Introducing Yaml placeholders in backend user interface can lead to
information disclosure and denial-of-service senarios. This change
disallows adding new placeholders and throws an exception - existing
placeholders are kept.

Resolves: #89401
Releases: main, 11.5, 10.4
Change-Id: I69e24de07b5327507e1bf8de990f84402078f7d4
Security-Bulletin: TYPO3-CORE-SA-2022-016
Security-References: CVE-2022-23504
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77087


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Only evaluate TypoScript-like instructions like

```
submitButtonLabel = TEXT
submitButtonLabel.value = Bar
```

defined within

`plugin.tx_form.settings.formDefinitionOverrides`
and
`plugin.tx_form.settings.yamlSettingsOverrides`

and **not** within form definition yaml files or
the form setup yaml files.

This is achieved by not searching the entire form
definition or form setup for TypoScript instructions,
but only the actual TypoScript.

Resolves: #98403
Releases: main, 11.5, 10.4
Change-Id: I7b066f109d6061715c2240b01ed15185c58fa9f5
Security-Bulletin: TYPO3-CORE-SA-2022-015
Security-References: CVE-2022-23503
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77086


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The password reset process for TYPO3 backend and
frontend users does not destroy possible existing
user sessions after the password has been changed.

With this patch, all existing user sessions are
destroyed when the password is changed in the
password reset process.

Resolves: #98462
Releases: main, 11.5, 10.4
Change-Id: I6744bfcf7cae56b4e525f2e0f9a44d06cf14396c
Security-Bulletin: TYPO3-CORE-SA-2022-014
Security-References: CVE-2022-23502
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77085


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

This change ensures that individual storage page ids are
valid by signing corresponding values with an HMAC.

Resolves: #98010
Releases: main, 11.5, 10.4
Change-Id: I34d474ab23adca6bbcf20c108bb60acf6998bc6f
Security-Bulletin: TYPO3-CORE-SA-2022-013
Security-References: CVE-2022-23501
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77084


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

TYPO3 now uses a lock strategy to avoid having to many request
waiting for the generation of the error page (which cannot be
generated via the external HTTP request, as there might be not
enough workers / PHP processes available during a DoS attack).
If a lock is in place, it directly returns a generic error
response instead of waiting for the lock or that the error
page is retrieved/rendered.

Additionally, if the external error page could not be retrieved
(HTTP status code other than 200), it will also create a generic
response and cache that instead. This avoids keeping requesting
for the errounous external HTTP page.

This could happen when using external HTTP requests (Guzzle) to
resolve an error page (via PageContentErrorHandler) for 404 sites.

Resolves: #98384
Releases: 11.5, 10.4
Change-Id: Iae1cae882707a519b2cef85112525ea213a72eef
Security-Bulletin: TYPO3-CORE-SA-2022-012
Security-References: CVE-2022-23500
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77083


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

In case the web server scenario is not properly configured to deny
HTTP host header injection, and the trustedHostsPattern is not explicit
enough, a corresponding check in the reports module will issue
an error message like

* HTTP_HOST contained unexpected "a0a3aa2f59.random.example.org"
* SERVER_NAME contained unexpected "a0a3aa2f59.random.example.org"

Using the configuration directive `UseCanonicalName On` for Apache
web server environments mitigates the risk.

Resolves: #99347
Releases: main, 11.5, 10.4
Change-Id: Iaafd136fd817a0722f482d1d0e6b198382e40e3d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77038


Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>

There are different versions of pdfinfo available and used
by different providers/distributions.

a) Debian/Fedora use pdfinfo (>v20) from the poppler-utils package.
   Also hosters like Hetzner use this version.
   This variant defaults to UTF-8 output for metadata:
   https://linux.die.net/man/1/pdfinfo
   > -enc encoding-name
   Sets the encoding to use for text output. This defaults to "UTF-8".

   pdfinfo -v
   pdfinfo version 21.08.0
   Copyright 2005-2021 The Poppler Developers -
                       http://poppler.freedesktop.org
   Copyright 1996-2011 Glyph & Cog, LLC

b) Older servers and hosters with legacy software (Mittwald,
   Domainfactory) use pdfinfo v3. This one defaults to Latin1 output:
   https://www.xpdfreader.com/pdfinfo-man.html
   > −enc encoding-name
   > Sets the encoding to use for text output. […]
   > This defaults to "Latin1"

   pdfinfo -v
   pdfinfo version 3.02
   Copyright 1996-2007 Glyph & Cog, LLC

Both versions support an -enc UTF-8 option, which is nowused to
circumvent the differences between these tools, instead of implying
Latin1 output (as done in #80085) which breaks variant a) by
interpreting valid UTF-8 as ISO-8859-1 and thus applying
a double encoding.

