A large number of files were stored with executable permissions. This
may be a (minor) security risk and can be confusing. The patch removes
the executable permissions on all files but:

* typo3/cli_dispatch.phpsh
* typo3/cleaner_check.sh
* typo3/cleaner_fix.sh

Resolves: #56571
Releases: 6.2
Change-Id: Ib6a9fb19fe716d7d5405d5a7120b50269bdbf5f8
Reviewed-on: https://review.typo3.org/28072
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

SQL parser is unable to parse the complex Upgrade Wizard query. As we
know that it is compatible with DBMS we actively support (MySQL,
PostgreSQL, Oracle, MS SQL), a pragmatic solution is implemented to
bypass the parser while keeping compatibility with DBAL and its remapping
feature.

Releases: 6.2
Fixes: #56390
Change-Id: I54c01a3eca73668be579fb45e6fea907664290d6
Reviewed-on: https://review.typo3.org/27996
Reviewed-by: Andreas Fernandez
Tested-by: Andreas Fernandez
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert

The backend search is currently not
working for file collections etc as there
is no searchFields string provided.

The patch adds them, and also
adds it to non-visible records like
sys_file and sys_file_records as they
might be used in a different
visualization when having a filesearch
service.

The patch is easily testable if you
take a file collection and name it
"my collection". Searching in the list
module on that page for "collection"
does not show anything without
the patch.

see
https://review.typo3.org/#/c/16725/9

Releases: 6.2
Resolves: #56410
Change-Id: I0e99b3b291f085b81560e8f823d3e258a8645fc0
Reviewed-on: https://review.typo3.org/27928
Reviewed-by: Tom Ruether
Tested-by: Tom Ruether
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Change-Id: Ie70bf11000e9b70f60bbd6923ab1516904164edd
Reviewed-on: https://review.typo3.org/28062
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team

Change-Id: I034ed6f244869918e9e3b7c189a629825d76df79
Reviewed-on: https://review.typo3.org/28061
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team

We can only clear the opcache in XCache if xcache.admin.enable_auth is not
set, else you get a fatal error.

Resolves: #56554
Related: #55252
Releases: 6.2
Change-Id: Ia33afc4141852c58266f6c7dfedec82f4c35148d
Reviewed-on: https://review.typo3.org/28059
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

Refine the class and interface structure of
Install Tool actions.

Resolves: #52736
Releases: 6.2
Change-Id: Id1b0107670859e140169767233ba9944822e0d8d
Reviewed-on: https://review.typo3.org/24665
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

extListArray is obsolete and can be removed. It is already taken
core off in the install tool upgrade process.

Change-Id: Ie9b86f28deebd3aab1031a725d72d852374e5607
Resolves: #56552
Releases: 6.2
Reviewed-on: https://review.typo3.org/28054
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Cache Identifiers shorten the MD5 hash - This is superfluous substr() work
without any gain - remove it.

Change-Id: I0061337afb74df2f29aae69f868a1a0bbe3ad966
Resolves: #56313
Releases: 6.2
Reviewed-on: https://review.typo3.org/27878
Reviewed-by: Dmitry Dulepov
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

If a driver is readonly, the upload button in the file list disappears,
but the DragUploader is still activated - on the whole page.
Clicking anywhere on the list page causes an upload file selection to
pop up. Additionally the new button is shown but has no functionality.
The patch removes DragUploader and superfluous button.

Change-Id: I3f6c2e932d9f66feb6590f08229ddaaad06e688e
Resolves: #56443
Releases: 6.2
Reviewed-on: https://review.typo3.org/27946
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Christian Weiske
Tested-by: Christian Weiske
Reviewed-by: Rico Sonntag
Tested-by: Rico Sonntag
Reviewed-by: Frans Saris
Tested-by: Frans Saris

When the backend user session expires, currently
a popup window is shown which asks the user to
relogin when salted passwords or rsaauth are used
(which is currently our default).

However when a user works with multiple browser tabs
open, it is easy to overlook this popup. When realizing
that the session is expired and the user logs
into the backend again in one tab, the session
is authenticated in all other open tabs, but a
new CSRF protection token has been generated, which
makes working in this tab impossible, especially
because the tokens are now checked for virtually
any action.

