Resolves: #96901
Releases: main, 11.5, 10.4
Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73628
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Benjamin Franzke authored
For unknown reasons the /ajax/login/refresh route has never been used (all the way back to v6), to request a session timeout update. Instead the route /ajax/login/timedout, *without* the skipSessionUpdate=1 parameter has been used to refresh an existing session.

With the introduction of configurable route parameters in #81409 this inconsistency wasn't noticed and the skipSessionUpdate parameter has been moved into the route-configuration, which meant /ajax/login/timedout was always called with skipSessionUpdate=1, even as result of the "Stay logged in" button, where a session update was intended.

Use the dedicated /ajax/login/refresh route in order to actually refresh the session.

Releases: main, 11.5, 10.4
Resolves: #96978
Related: #81409
Change-Id: I6e7ac78fdfae49fa07ac6b75d64dd1c381ad7e2b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73625
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
-
- Feb 20, 2022
-
-
Christian Kuhn authored
Recent pdo_sqlsrv 5.10.0 forces SSL enabled connections with valid certificates. We can't supply these in CI right now.

The patch removes active functional testing with this DBMS on CI, but keeps the rest of the infrastructure in runTests.sh and friends.

This is a quick fix to get v11 and v10 green again. We could pick this up again if we find a solution for the certificate issue.

Resolves: #96974
Releases: 11.5, 10.4
Change-Id: I0af99c52ae447ae6974d21236a862179e9b40dd6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73614
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
-
- Feb 12, 2022
-
-
Christian Kuhn authored
Our LICENSE.txt files contain a custom header mentioning details of a 3rd party library.

The patch resets LICENSE.txt files to the default GPLv2 version [1] and moves the 3rd party credits to the backend about module, which already lists other credits. This obeys the author's wish to set a link to his work.

The default LICENSE.txt files have the additional advantage that services like github should recognize the project as GPLv2 licensed project.

[1] https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

Resolves: #96837
Releases: main, 11.5, 10.4
Change-Id: I63a4cd286ea3714667688d12347034b9ae67f276
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73447
Tested-by: core-ci <typo3@b13.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
-
- Feb 08, 2022
-
-
Oliver Hader authored
Change-Id: I46b6ad09eacc8e7da38743607d3537323108d36d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73348
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: I63603e8a8511b2599b20ee1d1065e7cca730e6b9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73347
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Jan 22, 2022
-
-
Benni Mack authored
Due to a bug, the class properties did not override properly using alternative names as the TYPO3-internal "mergeRecursiveWithOverrule" was used in the wrong order.

This patch now uses "array_replace_recursive" and adds the child properties at the very end.

Resolves: #87566
Releases: main, 11.5, 10.4
Change-Id: I91799cfb6c2effb8440bd099502ae801c9a69d15
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73087
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
- Jan 20, 2022
-
-
Oliver Bartsch authored
Under some circumstances, e.g. in a translations only page module, a given $languageId (in this case the default `0`) is not part of the $siteLanguages array, since this only contains languages, allowed for the user.

To fix a null pointer exception, we check whether the SiteLanguage exists, before accessing it.

Resolves: #96600
Releases: 10.4
Change-Id: I2897edbf932075645a0c00dddb441b7eaa098708
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73102
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
-
Oliver Bartsch authored
When previewing pages a null pointer exception is triggered in the frontend RequestHandler, in case $GLOBALS['LANG'] does not exist. This is the case when no user object exists (or is not a FrontendBackendUserAuthentication).

This is now fixed by creating the LanguageService with the corresponding factory and no longer relying on $GLOBALS['LANG'].

Additionally, another possible null pointer is fixed in the factory, since createFromUserPreferences() allows NULL for the first parameter "$user" but previously did not check the provided value before accessing.

Resolves: #96590
Releases: main, 11.5, 10.4
Change-Id: I160a9dae9131973d681b392ee713d1fadcb9a24b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73095
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
-
- Jan 17, 2022
-
-
Christian Kuhn authored
The created reports.xml when running acceptance tests is used for nothing in CI and just uploaded as artifact along with the other reports. When ac tests fail, the generally useful file is reports.html together with the screenshots.

Creating the xml file is skipped now.

Users who still want to create the xml file when running the acceptance test suite can do so by adding the "extra" argument to runTests.sh:

> Build/Scripts/runTests.sh -s acceptance -e '--xml reports.xml'

Resolves: #96557
Releases: main, 11.5, 10.4
Change-Id: Ic385e307bb48702bc9269e42960fc76f1aa0be41
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73050
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- Jan 13, 2022
-
-
Elias Häußler authored
Doctrine uses mixed type for most of their method arguments in QueryBuilder. Since TYPO3 core uses variadic arguments for some methods in the wrapping QueryBuilder, argument types have been streamlined to match the ones in the concrete QueryBuilder instance from Doctrine.

