- Nov 20, 2020
-
-
Andreas Fernandez authored
Since #92689 the IconRegistry is fed by a JSON file taken from the TYPO3.Icons repository and does not grab all PNG and SVG files from the filesystem and auto-registers these files anymore. It turned out that some icons (all of them being PNG files) are not part of the TYPO3.Icons repository and thus haven't been registered anymore. This patch now registers icons of EXT:backend and EXT:impexp explicitly which are not part of the beforehand mentioned repository. Resolves: #92860 Related: #92689 Releases: master, 10.4 Change-Id: I0baab2b00be100ad768b4a67bf678e71e11f70bb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66693 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Simon Gilli <typo3@gilbertsoft.org> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
-
Andreas Fernandez authored
With upcoming TYPO3 v11, support for PHP versions older than 7.4 is cancelled. Due to this, we don't have to check these versions anymore in Bamboo and thus remove them from the build plans. Resolves: #92888 Releases: master Change-Id: Iae261d4f4bc8ec205a583f685fda2ef183f32767 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66714 Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
-
Charanth authored
These two parameters are switched. Releases: master, 10.4, 9.5 Resolves: #92887 Change-Id: I7a896a167f39b8a68664ef6f37b3b1be447825c9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66712 Tested-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
-
Christian Kuhn authored
In the frontend middleware chain PrepareTypoScriptFrontendRendering interacts with TSFE and calls getFromCache() which acquires frontend rendering locks. Locks are usually released after TSFE rendering in the final middleware, the HTTP/RequestHandler. Middleware ShortcutAndMountPointRedirect however, wich is called after PrepareTypoScriptFrontendRendering, can return early without calling below middlewares. In this case, locks need to be explicitly released to prevent a deadlock. This is not an issue in normal frontend calls since acquired locks are always released in __destruct() of the locking API. But, if the frontend is called as sub request, for instance from within another frontend call, from cli or testing, the lock API destructors may or may not be called. If not, this leads to dangling locks after the FE sub request, which then may block a following sub request executed in the same process. Resolves: #92882 Releases: master, 10.4 Change-Id: I231e56fb04ffa899c6e1b4d7e1a9e4a971f632db Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66707 Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
-
Georg Ringer authored
The usage count of forms in the form module must not count deleted elements. Resolves: #92880 Releases: master, 10.4 Change-Id: Ia58c4e28e03ea1caa3b22ba1188d039fcdea69ea Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66709 Tested-by:
Rudy Gnodde <rudy@famouswolf.com> Tested-by:
-
- Nov 19, 2020
-
-
Christian Kuhn authored
To bootstrap TYPO3 sub requests, the testing framework needs an instance of the class loader. There is no good way to retrieve this object that is immutable for the entire process. During casual bootstrap, an instance of the class loader is parked in object ClassLoadingInformation. The patch makes getClassLoader() public to allow retrieval. This solution is kinda ugly and should probably change later. The public method is for now marked @internal and should not be used by third party code to allow structural changes later. Resolves: #92883 Releases: master Change-Id: Ic819e1a5989a74ebf634e1b1090058b7fe93af9e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66708 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
-
Christian Kuhn authored
Frontend, backend and install tool application classes are the main entry points to create a response from a request object. From within a HTTP index.php, run() is called, which creates the request object from globals and feeds that to handle(). But, to retrieve a TYPO3 response from within a different PHP application, or from within TYPO3 itself (eg. a backend calls a frontend), the leading application would want to hand over a given or specially crafted PSR-7 ServerRequest directly. This is exactly what PSR-15 RequestHandlerInterface is for. By implementing this inteface in the application classes, the core increases interoperability significantly and allows to be easily called by a third party PHP application. Resolves: #92884 Releases: master Change-Id: I3047c92de06668db4dd5ef224bafde23f4b8ebd5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66710 Tested-by:
-
Christian Kuhn authored
Handing over '/' as $uri to InternalRequest() in functional tests triggers an ugly fallback mechanism that changes this to 'http://localhost/' within the FE call. Not handing over any $uri string at all defaults to 'http://localhost/' too, but at an much earlier and more transparent point. The patch streamlines two places that used the above method. Resolves: #92877 Releases: master, 10.4 Change-Id: Ic8e8e58315efeaf49298737f549bb5955520f7f8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66700 Tested-by:
-
Christian Kuhn authored
Test related fixture extension 'test_datahandler' still has calls in ext_tables.php that changes $GLOBALS['TCA']. This is forbidden for a while. Move those calls to Configuration/TCA/Overrides. Resolves: #92879 Releases: master, 10.4 Change-Id: I4cc66ca41caf52d872b0ff1a06a90d180a739ddb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66705 Tested-by:
