Releases: main, 11.5, 10.4
Resolves: #99348
Change-Id: I43d305b0f02bd6049f32e65c95184a2d5bfa4fe5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77053


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

When working with variable interpolation and similar scenarios, in
most cases variables, constants, expressions, ... are embedded in
a solid string and can only be identified and extracted by the
corresponding "reader" or "parser".

This string fragment splitter aims to introduce a simpler way for
extracting and working with these embedded fragments.

Example:
    $pattern = new StringFragmentPattern(
      StringFragmentSplitter::TYPE_EXPRESSION,
      '%[^%]+%'
    );
    $splitter = new StringFragmentSplitter($pattern);
    $collection = $splitter->split(
      'Hello %variable% World!'
      FLAG_UNMATCHED_AS_NULL
    );

    // results in having
    // + StringFragment(type: 'raw', value: 'Hello ')
    // + StringFragment(type: 'expression', value: '%variable%')
    // + StringFragment(type: 'raw', value: ' World!')

Resolves: #97553
Releases: main, 11.5, 10.4
Change-Id: Ie2b02a247ca884fa44ab7b3ba21214c8ee9bc457
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76947


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Resolves: #99281
Releases: main, 11.5, 10.4
Change-Id: Ic65f08aa0bb67f97880d0ff5bb4c692fe7e6ffde
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76953


Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>

<figure> is allowed in HTML5 outside of paragraphs,
thus it should also be configured like that out-of-the-box

See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure

Since CKEditor5 is using <figure> around tables, and also
might add a <figcaption> both variants are now enabled by default.

Resolves: #99273
Releases: main, 11.5, 10.4
Change-Id: I9356cc13ccef764f475ba42cc47f43f7ecd624a1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76898


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>

see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.0

composer req typo3/html-sanitizer:^2.1.0
composer req typo3/html-sanitizer:^2.1.0 \
  -d typo3/sysext/core --no-update

To use custom output rules, the Behavior object must be known in
the Sanitizer, see https://github.com/TYPO3/html-sanitizer/pull/98

Resolves: #99271
Releases: main, 11.5, 10.4
Change-Id: I160f8b49284566afde87d07dde7a4fb69e3174c9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76921


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

This patch ensures that search term like Ärmel and Æble
is also working. Currently the match didn't work if a
uppercase special char was used.

With the additional modifier, this is now working, and
there will be matches on both lowercase and uppercase
matching words.

Resolves: #97986
Releases: main, 11.5, 10.4
Change-Id: If7ff1669ead57557964ed5372c4af749c316d7bf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76895


Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>

This encodes the PDF metadata to UTF-8 to ensure that special chars
like æ ø å ü ö ä are allowed without cutting of the metadata text.

Resolves: #80085
Releases: main, 11.5, 10.4
Change-Id: I02b0730dd659b54c0d8c7186a2089419bd56d2a2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76893


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

This patch updates `moment-timezone`, having a fixed vulnerability,
along with the related `moment` library.

Executed commands:

    yarn add \
        moment@^2.29.4 \
        moment-timezone@^0.5.35
    grunt build

Resolves: #99061
Releases: main, 11.5, 10.4
Change-Id: I36376bad194aa63dda0146c8bc0f481b932dc89d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76558


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Invalid file names containing special characters like `<` or `>`
are not correctly represented as text node. Error messages wrapped
in an XML node need to be properly encoded.

This was originally reported as a vulnerability, after analyzing the
scenario, the TYPO3 Security Team came to the conclusion to handle it
in public. It cannot be exploited directly without knowing the backend
form protection token of a particular user session.

Resolves: #98382
Releases: 11.5, 10.4
Change-Id: Icd73de28ef3b702b45cbc8f232b5595b6fda127b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76350


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

With #85044, HMAC validation for form definitions in the backend form
editor was introduced. However, nested multi-valued options have not
been signed with corresponding HMAC values - which lead to error
messages when persisting the form again in the backend.

The exception for `_value` and `_label` (properties used for those
multi-valued items) have been removed when generating HMAC values.

Resolves: #94106
Resolves: #97235
Related: #85044
Releases: main, 11.5, 10.4
Change-Id: Iaf6798e0f5aa43bdaf90b2c1866745abaab25de1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76164


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

JetBrains created a new product named `Fleet` as
lightweight editor. This tool tends to write it's
config files to `.fleet/` folders, like all of the
IntellJ based IDE's like PHPStorm uses the `.idea`
folder.