This changes cleans up the AjaxLogin functionality
by making use of the new Ajax API introduced lately
and functionality is added so that AjaxLogin also
works with rsaauth and saltedpasswords enabled.

Additionally the form protection framework is slightly
reworked to better support the re-login and token
restore functionality in the AjaxLogin.

The "showRefreshLoginPopup" functionality is still
kept, because AjaxLogin can still not handle
OpenID logins.

Resolves: #56453
Releases: 6.2
Change-Id: Ic6c3415f292d346293c7d2c775288f4ba62ebc15
Reviewed-on: https://review.typo3.org/27954
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Resolves: #56471
Releases: 6.2
Change-Id: I8bd844326566715201ab3ae82811c945566b5b88
Reviewed-on: https://review.typo3.org/27977
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The upgrade wizard to migrate the fields like e.g.
tt_content->image and pages->media fetches all records
of each table and loops over them. This is basic, and not
very clever, especially when the max_execution_time is
less than the upgrade wizards needs to process all fields
or if the memory_limit is reached because ALL of the
records are fetched.

Thus, the patch modifies the behavior in the following ways:
* As all TCA value are switched from text to integer
 (the value itself, not the DB field yet) the SQL is done to
only fetch records that are not empty, not integer
(and not deleted). This reduces the memory footprint
massively.
* The check for a record is now done for each table and
then for each field of the table (as the SQL has been changed).
* The field is only marked as "done" if no more records were
found in the migration run.
* Also, the redudant myfile_05.jpg are not moved if the
first file with that name (myfile.jpg) was moved already.

The migration wizard can now be run multiple times
(and the counter shows how many records are left).

Furthermore the wizard hides itself now once all migrations
are done.

Resolves: #53845
Resolves: #53891
Releases: 6.2
Change-Id: I835a07158e6869d80b4426d9774754421963ef81
Reviewed-on: https://review.typo3.org/25621
Reviewed-by: Jigal van Hemert
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

In PHP 5.3 anonymous functions can't be bound to static/self so an extra
call to a public function is needed.

Resolves: #56546
Related: #55252
Releases: 6.2
Change-Id: I56fc8c4ae92e50c35e972413540b43ec1fa714fc
Reviewed-on: https://review.typo3.org/28048
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers

When adding a new file through the ResourceStorage there
is a check to see if the file already exists. But this check
does not sanitize the target filename, so it could happen that
you get a false positive because when the file really is added
to the file system the target filename is sanitized.

This patch sanitizes the file name before the fileExists check.

Releases: 6.2, 6.1
Resolves: #55299
Change-Id: I519220040448b08883146caf463ed58544a18453
Reviewed-on: https://review.typo3.org/27806
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Xavier Perseguers
Reviewed-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The new eval function "maximumRecordsChecked"
silently disables the checkbox again when the
maximum number of records has been reached.

The patch adds a log entry for the user on saving
the record.

You can test this change with #55177.

Resolves: #55590
Releases: 6.2
Change-Id: Ie8489f6b8fe519130689098968ae28fabe7c7b8e
Reviewed-on: https://review.typo3.org/27264
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Classes are not overriding the method with a compatible list
of parameters.

Fixes: #48034
Releases: 6.2
Change-Id: I1e288cb90e12e3dc50b38c13bd76988f0be16cab
Reviewed-on: https://review.typo3.org/20602
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers

Method getLabelsFromItemsList() is expected to return an empty list
when the column is populating items from a foreign_table configuration
option. Method getProcessedValue() is explicitly checking this to
retrieve the label from the corresponding foreign record if it could not
be resolved from the list of static items.

This reverts commits 5dd32b83 and
9596d4da and moves the business logic
into method getProcessedValue().

Releases: 6.2, 6.1
Fixes: #54131
Change-Id: I15dcf0c4bcb76ecc85de8e3202b1376a24981b06
Reviewed-on: https://review.typo3.org/27689
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Instead of relying on the backward compatiblity layer of the
FrontendContentAdapterService when rendering images with
css_styled_content the render_textpic method is modified so that it
is also be possible to use FAL functions and properties for image
rendering.