-
Christian Kuhn authored
Test related fixture extension 'irre_tutorial' still has calls in ext_tables.php that changes $GLOBALS['TCA']. This is forbidden for a while. Move those calls to Configuration/TCA/Overrides. Resolves: #92878 Releases: master, 10.4 Change-Id: I56c652e5073ef26c46335e05213363007d4450e5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66703 Tested-by:
-
- Nov 18, 2020
-
-
Markus Klein authored
The backend module for backend users needs to use the hashed sessionId to check the online status if the session backend allows hashed ids. Resolves: #92871 Releases: master, 10.4, 9.5 Change-Id: Ifb5c2f48c751a52233888b293347425afd3092ae Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66697 Tested-by:
-
- Nov 17, 2020
-
-
Helmut Hummel authored
Extracting SVG processing to its own processor did not respect that previously SVG files without dimensions were handled as a side effect of undefined behaviour without causing hard errors. The new processor however throws an exception instead of accepting undefined behaviour, which causes old installations with such SVG files to break. As a mitigation (as long as no other correct behaviour is defined), some default image dimensions are assumed for SVG files where none can be properly determined. This does not make SVG files without defined dimensions properly work, but at least restores the previous behaviour of not throwing an exception. Additionally extracting SVG processing uncovered another bug that existed, but never fully surfaced before. Processed files that were updated, but in fact were using the original file (like SVGs typically do) accessed the wrong storage to fetch file infos, when the processed files were configured to remain of a different storage. This is now properly checked as well. Resolves: #92444 Resolves: #92449 Related: #92014 Releases: master, 10.4 Change-Id: Ide10af8105c5fb6a5257aa7a16e48a02a925a8fe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65963 Tested-by:
Timo Poppinga <timo.poppinga@zdrei.com> Tested-by:
-
Georg Ringer authored
If the TSconfig setting is turned on, translations of content elements are bound to the default record in the display. This means that within each column with content elements any translation found for exactly the shown default content element will be shown in the language column next to the translation. This feature has been forgotten during the rewrite and is now readded. Resolves: #92482 Releases: master, 10.4 Change-Id: I408343d3b9a33b3239d1f341f3df36b65d2cd9c8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66412 Tested-by:
-
Helmut Hummel authored
To avoid loss of quality and spawning unnecessary imagemagick processes, cropping and scaling of images is now done with a single imagemagick process. By doing so, the code for SVG processing is streamlined. SVG processing code can further be improved later, by putting it into a dedicated file processing task processor. Releases: master, 10.4 Resolves: #91855 Change-Id: I3bf735e74dd46dec73431405f37616506747ccdf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65187 Tested-by:
-
Oliver Hader authored
Processing XML external entities is explicitly disallowed when retrieving RSS/XML data from a remote service. Code-wise it is handled as security issue - however it was not possible to actually exploit the code with current system distributions. Default processing of external entities has been disabled in libxml2 since verion 2.9 - thus, most systems are not affected by this issue. Resolves: #92329 Releases: master, 10.4 Change-Id: Ia00e98ea8e54472ad09fbf4beaf1481eaa5fd7a2 Security-Bulletin: TYPO3-CORE-SA-2020-012 Security-References: CVE-2020-26229 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66665 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Oliver Hader authored
Instead of storing session IDs with their corresponding storage backends in plain text, their HMAC-SHA256 (Redis) or HMAC-MD5 (DB) is being used. HMAC-MD5 had to be chosen to avoid breaking changes for limited field size in database fields (32 characters currently). This change also allows a fallback to non-hashed-session values, meaning that * set() and update() will create new session records with the hashed identifier * get() contains a fallback to the non-hashed-version when no session with a hashed identifier is found Resolves: #91854 Releases: master, 10.4, 9.5 Change-Id: Ia57acc5e0d0cf71088af1aaff1ab894bd1d4e3dd Security-Bulletin: TYPO3-CORE-SA-2020-011 Security-References: CVE-2020-26228 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66664 Tested-by:
-
Oliver Hader authored
* XSS in `f:be.labels.csh` in argument `label` * XSS in `f:be.menus.actionMenu` in argument `label` * XSS in `f:form` in argument `fieldNamePrefix` Resolves: #92602 Releases: master, 10.4, 9.5 Change-Id: I7574bfb60eb2e11ecfb98d187f2edd580f43cd93 Security-Bulletin: TYPO3-CORE-SA-2020-010 Security-References: CVE-2020-26227 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66663 Tested-by:
-
Oliver Hader authored
Change-Id: Ie2adfafff4ab57cac9426d9a5784b794f459ea7c Resolves: #92829 Releases: master Security-Bulletin: TYPO3-CORE-SA-2020-009 Security-References: CVE-2020-26216 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66662 Tested-by:
-
Markus Klein authored
