- Dec 13, 2022
-
-
Oliver Hader authored
Introducing Yaml placeholders in backend user interface can lead to information disclosure and denial-of-service scenarios. This change disallows adding new placeholders and throws an exception - existing placeholders are kept. Resolves: #89401 Releases: main, 11.5, 10.4 Change-Id: I69e24de07b5327507e1bf8de990f84402078f7d4 Security-Bulletin: TYPO3-CORE-SA-2022-016 Security-References: CVE-2022-23504 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77087 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
waldhacker authored
Only evaluate TypoScript-like instructions like
```
submitButtonLabel = TEXT
submitButtonLabel.value = Bar
```
defined within `plugin.tx_form.settings.formDefinitionOverrides` and `plugin.tx_form.settings.yamlSettingsOverrides` and **not** within form definition yaml files or the form setup yaml files. This is achieved by not searching the entire form definition or form setup for TypoScript instructions, but only the actual TypoScript.
Resolves: #98403 Releases: main, 11.5, 10.4 Change-Id: I7b066f109d6061715c2240b01ed15185c58fa9f5 Security-Bulletin: TYPO3-CORE-SA-2022-015 Security-References: CVE-2022-23503 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77086 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Torben Hansen authored
The password reset process for TYPO3 backend and frontend users does not destroy possible existing user sessions after the password has been changed. With this patch, all existing user sessions are destroyed when the password is changed in the password reset process. Resolves: #98462 Releases: main, 11.5, 10.4 Change-Id: I6744bfcf7cae56b4e525f2e0f9a44d06cf14396c Security-Bulletin: TYPO3-CORE-SA-2022-014 Security-References: CVE-2022-23502 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77085 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
This change ensures that individual storage page ids are valid by signing corresponding values with an HMAC. Resolves: #98010 Releases: main, 11.5, 10.4 Change-Id: I34d474ab23adca6bbcf20c108bb60acf6998bc6f Security-Bulletin: TYPO3-CORE-SA-2022-013 Security-References: CVE-2022-23501 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77084 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Benni Mack authored
TYPO3 now uses a lock strategy to avoid having too many requests waiting for the generation of the error page (which cannot be generated via the external HTTP request, as there might be not enough workers / PHP processes available during a DoS attack). If a lock is in place, it directly returns a generic error response instead of waiting for the lock or that the error page is retrieved/rendered. Additionally, if the external error page could not be retrieved (HTTP status code other than 200), it will also create a generic response and cache that instead. This avoids repeatedly requesting the erroneous external HTTP page. This could happen when using external HTTP requests (Guzzle) to resolve an error page (via PageContentErrorHandler) for 404 sites. Resolves: #98384 Releases: 11.5, 10.4 Change-Id: Iae1cae882707a519b2cef85112525ea213a72eef Security-Bulletin: TYPO3-CORE-SA-2022-012 Security-References: CVE-2022-23500 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77083 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
In case the web server scenario is not properly configured to deny HTTP host header injection, and the trustedHostsPattern is not explicit enough, a corresponding check in the reports module will issue an error message like

* HTTP_HOST contained unexpected "a0a3aa2f59.random.example.org"
* SERVER_NAME contained unexpected "a0a3aa2f59.random.example.org"

Using the configuration directive `UseCanonicalName On` for Apache web server environments mitigates the risk.
Resolves: #99347 Releases: main, 11.5, 10.4 Change-Id: Iaafd136fd817a0722f482d1d0e6b198382e40e3d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77038 Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Benjamin Franzke authored
There are different versions of pdfinfo available and used by different providers/distributions.

a) Debian/Fedora use pdfinfo (>v20) from the poppler-utils package. Also hosters like Hetzner use this version. This variant defaults to UTF-8 output for metadata: https://linux.die.net/man/1/pdfinfo

> -enc encoding-name Sets the encoding to use for text output. This defaults to "UTF-8".

