- Jun 02, 2014
-
-
Markus Klein authored
The setting for maxitems in the TCA of be_users and be_groups for FAL permissions is wrong. Fix the value to match the number of available options. Resolves: #59263 Releases: 6.2 Change-Id: Ib38aab8bbd1f5fe9287ff0523139f88520f27e37 Reviewed-on: https://review.typo3.org/30518 Reviewed-by: Frans Saris Reviewed-by: Alexander Opitz Tested-by: Alexander Opitz Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
Helmut Hummel authored
ObjectAccess->getPropertyPath() does not work with ObjectStorage and numerical indexes, but it should, because without it form fluid fields cannot be properly handled as the value is always null. Fixing fetching objects from ObjectStorage by index will also enable shorter access of single objects in Fluid. Imagine you want to render the first image in your template. Previously you had to write this:

    <f:for each="{object.images}" as="image" iteration="iterator">
      <f:if condition="{iterator.isFirst}">
        <f:image image="{image}" alt="" width="50"/>
      </f:if>
    </f:for>

Now you can just write:

    <f:image image="{object.images.0}" alt="" width="50"/>

Resolves: #37126 Related: #37000 Releases: 6.2 Change-Id: I45122bd145b5a179ad3e9e3894520f9a614906c8 Reviewed-on: https://review.typo3.org/29923 Reviewed-by: Markus Klein Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring Reviewed-by: Fabien Udriot Reviewed-by: Tymoteusz Motylewski Tested-by: Tymoteusz Motylewski Reviewed-by: Georg Ringer Tested-by: Georg Ringer
-
- Jun 01, 2014
-
-
Helmut Hummel authored
The AbstractUserAuthentication::checkAuthentication() method calls the logoff() method on every failed login attempt. Since a logoff also causes a removal of the cookie, any (anonymous) session data will be left inaccessible. Keep the cookie when session data is present. Releases: 6.2 Resolves: #58713 Change-Id: I744456f62197a7278635d8564d4883564d954dd2 Reviewed-on: https://review.typo3.org/30485 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel Reviewed-by: Wouter Wolters Reviewed-by: Stefan Neufeind Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- May 30, 2014
-
-
Frans Saris authored
TCEforms is not wrapped in a div when dividers2tabs is disabled and an inline-element form element is present. As a result there is no background image/color shown. This change removes the check as the wrap is also needed when inline-elements are present. Resolves: #59163 Releases: 6.2 Change-Id: I8772fce0d99bacdf18692308c700c02c0a0defcf Reviewed-on: https://review.typo3.org/30461 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Kay Strobach Tested-by: Kay Strobach Reviewed-by: Frans Saris Tested-by: Frans Saris
-
- May 29, 2014
-
-
Markus Klein authored
This is not possible in PHP 5.3. Resolves: #59203 Releases: 6.2 Change-Id: I108578f7635c50493a3b5d7a7fc81c021805abf8 Reviewed-on: https://review.typo3.org/30489 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Sebastian Michaelsen authored
The title of a flexform element is cropped to maximum length of 30 characters. Instead it should obey the maximum title length in the user settings. Resolves: #58910 Releases: 6.2, 6.1 Change-Id: I28c6fc94b2d492217479bf014ff8f67463b4e98f Reviewed-on: https://review.typo3.org/30242 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Goran Medakovic authored
Fixes: #58485 Releases: 6.2 Change-Id: I9c3243b2cca9edb89d262a4d3f9cde17b906d440 Reviewed-on: https://review.typo3.org/30118 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Tymoteusz Motylewski Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Sebastian Michaelsen authored
It's common sense to use self:: where possible because it's quicker and makes code better understandable. This change fixes 2 violations in \TYPO3\CMS\Core\Utility\GeneralUtility Releases: 6.2 Resolves: #59001 Change-Id: Ie56a6697186426e3ff082b1694572c885c8420f5 Reviewed-on: https://review.typo3.org/30257 Reviewed-by: Christian Kuhn Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Markus Klein authored
When setting up a new TYPO3 installation, TYPO3 should redirect to the install tool, when accessing the frontend or backend. This redirect fails since introduction of the trustedHostsPattern since no configuration is available at this point, while the request itself is a BE or FE request, which will be denied in this case. Solution is to set the REQUEST_TYPE to INSTALL before doing the redirect to install tool so that creating the redirect is allowed. Resolves: #59087 Releases: 6.2, 6.1 Change-Id: I31bcbc20fa1c9bca0d6bf2b940bf26b9affe893b Reviewed-on: https://review.typo3.org/30376 Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Markus Klein authored