The access settings is an exclude field and hence the value is synchronized to the translation. Fetching the translation overlay therefore does not need to evaluate the fe_groups again. Resolves: #91725 Releases: master, 10.4, 9.5 Change-Id: Ie6ec2208d15f67eafb6a48627c5f1b76ffdc5725 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66330 Tested-by:
-
- Nov 16, 2020
-
-
Alexander Schnitzler authored
Since there is no dedicated AbstractController any more and ActionController cannot be dispatched without being extended the class is finally marked abstract. Releases: master Resolves: #92850 Change-Id: I910765ded482a59789dc3830701e497b4b8b45b8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66642 Tested-by:
-
Oliver Hader authored
Introduces Content-Security-Policy HTTP header check on fileadmin/ resources. This can be seen as follow-up up to TYPO3-CORE-SA-2020-006 and TYPO3-PSA-2019-010 now actively analyzing this HTTP header and letting users know in reports module and system environment check of the Install Tool. Resolves: #92835 Releases: master, 10.4, 9.5 Change-Id: I53028ae36c9195082993ee89d630efa7b555c547 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66627 Tested-by:
-
Oliver Hader authored
The session expiration time for the install tool is reduced from 60 to 15 minutes. When accessing the install tool via backend user interface, currently logged in backend users have to confirm their user password again in order to get access to the install tool. This process is known as "sudo mode". Standalone install tool is not affected by sudo mode confirmation. This change enforces mitigation as mentioned in TYPO3-CORE-SA-2020-006, see https://typo3.org/security/advisory/typo3-core-sa-2020-006. Resolves: #92836 Releases: master, 10.4, 9.5 Change-Id: Ib4f0e92346610879347a48587ffd575429b98650 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66630 Tested-by:
Torben Hansen <derhansen@gmail.com> Tested-by:
-
Christian Kuhn authored
Instead of instantiating PageRenderer early in ext_localconf, the additional require js for t3editor and rte_ckeditor is now injected by a PageRenderer hook when needed. Releases: master Resolves: #92848 Change-Id: I070d75482deb0b4c7a301719440ae18d28f0a57a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66641 Tested-by:
-
Chris Müller authored
Resolves: #92854 Related: #92062 Releases: master Change-Id: I416d747877aa3d7f56e8ddbd3438db27576c0ce4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66645 Tested-by:
-
Chris Müller authored
Resolves: #92851 Releases: master Change-Id: If7249e411165e1050b55d1d7aa9da6896fe3d9ba Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66643 Reviewed-by:
-
Benni Mack authored
With this change an undefined symbol is included when not having AdminPanel loaded: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66218 This change aims to change the logic for checking if the preview flag is enabled. Resolves: #92746 Reverts: #92242 Releases: master, 10.4, 9.5 Change-Id: I1005424a86f1ced595b23938bd6dcc70ff2f00c9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66372 Tested-by:
-
Christian Kuhn authored
Functional test case methods getFrontendResponse() and getFrontendResult() have been deprecated a while ago but their core usages have not been adapted. Do this now by switching to their younger counterparts. Change-Id: Ica1a6625a29b9d35189f2c9fce29da52f121d280 Resolves: #92845 Releases: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66635 Tested-by:
-
Benni Mack authored
In order to build the group resolving more flexible, the major method "fetchGroupData()" is now separated into a smaller chunk as a pre-patch. Resolves: #92814 Releases: master Change-Id: Id688355a869948e1b4eb57f06ed23cee0e2d513c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66598 Tested-by:
-
- Nov 14, 2020
-
-
Eric Chavaillaz authored
If the loading text of the login box is too large, the text exceeds the size of the login button. This patch allow the button to grow vertically. Resolves: #92622 Releases: master, 10.4 Change-Id: I9aa7858fd23c5f5848657c6c029769e9fa8de179 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66554 Tested-by:
Martin Kutschker <mkutschker-typo3@yahoo.com> Tested-by:
-
Helmut Hummel authored
Change the implementation of backend deferred image processing to use a file processor, which is only but always used in the backend. By doing so all limitations of the current implementation are resolved, which means, width and height of the image can be set in HTML, to avoid layout shifts and once the images are processed, they will simply be delivered by the web server. Inconsistencies with thumbnail ratio (depending on crop being defined or not) are also tackled on the go. While this changes processing configuration for some files, which triggers a re-generation, it should not matter, as image processing will be done in parallel on request, making such changes viable in a bugfix release. The introduced database field is neither used nor required for the current implementation, but is introduced to provide a possibility for third party processors to replace the current implementation with simple (and persisted) URLs to third party SaaS image processing services. Resolves: #92188 Releases: master, 10.4 Change-Id: I8d1e14324085c5b6ba646475206c8cb10a1fc10d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65237 Tested-by:
-
Christian Kuhn authored