```
pdfinfo -v
pdfinfo version 21.08.0
Copyright 2005-2021 The Poppler Developers - http://poppler.freedesktop.org
Copyright 1996-2011 Glyph & Cog, LLC
```

b) Older servers and hosters with legacy software (Mittwald, Domainfactory) use pdfinfo v3. This one defaults to Latin1 output: https://www.xpdfreader.com/pdfinfo-man.html

> −enc encoding-name
> Sets the encoding to use for text output. […]
> This defaults to "Latin1"

```
pdfinfo -v
pdfinfo version 3.02
Copyright 1996-2007 Glyph & Cog, LLC
```

Both versions support an -enc UTF-8 option, which is now used to circumvent the differences between these tools, instead of implying Latin1 output (as done in #80085) which breaks variant a) by interpreting valid UTF-8 as ISO-8859-1 and thus applying a double encoding.
Resolves: #99352 Related: #80085 Releases: main, 11.5, 10.4 Change-Id: Ib8f7ae742c5edc73036afcb7d2608cd01f4176fd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77082 Tested-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
Benni Mack <benni@typo3.org>
-
Stephan Großberndt authored
Releases: main, 11.5, 10.4 Resolves: #99348 Change-Id: I43d305b0f02bd6049f32e65c95184a2d5bfa4fe5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77053 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
Benni Mack <benni@typo3.org>
-
- Dec 07, 2022
-
-
Oliver Hader authored
When working with variable interpolation and similar scenarios, in most cases variables, constants, expressions, ... are embedded in a solid string and can only be identified and extracted by the corresponding "reader" or "parser". This string fragment splitter aims to introduce a simpler way for extracting and working with these embedded fragments. Example:
```
// Treat everything between two percent signs as an "expression" fragment
$pattern = new StringFragmentPattern(
    StringFragmentSplitter::TYPE_EXPRESSION,
    '%[^%]+%'
);
$splitter = new StringFragmentSplitter($pattern);
$collection = $splitter->split(
    'Hello %variable% World!',
    StringFragmentSplitter::FLAG_UNMATCHED_AS_NULL
);
// results in having
// + StringFragment(type: 'raw', value: 'Hello ')
// + StringFragment(type: 'expression', value: '%variable%')
// + StringFragment(type: 'raw', value: ' World!')
```
Resolves: #97553 Releases: main, 11.5, 10.4 Change-Id: Ie2b02a247ca884fa44ab7b3ba21214c8ee9bc457 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76947 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
- Dec 06, 2022
-
-
Benjamin Kott authored
Resolves: #99281 Releases: main, 11.5, 10.4 Change-Id: Ic65f08aa0bb67f97880d0ff5bb4c692fe7e6ffde Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76953 Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Benni Mack <benni@typo3.org>
-
Benni Mack authored
<figure> is allowed in HTML5 outside of paragraphs, thus it should also be configured like that out-of-the-box. See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure Since CKEditor5 is using <figure> around tables, and also might add a <figcaption>, both variants are now enabled by default. Resolves: #99273 Releases: main, 11.5, 10.4 Change-Id: I9356cc13ccef764f475ba42cc47f43f7ecd624a1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76898 Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- Dec 05, 2022
-
-
Oliver Hader authored
see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.0
```
composer req typo3/html-sanitizer:^2.1.0
composer req typo3/html-sanitizer:^2.1.0 \
  -d typo3/sysext/core --no-update
```
To use custom output rules, the Behavior object must be known in the Sanitizer, see https://github.com/TYPO3/html-sanitizer/pull/98
Resolves: #99271 Releases: main, 11.5, 10.4 Change-Id: I160f8b49284566afde87d07dde7a4fb69e3174c9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76921 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
- Dec 03, 2022
-
-
Tomas Norre Mikkelsen authored
This patch ensures that search terms like Ärmel and Æble also work. Currently the match didn't work if an uppercase special char was used. With the additional modifier, this is now working, and there will be matches on both lowercase and uppercase matching words. Resolves: #97986 Releases: main, 11.5, 10.4 Change-Id: If7ff1669ead57557964ed5372c4af749c316d7bf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76895 Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com>
-
- Dec 01, 2022
-
-
Tomas Norre Mikkelsen authored
This encodes the PDF metadata to UTF-8 to ensure that special chars like æ ø å ü ö ä are allowed without cutting off the metadata text. Resolves: #80085 Releases: main, 11.5, 10.4 Change-Id: I02b0730dd659b54c0d8c7186a2089419bd56d2a2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76893 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