The captionsSplit / imageTextSplit constants are removed because
every image has its own properties for that with FAL and they are
not needed any more.

The globalCaption rendering was removed because the captions are now
always attached to a single image.

The longdescURL handling was also removed because the files do not
have this property at the moment and the longdescURL field for
tt_content records is also not visible in the Backend.

Resolves: #53764
Releases: 6.2
Change-Id: I1d9c8ad1d7a498816e724960613818a05d587d4f
Reviewed-on: https://review.typo3.org/25511
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Frans Saris
Tested-by: Frans Saris

If the RTE magic images FAL migration upgrade wizard in the
install tool ever fails (due to max_execution_time) or some
SQL error, then the migration stops and can be run again.

However, if the wizard is run again, it always checks
if the source file still exists. The wizard should rather
check if the target file exists, if not, move the source file
to the target file.

As a separate "step" in this wizard, if the target file (already)
exists, then the DB change can be done.

Additionally, a typo for the output is fixed as well.

Resolves: #53846
Releases: 6.2
Change-Id: Id7c3b6176997848210d83c54cd133819ab15f435
Reviewed-on: https://review.typo3.org/25622
Reviewed-by: Wouter Wolters
Reviewed-by: Tom Ruether
Tested-by: Tom Ruether
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

In case sys_file_reference contains references to tables that no longer
exist physically (i.e. for extensions that were deinstalled and tables
then deleted through "Database Compare"), the sys_reference_table
upgrade wizard now no longer fails with an exception. Instead the buggy
rows will be deleted from the table.

Resolves: #53650
Releases: 6.2
Change-Id: I6a95b4abef77848de3ed97a1cf9b212434be7c98
Reviewed-on: https://review.typo3.org/25414
Reviewed-by: Wouter Wolters
Reviewed-by: Markus Klein
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

Instead of using a slow COUNT on huge tables, we add an
additional query here, which tries to get the first
found record in oder to test if records exists
or not. This new query is extremely fast, because it
uses indexes. It only needs one huge table
like sys_log in your database to see a performance
boost in BE list module.

Resolves: #55891
Releases: 6.2
Change-Id: I920729421bcece8af3b7cdd5f53446e5a1be5300
Reviewed-on: https://review.typo3.org/27554
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer
Reviewed-by: Oliver Klee
Reviewed-by: Markus Klein
Tested-by: Markus Klein

When a column is defined as a multivalued static enumeration:
'somecolumn' => array(
    'exclude' => 0,
    'label' => 'Some label',
    'config' => array(
        'type' => 'select',
        'items' => array(
            array('Option 1', 1),
            array('Option 2', 2),
            array('Option 3', 3),
            array('Option 4', 4),
        ),
        'size' => 4,
        'maxitems' => 4,
        'eval' => ''
    ),
),
it is not possible to query the domain model using operation "contains":
$value = 2;
$query->matching(
    $query->contains('somecolumn', $value)
);

Releases: 6.2, 6.1
Fixes: #56205
Change-Id: If898db7f355ad931d1c8b55febc2f59f19b0f38b
Reviewed-on: https://review.typo3.org/27787
Reviewed-by: Alexander Opitz
Reviewed-by: Wouter Wolters
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Markus Klein
Tested-by: Markus Klein

After manipulating PHP files, which we include with "require" we should
clear the opcode cache, if there is one installed.

So we introduce OpcodeCacheUtility to handle the clearing of the opcode
cache. Also to have a way to give feedback to the install tool which
can show the quality of the opcode cache in use. It also checks if an
opcode cache is enabled in the configuration, not only if the extension
is installed.

Use of this opcode cache clearing is added to the ConfigurationManager,
PackageManager and the cache (Simple)FileBackend.

Make use of this data in the SystemEnvironmentCheck.

