- Nov 17, 2020
-
-
Oliver Hader authored
Change-Id: Ie2adfafff4ab57cac9426d9a5784b794f459ea7c Resolves: #92829 Releases: master Security-Bulletin: TYPO3-CORE-SA-2020-009 Security-References: CVE-2020-26216 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66662 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Markus Klein authored
The access settings is an exclude field and hence the value is synchronized to the translation. Fetching the translation overlay therefore does not need to evaluate the fe_groups again. Resolves: #91725 Releases: master, 10.4, 9.5 Change-Id: Ie6ec2208d15f67eafb6a48627c5f1b76ffdc5725 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66330 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
- Nov 16, 2020
-
-
Alexander Schnitzler authored
Since there is no dedicated AbstractController any more and ActionController cannot be dispatched without being extended the class is finally marked abstract. Releases: master Resolves: #92850 Change-Id: I910765ded482a59789dc3830701e497b4b8b45b8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66642 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
-
Oliver Hader authored
Introduces Content-Security-Policy HTTP header check on fileadmin/ resources. This can be seen as follow-up up to TYPO3-CORE-SA-2020-006 and TYPO3-PSA-2019-010 now actively analyzing this HTTP header and letting users know in reports module and system environment check of the Install Tool. Resolves: #92835 Releases: master, 10.4, 9.5 Change-Id: I53028ae36c9195082993ee89d630efa7b555c547 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66627 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
-
Oliver Hader authored
The session expiration time for the install tool is reduced from 60 to 15 minutes. When accessing the install tool via backend user interface, currently logged in backend users have to confirm their user password again in order to get access to the install tool. This process is known as "sudo mode". Standalone install tool is not affected by sudo mode confirmation. This change enforces mitigation as mentioned in TYPO3-CORE-SA-2020-006, see https://typo3.org/security/advisory/typo3-core-sa-2020-006. Resolves: #92836 Releases: master, 10.4, 9.5 Change-Id: Ib4f0e92346610879347a48587ffd575429b98650 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66630 Tested-by:
Torben Hansen <derhansen@gmail.com> Tested-by:
-
Christian Kuhn authored
Instead of instantiating PageRenderer early in ext_localconf, the additional require js for t3editor and rte_ckeditor is now injected by a PageRenderer hook when needed. Releases: master Resolves: #92848 Change-Id: I070d75482deb0b4c7a301719440ae18d28f0a57a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66641 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
-
Chris Müller authored
Resolves: #92854 Related: #92062 Releases: master Change-Id: I416d747877aa3d7f56e8ddbd3438db27576c0ce4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66645 Tested-by:
-
Chris Müller authored
Resolves: #92851 Releases: master Change-Id: If7249e411165e1050b55d1d7aa9da6896fe3d9ba Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66643 Reviewed-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
-
Benni Mack authored
With this change an undefined symbol is included when not having AdminPanel loaded: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66218 This change aims to change the logic for checking if the preview flag is enabled. Resolves: #92746 Reverts: #92242 Releases: master, 10.4, 9.5 Change-Id: I1005424a86f1ced595b23938bd6dcc70ff2f00c9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66372 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
-
Christian Kuhn authored
Functional test case methods getFrontendResponse() and getFrontendResult() have been deprecated a while ago but their core usages have not been adapted. Do this now by switching to their younger counterparts. Change-Id: Ica1a6625a29b9d35189f2c9fce29da52f121d280 Resolves: #92845 Releases: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66635 Tested-by:
-
Benni Mack authored
In order to build the group resolving more flexible, the major method "fetchGroupData()" is now separated into a smaller chunk as a pre-patch. Resolves: #92814 Releases: master Change-Id: Id688355a869948e1b4eb57f06ed23cee0e2d513c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66598 Tested-by:
-
- Nov 14, 2020
-
-
Eric Chavaillaz authored
If the loading text of the login box is too large, the text exceeds the size of the login button. This patch allow the button to grow vertically. Resolves: #92622 Releases: master, 10.4 Change-Id: I9aa7858fd23c5f5848657c6c029769e9fa8de179 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66554 Tested-by:
Martin Kutschker <mkutschker-typo3@yahoo.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
-
Helmut Hummel authored
