  1. Aug 18, 2012
    • [BUGFIX] sys_template: Can't save "basedOn" configuration · 33d136ae
      Susanne Moog authored
      Since the merge of the resources-removal
      TypoScript templates can't save "basedOn"
      changes because of a SQL error, as the
      resources field is still referenced by
      the tca and ext_tables.php.
      
      Change-Id: I548af5a41375b69563c3822a7c8b96687bdf9487
      Fixes: #39937
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13903
      Reviewed-by: Philipp Gampe
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [FEATURE] Scheduler: Allow execution using "at"-daemon · 1ea6e11f
      Stefan Neufeind authored
      Add possibility to execute scheduler via "at"-daemon instead of via cron.
      This allows the scheduler more flexibility when to be invoked next.
      
      This can be useful in environments where no cronjob can be set easily,
      but access to at daemon is possible.
      
      Change-Id: Ib450e59d76e23eb2eeb1ab4769f49d8ba8bd96b5
      Resolves: #34227
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/9177
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [FEATURE] Allow .ts file extension for static typoscript templates · f60f1209
      Sebastian Michaelsen authored
      At the moment the following static typoscript filenames are allowed:
      
      setup.txt
      constants.txt
      include_static.txt
      include_static_files.txt
      
      * Allow ".ts" as file extensions
      * Allow mixed usage of .ts and .txt
      * .ts precedes .txt
      
      Change-Id: I0ffd9ef50a07dfbaa8388d525c5ced09d5070103
      Fixes: #34922
      Releases: 4.8
      Reviewed-on: http://review.typo3.org/9736
      Reviewed-by: Philipp Gampe
      Reviewed-by: Stefan Neufeind
      Reviewed-by: Simon Schaufelberger
      Tested-by: Simon Schaufelberger
      Reviewed-by: Susanne Moog
      Tested-by: Susanne Moog
    • [TASK] Update extension configuration of saltedpasswords · e321a05c
      Susanne Moog authored
      Saltedpasswords is using user functions in the ext_conf_template which
      use type hinting for the config object. As the new extension manager
      handles the rendering of the configuration form differently, the type
      hints have to be removed.
      
      Change-Id: I00abd45523ca833799bb3101cdc8262e977750a1
      Resolves: #39935
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13901
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [FEATURE] Trigger execution of a specific task from CLI · 99b0eea5
      Philipp Gampe authored
      Make it possible to run a specific task by providing an additional
      parameter -i and the uid of the task on the command line.
      
      ./typo3/cli_dispatch.phpsh scheduler -i <uid>
      
      Use the parameter -f to force the execution even if the task is
      disabled or no execution is scheduled.
      
      Change-Id: I6226ea41fbb391a56f9eee3d3de919cc116157bc
      Resolves: #31073
      Relates: #38506
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/12481
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [FEATURE] Allow ext_icon.png as extension icon besides ext_icon.gif · a1d5aab1
      Ingo Renner authored
      Follow-Up to #37595
      
      Fixes two things found during the review. Due to an unfortunate
      timely intersection the original patch set was merged without
      these fixes.
      
      Change-Id: Ic9c69f09c1e92c628cd29c5c303e1807022a2a8e
      Fixes: #37595
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13898
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
      Reviewed-by: Ingo Renner
      Tested-by: Ingo Renner
    • [TASK] Rename table cache_extensions · 93f92990
      Christian Kuhn authored
      Table cache_extensions is handled by ext:extensionmanager and should be
      moved to its namespace. It is now in line with the according extbase
      model and called tx_extensionmanager_domain_model_extension.
      
      Change-Id: I9d8e0981bf5ff35c38c3254672b8b8015c72ff47
      Resolves: #39922
      Related: #39726
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13884
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Philipp Gampe
      Tested-by: Philipp Gampe
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [FEATURE] Allow ext_icon.png as extension icon besides ext_icon.gif · 3358716a
      Johannes Feustel authored
      Search for ext_icon.png and ext_icon.gif and store to
      $GLOBALS['TYPO3_LOADED_EXT'][$_EXTKEY]['ext_icon']
      
      Change-Id: I4867ba9c46b3c9d1674d91313599b2aada5e9295
      Resolves: #37595
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13888
      Reviewed-by: Philipp Gampe
      Tested-by: Philipp Gampe
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [BUGFIX] Make PageRenderer work with USER_INT plugins · 41f215f0
      Helmut Hummel authored
      Currently the PageRenderer renders all the page content before
      USER_INT plugins are substituted in the cached output.
      This leads to the situation, that adding header or footer data using
      the PageRenderer does not work for USER_INT plugins.
      