Back in 6.2 at ExtJS times, a feature has been introduced to the workspace module to extend the shown 'data grid' with custom columns. This implementation has been done for one specific customer who nowadays does not use the feature anymore. The feature broke when the transition to a native JavaScript implementation has been done in v8. There is not a single bug report this feature broke in forge, and it is hard to resurrect it with the new client side implementation. The patch drops related code from the extension. This gives core development more freedom to improve the workspace module with other patches. Change-Id: Ie66b172484cdd08de06e019aa004055975948e85 Resolves: #92838 Releases: master Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66632 Tested-by:
Daniel Haupt <mail@danielhaupt.de> Tested-by:
-
Georg Ringer authored
The TSconfig setting `mod.web_layout.disableAdvanced` has been used to disable the "clear cache"-button in the page module. Since this behaviour can be triggered through various other ways, like the context menu or by just saving the page record, this feature is removed completely. Resolves: #92837 Releases: master Change-Id: Ie4c563d89280bc494265611924e2b02727aed644 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66631 Tested-by:
-
- Nov 13, 2020
-
-
Christian Kuhn authored
SqlServer can not handle a transaction for a table, if the same table is queried currently. The install tool database row updater does this. Solution is to skip the transaction on this platform. Additionally, an update query is fixed to hint for proper field types. Resolves: #92832 Releases: master, 10.4 Change-Id: I5fc76705088a727dc1ff41410d6e2cd02b3d9655 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66622 Tested-by:
-
Oliver Hader authored
* replace string states with specific StatusMessage models * combine file path and base URL in new FileLocation model * streamline responsibilities of classes Resolves: #92834 Releases: master, 10.4, 9.5 Change-Id: Ib1a24fb00d4362062e88f93f236b3fd385015c3c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66624 Tested-by:
-
Andreas Fernandez authored
The package @typo3/icons can be updated to version 2.0.4 which adds some new icons and reverts the icons "actions-edit-hide" and "actions-edit-unhide" to their v1 variants. Executed commands: cd Build yarn add "@typo3/icons@^2.0.4" yarn build Resolves: #92833 Releases: master, 10.4 Change-Id: I78933010cb2d36b0d412b20c5e0d63976cc77035 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66623 Tested-by:
-
Benni Mack authored
This change adds the methods * setRequest() * getRequest() * getUriBuilder() to the RenderingContext of EXT:Fluid. The main goal is to reduce the usages of the ControllerContext as much as possible to decouple Extbase from Fluid. When the "setRequest" method is used in the renderingContext, the controllerContext is filled as well, in order to be backwards-compatible. Resolves: #92826 Releases: master Change-Id: I41b8741e947c78895317ef2235959ceb251e103c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66323 Tested-by:
-
- Nov 12, 2020
-
-
Peter Kraume authored
Resolves: #92821 Releases: master, 10.4, 9.5 Change-Id: Ife0999560d3da75051b663b55d46e0f6a5e03dfb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66617 Tested-by:
Peter Kraume <peter.kraume@gmx.de> Tested-by:
Chris Müller <typo3@krue.ml> Reviewed-by:
-
Benni Mack authored
Creating a new record in a workspace adds two database rows. One that is the "placeholder", which - since v10.4 - contains the same metadata as the other record: * t3ver_wsid = workspaceID * t3ver_oid = 0 (simulating behavior of an "online pendant record") * t3ver_state = 1 And the "versionized" record, identified by: * t3ver_wsid = workspaceID * t3ver_oid = uid of the new placeholder record * t3ver_state = -1 As of TYPO3 v10, the first record is not needed anymore, the versioned record can be queried directly, however, since the relations (except MM) point to the placeholder record, this one is kept. As result, only one record is created from now on: * t3ver_wsid = workspaceID * t3ver_oid = 0 (no online counterpart) * t3ver_state = 1 On reading, the record is queried directly (no overlay needed anymore!) with the existing Database Doctrine Restrictions. On publishing, the record just gets the state/stage/wsid set and is "live". This brings fundamental benefits: * No overlays needed when querying * Fewer database records (placeholders are not helpful) * Conceptual problems with placeholder and shadowed fields are removed Resolves: #92791 Releases: master Change-Id: I0288cc63fe72d8442d586f309bd4054ac44e829b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65587 Tested-by:
-
Oliver Bartsch authored
In #92659 the tt_content fields `imagewidth` and `imageheight` have been adjusted to not limit user input per default. This improves the corresponding rst to properly describe the changes made. Resolves: #92825 Relates: #92659 Releases: master Change-Id: I61b1ee1fed95251d1a3be4dc9e3c996fb033aa04 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66611 Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
-
- Nov 11, 2020
-
-
Guido Schmechel authored
Use the current W3C recommended mime types for fonts in htaccess base file, see https://www.iana.org/assignments/media-types/media-types.xhtml#font Releases: master, 10.4 Resolves: #92743 Change-Id: I8abc5abe703ef02ed678e8f7b7b28a3544ce239e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66513 Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