This change adds this config folder to .gitignore
to avoid adding this folder to a patch if `Fleet`
is used to create a patch.

Resolves: #98615
Releases: main, 11.5, 10.4
Change-Id: I4f629a37904c2e9fda57df830377c98a88bec69c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76067


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

The doc comments for some functions in `\TYPO3\CMS\Core\Database\Connection`
state, that table expressions and columns are not escaped. This is actually
not true and it seems those doc comments have been adopted directly from
`doctrine/dbal` back in 2016, when Doctrine DBAL was introduced to TYPO3.

Resolves: #98318
Releases: main, 11.5, 10.4
Change-Id: If23d568b23ef1b3c6f40efd50e907af54c349b3d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75650


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

`GeneralUtility::flushInternalRuntimeCaches` now also flushes the caches
used by `makeInstance` to determine the final class name for
instantiating classes. This allows unit tests to test that classes can
be XCLASSed without the dummy XCLASS configuration spilling over into
the next unit test.

Resolves: #98346
Releases: main, 11.5, 10.4
Change-Id: Iea1d85231c5b51bb743f48ab018340997e39c3d3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75647


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Change-Id: Ib8ba8cc8c720f50691897abc59fda00fef32e905
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75722


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Change-Id: I6dc1c8bd8f1c308ccc283de2d801e0821fb7253e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75721


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.0.16

composer req masterminds/html5:^2.7.6 typo3/html-sanitizer:^2.0.16
composer req masterminds/html5:^2.7.6 typo3/html-sanitizer:^2.0.16 \
  -d typo3/sysext/core --no-update

Resolves: #98340
Releases: main, 11.5, 10.4
Change-Id: I254ea25410e01f7610b0c4ef8b83441ab216f1ca
Security-Bulletin: TYPO3-CORE-SA-2022-011
Security-References: CVE-2022-36020
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75708


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Variables in child nodes like `<f:asset.css>{value}</f:asset.css>`
were not encoded and allow cross-site scripting. In case values shall
be taken as is, corresponding `f:format.raw` instruction has to be used.

Resolves: #97900
Releases: main, 11.5, 10.4
Change-Id: Id843a41c42bbe1f74cdc4efbc117b24d20026b97
Security-Bulletin: TYPO3-CORE-SA-2022-010
Security-References: CVE-2022-36108
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75707


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

FileDumpController is used to expose stored files from the backend
user interface through a corresponding service-side process. Since
content-security-policy settings for files served directly by the
web server won't be applied, FileDumpController has to take care.

Resolves: #98221
Releases: main, 11.5, 10.4
Change-Id: I4fde10e48e33fa08452eddf876172f56b4f38e28
Security-Bulletin: TYPO3-CORE-SA-2022-009
Security-References: CVE-2022-36107
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75706


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

When a TYPO3 backend user performs a password reset request, a
password reset link including an expiration time is sent to the
user. The expiration time is included in HMAC calculation of
the saved password reset hash, but it is never evaluated if the
expiration time is exceeded.

This change adds the missing validity check for the expiration
time included in the password reset link.

Resolves: #97998
Releases: main, 11.5, 10.4
Change-Id: I8a1730faf6489e5c5eebb44ff4f82606785bd637
Security-Bulletin: TYPO3-CORE-SA-2022-008
Security-References: CVE-2022-36106
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75705


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Observing response time during user authentication can be used to
distinguish between existing and non-existing user accounts. This
change introduces `MimicServiceInterface::mimicAuthUser` -  to be
implemented by 3rd party authentication services - which simulates
corresponding times regular processing would usually take.

Resolves: #98217
Releases: main, 11.5, 10.4
Change-Id: I143ae0d3877dffe6f2decbb3f0cf8c9d9cb6ca0b
Security-Bulletin: TYPO3-CORE-SA-2022-007
Security-References: CVE-2022-36105
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75704


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

README.md and CONTRIBUTING.md use the current repository links with this change.
The change also includes several minor edits.

Resolves: #98260
Releases: main, 11.5, 10.4
Change-Id: I77d4741df4134ae0babec2415cd8f5345592e29e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75634


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Stephan Großberndt <stephan.grossberndt@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

All values are default values except the redirectTTL value.