      If you for example try to use tt_content.media.20 in a
      USER_INT plugin, the JS library and the inline JS are not
      included.
      
      This change solves the problem, by adding the header and footer data
      of the PageRenderer during USER_INT processing.
      
      Resolves: #22273
      Releases: 6.0
      Change-Id: I97609684ccacdab1bd0853b9ccd6608716706f87
      Reviewed-on: http://review.typo3.org/7465
      Reviewed-by: Jigal van Hemert
      Tested-by: Jigal van Hemert
      Reviewed-by: Susanne Moog
      Tested-by: Susanne Moog
    • [BUGFIX] Fix wrong path in EXT:cms/ext_autoload.php · 10e59607
      Georg Ringer authored
      One path is wrong in ext_autoload and should be fixed
      
      Change-Id: I8a84ed8bec8f877dee491127c43ffa5ca0bc3757
      Fixes: #37478
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13837
      Reviewed-by: Wouter Wolters
      Reviewed-by: Ingo Renner
      Tested-by: Ingo Renner
    • [FEATURE] Support custom width in TCA tree · c15120c6
      Dominique Feyer authored
      Introduce setting ['config']['treeConfig']['appearance']['width']
      to apply custom width for TCA select fields that use the tce tree.
      
      Change-Id: I757745e51f650c20f23e60aa6c4a9b7b0fca6b99
      Releases: 6.0
      Resolves: #39046
      Reviewed-on: http://review.typo3.org/12860
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [TASK] Require PHP setting register_globals set to Off · d0dc3f19
      Helmut Hummel authored
      Die early in the bootstrap if register_globals is On.
      
      Change-Id: Icd2541447c190db7f1a6d01cd9da624568018b41
      Resolves: #39920
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13882
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [TASK] Add sys_notes to info module again · 1af37237
      Georg Ringer authored
      Once sys_note records have been shown in the info module but
      after changing the code, this didn't work anymore.
      
      This patch adds a hook which is then used by sys_note
      
      Change-Id: Ib73db81a508ec88b9502a41c1405e6a47c056c61
      Resolves: #39234
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13813
      Reviewed-by: Wouter Wolters
      Reviewed-by: Felix Kopp
      Tested-by: Felix Kopp
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [FEATURE] Report status check for file and folder create mask · 24e9d42c
      Christian Kuhn authored
      In sane server setups, it is usually not a good idea to configure TYPO3
      to create files and folders with writable bit for 'others'. The
      introduction package actually sets fileCreateMask and folderCreateMask
      to 666 and 777, but this is to ease the installation process and make
      the introduction package work in curious setups as well without problems.
      
      Therefore we now add a warning to the reports module instead, if the
      write bit for others is set, so an administrator is informed on the
      possible security impact, while the installation process is still smooth.
      
      Change-Id: Iae75a9f9492d8b784a3e1ea2c754a14abbc58f3e
      Releases: 6.0
      Resolves: #39912
      Reviewed-on: http://review.typo3.org/13874
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [BUGFIX] Fix skipped test for t3lib_log_Logger · 7694ab31
      Helmut Hummel authored
      One test for t3lib_log_Logger is marked as skipped
      because it was unclear how to do the test.
      Implement the test correctly and remove the skip.
      
      Change-Id: Iad5b56b0fdbc96bf4c20509de0ada80a1e7c8908
      Fixes: #39916
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13878
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [TASK] Adopt standard list layout for page records list · 5e0f02db
      Wouter Wolters authored
      Make record list on pages flexible and conform with list layout.
      Before this patch the table width was forced to 480px.
      
      Also adds header for each record list with total count and title.
      Moves the click menu and edit link to standard positions in table.
      Now includes the record list hover styles and standard paddings.
      
      CSS styles for previous non-standard table style are removed:
      there were no further references for ".typo3-page-stdlist".
      
      Change-Id: I9245442f174a5c82cd5c1cb0ab41dc0ea680fb24
      Resolves: #38368
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/12709
      Reviewed-by: Ingo Renner
      Tested-by: Ingo Renner
      Reviewed-by: Stefan Neufeind
      Reviewed-by: Felix Kopp
      Tested-by: Felix Kopp
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Georg Ringer
      Tested-by: Georg Ringer
  2. Aug 17, 2012
    • [FEATURE] Add styling to extension manager · b75e8911
      Hans Christian Reinl authored
      The styling of the extension manager is not completed.
      The CSS will follow step by step.
      