Change the implementation of backend deferred image processing to use a file processor, which is only but always used in the backend. By doing so all limitations of the current implementation are resolved, which means, width and height of the image can be set in HTML, to avoid layout shifts and once the images are processed, they will simply be delivered by the web server. Inconsistencies with thumbnail ratio (depending on crop being defined or not) are also tackled on the go. While this changes processing configuration for some files, which triggers a re-generation, it should not matter, as image processing will be done in parallel on request, making such changes viable in a bugfix release. The introduced database field is neither used nor required for the current implementation, but is introduced to provide a possibility for third party processors to replace the current implementation with simple (and persisted) URLs to third party SaaS image processing services. Resolves: #92188 Releases: master, 10.4 Change-Id: I8d1e14324085c5b6ba646475206c8cb10a1fc10d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65237 Tested-by:
-
Christian Kuhn authored
Back in 6.2 at ExtJS times, a feature has been introduced to the workspace module to extend the shown 'data grid' with custom columns. This implementation has been done for one specific customer who nowadays does not use the feature anymore. The feature broke when the transition to a native JavaScript implementation has been done in v8. There is not a single bug report this feature broke in forge, and it is hard to resurrect it with the new client side implementation. The patch drops related code from the extension. This gives core development more freedom to improve the workspace module with other patches. Change-Id: Ie66b172484cdd08de06e019aa004055975948e85 Resolves: #92838 Releases: master Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66632 Tested-by:
Daniel Haupt <mail@danielhaupt.de> Tested-by:
-
Georg Ringer authored
The TSconfig setting `mod.web_layout.disableAdvanced` has been used to disable the "clear cache"-button in the page module. Since this behaviour can be triggered through various other ways, like the context menu or by just saving the page record, this feature is removed completely. Resolves: #92837 Releases: master Change-Id: Ie4c563d89280bc494265611924e2b02727aed644 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66631 Tested-by:
-
- Nov 13, 2020
-
-
Christian Kuhn authored
SqlServer can not handle a transaction for a table, if the same table is queried currently. The install tool database row updater does this. Solution is to skip the transaction on this platform. Additionally, an update query is fixed to hint for proper field types. Resolves: #92832 Releases: master, 10.4 Change-Id: I5fc76705088a727dc1ff41410d6e2cd02b3d9655 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66622 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
-
Oliver Hader authored
* replace string states with specific StatusMessage models * combine file path and base URL in new FileLocation model * streamline responsibilities of classes Resolves: #92834 Releases: master, 10.4, 9.5 Change-Id: Ib1a24fb00d4362062e88f93f236b3fd385015c3c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66624 Tested-by:
-
Andreas Fernandez authored
The package @typo3/icons can be updated to version 2.0.4 which adds some new icons and reverts the icons "actions-edit-hide" and "actions-edit-unhide" to their v1 variants. Executed commands: cd Build yarn add "@typo3/icons@^2.0.4" yarn build Resolves: #92833 Releases: master, 10.4 Change-Id: I78933010cb2d36b0d412b20c5e0d63976cc77035 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66623 Tested-by:
Simon Gilli <typo3@gilbertsoft.org> Tested-by:
-
Benni Mack authored
This change adds the methods * setRequest() * getRequest() * getUriBuilder() to the RenderingContext of EXT:Fluid. The main goal is to reduce the usages of the ControllerContext as much as possible to decouple Extbase from Fluid. When the "setRequest" method is used in the renderingContext, the controllerContext is filled as well, in order to be backwards-compatible. Resolves: #92826 Releases: master Change-Id: I41b8741e947c78895317ef2235959ceb251e103c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66323 Tested-by:
-
- Nov 12, 2020
-
-
Peter Kraume authored
Resolves: #92821 Releases: master, 10.4, 9.5 Change-Id: Ife0999560d3da75051b663b55d46e0f6a5e03dfb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66617 Tested-by:
Peter Kraume <peter.kraume@gmx.de> Tested-by:
Chris Müller <typo3@krue.ml> Reviewed-by:
-
Benni Mack authored
Creating a new record in a workspace adds two database rows. One that is the "placeholder", which - since v10.4 - contains the same metadata as the other record: * t3ver_wsid = workspaceID * t3ver_oid = 0 (simulating behavior of an "online pendant record") * t3ver_state = 1 And the "versionized" record, identified by: * t3ver_wsid = workspaceID * t3ver_oid = uid of the new placeholder record * t3ver_state = -1 As of TYPO3 v10, the first record is not needed anymore, the versioned record can be queried directly, however, since the relations (except MM) point to the placeholder record, this one is kept. As result, only one record is created from now on: * t3ver_wsid = workspaceID * t3ver_oid = 0 (no online counterpart) * t3ver_state = 1 On reading, the record is queried directly (no overlay needed anymore!) with the existing Database Doctrine Restrictions. On publishing, the record just gets the state/stage/wsid set and is "live". This brings fundamental benefits: * No overlays needed when querying * Fewer database records (placeholders are not helpful) * Conceptual problems with placeholder and shadowed fields are removed Resolves: #92791 Releases: master Change-Id: I0288cc63fe72d8442d586f309bd4054ac44e829b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65587 Tested-by:
-
Oliver Bartsch authored
In #92659 the tt_content fields `imagewidth` and `imageheight` have been adjusted to not limit user input per default. This improves the corresponding rst to properly describe the changes made. Resolves: #92825 Relates: #92659 Releases: master Change-Id: I61b1ee1fed95251d1a3be4dc9e3c996fb033aa04 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66611 Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
-
- Nov 11, 2020
-
-
Guido Schmechel authored
Use the current W3C recommended mime types for fonts in htaccess base file, see https://www.iana.org/assignments/media-types/media-types.xhtml#font Releases: master, 10.4 Resolves: #92743 Change-Id: I8abc5abe703ef02ed678e8f7b7b28a3544ce239e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66513 Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
Benjamin Franzke authored
No need to use a fully qualified namespace for 3rd party modules that are placed in TYPO3/CMS/Core/Contrib. There are usually aliases configured in the requirejs configuration, and if they are missing, we add them now. This change additionally drops an unneded module declaration for "TYPO3/CMS/Core/Contrib/imagesloaded.pkgd.min" which is not needed when simply using "imagesloaded" as module name. Commands used: grunt build Releases: master, 10.4 Resolves: #92725 Change-Id: I6e7c02104050202d5c1a8bd0d7546a1496f5636c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65693 Tested-by:
-
Alexander Nitsche authored
Only tables with TCA configurations are available for the export of a TYPO3 instance. The stored export configurations - so called presets - were missing the TCA configuration and thus had to be exported and imported separately in a database client. This patch adds a TCA configuration for the export configurations and thus makes them exportable and importable along with the main dump. The presets are saved on PID=0 and hidden from record lists to force the user to continue managing them with the export module. Resolves: #92346 Releases: master, 10.4 Change-Id: Ic5a9babc91a93f8bf1561b697c4fca0ad548f734 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65770 Reviewed-by:
Rémy DANIEL <dogawaf@no-log.org> Reviewed-by:
-
Xavier Perseguers authored
Due to a refactoring and "unrolling" of buttons in TYPO3 v9, the TSconfig options.saveDocNew has been forgotten when adding a button to create a new record right while editing another one. Even if the new button nowadays is physically not a "Save and create new" action in the label, the behaviour is strictly the same as any unchanged edit will trigger a modal asking whether the changes should be persisted. Releases: master, 10.4, 9.5 Resolves: #87321 Resolves: #92788 Change-Id: Ic79f7ff06afef0cf9423780eef2d5324e5613664 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66559 Tested-by:
Eric Chavaillaz <eric@hemmer.ch> Tested-by:
-
Anja Leichsenring authored
Two new options for the famous Build/Scripts/runTests.sh script have been added, that allow to quickly set up local environment for composer min and max testing. There is now - Build/Scripts/runTests.sh -s composerInstallMax for no platform.php setting and `composer update` preset and - Build/Scripts/runTests.sh -s composerInstallMin for platform.php set to current PHP version bugfix version 0 (like 7.2.0 or 8.0.0) and `composer update --prefer-lowest` preset Resolves: #92795 Releases: master, 10.4, 9.5 Change-Id: I13f782f2e73bb89404fcd2e18d507e2c39e4eba3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66570 Tested-by:
-
Christian Kuhn authored
Contains a change for an upcoming workspace related core patch. composer require --dev typo3/testing-framework ^6.4.7 Change-Id: I11980b635e3a2b00de481a8d73b69368554c08d3 Releases: master, 10.4 Resolves: #92818 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66604 Tested-by:
-
Sybille Peters authored
The Developer page explained how link handling is done in the RTE. This is not specific to linkvalidator and may change in the future. Understanding how the existing events work can be better done by looking in the core. Resolves: #92720 Releases: master Change-Id: I88bdf27c2045c29c0f93bcc3f394cb21471e0b73 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66274 Tested-by:
Björn Jacob <bjoern.jacob@tritum.de> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
-
- Nov 10, 2020
-
-
Sybille Peters authored
Previously, if there were too many redirects, an error message "A redirect loop occurred" was displayed. This was misleading. A redirect loop is different from "too many redirects". "Too many redirects simply means that the maximum number of redirects used by the underlying HTTP request library (Guzzle) is reached before reaching the destination. This happens by default after 5 redirects. Therefore, the "too many redirects" error is now being displayed with its own message. Resolves: #92741 Releases: master Change-Id: I69e191e1f2c771eb83b8c82b2be12dd58730d8e3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66363 Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