Resolves: #99352
Related: #80085
Releases: main, 11.5, 10.4
Change-Id: Ib8f7ae742c5edc73036afcb7d2608cd01f4176fd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77082


Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Releases: main, 11.5, 10.4
Resolves: #99348
Change-Id: I43d305b0f02bd6049f32e65c95184a2d5bfa4fe5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77053


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

When working with variable interpolation and similar scenarios, in
most cases variables, constants, expressions, ... are embedded in
a solid string and can only be identified and extracted by the
corresponding "reader" or "parser".

This string fragment splitter aims to introduce a simpler way for
extracting and working with these embedded fragments.

Example:
    $pattern = new StringFragmentPattern(
      StringFragmentSplitter::TYPE_EXPRESSION,
      '%[^%]+%'
    );
    $splitter = new StringFragmentSplitter($pattern);
    $collection = $splitter->split(
      'Hello %variable% World!'
      FLAG_UNMATCHED_AS_NULL
    );

    // results in having
    // + StringFragment(type: 'raw', value: 'Hello ')
    // + StringFragment(type: 'expression', value: '%variable%')
    // + StringFragment(type: 'raw', value: ' World!')

Resolves: #97553
Releases: main, 11.5, 10.4
Change-Id: Ie2b02a247ca884fa44ab7b3ba21214c8ee9bc457
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76947


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Resolves: #99281
Releases: main, 11.5, 10.4
Change-Id: Ic65f08aa0bb67f97880d0ff5bb4c692fe7e6ffde
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76953


Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>

<figure> is allowed in HTML5 outside of paragraphs,
thus it should also be configured like that out-of-the-box

See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure

Since CKEditor5 is using <figure> around tables, and also
might add a <figcaption> both variants are now enabled by default.

Resolves: #99273
Releases: main, 11.5, 10.4
Change-Id: I9356cc13ccef764f475ba42cc47f43f7ecd624a1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76898


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>

see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.0

composer req typo3/html-sanitizer:^2.1.0
composer req typo3/html-sanitizer:^2.1.0 \
  -d typo3/sysext/core --no-update

To use custom output rules, the Behavior object must be known in
the Sanitizer, see https://github.com/TYPO3/html-sanitizer/pull/98

Resolves: #99271
Releases: main, 11.5, 10.4
Change-Id: I160f8b49284566afde87d07dde7a4fb69e3174c9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76921


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

This patch ensures that search term like Ärmel and Æble
is also working. Currently the match didn't work if a
uppercase special char was used.

With the additional modifier, this is now working, and
there will be matches on both lowercase and uppercase
matching words.

Resolves: #97986
Releases: main, 11.5, 10.4
Change-Id: If7ff1669ead57557964ed5372c4af749c316d7bf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76895


Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>

This encodes the PDF metadata to UTF-8 to ensure that special chars
like æ ø å ü ö ä are allowed without cutting of the metadata text.

Resolves: #80085
Releases: main, 11.5, 10.4
Change-Id: I02b0730dd659b54c0d8c7186a2089419bd56d2a2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76893


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

This patch updates `moment-timezone`, having a fixed vulnerability,
along with the related `moment` library.

Executed commands:

    yarn add \
        moment@^2.29.4 \
        moment-timezone@^0.5.35
    grunt build

Resolves: #99061
Releases: main, 11.5, 10.4
Change-Id: I36376bad194aa63dda0146c8bc0f481b932dc89d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76558


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Invalid file names containing special characters like `<` or `>`
are not correctly represented as text node. Error messages wrapped
in an XML node need to be properly encoded.

This was originally reported as a vulnerability, after analyzing the
scenario, the TYPO3 Security Team came to the conclusion to handle it
in public. It cannot be exploited directly without knowing the backend
form protection token of a particular user session.

Resolves: #98382
Releases: 11.5, 10.4
Change-Id: Icd73de28ef3b702b45cbc8f232b5595b6fda127b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76350


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

With #85044, HMAC validation for form definitions in the backend form
editor was introduced. However, nested multi-valued options have not
been signed with corresponding HMAC values - which lead to error
messages when persisting the form again in the backend.

The exception for `_value` and `_label` (properties used for those
multi-valued items) have been removed when generating HMAC values.

Resolves: #94106
Resolves: #97235
Related: #85044
Releases: main, 11.5, 10.4
Change-Id: Iaf6798e0f5aa43bdaf90b2c1866745abaab25de1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76164


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

JetBrains created a new product named `Fleet` as
lightweight editor. This tool tends to write it's
config files to `.fleet/` folders, like all of the
IntellJ based IDE's like PHPStorm uses the `.idea`
folder.

This change adds this config folder to .gitignore
to avoid adding this folder to a patch if `Fleet`
is used to create a patch.