ext_emconf.php may lack the dependencies array. This will cause a PHP warning in a foreach loop. Fix this by checking for the type first. Resolves: #58640 Releases: 6.2 Change-Id: Ifb04268e04f5349282f895f6b3d7354dbc45affc Reviewed-on: https://review.typo3.org/29947 Reviewed-by: Christian Kuhn Reviewed-by: Xavier Perseguers Tested-by: Xavier Perseguers Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring
-
Markus Klein authored
Resolves: #58756 Releases: 6.2 Change-Id: Ide09c7792e9b24afe480230893cac18570ce4f19 Reviewed-on: https://review.typo3.org/30069 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- May 28, 2014
-
-
Michael Schams authored
This patch corrects a minor typo in module: Web -> About TYPO3 CMS. It currently reads "TYPO3 CMS is a enterprise-class...", but it should read: "...is an enterprise..." ("an" with a "n"). Resolves: #59187 Releases: 6.2 Change-Id: I4e77e54dded08ef4cbdd484d81660a1e39241986 Reviewed-on: https://review.typo3.org/30476 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
David Greiner authored
If localizing a parent-child structure, usually the language of the parent element shall be applied to related child records as well as new child records. Due to a missing array segment, the accordant section in the InlineElement source code never was processed. Resolves: #57063 Releases: 6.2, 6.1 Change-Id: I7e563044f9889538f9b8171f71f7685722db8266 Reviewed-on: https://review.typo3.org/30448 Reviewed-by: Markus Klein Reviewed-by: David Greiner Reviewed-by: Wouter Wolters Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Frans Saris authored
With the cleanup of the backend styles a padding of the palette header got missing. This patch adds this padding just like the other headers in the TCEforms. Resolves: #59160 Releases: 6.2 Change-Id: I25ca0ccb0bbd7f4f6d014e12f1cebe1b12050718 Reviewed-on: https://review.typo3.org/30458 Reviewed-by: Georg Ringer Tested-by: Georg Ringer
-
- May 26, 2014
-
-
Nicole Cordes authored
Due to patch https://review.typo3.org/#/c/30305/ the string comparison on colPos fails and new content elements are always stored on pid 0. This patch corrects the check for an integer colPos type by setting the unused variable to NULL. Resolves: #59059 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: Iecd7f0cacf5c9315d882eebeb3893bcfa63ae7eb Reviewed-on: https://review.typo3.org/30389 Reviewed-by: Fabien Udriot Tested-by: Fabien Udriot Reviewed-by: Alexander Opitz Tested-by: Alexander Opitz Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- May 23, 2014
-
-
Stanislas Rolland authored
Problem: Token validation fails. Solution: Use BackendUtility::getModuleUrl to ensure validity of token. Resolves: #58371 Releases: 6.2 Change-Id: I334826dbeb2a11a6b28d4fd610670fe4d7558e1a Reviewed-on: https://review.typo3.org/30221 Tested-by: Chris Müller Reviewed-by: Stanislas Rolland Tested-by: Stanislas Rolland
-
Marc Bastian Heinrichs authored
Extbase allows to register alternative implementations for objects. However that does not work for view helpers using a closing tag. The resolved (alternative) object is compared to the name of the original view helper and throws an exception like: #1224485398: Templating tags not properly nested. Expected: "AlternativeViewHelper"; Actual: "OriginalViewHelper" A simple solution is to save the class name of the object returned from the object manager in a runtime cache and check this when resolving a view helper name. A nice side effect is, that a same view helper name must not be calculated over and over again. Fixes: #52272 Releases: 6.0, 6.1, 6.2 Change-Id: Ie49e5e83c779b4748dc2059f8fbc85552ce4b406 Reviewed-on: https://review.typo3.org/24057 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Marc Bastian Heinrichs authored
The maximums for today's exports are limited too strict. It's 10MB for a settable file size included in exports; raise it to 1000MB. The maximum settable number of records is 10000; raise it to 1000000. Resolves: #58912 Releases: 6.2 Change-Id: If2613b453cfbfda5c4909770064f112c23eca83b Reviewed-on: https://review.typo3.org/30202 Reviewed-by: Tymoteusz Motylewski Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn Reviewed-by: Georg Ringer Tested-by: Georg Ringer
-
Sebastian Michaelsen authored
* Avoid unnecessary fully qualified class names
* Add return NULL for consistency if a method only returns a value in some cases

