- Nov 20, 2020
-
Benni Mack authored
The PHP version that is required now is PHP 7.4, more specifically PHP 7.4.1, which fixed a hard issue on the JIT compiler. Used composer commands:
composer config platform.php 7.4.1
composer req php:^7.4
composer req php:^7.4 -d typo3/sysext/core --no-lock
Releases: master Resolves: #92890 Change-Id: Iaf090b34b1f825adcdb5d42e8a4df20673677a6f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66717 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Devid Messner authored
Replace the uid of the translated page with the uid of the original page in the mountpoint parameter. Resolves: #91328 Releases: master, 10.4 Change-Id: I6eeceff8b191cd76e134fda59e67550b58dfa985 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64952 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Sybille Peters authored
Linkvalidator ships with several Linktype classes that are used to check specific links such as ExternalLinktype, Filelinktype etc. The Linktype LinkHandler is not used by default (see Page TSconfig mod.linkvalidator.linktypes). It was used to check links of the extension "linkhandler" which is now outdated. The latest version supports TYPO3 4.1.0. Functionality from the extension linkhandler has been migrated to the core in TYPO3 8, but in any case the LinkHandler link type supports outdated link syntax starting with "record:". Resolves: #92693 Releases: master Change-Id: Ie0736720ce975b8ccf8e8323660e18d0c772b251 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66265 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Sybille Peters authored
When a broken link is fixed by using the pencil icon in the list of broken links, the broken link should get removed from the list. Resolves: #92710 Releases: master, 10.4 Change-Id: I56e620313491414916f81cb32419348b7dab00d3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66287 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Eric Chavaillaz authored
The TsConfig CGL are described: https://docs.typo3.org/m/typo3/reference-coreapi/master/en-us/CodingGuidelines/CglTsConfig.html This patch ensures that those rules are now respected everywhere in the core. Resolves: #92820 Releases: master Change-Id: I7eef518c1aad5758a5d39d469ea16d5bbb97653b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66606 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Richard Haeser <richard@richardhaeser.com> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Sybille Peters authored
The edit record icon now has a proper button style to unify the appearance between the modules (e.g. redirect module). Resolves: #92823 Releases: master Change-Id: I899007222068fba39ff6672433908e04db31804e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66609 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Chris Müller <typo3@krue.ml> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Chris Müller <typo3@krue.ml> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Joachim Eckerlin authored
Additional wrapper around the sword in the search result template. Allowing CSS Styling to the word, but not the label. Resolves: #92786 Releases: master Change-Id: Iff9cab894883ed1cefe0769d40cad2f50ecf9102 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66695 Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Richard Haeser <richard@richardhaeser.com> Reviewed-by:
Torben Hansen <derhansen@gmail.com> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Anja Leichsenring authored
In order to improve quick result assessment, a summary is now outputted at the very end of the local test run. Details about test suite, php version and DBMS version are given, together with a clear message whether the test run was successful or not. Resolves: #92796 Releases: master, 10.4, 9.5 Change-Id: I0470a5e811088a5b56174ff66eaff1fd8387264e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66571 Tested-by:
Simon Gilli <typo3@gilbertsoft.org> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Simon Gilli <typo3@gilbertsoft.org> Reviewed-by:
Jonas Eberle <flightvision@googlemail.com> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Markus Klein authored
The l10n_parent fields of sys_file_metadata and sys_file_reference are never shown anywhere. Having them as type 'select' in the TCA causes the FormEngine to try loading all possible parent values, which can be thousands or more. This degrades backend performance towards unusable. Changing the TCA definition to 'group' mitigates the issue easily as no lookup list has to be created/loaded. Resolves: #92863 Releases: master, 10.4 Change-Id: Ibf76ac51f6d79a69fdc19bfe1993bcb6c97de233 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66671 Reviewed-by:
Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by:
Torben Hansen <derhansen@gmail.com> Reviewed-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Mathias Brodala <mbrodala@pagemachine.de> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Matthias Weber authored
Set the color of placeholders to #767676 to meet WCAG AA conformance for background-color #fefefe. Resolves: #92621 Releases: master Change-Id: I573876390cc628793817a5498479b0389afd05cc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66262 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
TYPO3com <noreply@typo3.com> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Christian Kuhn authored
It seems the DynamicReturnTypePlugin for PhpStorm does not deal with 'self::class'. Change a couple of makeInstance() calls to hint for the returned object. Resolves: #92876 Releases: master Change-Id: I2cd2ad28dcd4e3baba641bdbc0dbdbc50d6bde9d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66699 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Andreas Fernandez authored
Since #92689 the IconRegistry is fed by a JSON file taken from the TYPO3.Icons repository and does not grab all PNG and SVG files from the filesystem and auto-register these files anymore. It turned out that some icons (all of them being PNG files) are not part of the TYPO3.Icons repository and thus haven't been registered anymore. This patch now registers icons of EXT:backend and EXT:impexp explicitly which are not part of the beforehand mentioned repository. Resolves: #92860 Related: #92689 Releases: master, 10.4 Change-Id: I0baab2b00be100ad768b4a67bf678e71e11f70bb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66693 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Simon Gilli <typo3@gilbertsoft.org> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
Simon Gilli <typo3@gilbertsoft.org> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Andreas Fernandez authored
With upcoming TYPO3 v11, support for PHP versions older than 7.4 is cancelled. Due to this, we don't have to check these versions anymore in Bamboo and thus remove them from the build plans. Resolves: #92888 Releases: master Change-Id: Iae261d4f4bc8ec205a583f685fda2ef183f32767 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66714 Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Charanth authored
These two parameters are switched. Releases: master, 10.4, 9.5 Resolves: #92887 Change-Id: I7a896a167f39b8a68664ef6f37b3b1be447825c9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66712 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Christian Kuhn authored
In the frontend middleware chain PrepareTypoScriptFrontendRendering interacts with TSFE and calls getFromCache() which acquires frontend rendering locks. Locks are usually released after TSFE rendering in the final middleware, the HTTP/RequestHandler. Middleware ShortcutAndMountPointRedirect however, which is called after PrepareTypoScriptFrontendRendering, can return early without calling below middlewares. In this case, locks need to be explicitly released to prevent a deadlock. This is not an issue in normal frontend calls since acquired locks are always released in __destruct() of the locking API. But, if the frontend is called as sub request, for instance from within another frontend call, from cli or testing, the lock API destructors may or may not be called. If not, this leads to dangling locks after the FE sub request, which then may block a following sub request executed in the same process. Resolves: #92882 Releases: master, 10.4 Change-Id: I231e56fb04ffa899c6e1b4d7e1a9e4a971f632db Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66707 Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Georg Ringer authored
The usage count of forms in the form module must not count deleted elements. Resolves: #92880 Releases: master, 10.4 Change-Id: Ia58c4e28e03ea1caa3b22ba1188d039fcdea69ea Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66709 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Rudy Gnodde <rudy@famouswolf.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Rudy Gnodde <rudy@famouswolf.com> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
- Nov 19, 2020
-
Christian Kuhn authored
To bootstrap TYPO3 sub requests, the testing framework needs an instance of the class loader. There is no good way to retrieve this object that is immutable for the entire process. During casual bootstrap, an instance of the class loader is parked in object ClassLoadingInformation. The patch makes getClassLoader() public to allow retrieval. This solution is kinda ugly and should probably change later. The public method is for now marked @internal and should not be used by third party code to allow structural changes later. Resolves: #92883 Releases: master Change-Id: Ic819e1a5989a74ebf634e1b1090058b7fe93af9e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66708 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Christian Kuhn authored
Frontend, backend and install tool application classes are the main entry points to create a response from a request object. From within an HTTP index.php, run() is called, which creates the request object from globals and feeds that to handle(). But, to retrieve a TYPO3 response from within a different PHP application, or from within TYPO3 itself (e.g. a backend calls a frontend), the leading application would want to hand over a given or specially crafted PSR-7 ServerRequest directly. This is exactly what PSR-15 RequestHandlerInterface is for. By implementing this interface in the application classes, the core increases interoperability significantly and allows to be easily called by a third party PHP application. Resolves: #92884 Releases: master Change-Id: I3047c92de06668db4dd5ef224bafde23f4b8ebd5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66710 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Christian Kuhn authored
Handing over '/' as $uri to InternalRequest() in functional tests triggers an ugly fallback mechanism that changes this to 'http://localhost/' within the FE call. Not handing over any $uri string at all defaults to 'http://localhost/' too, but at a much earlier and more transparent point. The patch streamlines two places that used the above method. Resolves: #92877 Releases: master, 10.4 Change-Id: Ic8e8e58315efeaf49298737f549bb5955520f7f8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66700 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Christian Kuhn authored
Test related fixture extension 'test_datahandler' still has calls in ext_tables.php that change $GLOBALS['TCA']. This is forbidden for a while. Move those calls to Configuration/TCA/Overrides. Resolves: #92879 Releases: master, 10.4 Change-Id: I4cc66ca41caf52d872b0ff1a06a90d180a739ddb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66705 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Christian Kuhn authored
Test related fixture extension 'irre_tutorial' still has calls in ext_tables.php that change $GLOBALS['TCA']. This is forbidden for a while. Move those calls to Configuration/TCA/Overrides. Resolves: #92878 Releases: master, 10.4 Change-Id: I56c652e5073ef26c46335e05213363007d4450e5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66703 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
- Nov 18, 2020
-
Markus Klein authored
The backend module for backend users needs to use the hashed sessionId to check the online status if the session backend allows hashed ids. Resolves: #92871 Releases: master, 10.4, 9.5 Change-Id: Ifb5c2f48c751a52233888b293347425afd3092ae Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66697 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Benni Mack <benni@typo3.org>
- Nov 17, 2020
-
Helmut Hummel authored
Extracting SVG processing to its own processor did not respect that previously SVG files without dimensions were handled as a side effect of undefined behaviour without causing hard errors. The new processor however throws an exception instead of accepting undefined behaviour, which causes old installations with such SVG files to break. As a mitigation (as long as no other correct behaviour is defined), some default image dimensions are assumed for SVG files where none can be properly determined. This does not make SVG files without defined dimensions properly work, but at least restores the previous behaviour of not throwing an exception. Additionally extracting SVG processing uncovered another bug that existed, but never fully surfaced before. Processed files that were updated, but in fact were using the original file (like SVGs typically do) accessed the wrong storage to fetch file infos, when the processed files were configured to remain of a different storage. This is now properly checked as well. Resolves: #92444 Resolves: #92449 Related: #92014 Releases: master, 10.4 Change-Id: Ide10af8105c5fb6a5257aa7a16e48a02a925a8fe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65963 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Timo Poppinga <timo.poppinga@zdrei.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Timo Poppinga <timo.poppinga@zdrei.com> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com>
-
Georg Ringer authored
If the TSconfig setting is turned on, translations of content elements are bound to the default record in the display. This means that within each column with content elements any translation found for exactly the shown default content element will be shown in the language column next to the translation. This feature has been forgotten during the rewrite and is now readded. Resolves: #92482 Releases: master, 10.4 Change-Id: I408343d3b9a33b3239d1f341f3df36b65d2cd9c8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66412 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Helmut Hummel authored
To avoid loss of quality and spawning unnecessary imagemagick processes, cropping and scaling of images is now done with a single imagemagick process. By doing so, the code for SVG processing is streamlined. SVG processing code can further be improved later, by putting it into a dedicated file processing task processor. Releases: master, 10.4 Resolves: #91855 Change-Id: I3bf735e74dd46dec73431405f37616506747ccdf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65187 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Oliver Hader authored
Processing XML external entities is explicitly disallowed when retrieving RSS/XML data from a remote service. Code-wise it is handled as a security issue - however it was not possible to actually exploit the code with current system distributions. Default processing of external entities has been disabled in libxml2 since version 2.9 - thus, most systems are not affected by this issue. Resolves: #92329 Releases: master, 10.4 Change-Id: Ia00e98ea8e54472ad09fbf4beaf1481eaa5fd7a2 Security-Bulletin: TYPO3-CORE-SA-2020-012 Security-References: CVE-2020-26229 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66665 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Instead of storing session IDs with their corresponding storage backends in plain text, their HMAC-SHA256 (Redis) or HMAC-MD5 (DB) is being used. HMAC-MD5 had to be chosen to avoid breaking changes for limited field size in database fields (32 characters currently). This change also allows a fallback to non-hashed-session values, meaning that
* set() and update() will create new session records with the hashed identifier
* get() contains a fallback to the non-hashed-version when no session with a hashed identifier is found
Resolves: #91854 Releases: master, 10.4, 9.5 Change-Id: Ia57acc5e0d0cf71088af1aaff1ab894bd1d4e3dd Security-Bulletin: TYPO3-CORE-SA-2020-011 Security-References: CVE-2020-26228 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66664 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
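The storage scheme described in the commit message above, as an added example that is not TYPO3's own code: records are keyed by the HMAC of the session ID, get() falls back to plain-text records written earlier, and update() re-keys them. The class name, the in-memory row store, the "legacy" flag, the removal of the plain-text row in update() and the key are assumptions of this example.

```php
<?php
declare(strict_types=1);
// Added illustration, not TYPO3 core code. The class, the in-memory row store,
// the "legacy" flag and the key are assumptions made for this example.
final class HashedSessionStore
{
    /** @var array<string, array{legacy: bool, data: array}> rows keyed by stored identifier */
    private array $rows = [];
    private string $algo;
    private string $key;

    public function __construct(string $algo, string $key, array $legacyIds = [])
    {
        $this->algo = $algo; // 'sha256' (Redis case) or 'md5' (32-character DB column)
        $this->key = $key;
        foreach ($legacyIds as $id) {
            // Rows written before the change are keyed by the plain-text session ID.
            $this->rows[$id] = ['legacy' => true, 'data' => []];
        }
    }

    public function hash(string $sessionId): string
    {
        return hash_hmac($this->algo, $sessionId, $this->key);
    }

    public function set(string $sessionId, array $data): void
    {
        // New records are only ever written under the hashed identifier.
        $this->rows[$this->hash($sessionId)] = ['legacy' => false, 'data' => $data];
    }

    public function get(string $sessionId): ?array
    {
        $hashed = $this->hash($sessionId);
        if (isset($this->rows[$hashed])) {
            return $this->rows[$hashed]['data'];
        }
        // Fallback for records that predate hashing. It only matches rows flagged as
        // legacy, so a value copied from the store never matches a hashed row.
        $row = $this->rows[$sessionId] ?? null;
        return ($row !== null && $row['legacy']) ? $row['data'] : null;
    }

    public function update(string $sessionId, array $data): void
    {
        $current = $this->get($sessionId);
        if ($current === null) {
            throw new RuntimeException('Session not found');
        }
        // Assumption of this example: drop the plain-text row once it is migrated.
        if ($this->rows[$sessionId]['legacy'] ?? false) {
            unset($this->rows[$sessionId]);
        }
        $this->set($sessionId, array_merge($current, $data));
    }

    public function storedIdentifiers(): array
    {
        return array_map('strval', array_keys($this->rows));
    }
}

function check(bool $ok, string $label): void
{
    echo ($ok ? 'ok: ' : 'FAILED: ') . $label . PHP_EOL;
}

$key = 'constructed-demo-key';          // constructed secret for the demo
$legacyId = str_repeat('a1', 16);       // constructed 32-character legacy session ID
$newId = bin2hex(random_bytes(16));     // fresh session ID
$db = new HashedSessionStore('md5', $key, [$legacyId]);
$redis = new HashedSessionStore('sha256', $key);
$db->set($newId, ['user' => 1]);

check(strlen($db->hash($newId)) === 32, 'HMAC-MD5 fits the 32-character column');
check(strlen($redis->hash($newId)) === 64, 'HMAC-SHA256 is 64 hex characters');
check(!in_array($newId, $db->storedIdentifiers(), true), 'plain ID is not stored');
check($db->get($legacyId) === [], 'legacy plain-text record is still readable');
$db->update($legacyId, ['user' => 2]);
check(!in_array($legacyId, $db->storedIdentifiers(), true), 'update() re-keyed the legacy record');
check($db->get($legacyId) === ['user' => 2], 'session survives the re-keying');
check($db->get($db->hash($newId)) === null, 'a stored identifier is not accepted as a session ID');
```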
-
Oliver Hader authored
* XSS in `f:be.labels.csh` in argument `label`
* XSS in `f:be.menus.actionMenu` in argument `label`
* XSS in `f:form` in argument `fieldNamePrefix`
Resolves: #92602 Releases: master, 10.4, 9.5 Change-Id: I7574bfb60eb2e11ecfb98d187f2edd580f43cd93 Security-Bulletin: TYPO3-CORE-SA-2020-010 Security-References: CVE-2020-26227 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66663 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: Ie2adfafff4ab57cac9426d9a5784b794f459ea7c Resolves: #92829 Releases: master Security-Bulletin: TYPO3-CORE-SA-2020-009 Security-References: CVE-2020-26216 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66662 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Markus Klein authored
The access settings is an exclude field and hence the value is synchronized to the translation. Fetching the translation overlay therefore does not need to evaluate the fe_groups again. Resolves: #91725 Releases: master, 10.4, 9.5 Change-Id: Ie6ec2208d15f67eafb6a48627c5f1b76ffdc5725 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66330 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
- Nov 16, 2020
-
Alexander Schnitzler authored
Since there is no dedicated AbstractController any more and ActionController cannot be dispatched without being extended the class is finally marked abstract. Releases: master Resolves: #92850 Change-Id: I910765ded482a59789dc3830701e497b4b8b45b8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66642 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Oliver Hader authored
Introduces Content-Security-Policy HTTP header check on fileadmin/ resources. This can be seen as follow-up to TYPO3-CORE-SA-2020-006 and TYPO3-PSA-2019-010 now actively analyzing this HTTP header and letting users know in reports module and system environment check of the Install Tool. Resolves: #92835 Releases: master, 10.4, 9.5 Change-Id: I53028ae36c9195082993ee89d630efa7b555c547 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66627 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
The session expiration time for the install tool is reduced from 60 to 15 minutes. When accessing the install tool via backend user interface, currently logged in backend users have to confirm their user password again in order to get access to the install tool. This process is known as "sudo mode". Standalone install tool is not affected by sudo mode confirmation. This change enforces mitigation as mentioned in TYPO3-CORE-SA-2020-006, see https://typo3.org/security/advisory/typo3-core-sa-2020-006. Resolves: #92836 Releases: master, 10.4, 9.5 Change-Id: Ib4f0e92346610879347a48587ffd575429b98650 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66630 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Torben Hansen <derhansen@gmail.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Torben Hansen <derhansen@gmail.com> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Christian Kuhn authored
Instead of instantiating PageRenderer early in ext_localconf, the additional require js for t3editor and rte_ckeditor is now injected by a PageRenderer hook when needed. Releases: master Resolves: #92848 Change-Id: I070d75482deb0b4c7a301719440ae18d28f0a57a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66641 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Chris Müller authored
Resolves: #92854 Related: #92062 Releases: master Change-Id: I416d747877aa3d7f56e8ddbd3438db27576c0ce4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66645 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Chris Müller authored
Resolves: #92851 Releases: master Change-Id: If7249e411165e1050b55d1d7aa9da6896fe3d9ba Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66643 Reviewed-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Benni Mack authored
With this change an undefined symbol is included when not having AdminPanel loaded: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66218 This change aims to change the logic for checking if the preview flag is enabled. Resolves: #92746 Reverts: #92242 Releases: master, 10.4, 9.5 Change-Id: I1005424a86f1ced595b23938bd6dcc70ff2f00c9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66372 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com>
-
Christian Kuhn authored
Functional test case methods getFrontendResponse() and getFrontendResult() have been deprecated a while ago but their core usages have not been adapted. Do this now by switching to their younger counterparts. Change-Id: Ica1a6625a29b9d35189f2c9fce29da52f121d280 Resolves: #92845 Releases: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66635 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Benni Mack authored
In order to build the group resolving more flexible, the major method "fetchGroupData()" is now separated into a smaller chunk as a pre-patch. Resolves: #92814 Releases: master Change-Id: Id688355a869948e1b4eb57f06ed23cee0e2d513c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66598 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
- Nov 14, 2020
-
Eric Chavaillaz authored
If the loading text of the login box is too large, the text exceeds the size of the login button. This patch allows the button to grow vertically. Resolves: #92622 Releases: master, 10.4 Change-Id: I9aa7858fd23c5f5848657c6c029769e9fa8de179 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66554 Tested-by:
Martin Kutschker <mkutschker-typo3@yahoo.com> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Mathias Brodala <mbrodala@pagemachine.de> Tested-by:
Torben Hansen <derhansen@gmail.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Martin Kutschker <mkutschker-typo3@yahoo.com> Reviewed-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
Torben Hansen <derhansen@gmail.com> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>