- May 25, 2020
-
-
Andreas Fernandez authored
Deleting an extension in Extension Manager doesn't make much sense in a Composer-based installation. For this reason, the removal of extensions is prohibited now. Resolves: #91456 Releases: master, 9.5 Change-Id: Ia96cf2741fd749d9f50540366351c8b576cac96b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64568 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
Simon Gilli <typo3@gilbertsoft.org> Reviewed-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Benjamin Franzke <bfr@qbus.de>
-
- May 22, 2020
-
-
Benni Mack authored
The PSR-14 event "AfterFileCopiedEvent" in FAL now also has the possibility to return the newly created file and the identifier. Resolves: #91373 Releases: master Change-Id: I08a01a0424e37fe2f010d2894d41a14628bdc950 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64478 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Susanne Moog <look@susi.dev>
-
chris authored
If the TypoScript variable `plugin.tx_felogin_pi1.replyTo` was set to an email address, it triggered the following error: `Symfony\Component\Mime\Exception\InvalidArgumentException: An address can be an instance of Address or a string ("array") given)` Releases: master Resolves: #91458 Change-Id: I4179d42025d0373cd1d7c0938a83ec0c90e25465 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64559 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de>
-
Benjamin Franzke authored
Git converts CRLF to LF when plaintext files are staged. The existing copies of the rte_ckeditor Contrib/* sources have therefore already been converted to LF by git [1]. Initially these files had been copied as CRLF from the ckeditor4 sources in node_modules by grunt npmcopy. Now, when `yarn build` is executed, the copy operation is performed again, which means the files are reverted back to CRLF. Git therefore needs to perform the CRLF to LF conversion again. (Which itself needs to be triggered by the developer by staging the changed files) We do now mimic git's autocrlf behaviour and replace CRLF by LF in the files copied from ckeditor Contrib/* folders to prevent the files from clobbering the `git status` or `git diff` output. By passing `encoding: null` to the grunt.file.copy options we ensure that binary files will be copied as is. Also configure *.svg files to be checked out as LF on all platforms (namely windows) like we do for other plaintext files as well. This ensures svg files do not show up (in windows) as changed because their original from node_modules was stored as LF. *.patch is added as patching jquery on windows would fail otherwise. [1] https://git-scm.com/docs/gitattributes#_end_of_line_conversion Resolves: #91374 Releases: master, 9.5 Change-Id: I2977a6d44f96f6593152bfe698ba5d35f32b131f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64481 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Susanne Moog <look@susi.dev>
-
Helmut Hummel authored
The point of repeatable update wizards is that they are not marked executed and thus always checked for possible updates. They therefore must not be marked executed during installation. Resolves: #91211 Releases: master, 9.5 Change-Id: Ic4e98b95711433705f77899d664cc7cf2c7a42ba Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64326 Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Josef Glatz <josefglatz@gmail.com> Reviewed-by:
Susanne Moog <look@susi.dev> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
TYPO3com <noreply@typo3.com>
-
Stefan Froemken authored
Activating "showHiddenFilesAndFolders" in BE User settings shows hidden files and folders also when navigating through the files in filelist module. Resolves: #91309 Releases: master, 9.5 Change-Id: I8f04b43a2cc0df93b6e77290caed2b33c6951e44 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64424 Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
Susanne Moog <look@susi.dev>
-
Susanne Moog authored
Resolves: #91457 Releases: master Change-Id: I29009a9498b050942e34a27815acdf996e6f0539 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64558 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
Oliver Bartsch authored
Resolves: #91459 Relates: #91302 Releases: master Change-Id: Ic4af3247d7557a6c12a8d538e85795c507eab69a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64561 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de>
-
Oliver Bartsch authored
With the removal of `selicon_field_path` in #87937 also the automatic record type icon mapping was removed. As a result the record icon of a select item based on `foreign_table` is not resolved anymore. In addition, the `selectIcons` list is therefore no longer displayed. The previous functionality is now restored. Resolves: #91302 Relates: #87937 Releases: master Change-Id: If62f4ba65ef54ec2345131f6c117ce4336e76c4c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64560 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de>
-
- May 21, 2020
-
-
Tymoteusz Motylewski authored
To highlight difference between BackendUtility::BEgetRootLine() and RootlineUtility->get() Resolves: #91455 Releases: 9.5, master Change-Id: I63d7ca395d5a052d29d718316474b69d6519ebc9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64554 Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Richard Haeser <richard@maxserv.com> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Richard Haeser <richard@maxserv.com>
-
Oliver Bartsch authored
Resolves: #91345 Releases: master Change-Id: I54ab67e85b3bf24b06916b674765ed22fb5de76c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64508 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Josef Glatz <josefglatz@gmail.com> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de>
-
Andreas Fernandez authored
If an action in the Install Tool is executed that is related to an inline module or an interactable module (a.k.a "modal"), its trigger button(s) get now properly disabled and enabled to avoid executing the same actions consecutively while any request is still pending. Resolves: #91076 Releases: master Change-Id: I9a61063819f21a33ac8ede644fa8f998212b342b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64207 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Jonas Eberle <flightvision@googlemail.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Susanne Moog <look@susi.dev>
-
Markus Klein authored
When initializing the configuration for a cache any existing configuration under its old name (cache_ prefixed) is applied as an additive override now. This ensures that basic configuration like groups are preserved and not removed with the formerly correct way to adjust cache-config. Resolves: #91306 Releases: master Change-Id: Ic862f80263f410688d2dffb7c13948c1c40488a3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64407 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Johannes Kasberger <johannes.kasberger@reelworx.at> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
Johannes Kasberger <johannes.kasberger@reelworx.at> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Benjamin Franzke <bfr@qbus.de>
-
- May 20, 2020
-
-
Benni Mack authored
The documentation for lowlevel commands is optimized so they make more sense:

* Nightly checks are run with a --dry-run command
* cleanup:versions info is removed (the command is gone)
* Checks have a --dry-run command

Resolves: #88874 Releases: master, 9.5 Change-Id: If82ab67f7aec48c1b533e84d70ecdadc94e528bd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64530 Reviewed-by:
Tobias Gaertner <tobias.gaertner@benaja-websolutions.com> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Benni Mack <benni@typo3.org>
-
Helmut Hummel authored
Set the current page id early, so that PageTS is fetched from the correct page instead of id 0. Releases: 9.5, master Resolves: #91445 Change-Id: I95a50b6c9d45be54291f27828d9f35cb62b3b4dd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64553 Reviewed-by:
Daniel Siepmann <coding@daniel-siepmann.de> Reviewed-by: Thomas Hohn Reviewed-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Helmut Hummel <typo3@helhum.io>
-
- May 19, 2020
-
-
Oliver Hader authored
Change-Id: I22eb57766cd6ddd8aa31447ccd374e52920c2010 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64529 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: Ifd8e3cc62c5b0a27b0bc938e5dbc8cb136a1d07c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64528 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Helmut Hummel authored
When saving a record on a page that is not part of a site, the slug field of this record, despite being set to "uniqueInSite" is not checked for uniqueness, as it is assumed unique enough. This assumption needs to be applied as well when resolving the record, instead of assuming the resolved record is not part of the current site. Releases: master, 9.5 Resolves: #91438 Change-Id: I347909b9b4caa523de3ad8e5d84c465e5d57b052 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64520 Reviewed-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
Thomas Hohn authored
Re-added `$this->where_groupAccess` to init method. Resolves: #91429 Releases: master, 9.5 Change-Id: Ibd9b169e8d11e358023d8cfbd2085995769d16cc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64516 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com>
-
Riny van Tiggelen authored
The old tx_realurl_pathcache does not have a uid field, but uses the field cache_id. The order-by now uses a different field depending on the table. Resolves: #90957 Releases: master, 9.5 Change-Id: I5efc62cb8a7cc1d96a503043d268fdacb3564e4b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64085 Reviewed-by:
Richard Haeser <richard@maxserv.com> Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
Daniel Siepmann <coding@daniel-siepmann.de> Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Richard Haeser <richard@maxserv.com> Tested-by:
Benni Mack <benni@typo3.org>
-
- May 18, 2020
-
-
Oliver Hader authored
With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling has been introduced to avoid the install tool being called from other non same-origin locations. In case an HTTP referrer header was empty the system tried to refresh the view - otherwise the request was denied completely. Changes of issue #91396 using refresh-always are applied as well. Resolves: #91433 Related: #91396 Releases: master, 9.5 Change-Id: I2a570da4f2a933e709d653b54f1d53d5055ef3f7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64519 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Andreas Fernandez authored
The generated cache identifier may get very long in case a page has many frontend groups configured and may exceed the limit of the caching frontend (which is 250 characters per definition in FrontendInterface::PATTERN_ENTRYIDENTIFIER). To bypass this issue, the group list is hashed now. Resolves: #91413 Related: #91208 Releases: master, 9.5 Change-Id: Id44ae862eb5d45afbd49dc3f833c101c6acb5f5b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64512 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Frank W Blank <blank@wiro-consultants.com> Tested-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Benjamin Franzke <bfr@qbus.de>
-
Benjamin Franzke authored
The PSR-11 container instance was not cleared upon serialization which caused an exception when Closures in the container were tried to be serialized. __wakeup() does already contain code to reset the container instance, therefore we only need to clear the entire object manager properties in __sleep(). Releases: master Resolves: #91398 Related: #88689 Change-Id: I58202752577b58cd882d13f471af1e045c9a4187 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64489 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Alexander Schnitzler <git@alexanderschnitzler.de> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Alexander Schnitzler <git@alexanderschnitzler.de> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
Oliver Hader authored
Resolves: #91417 Releases: master, 9.5 Change-Id: I690cf19965310cdb8612dca3b34f751aafb4c550 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64502 Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Daniel Siepmann <coding@daniel-siepmann.de> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Daniel Siepmann <coding@daniel-siepmann.de> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
Alexander Schnitzler authored
While introducing the fully qualified controller class names in the extbase plugin configuration the originally used setter \TYPO3\CMS\Extbase\Mvc\Request::setControllerObjectName() has no longer been used to guess extension name, subpackage key and controller name from the class name since all that information is known. Said setter has been kept nevertheless and it was overlooked that it was still used by fluid widgets. This leads to property \TYPO3\CMS\Extbase\Mvc\Request::$controllerObjectName being empty in widget requests which then leads to an exception when trying to create a ClassSchema for the controller object name "". To fix this, the widget request is now created with the controller object name as constructor argument. Releases: master Resolves: #91418 Change-Id: I6abcdb8c68e831459228cc35c3263cec83d16f67 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64505 Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Alexander Schnitzler authored
The ReflectionService usually doesn't get serialized by users directly but since Extbase has an unclean dependency chain, the serialization of the ReflectionService is triggered in user land code when serializing a LazyObjectStorage e.g. Since it's no problem to implement a clean serialization and unserialization of the ReflectionService it is implemented with this patch and will no longer cause any troubles. There is just one thing to mention. The ReflectionService usually comes with a cache which cannot be restored during wakeup of the serialized service. It's unlikely but it's possible that the absence of the cache can cause a performance hit. Releases: master, 9.5 Resolves: #91404 Change-Id: I8c64968f0f329528c9f578ba0ef76437ada40ac0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64494 Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
TYPO3com <noreply@typo3.com> Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Benjamin Franzke <bfr@qbus.de>
-
Oliver Hader authored
TYPO3-CORE-SA-2020-005 caused side-effects on Fluid AJAX widgets which unfortunately support any class instance to be temporarily stored in the current user-session. With mentioned change to address an insecure deserialization vulnerability it was limited to items that could be JSON-serialized. This limitation is removed again by switching back to `unserialize()`, but using an encryption-key-based HMAC signature on the payload. Due to its architecture there is no better approach available. This partially reverts commit e4fb92a8. Resolves: #91382 Releases: master, 9.5 Change-Id: I68cbd15e7df2f536180f174fa63cf27f8a19cfcd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64501 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Jonas Götze <jonnsn@gmail.com> Tested-by:
Alexander Schnitzler <git@alexanderschnitzler.de> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Alexander Schnitzler <git@alexanderschnitzler.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Susanne Moog <look@susi.dev>
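
An added example (not TYPO3's code and not part of the commit above) of the approach that commit message describes: sign the serialized payload with a key-based HMAC and verify the signature before the bytes reach `unserialize()`. The function names, the `base64.hex-mac` token layout and the key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed key for this example only. The commit message refers to the
// application's encryption key; any server-side secret plays that role here.
const EXAMPLE_ENCRYPTION_KEY = 'constructed-example-key-do-not-reuse';

/**
 * Serialize a value and attach an HMAC-SHA256 over the serialized bytes.
 * Hypothetical helper, token layout: base64(serialized) . '.' . hex(hmac)
 */
function signPayload($value, string $key): string
{
    $serialized = serialize($value);
    $mac = hash_hmac('sha256', $serialized, $key);
    return base64_encode($serialized) . '.' . $mac;
}

/**
 * Verify the HMAC first and only then deserialize.
 * unserialize() is never called on bytes that fail verification, so a
 * client cannot feed it an object graph of its own choosing.
 */
function verifyAndUnserialize(string $token, string $key)
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('Malformed payload');
    }
    [$encoded, $mac] = $parts;

    $serialized = base64_decode($encoded, true);
    if ($serialized === false) {
        throw new InvalidArgumentException('Malformed payload encoding');
    }

    // hash_equals() compares in constant time; do not use == or === here.
    $expected = hash_hmac('sha256', $serialized, $key);
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('HMAC mismatch, payload rejected');
    }

    // The signature proves the server produced these bytes. It does not
    // restrict which classes they contain; pass ['allowed_classes' => [...]]
    // as second argument where the set of expected classes is known.
    return unserialize($serialized);
}

// --- Demonstration with constructed data ---------------------------------

// Stand-in for a widget context object stored in the user session.
$widgetContext = new ArrayObject(['widget' => 'paginate', 'itemsPerPage' => 10]);

$token = signPayload($widgetContext, EXAMPLE_ENCRYPTION_KEY);
$restored = verifyAndUnserialize($token, EXAMPLE_ENCRYPTION_KEY);
echo 'round trip restored an ArrayObject: ';
var_dump($restored instanceof ArrayObject);

// Someone who can modify the stored token replaces the body but cannot
// recompute the HMAC without the key, so the old signature no longer fits.
[, $originalMac] = explode('.', $token);
$tamperedBody = serialize(new ArrayObject(['widget' => 'paginate', 'itemsPerPage' => 9999]));
$tamperedToken = base64_encode($tamperedBody) . '.' . $originalMac;

try {
    verifyAndUnserialize($tamperedToken, EXAMPLE_ENCRYPTION_KEY);
    echo "tampered payload accepted\n";
} catch (RuntimeException $e) {
    echo 'tampered payload: ' . $e->getMessage() . "\n";
}
```

The protection rests entirely on the key staying secret: anyone who obtains it can sign arbitrary serialized objects.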
-
Resolves: #91411 Releases: master Change-Id: If9850f683e1f6e72e62fcfdb41802430d1888f69 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64510 Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Josef Glatz <josefglatz@gmail.com> Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
Daniel Siepmann <coding@daniel-siepmann.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
Daniel Siepmann <coding@daniel-siepmann.de>
-
Oliver Hader authored
With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling has been introduced to avoid the TYPO3 backend being called from other non same-origin locations. In case an HTTP referrer header was empty the system tried to refresh the view - otherwise the request was denied completely.

It turned out that this scenario was probably too strict, disabling feature `security.backend.enforceReferrer` was the only work-around for site administrators.

This change adds new options for handling referrers in backend routes:

* refresh-empty (existed already): refresh in case referrer is empty
* refresh-same-site: refresh in case referrer is on same site, like `https://example.org/?eID=auth` calling `https://example.org/typo3/`
* refresh-always: refresh always in case there is no valid referrer

TYPO3's main backend route is using `refresh-always` now to be more relaxed on handling same-site and cross-site referrers as well.

The term "refreshing" relates to trigger a reload in the browser to get the referrer of the current location. This still blocks direct CSRF/SSRF requests since the refreshing HTML instructions are delivered back to the client. Besides that, cross-site requests are covered by the `same-site` cookie policy, and existing CSRF tokens.

Resolves: #91396 Releases: master, 9.5 Change-Id: Ib3756671fa60c6f41ba992d0e645f03da1730d19 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64492 Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Richard Haeser <richard@maxserv.com> Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Richard Haeser <richard@maxserv.com>
-
Andreas Fernandez authored
The PasswordRecovery template misses a layout which results in an empty HTML part being rendered. This patch adds the layout and renders our marvellous HTML mails again. The plaintext part missed the layout as well, which caused to miss some additional information available in the mails. Resolves: #91412 Related: #90729 Releases: master Change-Id: Ic883aefa5ae88783d0c74d2c7843d1e8445461ab Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64498 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Annett Jähnichen <jaehnichen@webit.de> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Annett Jähnichen <jaehnichen@webit.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Josef Glatz <josefglatz@gmail.com> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
- May 17, 2020
-
-
ayacoo authored
Releases: master Resolves: #91395 Change-Id: If1c5c896c519aa5cf5ff35072bb101f718f8cdcb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64488 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
Tymoteusz Motylewski <t.motylewski@gmail.com> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Josef Glatz <josefglatz@gmail.com> Reviewed-by:
Tymoteusz Motylewski <t.motylewski@gmail.com>
-
- May 15, 2020
-
-
jdoe-dev authored
The namespaces for the PSR-14 events are not working. Removed /Login - path since this is not existing. Releases: master Resolves: #91411 Change-Id: I25209c739f1f55b8c375a9f58ad4ce551344ae5d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64497 Tested-by:
Mathias Brodala <mbrodala@pagemachine.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
Susanne Moog <look@susi.dev>
-
Andreas Fernandez authored
When a null placeholder checkbox is changed, the linked form field is now marked as "changed", which triggers the confirmation when leaving the form while being unsaved. Resolves: #91351 Releases: master, 9.5 Change-Id: I1b3ac08223a4a4c588a980abe70f22ff9814b13f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64444 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
Xavier Perseguers <xavier@typo3.org> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Josef Glatz <josefglatz@gmail.com> Reviewed-by:
Xavier Perseguers <xavier@typo3.org> Reviewed-by:
Susanne Moog <look@susi.dev>
-
Oliver Hader authored
HTML element with identifier `t3js-login-url` is used to check whether referrer handling is activated and supported. In case the `Login.html` template has been overridden, mentioned element might not be given at all - which leads to a corresponding JavaScript error. Resolves: #91385 Releases: master, 9.5 Change-Id: Ie986a94209809c32cdfb217aa00b42f4369c525a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64484 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
- May 14, 2020
-
-
Benjamin Franzke authored
The SMTP SSL/TLS migration introduced in #91070 does not take the case into account when no SMTP encryption was used at all (that means insecure plaintext authentication). This could be configured by specifying an empty string for `transport_smtp_encrypt` in TYPO3 v9. We do now check for this third option and adapt the migration to set the value to false, which means symfony/mailer will allow connection without encryption. Note: symfony/mailer will still try to start a STARTTLS connection if the server supports that capability. (That is now default in symfony/mailer and can't be deactivated) We also fix the default configuration of transport_smtp_encrypt to be a boolean value. The setting was switched to boolean in #90295 but was forgotten to be adapted here. Releases: master Resolves: #91391 Related: #91070 Related: #90295 Change-Id: I16f0f19cf91b92b3a252d2a52c7226dd0eb23296 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64490 Reviewed-by:
Josef Glatz <josefglatz@gmail.com> Reviewed-by:
Torben Hansen <derhansen@gmail.com> Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
Torben Hansen <derhansen@gmail.com> Tested-by:
Benjamin Franzke <bfr@qbus.de>
-
Oliver Hader authored
Using `<div />` as template to be used in jQuery worked previously, but is not supported with jQuery 3.5.x anymore. Occurrences are now using correct expanded tags like `<div></div>`. Resolves: #91367 Releases: master, 9.5 Change-Id: I088481e607b4621e28550f79f065496c89b409d1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64479 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
Sebastien Convers <sebastien.convers@agrosupdijon.fr> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Helmut Hummel <typo3@helhum.io> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Xavier Perseguers authored
The current record constraint was forgotten in the implementation of uniqueInTable and is now added. Resolves: #91378 Related: #91235 Releases: master, 9.5 Change-Id: Ie7862b22a06996a9d7ca484a01d7a1859c8f7276 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64482 Tested-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Helmut Hummel <typo3@helhum.io> Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Oliver Hader authored
With security advisory TYPO3-CORE-SA-2020-004 new `BlockSerializationTrait` has been introduced blocking serialization and deserialization for a couple of classes (see advisory for details). Since this caused a couple of side-effects for valid use-cases, the restriction on serialize() is removed - which is fine from a security point of view. Resolves: #91387 Releases: master, 9.5 Change-Id: I9a9d415deab80badc3c1517f2e0c0c3336d3d936 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64486 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
Daniel Siepmann authored
A context can be provided, when opening the CSH (Context Sensitive Help). E.g. when opening the CSH for a backend module or specific table field, the help entry for that module or field will be opened. This patch restores the described functionality by adding the action to the link opened via JavaScript. The "see also" links, used for cross referencing different CSH entries are fixed as well. Cross referencing links are now built using the proper ViewHelper to use backend module routing, instead of extbase routing. This ensures arguments are not moved into an arbitrary extbase plugin namespace. Resolves: #91370 Releases: master Change-Id: Ib6361e5a5f4ef441e098a595fa344f484a07ddc0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64477 Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Josef Glatz <josefglatz@gmail.com> Reviewed-by:
Sebastian Klein <laitnin@gmx.net> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Sebastian Klein <laitnin@gmx.net> Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com>
-
- May 13, 2020
-
-
Markus Klein authored
Some methods have been added for this matcher, which are actually not deprecated/removed as a whole. Only the usage of those methods has been adjusted. The extension scanner is not capable of detecting such usages only, hence there is no sense in reporting every usage of those functions, albeit these usages might be valid. The matcher entries are removed therefore. Resolves: #91355 Releases: master Change-Id: I9da87ecb320f65d4fe5df168d788bb2ba8547f84 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64451 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Alexander Schnitzler <git@alexanderschnitzler.de> Tested-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
Alexander Schnitzler <git@alexanderschnitzler.de> Reviewed-by:
Benjamin Franzke <bfr@qbus.de>
-