Releases: 6.2 Resolves: #59006 Change-Id: I8c005a3e20fc49d65123e415025bef1c41ad7854 Reviewed-on: https://review.typo3.org/30260 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Oliver Klee Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Marc Bastian Heinrichs authored
Fix sql error "Column 'public' cannot be null" on saving with unchecked box public. Resolves: #57405 Releases: 6.2 Change-Id: I1582728cc56781fdc12409956008fc82a6cd0d03 Reviewed-on: https://review.typo3.org/30112 Reviewed-by: Fabien Udriot Tested-by: Fabien Udriot Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Caspar Stuebs authored
Change-Id: I4c71414dca763d9ba29ab93b18a0389941f51af7 Resolves: #58809 Releases: 6.2 Reviewed-on: https://review.typo3.org/30113 Reviewed-by: Dmitry Dulepov Reviewed-by: Oliver Klee Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Thomas Löffler authored
Additionally solve the problem when http:// is missing due to usage of the link wizard. Change-Id: I676d14b4ddf81d5d3ec0fc0d0ebb32d08910047a Resolves: #58569 Resolves: #58986 Releases: 6.2 Reviewed-on: https://review.typo3.org/29952 Reviewed-by: Xavier Perseguers Tested-by: Xavier Perseguers Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- May 22, 2014
-
-
Markus Klein authored
lang/4.5/locallang_csh_pages.xlf contains invalid HTML structure: a <p> tag should actually be a <b> tag. Resolves: #58936 Releases: 6.2, 6.1, 4.5 Change-Id: Id37d424296628202d8d434e0cf9cafd8529da2c3 Reviewed-on: https://review.typo3.org/30220 Reviewed-by: Stefan Neufeind Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Markus Klein authored
Fix the usage of relative paths in INCLUDE_TYPOSCRIPT inclusions of static templates from extensions.

EXT:myext/Configuration/TypoScript/setup.txt:

    <INCLUDE_TYPOSCRIPT: source="DIR:./Setup/">

EXT:myext/Configuration/TypoScript/Setup/ holds some TS files.

Resolves: #57447 Releases: 6.2 Change-Id: I64ba190fa6959eb27a2d6f1c278cfb9c9c3cbfaf Reviewed-on: https://review.typo3.org/29468 Reviewed-by: Stefan Neufeind Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Jan Kiesewetter Tested-by: Jan Kiesewetter Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Markus Klein authored
PathUtility::getAbsolutePathOfRelativeReferencedFileOrPath() Add a check to the function to identify a given basepath as described in the function header. Resolves: #57918 Releases: 6.2, 6.1 Change-Id: I8de12cb917b2f32490bb160686ce06a036abfd85 Reviewed-on: https://review.typo3.org/29467 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Helmut Hummel authored
The unit tests for the recent HTTP host fix are failing if executed in CLI mode. In CLI mode no server environments and HTTP headers are available, that's why the behavior needs to know about the test execution process. We solve this by mocking allowed request types. Resolves: #59022 Releases: 6.2, 6.1, 6.0 Change-Id: I3c93d181dcec5f34064798e7c31240877fde610d Reviewed-on: https://review.typo3.org/30323 Reviewed-by: Nicole Cordes Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
TYPO3 Release Team authored
Change-Id: Ic42722b40b91e61dfd839241b91b9ff31a322259 Reviewed-on: https://review.typo3.org/30317 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
TYPO3 Release Team authored
Change-Id: Ib7b6505d59bdec51f537afec80678c11c0ad0b89 Reviewed-on: https://review.typo3.org/30316 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
Helmut Hummel authored
TYPO3 uses the values of HTTP_HOST in several places without validating them. This could lead to a situation where links are generated using the host part from HTTP_HOST. Since HTTP_HOST headers are user input and can be spoofed by an attacker, it leads to several potential and actual security issues.

To address this, a configuration option for trusted hosts is added, which is evaluated every time getIndpEnv('HTTP_HOST') is called. The configuration option is $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] and can contain either a regular expression or the value "SERVER_NAME".

To properly output the exception message in case the trustedHostsPattern does not match, we need to adapt the exception handlers slightly to not log information in this case and to actually show the message even in production context to not confuse admins on what is currently going wrong.

To not break all existing installations, the default pattern is set to 'SERVER_NAME' which allows all HTTP_HOST values matching the SERVER_NAME (and optionally the SERVER_PORT if a port is specified in the HTTP_HOST value). This will secure all installations which use properly configured name based virtual hosts, but leaves installations where the web server is not bound to a specific host name still in an insecure state.