Releases: main, 11.5, 10.4
Resolves: #98238
Change-Id: Ifef0b35445828aa4b82084b5a4216174b9ad3e89
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75577


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Backend modules which use absolute paths (which do not
exist) should not raise an exception / error when
using versionNumberInFilename checks.

This happens e.g. with EXT:solr backend modules
since #97939 was fixed.

In the long-term extensions should define proper
paths, so they also work in TYPO3 installations within
a subfolder but for the time being,
this change helps to solve the problem.

Resolves: #98152
Related: #98106
Related: #97939
Releases: main, 11.5, 10.4
Change-Id: I071f2e63d4423d157f0f060a1295cb145474ee9d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75494


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

This reverts commit 8c724b77.

Reason for revert:
The commit-msg hook now tends to throw away the message.
Fully loosing a commit message is worse than a funny
exit code. We revert for now and eventually come up
with a different solution later.

Change-Id: If1fdc93487e32f4be4f32ffd200005f746a50bee
Reverts: #98094
Resolves: #98094
Releases: main, 11.5, 10.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75453


Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

While trying to restore the full desktop functionality
aka mouse and keyboard behavior on a touch-device we
came to the conclusion that it feels unintuitive.

On touch devices, you have by design fewer input options
and differentiators than with dedicated input devices like
a mouse. It feels best to disable the drag and drop
behavior and enable a smooth scrolling and navigation
experience.

Resolves: #91755
Resolves: #86946
Resolves: #93960
Releases: main, 11.5, 10.4
Change-Id: Ic08d06283cbb2331ff49983bd7d18b446f8bd76a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75431


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

With the fix of using versioned numbered filenames for the
TYPO3 Backend, a use-case "absolutely referenced, but
relative to public path file" did break for Frontend
inclusions of CSS or JS files.

This is now overcome by only using the original bugfix in the TYPO3
Backend.

Resolves: #98106
Related: #97939
Releases: main, 11.5, 10.4
Change-Id: Iff6251bd95e1c0a93a6f5538b9f560e55ba80b0c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75369


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Resolves: #98094
Releases: main, 11.5, 10.4
Change-Id: If84f67d6ac91aeaa47849067e21bef6b13854f3c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75360


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Since the persisted file is stored with a sanitized filename, it must be
replaced with a sanitized file name as well, otherwise an error occurs
that the source with the un-sanitized file name could not be found.

Resolves: #98005
Releases: main, 11.5, 10.4
Change-Id: I9b38316f7a25a281521bff787956dcd6373249d0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75356


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Quite some issues with docker-compose v2 have been fixed
We'll now try to use it again and remove a v1 restriction
in `Build/Scripts/runTests.sh`.

Resolves: #98086
Releases: main, 11.5, 10.4
Change-Id: I7e4ff82df374db33ba42db0e0d1483f6320ba9ea
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75354


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

When using routing and custom enhancers to find out
what page translation was exactly used to build
special logic for Page resolving, the two
language-related properties "sys_language_uid"
and "l18n_cfg" are now loaded (and thus, added to the
"_page" property of a Route) as well.

This is useful as l10n_parent is already loaded anyways.

Resolves: #98042
Releases: main, 11.5, 10.4
Change-Id: I23f964d5d22f27a9affebfeae87906d9549efda0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75230


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

In a scenario, where a backend user has two entry
points, in which the second one intersects the first
one (is a direct sub-page), pages were shown
multiple times.

The reason behind this was, that inside
PageTreeRepository->groupAndSortPages() every page
was added regardless if it was already added in a
previous run. This is the case, when the same pages
are found in different depth levels.

E.g.

1 - Home (DB mount 1)
  2 - Page 1
  2 - Page 2 (DB mount 2)
    3 - Subpage 1 // will be added for level 2 and 3
    3 - Subpage 2

To prevent this, a guard clause was added, which
checks whether the page was already added by
comparing the uid value.

Resolves: #96512
Resolves: #97774
Related: #96367
Releases: main, 11.5, 10.4
Change-Id: I65439011b894f05faef9cb507d905b3d7d3b709f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75224


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Using database queries without deterministic sorting
definition may lead to unreliabe resultsets in some
dbms type and version, which also may change over time.
Thus it's good practice to have proper defined sorting
for queries, at least if result relies on a constant
and reliable result sorting.

