- Feb 11, 2020
-
-
Oliver Hader authored
Branch "master" of removed system extensions was outdated and not available anymore. Resolves: #90358 Related: #90350 Releases: 10.2, 9.3, 9.2, 8.7 Change-Id: If019ec6d334e127a49c14e346f9e2fbd0cdfbf58 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63201 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Oliver Hader authored
List of system extensions and their last occurrence in the TYPO3 core: + context_help: 8.7 + cshmanual: 8.7 + css_styled_content: 8.7 + func: 8.7 + info_pagetsconfig: 8.7 + sv: 8.7 + version: 8.7 + wizard_crpages: 8.7 + wizard_sortpages: 8.7 + lang: 9.2 + documentation: 9.3 + saltedpasswords: 9.3 Tasks: + branch-alias to dev-master shall be used for their last occurrence + current master branch in subtree-split packages is outdated and invalid Resolves: #90350 Releases: 9.3, 9.2, 8.7 Change-Id: Ibff3c70b8b7d3f4de979ef9b9f07050d5b1ca299 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63196 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
-
- Feb 10, 2020
-
-
Oliver Hader authored
In order to compatible with https://getcomposer.org/doc/04-schema.md composer.json declarations had to be adjusted and dropped previous replace statements like this: "replace": { "core": "*" } Resolves: #89392 Releases: master, 9.5, 8.7 Change-Id: I4d530fe90551b16c54462a81a457d0bff9f2de8b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63194 Tested-by:
-
- Jul 31, 2018
-
-
Oliver Hader authored
Change-Id: I2939d237c1524a9a7b6e8d17472523fae3014b3f Reviewed-on: https://review.typo3.org/57741 Reviewed-by:
-
Oliver Hader authored
Change-Id: I073d1f4a256b2ab43bec0815b8432d78b70aa16f Reviewed-on: https://review.typo3.org/57740 Reviewed-by:
-
- Jul 30, 2018
-
-
Susanne Moog authored
Resolves: #85426 Releases: master Change-Id: I9752b736282e658add439ca0c6db640004f18045 Reviewed-on: https://review.typo3.org/57732 Reviewed-by:
-
Ralf Zimmermann authored
The form definition renaming upgrade wizard renames the persistence identifier within the form plugin flexform. As a result, finisher overrides can no longer be properly assigned. This patch adds an upgrade wizard which will be able to restore these finisher overrides. Resolves: #85544 Releases: master, 8.7 Change-Id: Idf1ffd8432fed88431b9a0feb407f42df3304401 Reviewed-on: https://review.typo3.org/57733 Reviewed-by:
-
Ralf Zimmermann authored
Allows the form editor to save the property "defaultValue" for "Inspector-PropertyGridEditor" inspector editors. This rules for the form element types "SingleSelect", "RadioButton", "MultiCheckbox" and "MultiSelect". Besides that a flaw in JavaScript is solved that truncated values by one character (e.g. having "propert" instead of "property"), as well as having a correct representation of objects and arrays when initializing them in JavaScript. Resolves: #85608 Resolves: #85670 Releases: master, 8.7 Change-Id: Ia82ee236e6becb36db13fb15e96c7caceab370d1 Reviewed-on: https://review.typo3.org/57728 Reviewed-by:
-
Oliver Hader authored
After fixing the issue of TYPO3-CORE-SA-2018-003 file commands for form definitions (those ending with new ".form.yaml" extension) has been limited. Since the "move" command theoretically would allow to move and rename a file, it has been denied as well. However, it is okay to move those files around in case the file extension has not been changed or when being moved to a recycle folder. Resolves: #85570 Releases: master, 8.7 Change-Id: Ic1f40d061b330d62138a42be9e868fca77b17187 Reviewed-on: https://review.typo3.org/57653 Tested-by:
TYPO3com <no-reply@typo3.com> Reviewed-by:
Ralf Zimmermann <ralf.zimmermann@tritum.de> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
-
Oliver Hader authored
Including files from Phar archives (e.g. "phar://file.phar/autoload.php") does not work properly with having PHP setting open_basedir defined. The reason for that is, that TYPO3's custom PharStreamWrapper tries to find the appropriate base Phar file using file_exists() calls internally. In case those files are not part of the open_basedir restriction - which is the case for everything prefixed with the "phar://" scheme - a PHP warning is shown. Resolves: #85547 Releases: master, 8.7, 7.6 Change-Id: I72fdd7f0c016c0a8b1ed56a82b6b4042cac4d930 Reviewed-on: https://review.typo3.org/57727 Reviewed-by:
-
- Jul 20, 2018
-
-
Benni Mack authored
The field "uid" is never fetched, so no count() is possible in the DB count query. Resolves: #85252 Releases: master, 9.3 Change-Id: I9a3f1cb13bf20dcbe4bfb5451afd465e5981ecb4 Reviewed-on: https://review.typo3.org/57638 Reviewed-by:
-
- Jul 17, 2018
-
-
Andreas Fernandez authored
The library `doctrine/dbal`, which is used by TYPO3 for database communication removed the dependency to `doctrine/common` with their latest release. This breaks some features of TYPO3, for this reason the version constraint is changed to ensure the used doctrine/dbal version is kept in version 2.7. Used command: composer require \ doctrine/dbal:~2.7.0 \ doctrine/lexer:^1.0 Resolves: #85575 Releases: master, 9.3 Change-Id: I97f93053f0e32e108ccba324229e51528236955b Reviewed-on: https://review.typo3.org/57615 Reviewed-by:Mathias Brodala <mbrodala@pagemachine.de> Tested-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
-
- Jul 12, 2018
-
-
Oliver Hader authored
Change-Id: I713e25e6a115be6d0b527f1b3899bc555ff77347 Reviewed-on: https://review.typo3.org/57580 Reviewed-by:
-
Oliver Hader authored
Change-Id: I7d259e1265e64e63c56b23e966be00361a22137c Reviewed-on: https://review.typo3.org/57579 Reviewed-by:
-
Oliver Hader authored
Change-Id: Iefc6752f0045f303263705d7649218f8c0947918 Reviewed-on: https://review.typo3.org/57578 Reviewed-by:
-
Oliver Hader authored
Change-Id: I25d0b2027332ba92ba377b9a0064ee7315412db1 Reviewed-on: https://review.typo3.org/57577 Reviewed-by:
-
Susanne Moog authored
FormDefinitionValidationServiceTest modified the encryption key in test data-provider functions. Those functions are executed prior to actually executing the tests and causes side-effects during running the test suite. Resolves: #85539 Releases: master, 9.3, 8.7 Change-Id: I9fbd60905eb37470fa3661225b681476ff9df3c3 Reviewed-on: https://review.typo3.org/57571 Reviewed-by:
-
Oliver Hader authored
Resolves: #..... Releases: master, 8.7 Change-Id: Iace5c4d064182c628e9d3b03876c73e19dd725cd Reviewed-on: https://review.typo3.org/57568 Reviewed-by:
-
Oliver Hader authored
In order to streamline the FAL API the following signals have been added. The according post-processing signals have been available already before: + ResourceStorageInterface::SIGNAL_PreFileCreate + ResourceStorageInterface::SIGNAL_PreFileSetContents Resolves: #85434 Releases: master, 8.7 Change-Id: I41fc07afbc4e1a393c8a26fe02f431a7b62015d8 Reviewed-on: https://review.typo3.org/57564 Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
-
Oliver Hader authored
Resolves: #85424 Releases: master, 8.7 Security-Commit: 82619eb231e725d77fb8196f0b6bfca9f722bc4f Security-Bulletin: TYPO3-CORE-SA-2018-004 Change-Id: I8c4ce101c3eecfb9ecbe25e1a16a0812bdee34ff Reviewed-on: https://review.typo3.org/57556 Reviewed-by:
-
Ralf Zimmermann authored
The form editor save and preview actions now check the submitted form definition against configured possibilities within the form editor setup. Releases: master, 8.7 Resolves: #85044 Security-Commit: f4a1a09378ed286f3744d6a72f09bfa11a6ba87e Security-Bulletin: TYPO3-CORE-SA-2018-003 Change-Id: I38f965b7a324e6386257ffdfd33eb69aa617c2ea Reviewed-on: https://review.typo3.org/57555 Reviewed-by:
-
Susanne Moog authored
Before this change, form definitions have been persisted in regular `.yaml` files. In order to make the meaning and purpose of those files more explicit, the new file ending `.form.yaml` is introduced. Invocations of the file abstraction layer API for those form files have to be allowed explicitly by granting commands individually using `FilePersistenceSlot::allowInvocation`. New form definitions are created with the new file ending per default. An upgrade wizard renames existing form definitions that are stored in according storage folders (`allowedFileMounts`). In addition references in FlexForm of content elements are adjusted to the new file names as well - in case a form definition has been referenced before. The file list user interface disabled according direct actions for `.form.yaml` files or redirects those to the according form module. Using just `.yaml` instead of `.form.yaml` from site packages is deprecated. Using just `.yaml` instead of `.form.yaml` from file storages is not allowed anymore. Resolves: #84910 Releases: master, 8.7 Security-Commit: e4680db22c680b489545679f118f3242c2929708 Security-Bulletin: TYPO3-CORE-SA-2018-003 Change-Id: I196327d968cbd53bcc623d050d5b3b8742937996 Reviewed-on: https://review.typo3.org/57554 Reviewed-by:
-
Oliver Hader authored
Resolves: #85385 Releases: master, 8.7, 7.6 Security-Commit: f4d645d131fabc98cbbdcefcffb951040d2dd246 Security-Bulletin: TYPO3-CORE-SA-2018-002 Change-Id: If9a312440040da2193512565350fa2342d503278 Reviewed-on: https://review.typo3.org/57553 Reviewed-by:
-
Christian Kuhn authored
SoftReferenceIndex throws exceptions on phar streams LegacyLinkNotationConverter throws exceptions on phar streams Resolves: #85385 Releases: master, 8.7, 7.6 Security-Commit: 4fde9d6a2333435af9033f55e9a5e2d428f6ea0d Security-Bulletin: TYPO3-CORE-SA-2018-002 Change-Id: I09284269d7d9763c92f8d2aa2e82e37e9dc7f0de Reviewed-on: https://review.typo3.org/57552 Reviewed-by:
-
Oliver Hader authored
This custom stream wrapper for the phar:// protocol overrides PHP's native handling. In case Phar bundles shall be loaded from a valid directory, the custom wrapper falls back to the native PHP wrapper in order to invoke Phar-related actions. In case the location is not trustworthy, an according exception is thrown. The custom stream wrapper is registered in the beginning of TYPO3's bootstrap class. Truested locations are those in typo3conf/ext/* - anything else is denied and not considered as trustworthy. Releases: master, 8.7, 7.6 Resolves: #85385 Security-Commit: efa085d9a5aebfac6b92309ea53c455b95a81fcc Security-Bulletin: TYPO3-CORE-SA-2018-002 Change-Id: I97a661e0c82728c6cb44e4b067646dfb69403d89 Reviewed-on: https://review.typo3.org/57551 Reviewed-by:
-
Oliver Hader authored
Using password hashing methods that are related by class inheritance can lead to authentication bypass by just knowing a valid username. Resolves: #84703 Releases: master, 8.7, 7.6 Security-Commit: 2951c4fc0529ec0fd6047786edd3b7189428e574 Security-Bulletin: TYPO3-CORE-SA-2018-001 Change-Id: Ib8d2e8b696c9e7b15f9b479f07aa64f9dce41fe3 Reviewed-on: https://review.typo3.org/57550 Reviewed-by:
-
- Jun 11, 2018
-
-
Oliver Hader authored
Change-Id: I4adf71f27e40df89bc77825e6771d5b249cf1ffd Reviewed-on: https://review.typo3.org/57186 Reviewed-by:
-
Frank Naegler authored
Using the second parameter of TBE_EDITOR.rawurlencode cuts the input to 200 characters for any input value. The parameter is rather useless and its usage can be simply removed to allow URLs with more than 200 characters. Resolves: #85226 Releases: master, 8.7 Change-Id: I8391488d6fb21ede9280041dd41e3feb7e19dbd1 Reviewed-on: https://review.typo3.org/57183 Reviewed-by:
Joerg Boesche <typo3@joergboesche.de> Tested-by:
Susanne Moog <susanne.moog@typo3.org> Tested-by:
-
Frank Naegler authored
Since EXT:frontend does not have CSS files anymore, the postcss config for Grunt is not necessary anymore. Resolves: #85225 Releases: master Change-Id: Ibdecf246c2841e383d745dfdfbf7f3a7181be19b Reviewed-on: https://review.typo3.org/57181 Reviewed-by:
Benjamin Kott <benjamin.kott@outlook.com> Tested-by:
-
Frank Naegler authored
Resolves: #85213 Related: #84993 Releases: master Change-Id: Ib8cd46951cb5032a7554042e2d8a7a052102788b Reviewed-on: https://review.typo3.org/57174 Tested-by:
-
Benni Mack authored
The EM changes due to the new automatic DB fields addition for TCA-based tables come with a small side-effect, namely that all extensions are now evaluated when doing the SQL create queries. The introduced changes now only do execute "safe" DB updates, but not limited to an extension, but for all installed extensions. Thus, non-safe DB operations are not taken into account for an extension installation/upgrade anymore. The patch reverts the changes to the original behaviour, so that a follow-up patch can introduce the following behaviour: - Install extension - Do _safe_ DB updates for the whole system - Do breaking DB updates for the extensions to be installed/upgraded - Execute ext_tables_*adt.sql files + imports Resolves: #85215 Releases: master Change-Id: Ief1118319eb0afcd586efdff506cf44d00e02fb7 Reviewed-on: https://review.typo3.org/57173 Tested-by:
Nicole Cordes <typo3@cordes.co> Tested-by:
-
Christian Kuhn authored
Resolves: #85190 Related: #85188 Releases: master Change-Id: Ia77e74753fcca2c13b0e32b2dce186723c457775 Reviewed-on: https://review.typo3.org/57153 Tested-by:
Jigal van Hemert <jigal.van.hemert@typo3.org> Reviewed-by:
-
Christian Kuhn authored
typo3/testing-framework since version 3.8.0 can reset singletons created by makeInstance automatically if $this->$resetSingletonInstances is set to true. This version additionally checks for left over singletons in case that property has not been set and lets tests fail in this case. composer require --dev typo3/testing-framework:^3.8 As advantage, a manual backup of singleton instances within tests is not needed anymore. The patch comes with a set of test case adaptions to cope with this new situation. Change-Id: Ib5f278145e385e32d543541872cf5e1f208fad47 Resolves: #85209 Releases: master Reviewed-on: https://review.typo3.org/57169 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
-
- Jun 10, 2018
-
-
Andreas Fernandez authored
The URLs to the create actions for backend users and backend groups were built in a strange way which required some quirks to be fully functional. This patch removes the unnecessary `explodeUrl2Array()` call, which also renders the `rawurlencode()` obsolete. Resolves: #85211 Releases: master Change-Id: I3b8f5864fc398b9a4f8f2c0de5d72a38cb8a471b Reviewed-on: https://review.typo3.org/57172 Tested-by:
Riccardo De Contardi <erredeco@gmail.com> Tested-by:
-
Benni Mack authored
Due to moving a class name the import statement in ErrorController was wrong. Resolves: #85210 Related: #85101 Releases: master Change-Id: I17cd062868ca3d0686218abd469a72cbdd08018b Reviewed-on: https://review.typo3.org/57171 Tested-by:
-
Anja Leichsenring authored
Resolves: #85202 Releases: master Change-Id: I6f61db1d2c29a3b9d4794e33cbaf2c6e634e14c7 Reviewed-on: https://review.typo3.org/57158 Tested-by:
-
Christian Kuhn authored
Static method variables are even more pita than static class variables, especially if their state is created from db rows or path information: It is nearly impossible to get rid of this state at a later point again, even reflection does not help here. The patch abandons all 'static $foo' method variables from the system, using these strategies: * Remove some entirely which were used as first level cache and only cache-away simple non db related code structures. * Switch some to use cache framework cache_runtime instead which can be evicted easily. * Use class properties in some cases instead. Change-Id: Ic699846a2c6ec661ee1124ace50df1aa04a1954b Resolves: #85206 Releases: master Reviewed-on: https://review.typo3.org/57167 Tested-by:
-
Michael Schams authored
The fully qualified class name of class `TableGarbageCollectionTask` must be used to configure database tables, which should be cleaned up (inactive or deleted records removed from the system). This change replaces `tx_scheduler_TableGarbageCollection` with the correct class name in the documentation: \TYPO3\CMS\Scheduler\Task\TableGarbageCollectionTask::class Releases: master Resolves: #85205 Change-Id: I13434bf6bc13dd987263605d845f8b59b69e0796 Reviewed-on: https://review.typo3.org/57166 Tested-by:
-
- Jun 09, 2018
-
-
Jan Helke authored
Releases: master Resolves: #85092 Change-Id: I29bb5a3d0546d790d9c8d05c52f448ecefbc8564 Reviewed-on: https://review.typo3.org/57063 Tested-by:
-
Frank Naegler authored
The new IpAnonymizationAdditionalFieldProvider introduced the same JavaScript variable which breaks the garbage collection task. The JavaScript initialization has been removed and the field provider simplified. Resolves: #85068 Releases: master, 8.7, 7.6 Change-Id: Ibb307ee37d6fea33a721373bdc50bbbd3fee1453 Reviewed-on: https://review.typo3.org/57136 Tested-by:
-