Resolves: #98615
Releases: main, 11.5, 10.4
Change-Id: I4f629a37904c2e9fda57df830377c98a88bec69c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76067


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

The doc comments for some functions in `\TYPO3\CMS\Core\Database\Connection`
state, that table expressions and columns are not escaped. This is actually
not true and it seems those doc comments have been adopted directly from
`doctrine/dbal` back in 2016, when Doctrine DBAL was introduced to TYPO3.

Resolves: #98318
Releases: main, 11.5, 10.4
Change-Id: If23d568b23ef1b3c6f40efd50e907af54c349b3d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75650


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

`GeneralUtility::flushInternalRuntimeCaches` now also flushes the caches
used by `makeInstance` to determine the final class name for
instantiating classes. This allows unit tests to test that classes can
be XCLASSed without the dummy XCLASS configuration spilling over into
the next unit test.

Resolves: #98346
Releases: main, 11.5, 10.4
Change-Id: Iea1d85231c5b51bb743f48ab018340997e39c3d3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75647


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Change-Id: Ib8ba8cc8c720f50691897abc59fda00fef32e905
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75722


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Change-Id: I6dc1c8bd8f1c308ccc283de2d801e0821fb7253e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75721


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.0.16

composer req masterminds/html5:^2.7.6 typo3/html-sanitizer:^2.0.16
composer req masterminds/html5:^2.7.6 typo3/html-sanitizer:^2.0.16 \
  -d typo3/sysext/core --no-update

Resolves: #98340
Releases: main, 11.5, 10.4
Change-Id: I254ea25410e01f7610b0c4ef8b83441ab216f1ca
Security-Bulletin: TYPO3-CORE-SA-2022-011
Security-References: CVE-2022-36020
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75708


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Variables in child nodes like `<f:asset.css>{value}</f:asset.css>`
were not encoded and allow cross-site scripting. In case values shall
be taken as is, corresponding `f:format.raw` instruction has to be used.

Resolves: #97900
Releases: main, 11.5, 10.4
Change-Id: Id843a41c42bbe1f74cdc4efbc117b24d20026b97
Security-Bulletin: TYPO3-CORE-SA-2022-010
Security-References: CVE-2022-36108
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75707


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

FileDumpController is used to expose stored files from the backend
user interface through a corresponding service-side process. Since
content-security-policy settings for files served directly by the
web server won't be applied, FileDumpController has to take care.

Resolves: #98221
Releases: main, 11.5, 10.4
Change-Id: I4fde10e48e33fa08452eddf876172f56b4f38e28
Security-Bulletin: TYPO3-CORE-SA-2022-009
Security-References: CVE-2022-36107
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75706


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

When a TYPO3 backend user performs a password reset request, a
password reset link including an expiration time is sent to the
user. The expiration time is included in HMAC calculation of
the saved password reset hash, but it is never evaluated if the
expiration time is exceeded.

This change adds the missing validity check for the expiration
time included in the password reset link.

Resolves: #97998
Releases: main, 11.5, 10.4
Change-Id: I8a1730faf6489e5c5eebb44ff4f82606785bd637
Security-Bulletin: TYPO3-CORE-SA-2022-008
Security-References: CVE-2022-36106
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75705


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Observing response time during user authentication can be used to
distinguish between existing and non-existing user accounts. This
change introduces `MimicServiceInterface::mimicAuthUser` -  to be
implemented by 3rd party authentication services - which simulates
corresponding times regular processing would usually take.

Resolves: #98217
Releases: main, 11.5, 10.4
Change-Id: I143ae0d3877dffe6f2decbb3f0cf8c9d9cb6ca0b
Security-Bulletin: TYPO3-CORE-SA-2022-007
Security-References: CVE-2022-36105
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75704


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

README.md and CONTRIBUTING.md use the current repository links with this change.
The change also includes several minor edits.

Resolves: #98260
Releases: main, 11.5, 10.4
Change-Id: I77d4741df4134ae0babec2415cd8f5345592e29e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75634


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Stephan Großberndt <stephan.grossberndt@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

All values are default values except the redirectTTL value.

Releases: main, 11.5, 10.4
Resolves: #98238
Change-Id: Ifef0b35445828aa4b82084b5a4216174b9ad3e89
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75577


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Backend modules which use absolute paths (which do not
exist) should not raise an exception / error when
using versionNumberInFilename checks.

This happens e.g. with EXT:solr backend modules
since #97939 was fixed.

In the long-term extensions should define proper
paths, so they also work in TYPO3 installations within
a subfolder but for the time being,
this change helps to solve the problem.