      First part is the styling of manage extensions.
      
      Change-Id: Id5d48cdf92b645cfe5188072d1af1bc226833326
      Releases: 6.0
      Resolves: #39909
      Reviewed-on: http://review.typo3.org/13870
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [BUGFIX] Extensions without description displayed wrong · 1f93ec6a
      Susanne Moog authored
      Extensions without descriptions are displayed
      wrong because of the empty title tag which is
      falsely interpreted by the tooltip plugin.
      
      Change-Id: Ie3f44152252ecb2dfa3e4400e27a7de66190f330
      Fixes: #39911
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13873
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [TASK] Rename getTypo3Version to getCurrentTypo3Version · 04617bba
      Wouter Wolters authored
      Rename getTypo3Version to getCurrentTypo3Version
      
      Change-Id: I3cfd951e78ac45575022e5ce3c67ca81b438de37
      Resolves: #39901
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13871
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [TASK] Remove old em · e7efe03e
      Christian Kuhn authored
      Change-Id: Ieb3823ad72fe41875484dfc25c8f1eea1feef917
      Resolves: #39906
      Related: #39726
      Reviewed-on: http://review.typo3.org/13869
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [FEATURE] Make CSS for sysext form configurable · 0eee6027
      Lorenz Ulrich authored
      Move the default styles of ext:form to TS in
      plugin.tx_form._CSS_DEFAULT_STYLE. This way it can be disabled with
      TypoScript either via plugin.tx_form._CSS_DEFAULT_STYLE >, and also
      respects the config.removeDefaultCss setting.
      
      Change-Id: Ie2b0c397124f06ec32114983e78dd60b4229ce97
      Resolves: #32480
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/11932
      Reviewed-by: Susanne Moog
      Tested-by: Susanne Moog
    • [FEATURE] Add new extension manager to the core · e5502bb4
      Susanne Moog authored
      For 6.0 a new extension manager based on
      extbase was developed. Goal of this extension
      manager is not to be the most feature rich
      but easy to use extension managers.
      
      Therefore the whole extension manager was
      restructured and some features were removed:
      * language handling -> will be an own extension
      * file editing -> can be done via other extensions
      * upload extension -> will be integrated into extdeveval
      
      This patch adds the base extension manager.
      Styling and JS fine tuning will be done afterwards.
      
      Please test the given functionality carefully and
      report as many bugs as you can find to the project
      at forge (TYPO3 6.0 > Extension Manager).
      
      Change-Id: I28ef14401f40e239e5ea235af2be3e431fb8789d
      Resolves: #39726
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13612
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [FEATURE] Add support for native date/time fields · ccd6b9d9
      Xavier Perseguers authored
      TYPO3 stores date and date/time values as a Unix timestamp.
      This feature allows native database types to be used instead.
      
      Native fields must be marked in the TCA using the key "dbType":
      
      'my_native_date' => array(
          'exclude' => 0,
          'label' => 'My native date',
          'config' => array(
              'dbType'   => 'date',
              'type'     => 'input',
              'size'     => '8',
              'max'      => '20',
              'eval'     => 'date',
              'checkbox' => '0',
              'default'  => '0'
          )
      ),
      
      Supported types for "dbType" are: date, datetime
      
      Change-Id: I078047abd7a93e16cfca7f1fec3fe52109c6d347
      Resolves: #38965
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/12808
      Reviewed-by: Marcus Schwemer
      Tested-by: Marcus Schwemer
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Susanne Moog
      Tested-by: Susanne Moog
    • [BUGFIX] Fix failing t3lib_log tests · 88a05980
      Ingo Renner authored
      Some tests for t3lib_log are failing in some cases, because
      the fixture classes are not available. They are available
      when executing the tests with the phpunit backend module
      because the files are named *_test.php, recognized as
      test files and thus required.
      
      To avoid this confusion, the fixture classes are now moved
      to a fixture directory and renamed so that they do not end with *_test.php.
      To be consistent the class names are also renamed.
      