With #96512 and #97774 additional tests has been added,
which showed the unreliable of these database queries,
blocking the bugfix backport to TYPO3 v10.4.

This patch adds sorting definition to two db queries in
`\TYPO3\CMS\Backend\Tree\Repository\PageTreeRepository`
to ensure consistent results in a deterministic manner
and make it possible to provide the related bugfix for
TYPO3 v10.4.

Resolves: #98056
Related: #96512
Related: #97774
Releases: main, 11.5, 10.4
Change-Id: I8a1bf3b93bcfcaec4c3de3ea6321db62847d0c21
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75336


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

A serialization issue has been fixed in symfony/mime 4.4.16 / 5.1.8
which has to be used as minimum version.

https://github.com/symfony/symfony/commit/fd99eb26d893390b45c214f4884fea090f1c1178

Resolves: #98052
Releases: 10.4
Change-Id: Ie444aee39685b2f72fc77171fa56040db6a7cf7c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75330


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Stefan Bürk <stefan@buerk.tech>

In preparation for patchset
https://review.typo3.org/c/Packages/TYPO3.CMS/+/70460/,
functional tests are introduced to test the caching behavior
of EXT:form.

Resolves: #97049
Related: #93887
Releases: main, 11.5, 10.4
Change-Id: Ief1c8d90371d6003512f88a064c2d82e51502590
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75326


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Casual raise of v6 typo3/testing-framework.

> composer req --dev mikey179/vfsstream:^1.6.11
> composer req --dev typo3/testing-framework:^6.16.6

Change-Id: I4761948bd8827ab4638f280d5b69403d300afcb1
Resolves: #98026
Releases: main, 11.5, 10.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75294


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The issue has been resolved in sysbox, we don't
need the patch level pin anymore.

Resolves: #98015
Related: #97570
Releases: main, 11.5, 10.4
Change-Id: I1a2080ec3e8609350c9975bad8f65e69513d5f48
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75222


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Creating a version overlay of a record that has flexform
sections and moving or deleting some of these sections
at the same time fails in DataHandler due to a wrong uid
lookup for the section command array.

The patch fixes this scenario in the DataHandler flexform
processing code and leaves an according explanation comment.

Note this v10 backport contains the fix only and skips
the functional tests that have been added with main.

Resolves: #73761
Releases: main, 11.5, 10.4
Change-Id: Ib1c910c59a2ebfe9b7545cabb258f44bac2cd273
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75195


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The reference "Inside TYPO3" is not available anymore since TYPO3 8.7.

The sentences are quite useless anyway.

Releases: main, 11.5, 10.4
Resolves: #97913
Change-Id: I2d496726db8b22de667d230a99f7d17341fd309d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75157


Tested-by: core-ci <typo3@b13.com>
Tested-by: Sybille Peters <sypets@gmx.de>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Sybille Peters <sypets@gmx.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75182

In case GU::createVersionNumberedFilename() receives
a file with an absolute path, no back path should be resolved
since the resolved path will always be invalid, which led
to no version number got added to the filename anymore.

This is now fixed by checking for the path being absolute.

Resolves: #97939
Releases: main, 11.5, 10.4
Change-Id: I5bb0150fa27b8c9c1af2aa99bd8baacd55889245
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75142


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Docblock annotations with more then one space between a wildcard
character `*` and the annotation start character `@` was not found.
Additionally, annotation identifiers did not regonize hyphens as
valid identifier character, thus cutting of e.g. phpstan annoations.

This patch now properly finds annotions with multi-space separations
and annotation identifiers containing hyphens. Additionally, two
phpstan specific annotations are allowed.

> https://phpstan.org/writing-php-code/phpdoc-types#local-type-aliases

Summarized contained tasks:

> find multi-space separated annotations
  e.g. `*  @<AnnotationIdentifier>`
> properly extract full annotation identifier containing hyphens
  e.g. `* @annoation-identifier-with-hyphen`
> add `@phpstan-type` and `@phpstan-import-type` as allowed
  annotation, but only on class level, and not on class-property
  or class-method level

Resolves: #97917
Resolves: #97918
Resolves: #97919
Releases: main, 11.5, 10.4
Change-Id: Iab69ffd87d407088f1237168e19b67a8dc846c8f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75138


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>