Change-Id: I42fe77fe919755942636108a71c31175647449a9 Fixes: #30377 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30307 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Nicole Cordes authored
Needs to be fixed also in 6.x, but the affected function is not used anymore. Change-Id: If10b0cf25015eada0657aaebc19da3e3364f738a Fixes: #54111 Fixes: #54113 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: d23f0ccc8960832c184a0e6c5daced98a0b6d096 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30306 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Marcus Krause authored
Sanitize user-input colPos in new content element wizard. Change-Id: Ifa90ea1ede3b6c2a5436c505993c533803306d01 Fixes: #48695 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: bad0160450fb5786e1cb1e393c76c3da38c2ffe7 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30305 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Marc Bastian Heinrichs authored
Change-Id: I2b5214e666d1c9edc5354dd3983401038e9aaf66 Fixes: #54109 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: e17bc3297e95f6ffd5d1df682235bfaac7a5ad53 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30304 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
Change-Id: I096d26b3eee20493b146633bda11529890be59dc Fixes: #57576 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: b49bd72b12f709e1c3dffd4f471d138ad1dcceb5 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30303 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Jigal van Hemert authored
The url for the Open in New Window button must be quoted for use in JavaScript to prevent XSS issues. Change-Id: I3e55f31c3c857989d71a5ef1a0368b96aa5e2c31 Fixes: #48693 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 4d9cd3e6f589c77b5a366497a33f7eb2099dc749 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30302 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Markus Klein authored
Fix the AbstractUserAuthentication class to properly invalidate the current session if it timed out. Change-Id: Id50ee1abd197674fa9379b52b46b63ecf770c964 Fixes: #57673 Releases: 6.2 Security-Commit: 38e24be1ff26fa181f16b91c57a0fcbe4da5065a Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30301 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
The file charts.swf is vulnerable to XSS, is delivered by ExtJS but not used in TYPO3 CMS at all. Since the vendor of ExtJS did not fix this vulnerability, we decided to remove it from TYPO3 sources. Change-Id: Ib30cac84983f5a30956d0a09af933b0fbca1d6ff Fixes: #54526 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 2402b6cfa3ab2a054ef3e28f3d8de8f7dfee17ec Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30300 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- May 20, 2014
-
-
Stanislas Rolland authored
The remove format function with msword selected removes too much content when there is more than one style block in content. Note: Thanks to Volker Burggräf Resolves: #58310 Releases: 6.2, 6.1, 4.5 Change-Id: Ia29767239d92fde20ceee97ece47786d3fd3a9a5 Reviewed-on: https://review.typo3.org/30223 Reviewed-by: Stanislas Rolland Tested-by: Stanislas Rolland
-
- May 19, 2014
-
-
Robert Vock authored
The experimental extbase plugin of indexed_search is not translatable on Pootle because it is still using locallang.xml instead of an XLIFF translation file. Change-Id: Ia3a45573737f8be0f802bfdbf5bd4f36add66b07 Resolves: #58796 Releases: 6.2, 6.1 Reviewed-on: https://review.typo3.org/30103 Reviewed-by: Dmitry Dulepov Tested-by: Dmitry Dulepov Reviewed-by: Xavier Perseguers Tested-by: Xavier Perseguers
-
- May 18, 2014
-
-
Frans Saris authored
As a result of a missing check if $row['t3ver_state'] exists, an exception is thrown when IconUtility::getIcon() is called with only the required params set. This patch adds the missing check. Resolves: #58846 Releases: 6.2 Change-Id: I70da9ee79a5c0ee1ad4fe8892e8ed28f904a11da Reviewed-on: https://review.typo3.org/30152 Reviewed-by: Fabien Udriot Tested-by: Fabien Udriot Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
- May 16, 2014
-
-
Oliver Hader authored
Some DataHandler functional test cases are duplicated or are not required anymore. Here's a list of what has changed and moved into some existing testing structure:

Core:
* DataHandlerTest::canCreateTtContent
** Regular\Modify\ActionTest::createContents
* DataHandlerTest::canLocalizeTtContent
** Regular\Modify\ActionTest::localizeContent
* DataHandlerTest::canCopyPasteTtContent
** Regular\Modify\ActionTest::copyPasteContent
* DataHandlerTest::canCutPasteTtContent
** Regular\Modify\ActionTest::movePasteContentToDifferentPage
* IRRE\MtoNMMAsymetricLocalizationKeepTest::*
** IRRE\CSV\Modify\ActionTest::localizeParentContent*
** IRRE\ForeignField\Modify\ActionTest::localizeParentContent*
* IRRE\MtoNMMAsymetricLocalizationSelectTest::*
** IRRE\CSV\Modify\ActionTest::localizeParentContent*
** IRRE\ForeignField\Modify\ActionTest::localizeParentContent*

Workspaces:
* IRRE\MToNMMTest::*
** ManyToMany\Modify\ActionTest::*
** ManyToMany\Publish\ActionTest::*
** ManyToMany\PublishAll\ActionTest::*
* IRRE\OneToNCSVTest::*
** IRRE\CSV\Modify\ActionTest::*
** IRRE\CSV\Publish\ActionTest::*
** IRRE\CSV\PublishAll\ActionTest::*
* IRRE\OneToNForeignFieldTest::*
** IRRE\ForeignField\Modify\ActionTest::*
** IRRE\ForeignField\Publish\ActionTest::*
** IRRE\ForeignField\PublishAll\ActionTest::*

Resolves: #58870 Releases: 6.2 Change-Id: I0c75fcf826d05f8515a5609cb00c153992ba7b44 Reviewed-on: https://review.typo3.org/30177 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-