- Nov 12, 2022
-
-
Andreas Fernandez authored
This patch updates `moment-timezone`, having a fixed vulnerability, along with the related `moment` library. Executed commands:
```
yarn add \
  moment@^2.29.4 \
  moment-timezone@^0.5.35
grunt build
```
Resolves: #99061 Releases: main, 11.5, 10.4 Change-Id: I36376bad194aa63dda0146c8bc0f481b932dc89d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76558 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
- Nov 02, 2022
-
-
Oliver Hader authored
Invalid file names containing special characters like `<` or `>` are not correctly represented as text node. Error messages wrapped in an XML node need to be properly encoded. This was originally reported as a vulnerability; after analyzing the scenario, the TYPO3 Security Team came to the conclusion to handle it in public. It cannot be exploited directly without knowing the backend form protection token of a particular user session. Resolves: #98382 Releases: 11.5, 10.4 Change-Id: Icd73de28ef3b702b45cbc8f232b5595b6fda127b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76350 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
- Oct 19, 2022
-
-
Oliver Hader authored
With #85044, HMAC validation for form definitions in the backend form editor was introduced. However, nested multi-valued options have not been signed with corresponding HMAC values - which led to error messages when persisting the form again in the backend. The exception for `_value` and `_label` (properties used for those multi-valued items) has been removed when generating HMAC values. Resolves: #94106 Resolves: #97235 Related: #85044 Releases: main, 11.5, 10.4 Change-Id: Iaf6798e0f5aa43bdaf90b2c1866745abaab25de1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76164 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
- Oct 14, 2022
-
-
Stefan Bürk authored
JetBrains created a new product named `Fleet` as lightweight editor. This tool tends to write its config files to `.fleet/` folders, like all of the IntelliJ-based IDEs like PHPStorm use the `.idea` folder. This change adds this config folder to .gitignore to avoid adding this folder to a patch if `Fleet` is used to create a patch. Resolves: #98615 Releases: main, 11.5, 10.4 Change-Id: I4f629a37904c2e9fda57df830377c98a88bec69c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76067 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech>
-
- Sep 16, 2022
-
-
Torben Hansen authored
The doc comments for some functions in `\TYPO3\CMS\Core\Database\Connection` state, that table expressions and columns are not escaped. This is actually not true and it seems those doc comments have been adopted directly from `doctrine/dbal` back in 2016, when Doctrine DBAL was introduced to TYPO3. Resolves: #98318 Releases: main, 11.5, 10.4 Change-Id: If23d568b23ef1b3c6f40efd50e907af54c349b3d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75650 Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Oliver Klee authored
`GeneralUtility::flushInternalRuntimeCaches` now also flushes the caches used by `makeInstance` to determine the final class name for instantiating classes. This allows unit tests to test that classes can be XCLASSed without the dummy XCLASS configuration spilling over into the next unit test. Resolves: #98346 Releases: main, 11.5, 10.4 Change-Id: Iea1d85231c5b51bb743f48ab018340997e39c3d3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75647 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
- Sep 13, 2022
-
-
Oliver Hader authored
Change-Id: Ib8ba8cc8c720f50691897abc59fda00fef32e905 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75722 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: I6dc1c8bd8f1c308ccc283de2d801e0821fb7253e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75721 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.0.16
```
composer req masterminds/html5:^2.7.6 typo3/html-sanitizer:^2.0.16
composer req masterminds/html5:^2.7.6 typo3/html-sanitizer:^2.0.16 \
  -d typo3/sysext/core --no-update
```
Resolves: #98340 Releases: main, 11.5, 10.4 Change-Id: I254ea25410e01f7610b0c4ef8b83441ab216f1ca Security-Bulletin: TYPO3-CORE-SA-2022-011 Security-References: CVE-2022-36020 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75708 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Variables in child nodes like `<f:asset.css>{value}</f:asset.css>` were not encoded and allow cross-site scripting. In case values shall be taken as is, corresponding `f:format.raw` instruction has to be used. Resolves: #97900 Releases: main, 11.5, 10.4 Change-Id: Id843a41c42bbe1f74cdc4efbc117b24d20026b97 Security-Bulletin: TYPO3-CORE-SA-2022-010 Security-References: CVE-2022-36108 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75707 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
