- Dec 30, 2019
-
-
Alexander Schnitzler authored
php bin/rector process
A couple of rectors have been disabled due to different reasons:
  - Rector\Php71\Rector\FuncCall\CountOnNullRector
    This rector has been disabled as it creates rather long and complex structures to avoid calling count on null. This rector will be enabled as soon as TYPO3 uses at least PHP 7.3 which introduces an "is_countable" method.
  - Rector\Php71\Rector\Assign\AssignArrayToStringRector
    This rector has been disabled as it does not work properly. The default types of parameters have been changed although their types could properly be inferred by a doc block or by value assignments.
  - Rector\Php71\Rector\BinaryOp\BinaryOpBetweenNumberAndStringRector
    This rector has been disabled as it does not work properly. A bug report is filed and to be found here: https://github.com/rectorphp/rector/issues/2454
  - Rector\Php71\Rector\FuncCall\RemoveExtraParametersRector
    This rector has been disabled as it does not work properly. It removed arguments in tests, especially when using prophecies.
Releases: master Resolves: #90002 Change-Id: I6ed14d38cc697a23104286db57535d6a3c0dbf62 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62751 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Benni Mack authored
With PHP 8 on the horizon, TYPO3 Core should be prepared to also disallow files with the file extension ".php8" for uploading. Resolves: #90023 Releases: master, 9.5, 8.7 Change-Id: I670755c5ae09ccf6ffd49c4b91b4617956f76ad7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62776 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Björn Jacob <bjoern.jacob@tritum.de> Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
- Dec 28, 2019
-
-
Benni Mack authored
Resolves: #90027 Releases: master Change-Id: I0783db5e26ceaba836a618f6dfce104080a4762d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62777 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Stephan Salzmann authored
The example claims to result in '.../detail/...', site configuration needs to reflect that. Releases: master, 9.5 Resolves: #90017 Change-Id: I3d6d133294763ee0e3e089c102a325a70ca3e1ea Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62772 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- Dec 27, 2019
-
-
Tymoteusz Motylewski authored
Releases: master, 9.5 Resolves #90025 Change-Id: I8e155f7f15bf291bddf11c74cead8c68c91de49f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62198 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Benni Mack <benni@typo3.org>
-
Tizian Schmidlin authored
`TYPO3\CMS\Core\Routing\PageRouter::getPagesFromDatabaseForCandidates` looks up candidates for the page using the `slug` field (and also sorts by this value). This has some serious impact on the website performance on systems with lots of pages. In order to optimize this, an index should be set. Releases: master Resolves: #88896 Change-Id: I1aecca781db9562243a15341819b3ce261708836 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61403 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Jonas Eberle <flightvision@googlemail.com> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Jonas Eberle <flightvision@googlemail.com> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Christian Eßl authored
Several parts of the core use the regular expression /date|time|int/ to test if an 'eval' TCA configuration of a field contains one of these evaluation strings. This regex would however match any other string that contains one of those words. This patch fixes this behaviour by matching only the exact words. Resolves: #40347 Releases: master, 9.5 Change-Id: I2af1e3bf5b5cc4056f0e3875645c549a01e6dbd0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61885 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Susanne Moog authored
Resolves: #89842 Releases: master, 9.5 Change-Id: I42ffcc313290867d0410265f4c900225ceb554e2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62545 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Alexander Opitz <opitz.alexander@googlemail.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Alexander Opitz <opitz.alexander@googlemail.com> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Benni Mack authored