Resolves: #55252
Releases: 6.2, 6.1, 6.0
Change-Id: I881f3fbe055c9566663c2c3c238de62ae30f7149
Reviewed-on: https://review.typo3.org/27024
Reviewed-by: Markus Klein
Tested-by: Markus Klein

The standard-search relies on basic form-functionality.
But if EXT:form is installed, that functionality is overlaid
and the result is wrong.

Provide a flag so that standard-search can request to use
the "basic" form-functionality, preventing EXT:form from
dealing with it.

Change-Id: I52cbd6cecc7222217ff766393dd37ad9d1a9aa30
Resolves: #50274
Releases: 6.2, 6.1
Reviewed-on: https://review.typo3.org/28042
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert

DBAL's DatabaseConnection::INSERTquery() builds an array. The keys
(fields) are mapped through quoteFieldNames(), which returns an empty
string. DBAL's SqlParser tries to use $GLOBALS['TYPO3_DB'], which is
not available here.

Resolves: #56306
Releases: 6.2
Change-Id: I97eff8f796fcb8d530d16ff5f6111ebd5d28d5ce
Reviewed-on: https://review.typo3.org/27864
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Current Order:

* Welcome
* Important actions
* System environment
* Configuration Presets
* Folder structure
* Test setup
* Upgrade Wizard
* All configuration
* Clean up
* Logout from Install Tool

New proposed order:

* Important Actions
* Configuration Presets
* All Configuration
* Upgrade Wizard
* System environment
* Folder Structure
* Test Setup
* Cleanup

"Logout" is put below the menu as a link and "Welcome"
is just the first screen but without any menu item for it.

Resolves: #56497
Releases: 6.2
Change-Id: I20a3c363e5039b875c0aef2d23353f981dabee6b
Reviewed-on: https://review.typo3.org/28002
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny
Reviewed-by: Jan Helke
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

After submitting an invalid form twice, extbase tries to
create the related submodel instead of edit.
This is because of the missing __identity part
for the related submodel

Resolves: #46185
Releases: 6.0, 6.1, 6.2
Change-Id: If3ec15b9eff0fc8d9a7dc682518cbfd72bb4665b
Reviewed-on: https://review.typo3.org/21101
Reviewed-by: Stefan Neufeind
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

As felogin and some other extensions don't work without
css_styled_content it should be enabled by default as well. This patch
adds the Package class to install the extension by default.

Resolves: #56292
Releases: 6.2
Change-Id: I9aad88966c0c292cdff865276dc131f358a52697
Reviewed-on: https://review.typo3.org/27858
Reviewed-by: Dmitry Dulepov
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Christian Kuhn
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Brings visual illusion for :active / click state.
Bugfixes :hover on <button>

Resolves: #56480
Releases: 6.2
Change-Id: I08d38c50d23f5fbcf591dbd54edca34944568591
Reviewed-on: https://review.typo3.org/27983
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

PHP Warning: Illegal string offset 'usergroup' is shown when
trying to login to the frontend while currently already being
logged into the backend.

Also the usergroup-column needs to be fetched from
$this->fe_user->usergroup_column.

Change-Id: Ia9772262616e9bd62e0827b0f211b8efe77ea80b
Resolves: #56508
Releases: 6.2
Reviewed-on: https://review.typo3.org/28000
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert

If an extension used static content ID 43 (content default),
it also added itself (during each runtime of ext_localconf.php)
to all available content blocks.
The original way is problematic as an extension that
provides content templates may be included after
an extension that wants to add itself after all content
templates.
This is now more confusing as the package manager
resolves the ordering of extensions and now,
CSS Styled Content gets loaded after felogin and
indexed_search.

To resolve this problem completely, the additional
TypoScript for each "contentRenderingTemplate",
a TS template that provides default content renderings,
is added to one global default TypoScript and is only
merged at the TemplateService class.

Therefore the extension loading ordering does not
matter anymore.

Resolves: #55942
Resolves: #55174
Resolves: #55557
Releases: 6.2
Change-Id: Id0c983bf96a3a76fde2183c57a17066ef8fd4ac8
Reviewed-on: https://review.typo3.org/27587
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

PHP Warning: Illegal string offset is thrown in some places
if an fe_user logs out.