FileDumpController is used to expose stored files from the backend user interface through a corresponding service-side process. Since content-security-policy settings for files served directly by the web server won't be applied, FileDumpController has to take care. Resolves: #98221 Releases: main, 11.5, 10.4 Change-Id: I4fde10e48e33fa08452eddf876172f56b4f38e28 Security-Bulletin: TYPO3-CORE-SA-2022-009 Security-References: CVE-2022-36107 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75706 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Torben Hansen authored
When a TYPO3 backend user performs a password reset request, a password reset link including an expiration time is sent to the user. The expiration time is included in HMAC calculation of the saved password reset hash, but it is never evaluated if the expiration time is exceeded. This change adds the missing validity check for the expiration time included in the password reset link. Resolves: #97998 Releases: main, 11.5, 10.4 Change-Id: I8a1730faf6489e5c5eebb44ff4f82606785bd637 Security-Bulletin: TYPO3-CORE-SA-2022-008 Security-References: CVE-2022-36106 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75705 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Observing response time during user authentication can be used to distinguish between existing and non-existing user accounts. This change introduces `MimicServiceInterface::mimicAuthUser` - to be implemented by 3rd party authentication services - which simulates corresponding times regular processing would usually take. Resolves: #98217 Releases: main, 11.5, 10.4 Change-Id: I143ae0d3877dffe6f2decbb3f0cf8c9d9cb6ca0b Security-Bulletin: TYPO3-CORE-SA-2022-007 Security-References: CVE-2022-36105 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75704 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
- Sep 07, 2022
-
-
Stephan Großberndt authored
README.md and CONTRIBUTING.md use the current repository links with this change. The change also includes several minor edits. Resolves: #98260 Releases: main, 11.5, 10.4 Change-Id: I77d4741df4134ae0babec2415cd8f5345592e29e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75634 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Stephan Großberndt <stephan.grossberndt@typo3.org> Reviewed-by:
Oliver Bartsch <bo@cedev.de>
-
- Sep 05, 2022
-
-
Josef Glatz authored
All values are default values except the redirectTTL value. Releases: main, 11.5, 10.4 Resolves: #98238 Change-Id: Ifef0b35445828aa4b82084b5a4216174b9ad3e89 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75577 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de>
-
- Aug 16, 2022
-
-
Benni Mack authored
Backend modules which use absolute paths (which do not exist) should not raise an exception / error when using versionNumberInFilename checks. This happens e.g. with EXT:solr backend modules since #97939 was fixed. In the long-term extensions should define proper paths, so they also work in TYPO3 installations within a subfolder but for the time being, this change helps to solve the problem. Resolves: #98152 Related: #98106 Related: #97939 Releases: main, 11.5, 10.4 Change-Id: I071f2e63d4423d157f0f060a1295cb145474ee9d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75494 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- Aug 12, 2022
-
-
Christian Kuhn authored
This reverts commit 8c724b77. Reason for revert: The commit-msg hook now tends to throw away the message. Fully losing a commit message is worse than a funny exit code. We revert for now and eventually come up with a different solution later. Change-Id: If1fdc93487e32f4be4f32ffd200005f746a50bee Reverts: #98094 Resolves: #98094 Releases: main, 11.5, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75453 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Simon Schaufelberger <simonschaufi+typo3@gmail.com> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Simon Schaufelberger <simonschaufi+typo3@gmail.com> Reviewed-by:
Stefan Bürk <stefan@buerk.tech>
-
Benjamin Kott authored
While trying to restore the full desktop functionality aka mouse and keyboard behavior on a touch-device we came to the conclusion that it feels unintuitive. On touch devices, you have by design fewer input options and differentiators than with dedicated input devices like a mouse. It feels best to disable the drag and drop behavior and enable a smooth scrolling and navigation experience. Resolves: #91755 Resolves: #86946 Resolves: #93960 Releases: main, 11.5, 10.4 Change-Id: Ic08d06283cbb2331ff49983bd7d18b446f8bd76a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75431 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