The flag for TYPO3's supported Galician is now added with the "gl.png" flag. TYPO3 core previously had the "Greenlandic" ("kl") named under the same file, which was now renamed. Resolves: #89929 Releases: master Change-Id: Ia267dbf7f3e4a2bec67d6534bf26eddc4aaf71b5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62759 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com>
-
Anja Leichsenring authored
The function in testing-framework provides a string that is target to be used e.g. for HTML tags, but the BackendUserAuthenticationTest uses it to produce a random userId, which needs to be an integer. If the randomly produced string contains not only numbers, the cast operation converts the uid to 0 and therefore prevents a DB query from execution. This prevention results in a not consumed mock object, which in turn causes an integration test failure. Resolves: #90018 Releases: master, 9.5 Change-Id: I559041591a600a04da86e8b4a85cf5e6dd176475 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62773 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Tobias Gaertner authored
For upgrading from old versions where EXT:realurl was used, the PopulatePagesSlugs upgradeWizard is in place. It now also respects the tx_realurl_pathsegment field in generatorOptions. The workflow is now that it takes the page:tx_realurl_pathsegment field and if empty falls back to page:title. Resolves: #89069 Releases: master, 9.5 Change-Id: Ia9c6367d46713a8a1a609ef13c6bbd8878ec6bed Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62748 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Guido Schmechel <guido.schmechel@brandung.de> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Michael Telgkamp authored
Add keyboard interaction acceptance tests for the pagetree interactions. Currently testing Home key, End key, navigation with Up and Down keys, opening a selected entry with Enter and collapsing and expanding of subtrees with Left / Right keys. Resolves: #89832 Resolves: #89955 Releases: master Change-Id: Ibe3c83fe6142296e333a66e68d67e283e2000957 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62521 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Anja Leichsenring authored
The extension does not exist for TYPO3 versions above 8, so the report must not exist either in these versions. Resolves: #89963 Releases: master, 9.5 Change-Id: I0de6b2646253a755b554b48dadabbfcb2bc1b795 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62674 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Tested-by:
Guido Schmechel <guido.schmechel@brandung.de> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Oliver Hader authored
Resolves: #90016 Releases: master, 9.5 Change-Id: Id7fc792515cfc333118105ae832c2f283e455535 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62770 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Anja Leichsenring authored
The trigger will cause the plan to be executed after merge, which is not needed because nightly plans take care of it. Resolves: #89972 Releases: master, 9.5, 8.7 Change-Id: Iafc32174d2234439915c2e741020c4626391f98a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62721 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Anja Leichsenring authored
Resolves: #89976 Releases: master, 9.5, 8.7 Change-Id: I82d5811d9532ee47bcf2254c6bc18e4a3e0e74d0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62734 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Björn Jacob <bjoern.jacob@tritum.de> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
- Dec 23, 2019
-
-
Oliver Hader authored
Affects following site configuration aspects in site management module:
  * page based error handling source field in link popup
  * URI base static source field in link popup
Resolves: #90004 Releases: master Change-Id: I2d8548141f20d5bf328dccc7145bdd54e59d6603 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62757 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- Dec 20, 2019
-
-
Benni Mack authored
Updating codeception (3.2.1) and phpunit (8.5.0) to latest versions allows for further updating other dependencies TYPO3 is using.