-
spthiel authored
The renderType `selectCheckbox` allows for grouping of items, which are rendered as collapsed per default. A new TCA setting now allows to define this behavior for all groups at once. By adding the new setting `expandAll=true`, all groups are initially expanded. If not set or set to FALSE the current behvahiour remains and all groups are collapsed. Releases: master Resolves: #91859 Change-Id: I9db196a7bfa6b1399358afdc785814425a764e80 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65081 Tested-by:
-
Torben Hansen authored
Adds a focus style to the button on the login form so it is visible that the button has the focus. Resolves: #92620 Releases: master, 10.4 Change-Id: I1e98ed780cfbf2744cbf3646317f74911a8deeb2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66259 Tested-by:
Michael Telgkamp <michael.telgkamp@mindscreen.de> Tested-by:
-
Torben Hansen authored
Removed an unknown aria attribute from the modules menu and added an `aria-controls` attribute to 1st level menu items. Resolves: #92634 Releases: master, 10.4 Change-Id: Id15f902053e091add3e1321dbf6e6d23d9a0805d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66261 Tested-by:
-
Benni Mack authored
It is recommended for <style> and <link> HTML tags to not use the "type" attribute anymore. Details: * https://developer.mozilla.org/en-US/docs/Web/HTML/Element/link * https://developer.mozilla.org/en-US/docs/Web/HTML/Element/style The patch drops the attribute from rendering. The patch is marked as a breaking since it changes frontend output. Resolves: #45512 Releases: master Change-Id: I073d7ef6c40a824755768d33fcc71c9f26090801 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65548 Tested-by:
-
Benni Mack authored
The feature flag "security.frontend.keepSessionDataOnLogout" was introduced as part of a security bugfix to still enable frontend users to keep their session data even if they have logged out, where the session data was transferred and migrated to an anonymous session. Since this feature in general is insecure, as people who log off from a public computer would keep session data on that machine, the functionality is fully removed. Resolves: #92807 Releases: master Change-Id: Ieaebcc33e85e1df6e359a7eae318712896800bca Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66596 Tested-by:
-
Anja Leichsenring authored
The formerly hard coded DBMS versions the local testing script Build/Scripts/runTests.sh received more options to run almost all supported DBMS versions by passing addidional parameters. Resolves: #92794 Releases: master, 10.4 Change-Id: I402a605782c1063f4ec336d6279b768a79d1cc2b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66569 Tested-by:
Patrick Schriner <patrick.schriner@diemedialen.de> Tested-by:
-
- Nov 09, 2020
-
-
Benni Mack authored
One of TYPO3's major "fat" classes AbstractUserAuthentication is now thinned out as the "email when X failed login have been reached within a certain period of time" is moved to a hook implementation. AbstractUserAuthentication now does not have - public property $warningEmail - public property $warningPeriod - public property $warningMax - public method checkLogFailures() anymore, as this functionality were only used for this separate logic. Resolves: #92801 Releases: master Change-Id: Ib022af408a740bc6c5bbbb219f23e665182ae83c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66594 Tested-by:
-
Benni Mack authored
The AbstractUserAuthentication property "auth_timeout_field" was used in the past (until TYPO3 8.0) to be filled for backend purposes with "$GLOBALS['TYPO3_CONF_VARS']['BE']['sessionTimeout']" and for backend with the lifetime field. This field was not properly filled since TYPO3 v8.0, see issue #68890 for details. As the field had a dual-use but now is unused, it is properly removed as TYPO3 Core never implemented this on a per-userrecord-basis but handles this via the sessionTimeout propery now. Resolves: #92802 Related: #68890 Releases: master Change-Id: I760b50a292b93229bbebffac08e11393fe53393f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66595 Tested-by:
-
Christian Kuhn authored
* (v10) Moving a page that exists in live within workspaces multiple times does not upate the pid of the t3ver_state=4 overlay. * (v10, master) Moving a page that has translations in workspaces multiple times does not always properly update the pid of the translation overlay records to the new location. The patch fixes both issues and adds a series of functional tests to verify db state of these more complex / chained scenarios. It also marks one scenario as todo where a delete overlay is wrongly turned into a move overlay, effectively loosing the 'shall be deleted in live during publish' information. This can be fixed with another patch. Change-Id: If678440c980b8847232a6d146855025ff0091795 Resolves: #92779 Releases: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66452 Tested-by:
-
Benni Mack authored
In order to ensure best practices security-wise, it is recommended to have the flag "disableNoCacheParameter" enabled by default. The change enables this option for new installations. Resolves: #92792 Releases: master, 10.4 Change-Id: Ifdb2ad46e456f76c8cd78e027068d24f73dbb55c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66567 Tested-by:
-