- Aug 11, 2022
-
-
Benni Mack authored
With the fix of using versioned numbered filenames for the TYPO3 Backend, a use-case "absolutely referenced, but relative to public path file" did break for Frontend inclusions of CSS or JS files. This is now overcome by only using the original bugfix in the TYPO3 Backend. Resolves: #98106 Related: #97939 Releases: main, 11.5, 10.4 Change-Id: Iff6251bd95e1c0a93a6f5538b9f560e55ba80b0c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75369 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- Aug 07, 2022
-
-
Simon Schaufelberger authored
Resolves: #98094 Releases: main, 11.5, 10.4 Change-Id: If84f67d6ac91aeaa47849067e21bef6b13854f3c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75360 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
- Aug 05, 2022
-
-
Simon Schaufelberger authored
Since the persisted file is stored with a sanitized filename, it must be replaced with a sanitized file name as well, otherwise an error occurs that the source with the un-sanitized file name could not be found. Resolves: #98005 Releases: main, 11.5, 10.4 Change-Id: I9b38316f7a25a281521bff787956dcd6373249d0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75356 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Stefan Bürk authored
Quite some issues with docker-compose v2 have been fixed. We'll now try to use it again and remove a v1 restriction in `Build/Scripts/runTests.sh`. Resolves: #98086 Releases: main, 11.5, 10.4 Change-Id: I7e4ff82df374db33ba42db0e0d1483f6320ba9ea Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75354 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech>
-
- Aug 01, 2022
-
-
Benni Mack authored
When using routing and custom enhancers to find out what page translation was exactly used to build special logic for Page resolving, the two language-related properties "sys_language_uid" and "l18n_cfg" are now loaded (and thus, added to the "_page" property of a Route) as well. This is useful as l10n_parent is already loaded anyways. Resolves: #98042 Releases: main, 11.5, 10.4 Change-Id: I23f964d5d22f27a9affebfeae87906d9549efda0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75230 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- Jul 30, 2022
-
-
Nikita Hovratov authored
In a scenario, where a backend user has two entry points, in which the second one intersects the first one (is a direct sub-page), pages were shown multiple times. The reason behind this was, that inside PageTreeRepository->groupAndSortPages() every page was added regardless if it was already added in a previous run. This is the case, when the same pages are found in different depth levels. E.g.
```
1 - Home (DB mount 1)
  2 - Page 1
  2 - Page 2 (DB mount 2)
    3 - Subpage 1 // will be added for level 2 and 3
    3 - Subpage 2
```
To prevent this, a guard clause was added, which checks whether the page was already added by comparing the uid value.
Resolves: #96512 Resolves: #97774 Related: #96367 Releases: main, 11.5, 10.4 Change-Id: I65439011b894f05faef9cb507d905b3d7d3b709f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75224 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech>
-
Stefan Bürk authored
Using database queries without deterministic sorting definition may lead to unreliable resultsets in some dbms type and version, which also may change over time. Thus it's good practice to have proper defined sorting for queries, at least if result relies on a constant and reliable result sorting. With #96512 and #97774 additional tests have been added, which showed the unreliability of these database queries, blocking the bugfix backport to TYPO3 v10.4. This patch adds sorting definition to two db queries in `\TYPO3\CMS\Backend\Tree\Repository\PageTreeRepository` to ensure consistent results in a deterministic manner and make it possible to provide the related bugfix for TYPO3 v10.4. Resolves: #98056 Related: #96512 Related: #97774 Releases: main, 11.5, 10.4 Change-Id: I8a1bf3b93bcfcaec4c3de3ea6321db62847d0c21 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75336 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech>
-
- Jul 29, 2022
-
-
Oliver Hader authored
A serialization issue has been fixed in symfony/mime 4.4.16 / 5.1.8 which has to be used as minimum version. https://github.com/symfony/symfony/commit/fd99eb26d893390b45c214f4884fea090f1c1178 Resolves: #98052 Releases: 10.4 Change-Id: Ie444aee39685b2f72fc77171fa56040db6a7cf7c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75330 Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Tested-by:
Stefan Bürk <stefan@buerk.tech>
-