Used command:
  composer update codeception/codeception
  composer update phpunit/phpunit
Resolves: #89984 Releases: master, 9.5, 8.7 Change-Id: I33a398fccadfb5c29056d33c7ff35429c263eb92 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62738 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Benni Mack authored
In TYPO3 v10, BasicFileUtility is not used by DataHandler anymore, and never initialized with other file permissions than "allow any file ending", which is why the simple check on the fileDenyPattern can be used directly in Import functionality. The next patch would then allow to clean up BasicFileUtility where the methods which belong to "internal_type=file" are not in use anymore. Resolves: #89941 Releases: master Change-Id: I58a28a1cd1f6d284d241479a324c877a2824e7bb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62627 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Susanne Moog <look@susi.dev>
-
- Dec 19, 2019
-
-
Andreas Fernandez authored
The "Broken Extension Scanner" has some flaws that are fixed with this patch:
  - Only one request is sent to scan all ext_localconf.php / ext_tables.php files, each
  - ext_tables.php is only scanned if ext_localconf.php was successful, since those are dependent
  - Protected extensions (mandatory to the system) cannot get uninstalled
  - After uninstalling an extension all caches are cleared
Resolves: #89947 Releases: master, 9.5 Change-Id: I63aa7e67df9d061fded42af34c72727db629258a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62639 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Susanne Moog <look@susi.dev>
-
Alexander Schnitzler authored
php bin/rector process
The Rector\Php70\Rector\List_\ListSwapArrayOrderRector rector has been disabled as this needs proper testing and a separate patch. Releases: master Resolves: #89907 Change-Id: I56b296221622afdc72feb5a48145431efd993ea1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62592 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
Alexander Schnitzler authored
composer remove --dev rector/rector
composer require --dev rector/rector:~0.6
The update of rector brings important bugfixes and enables the installation of the latest version of phpstan/phpstan. Releases: master Resolves: #89918 Change-Id: I406aa56b19e88db23260033023e2c785425aef5e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62599 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Anja Leichsenring authored
For testing mssql based jobs, the wait limit for the database to answer gets raised from 60 to 120 seconds to avoid build failures solely caused by the container being up too late. Releases: master, 9.5, 8.7 Resolves: #89986 Change-Id: If88949ed4dd978af1e349b524a40069b606dcb63 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62739 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
Susanne Moog authored
The TimeTracker has been using the wrong order of glue and pieces, the PageLayoutView has used implode with only one parameter. Both occurrences have been adjusted. Resolves: #89991 Releases: master, 9.5, 8.7 Change-Id: Id600409548cf89b24832afcb5d0784c24be1d1b6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62745 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
- Dec 18, 2019
-
-
Anja Leichsenring authored
The usage of implode(array, string) has been marked as deprecated by PHP and triggers PHP Deprecation warnings by using PHP 7.4. Resolves: #89987 Releases: master, 9.5 Change-Id: I4094744bd067203856dc305bb7e1651797d0c959 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62741 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Markus Klösges <mkloesges@gmx.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com>
-
Georg Ringer authored
Use the final subdomain localize.typo3.org instead of beta-translation.typo3.org. The latter is still available and will be removed at a later time. Resolves: #89988 Releases: master Change-Id: Ic7188d9edea0bbd4753b136242d992d195196880 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62742 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
Alexander Schnitzler authored
php bin/rector process
Releases: master Resolves: #89807 Change-Id: I667199693dc519d0353d8e10b40d86faf1cf946a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62448 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
Alexander Schnitzler authored
The now introduced functional tests are a replacement for the unit tests which were only possible by mocking the hell out of the RequestBuilder. Releases: master Resolves: #89898 Change-Id: Iccbd768ab0842e29d4954755e8f34f62bdc564f1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62580 Tested-by:
Michael Telgkamp <michael.telgkamp@mindscreen.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Michael Telgkamp <michael.telgkamp@mindscreen.de> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Benni Mack authored
Some tests use "accessibleMock" (= eval() code) where it is completely unnecessary as not even a mock is needed. Resolves: #89974 Releases: master Change-Id: I6d44a251e670ec97787a45b68b40e8f4bef2946f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62547 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
Susanne Moog authored
ExactValueMatching of Closures in Prophecy may result in Comparison Failures causing the test to fail in newer PHPUnit Versions. Instead of an exact match of that closure, a type comparison is enough - as calling the closure is tested via following assertions. Resolves: #89982 Releases: master, 9.5 Change-Id: I23ef94a291a07d02e0c8857a1aeaf14931406af0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62737 Tested-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
- Dec 17, 2019
-
-
Georg Ringer authored
Adopt the excludeForPackaging to include also .htaccess files in extension downloads of extension manager. Resolves: #89876 Releases: master, 9.5, 8.7 Change-Id: If5a00956165bab386a980bc897f5750a3ffc73da Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62582 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Susanne Moog <look@susi.dev>
-
Claus Due authored
This patch:
  1. Removes a redundant usage of a "NoSpace" VH and the associated namespace import since there are no other usages.
  2. Deletes the VH class since it is not used elsewhere.
  3. Removes an always-true and therefore redundant "if"
Releases: master Resolves: #89956 Change-Id: I943653e04fa731cdc4bdcbc8d6e32663e3ca30c9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62648 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Frank Naegler authored
Resolves: #89005 Releases: master, 9.5, 8.7 Security-Commit: 82656cf8149d04f31b1441a03415b5e9a067c614 Security-Bulletin: TYPO3-CORE-SA-2019-026 Change-Id: If312a53b24d919439fa70f5df96be383876957a6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62720 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Frank Naegler authored
Resolves: #89452 Releases: master, 9.5, 8.7 Security-Commit: d73e50f02afc5459f737282ede6cc70579fe7181 Security-Bulletin: TYPO3-CORE-SA-2019-025 Change-Id: I55afb17f4b1509a3dfc945e28e5d35671f6c28f3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62719 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Andreas Fernandez authored
The Extension Manager and Language Pack Manager receive Zip archives as input from foreign sources and extract them on the disk. However, the previous approach is considered insecure as the target directory is not checked per file and directory traversal was possible. This patch adds a new service class that handles the extraction of Zip archives via PHP's internal ZipArchive class, which can handle such cases on its own. Resolves: #88764 Releases: master, 9.5, 8.7 Security-Commit: a02f19c73211a5f1c0286ab44bee27da9b73f026 Security-Bulletin: TYPO3-CORE-SA-2019-024 Change-Id: I701a577f54410344867b868409a38cc44339f976 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62718 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Andreas Fernandez authored
FAL currently filters invalid characters from file names stored by its API. However, this sanitization took no effect when the file was placed by e.g. uploads via FTP, which doesn't trigger FAL. This patch adds a missing `htmlspecialchars` call when the file extension is rendered and could not be sanitized before due to mentioned circumstances. Resolves: #88931 Releases: master, 9.5, 8.7 Security-Commit: 296c6a6723826b4ad2babbb1de5b9d23dfd256ea Security-Bulletin: TYPO3-CORE-SA-2019-023 Change-Id: I24cbc623f6390944a608eadf3ebe7a13d294e0ae Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62717 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
In order to avoid XSS through typolink, anchor text is encoded correctly to be used in an HTML context. Fallback link texts of links to pages are encoded per default in case lib.parseFunc has not been configured. Resolves: #88635 Releases: master, 9.5, 8.7 Security-Commit: b62f71c4e098156052ff33e775208981c2ef512b Security-Bulletin: TYPO3-CORE-SA-2019-022 Change-Id: I76b0f06ad52a487e1aebc820531c11166ad45117 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62716 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Frank Naegler authored
Resolves: #88629 Releases: master, 9.5, 8.7 Security-Commit: df38c239aa9c627fb7b6f1c384d45ff0940d98fa Security-Bulletin: TYPO3-CORE-SA-2019-021 Change-Id: Ib12dc0affe7f15f1869cff57ea09d9999a0d632a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62715 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
The ext:felogin recovery process is using a non-typesafe comparison which might be exploited with a probability of 0.000000294% and is storing the recovery token as plain MD5-hash in database. In order to streamline the process non-typesafe comparison is using PHP's hash_equals() method; for keeping backward compatibility just HMAC-SHA1 is applied to the recovery token in database. Since exploitations to this scenario are very unlikely (for a 50% chance an attacker would have to trigger the creation of around 170 million recovery requests) it is not handled with a security workflow - but using the public workflow. Resolves: #89952 Releases: master, 10.2, 9.5, 8.7 Change-Id: Idcb7b7d6eb418124dc17f1707284b6abe8a8b63b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62690 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Andreas Fernandez authored
Resolves: #89970 Releases: master Change-Id: I5b7e22c853993e7434c086c22a3898eefbe07899 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62687 Tested-by:
Björn Jacob <bjoern.jacob@tritum.de> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Björn Jacob <bjoern.jacob@tritum.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-