Resolves: #55696
Releases: 6.2
Change-Id: I532a27c0d2fc4b80d3a3f92da0079f4e9517d06c
Reviewed-on: https://review.typo3.org/27362
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Oliver Klee
Reviewed-by: Alexander Opitz
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

SearchController::compileSingleResultRow() causes double
htmlspecialchars() call on $title.

This patch removes the general htmlspecialchars() call since
$title will be escaped in linkPage() anyway.
The only place which requires escaping has the call added now.

Resolves: #56262
Releases: 6.2, 6.1, 6.0
Change-Id: Ic94fe7fe7d2145fc539adcdf21faf42c33f5b32e
Reviewed-on: https://review.typo3.org/27849
Reviewed-by: Stefan Neufeind
Reviewed-by: Dragan Tomic
Tested-by: Dragan Tomic
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

The delimiter has to be reversed for the case of limit 2,
as the search is performed on the non-reversed string.
Otherwise the function will yield different results for
limits greater than 2.

Resolves: #56405
Releases: 6.2
Change-Id: I077d38918d98fbe2e5cd153c75b115e0d95734f8
Reviewed-on: https://review.typo3.org/27926
Reviewed-by: Georg Tiefenbrunn
Tested-by: Georg Tiefenbrunn
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

If the DataMapper shall map a 1:N relation for
a property of a domain object and the element
type of this property is another domain object
and not a storage type, the data mapper must
always fetch the related elements from persistence
and cannot rely on the persistence session lookup.

This is the case because the relation to the parent
is set on the child side and not the other way around.
The column in the parent row is useless in that case
and does not hold the id of the child.

We can also not rely on the persistence session
because we do not know the identifier of the child
until we fetched it.

Resolves: #56442
Releases: 6.2, 6.1
Change-Id: Icc3ebf9b825f6380691c60839621f01ca9875e4e
Reviewed-on: https://review.typo3.org/27949
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Marc Bastian Heinrichs
Tested-by: Marc Bastian Heinrichs

The condensed mode user setting has been removed
three years ago with #24585

Now also remove the leftover parts.
Keep the language labels to not interfere
with older versions.

Resolves: #56479
Releases: 6.2
Change-Id: I8cb3ebc5aac162357ce1d343eed1031156ccd749
Reviewed-on: https://review.typo3.org/27980
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Resolves: #53753
Releases: 6.2
Change-Id: I3acb81c71796bc84ada29e6cdf6141be07f69ca3
Reviewed-on: https://review.typo3.org/25503
Reviewed-by: Christian Opitz
Reviewed-by: Fabien Udriot
Tested-by: Fabien Udriot
Reviewed-by: Felix Kopp
Tested-by: Felix Kopp
Reviewed-by: Thomas Maroschik
Tested-by: Thomas Maroschik

The DataProviderTest calls BackendUtility::isRecordLocked
statically. We cannot mock that call, but we can
"mock" a locked record so that BackendUtility::isRecordLocked
does not query the database.

Resolves: #56472
Releases: 6.2
Change-Id: I268a7a900a0f2dcbf248f6a4d856354c7b1cdcd6
Reviewed-on: https://review.typo3.org/27975
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Introduces two new upgrade wizards in the Install tool.

The first wizard - added as first step of the upgrade wizards - adds
tables, fields and keys to comply to the database schema. When this is
necessary no other wizards can be executed until these are created.

The second wizard - added as last step of the upgrade wizards - changes
tables, fields and keys to comply to the database schema. When other
upgrade wizards are available, this one is not available to make sure
they have all necessary fields.

In order to make sure they are added as first and last step they are
added in UpdateWizard instead of ext_localconf.php.

The former "Final step" is now optional and has been renamed to "Hint".
The buttons to start the update wizards from the list have been renamed
from "Next" to "Execute".

Resolves: #53890
Releases: 6.2
Change-Id: I866b558df3325acca3122bbd4e0c2285447fcdf3
Reviewed-on: https://review.typo3.org/27240
Reviewed-by: Markus Klein
Tested-by: Markus Klein