Resolves: #98152
Related: #98106
Related: #97939
Releases: main, 11.5, 10.4
Change-Id: I071f2e63d4423d157f0f060a1295cb145474ee9d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75494


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

This reverts commit 8c724b77.

Reason for revert:
The commit-msg hook now tends to throw away the message.
Fully loosing a commit message is worse than a funny
exit code. We revert for now and eventually come up
with a different solution later.

Change-Id: If1fdc93487e32f4be4f32ffd200005f746a50bee
Reverts: #98094
Resolves: #98094
Releases: main, 11.5, 10.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75453


Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

While trying to restore the full desktop functionality
aka mouse and keyboard behavior on a touch-device we
came to the conclusion that it feels unintuitive.

On touch devices, you have by design fewer input options
and differentiators than with dedicated input devices like
a mouse. It feels best to disable the drag and drop
behavior and enable a smooth scrolling and navigation
experience.

Resolves: #91755
Resolves: #86946
Resolves: #93960
Releases: main, 11.5, 10.4
Change-Id: Ic08d06283cbb2331ff49983bd7d18b446f8bd76a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75431


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

With the fix of using versioned numbered filenames for the
TYPO3 Backend, a use-case "absolutely referenced, but
relative to public path file" did break for Frontend
inclusions of CSS or JS files.

This is now overcome by only using the original bugfix in the TYPO3
Backend.

Resolves: #98106
Related: #97939
Releases: main, 11.5, 10.4
Change-Id: Iff6251bd95e1c0a93a6f5538b9f560e55ba80b0c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75369


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Resolves: #98094
Releases: main, 11.5, 10.4
Change-Id: If84f67d6ac91aeaa47849067e21bef6b13854f3c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75360


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Since the persisted file is stored with a sanitized filename, it must be
replaced with a sanitized file name as well, otherwise an error occurs
that the source with the un-sanitized file name could not be found.

Resolves: #98005
Releases: main, 11.5, 10.4
Change-Id: I9b38316f7a25a281521bff787956dcd6373249d0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75356


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Quite some issues with docker-compose v2 have been fixed
We'll now try to use it again and remove a v1 restriction
in `Build/Scripts/runTests.sh`.

Resolves: #98086
Releases: main, 11.5, 10.4
Change-Id: I7e4ff82df374db33ba42db0e0d1483f6320ba9ea
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75354


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

When using routing and custom enhancers to find out
what page translation was exactly used to build
special logic for Page resolving, the two
language-related properties "sys_language_uid"
and "l18n_cfg" are now loaded (and thus, added to the
"_page" property of a Route) as well.

This is useful as l10n_parent is already loaded anyways.

Resolves: #98042
Releases: main, 11.5, 10.4
Change-Id: I23f964d5d22f27a9affebfeae87906d9549efda0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75230


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

In a scenario, where a backend user has two entry
points, in which the second one intersects the first
one (is a direct sub-page), pages were shown
multiple times.

The reason behind this was, that inside
PageTreeRepository->groupAndSortPages() every page
was added regardless if it was already added in a
previous run. This is the case, when the same pages
are found in different depth levels.

E.g.

1 - Home (DB mount 1)
  2 - Page 1
  2 - Page 2 (DB mount 2)
    3 - Subpage 1 // will be added for level 2 and 3
    3 - Subpage 2

To prevent this, a guard clause was added, which
checks whether the page was already added by
comparing the uid value.

Resolves: #96512
Resolves: #97774
Related: #96367
Releases: main, 11.5, 10.4
Change-Id: I65439011b894f05faef9cb507d905b3d7d3b709f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75224


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Using database queries without deterministic sorting
definition may lead to unreliabe resultsets in some
dbms type and version, which also may change over time.
Thus it's good practice to have proper defined sorting
for queries, at least if result relies on a constant
and reliable result sorting.

With #96512 and #97774 additional tests has been added,
which showed the unreliable of these database queries,
blocking the bugfix backport to TYPO3 v10.4.

This patch adds sorting definition to two db queries in
`\TYPO3\CMS\Backend\Tree\Repository\PageTreeRepository`
to ensure consistent results in a deterministic manner
and make it possible to provide the related bugfix for
TYPO3 v10.4.

Resolves: #98056
Related: #96512
Related: #97774
Releases: main, 11.5, 10.4
Change-Id: I8a1bf3b93bcfcaec4c3de3ea6321db62847d0c21
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75336


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

A serialization issue has been fixed in symfony/mime 4.4.16 / 5.1.8
which has to be used as minimum version.

https://github.com/symfony/symfony/commit/fd99eb26d893390b45c214f4884fea090f1c1178

Resolves: #98052
Releases: 10.4
Change-Id: Ie444aee39685b2f72fc77171fa56040db6a7cf7c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75330


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Stefan Bürk <stefan@buerk.tech>