Resolves: #96507
Related: #96457
Releases: main, 11.5, 10.4
Change-Id: I834240f764feac7af9fba7db0d45aaf4927abb2e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73010
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- Jan 11, 2022
-
-
Oliver Hader authored
The change for issue #94357 introduced handling for `event/` URLs, and accidentally modified handling for `video/` URLs as well. As a result, the `video/` IDs were incorrectly resolved containing a leading slash.

Resolves: #96509
Releases: main, 11.5, 10.4
Change-Id: I5623ff59dac44a699877e4e5a2e91707f72a407e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72969
Tested-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: I9afad25a88555d3a89610b63ab0afd21e1284304
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72957
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: I52bd2fc97d0e1a24ad393bc6b2fb4597fb5f73be
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72956
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Jan 10, 2022
-
-
Andreas Fernandez authored
The maintainer of the `colors` package decided to rampage and released a bonkers version, see [1] and [2], causing an implosion of the npm eco system.

Albeit TYPO3 uses this as a transitive dependency only, we're going to be safe and enforce this package to version 1.4.0, the current known to-be-stable version.

[1] https://github.com/Marak/colors.js/issues/285
[2] https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

Resolves: #96499
Releases: main, 11.5, 10.4
Change-Id: Ic8ad9105c9a9bc45bb2519547bb044be672db27c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72931
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
-
Oliver Hader authored
Update to CKEditor v4.17.1 which addressed browser compatibility issues and known security vulnerabilities: https://ckeditor.com/cke4/release-notes

Commands:

    rm -r typo3/sysext/rte_ckeditor/Resources/Public/JavaScript/Contrib
    cd Build
    yarn add 'ckeditor4@^4.17.1'
    yarn build

Resolves: #96494
Releases: main, 11.5, 10.4
Change-Id: I87039f5a5d1fe7488f6d4c5d0c36e90421d4c93e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72930
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Benjamin Franzke authored
Some browsers (reported were Safari and Firefox) are not able to load the file tree when invoking the module the first time.

This is because the iframe src is initially set to about:blank and ModuleMenu calls both, iframe.setAttribute('src', …) and iframe.contentWindow.location.reload(). This seems to cause browsers to abort load as the current URL is being reloaded.

This is actually a result of a refactoring in #52877 where the condition navUrl != currentUrl previously correctly issued a `setUrl()` call but afterwards was swapped to call `refresh()` instead (or rather additionally).

Releases: 10.4
Resolves: #96475
Resolves: #92556
Related: #52877
Change-Id: Ib20c05e0ca6ed1de62cabf86b6a46a3399636fab
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72932
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Update to @claviska/jquery-minicolors v2.3.6 which addressed known security vulnerabilities:

https://security.snyk.io/vuln/SNYK-JS-CLAVISKAJQUERYMINICOLORS-1930824
https://github.com/claviska/jquery-minicolors/releases/tag/2.3.6

Commands:

    cd Build
    yarn add '@claviska/jquery-minicolors@^2.3.6'
    yarn build

Resolves: #96495
Releases: main, 11.5, 10.4
Change-Id: Iaafdd29dd50a18321746fb36702702302078fceb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72942
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Jan 07, 2022
-
-
Jörn Wagner authored
This patch adds a check to detect self referencing redirects, thus avoiding them and instead log an error in the corresponding frontend redirect middleware.

Furthermore, add a bunch of tests along the way to cover this change and the different constellations, for example not avoiding redirect with the same path but external host.

Resolves: #96427
Releases: main, 11.5, 10.4
Change-Id: I554ba51b53065dd754068e379f69c2a5dffc3054
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72808
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Benjamin Franzke authored
User supplied strings must not be concatenated into the format parameter of sprintf() as sequences like %s, or (more likely) %20S (which is ' S' url escaped) may be contained and cause warnings because sprintf() expects additional arguments in that case.

Streamline to always use the static '%s: "%s"' format instead.

Releases: main, 11.5, 10.4
Resolves: #96478
Change-Id: Ic3b09c6e1e7c617e78ea405289680bd78d0aab64
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72901
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
-
- Jan 05, 2022
-
-
Nikita Hovratov authored
With the introduction of itemGroups, the index 3 of the select items array has been shifted one position to the right. Before that, the index 3 was used for descriptions and index 4 for an optional keyword EXPL_ALLOW or EXPL_DENY. These are used together with authMode=individual to explicitly allow or deny single items.

Since descriptions now occupy the index 4, the former usage of this index needs to be shifted as well to index 5. For backwards compatibility reasons, a TCA migration is added, which will check for these special keywords and move them one index up.

Resolves: #96444
Related: #91008
Releases: main, 11.5, 10.4
Change-Id: I32a96f5c6377871551ab4ee60a402a585da7eaa0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72820
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72857
-
Ingo Fabbri authored
This patch adds missing 'CompositeExpression' as union type for QueryBuilder methods 'where()', 'andWhere()' and 'orWhere()' to match the ability of the underlying doctrine/dbal QueryBuilder methods.

Resolves: #96457
Releases: main, 11.5, 10.4
Change-Id: Ib9330ffabcdc7680bfd5bb8a991cec60889c9773
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72879
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-