      
      Change-Id: Ia5efce2909111b79ed6c836c4c704a78faacdc65
      Fixes: #39885
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13854
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [FEATURE] TypoScript: Allow easy comparison against multiple values · 08fcac15
      Stefan Neufeind authored
      Allow easy comparison like:
      [globalVar = TSFE:id = 10|12|15]   (in list)
      [globalVar = TSFE:id != 10|12|15]  (not in list)
      
      Change-Id: Iae920720ae6058c2cd741f74204c2fbce779e00f
      Resolves: #39700
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13589
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Ingo Renner
      Tested-by: Ingo Renner
  3. Aug 16, 2012
  4. Aug 15, 2012
    • [FEATURE] HMENU - sectionIndex: where clause should be configurable · af4153d9
      Stefan Galinski authored
      This changeset implements the sectionIndex setting
      "useColPos" that can be used to change the colPos
      query filter. A negative value drops the filter
      completely. Only integers are allowed as values
      and stdWrap is possible.
      
      Example:
      tt_content.menu.20.3.1.sectionIndex.useColPos = -1
      
      Change-Id: Ic65cdee014aa7972e3d28504a678a001355ed312
      Resolves: #21142
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/11251
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Stefan Neufeind
      Reviewed-by: Georg Ringer
      Tested-by: Georg Ringer
      Reviewed-by: Stefan Galinski
      Tested-by: Stefan Galinski
    • [SECURITY] XSS in install tool · 5f0d3e4e
      Mario Rimann authored
      In the "Basic Configuration" section, some configuration values are
      rendered without proper escaping both as input fields or as
      regular content of the page. These values are htmlspecialchars-
      treated now.
      
      For the "All Configuration" form, all input fields and text area fields get now htmlspecialchars-treated.
      
      Change-Id: I141efa5ad610bda4608f65c136af472cc3c4ec73
      Fixes: #21634
      Releases: 6.0, 4.7, 4.6, 4.5
      Security-Commit: 1063d380e3532b69c24800f20b1127af70f820a0
      Security-Bulletin: TYPO3-CORE-SA-2012-004
      Reviewed-on: http://review.typo3.org/13774
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Page Link Target vulnerable to XSS · 14f9a48e
      Markus Bucher authored
      This patch adds htmlspecialchars to page link target to prevent
      XSS.
      
      Change-Id: I5e9f07ec7465cd8658c4761328b394559cf9a53b
      Fixes: #32653
      Releases: 6.0, 4.7, 4.6, 4.5
      Security-Commit: 5de8ebf8a53e744fa9ce06a9e02835c7a637a664
      Security-Bulletin: TYPO3-CORE-SA-2012-004
      Reviewed-on: http://review.typo3.org/13773
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in validateForm · 25186002
      Markus Bucher authored
      Properly quote the form name and field list
      for the JavaScript validation
      
      Fixes: #25052
      Releases: 6.0, 4.7, 4.6, 4.5
      
      Change-Id: I328a3a39e3034c55de96d403994a450d9397f389
      Security-Bulletin: TYPO3-CORE-SA-2012-004
      Reviewed-on: http://review.typo3.org/13772
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in TCE forms · eb7eb17c
      Christian Kuhn authored
      Properly encode field labels that are set via TSConfig.
      
      Fixes: #25356
      Releases: 6.0, 4.7, 4.6, 4.5
      
      Change-Id: Ie61322d25c28cf953d3662fbd78febf64a21a970
      Security-Bulletin: TYPO3-CORE-SA-2012-004
      Reviewed-on: http://review.typo3.org/13771
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in Scheduler Example Task · e922b56e
      Mario Rimann authored
      The scheduler test-task that sends an email does not properly
      sanitize the input of the email field when rendering the editing
      form of that task.
      
      Change-Id: Ic77e50b339488acb5b811e35aaa558e26ac6193e
      Fixes: #30967
      Releases: 6.0, 4.7, 4.6, 4.5
      Security-Commit: d72a6e273edb2e249c1f544f0d6b7139aecdc825
      Security-Bulletin: TYPO3-CORE-SA-2012-004
      Reviewed-on: http://review.typo3.org/13770
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] HTML5 support in RemoveXSS · b28a945f
      Franz G. Jahn authored
      Add support for HTML5 tags and attributes in RemoveXSS.
      
      Change-Id: I4c51967b213b9bfe532887767a9b1cdcb182e9d7
      Fixes: #37127
      Releases: 6.0, 4.7, 4.6, 4.5
      Security-Commit: 6ad77fddb6e264cd2ef763446c79a30a6cee0a2a
      Security-Bulletin: TYPO3-CORE-SA-2012-004
      Reviewed-on: http://review.typo3.org/13769
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Information Disclosure in the Configuration Module · 788d9c19
      Mario Rimann authored
      The configuration module showed the encryption key as plaintext.
      For this view, the encryption key is masked and its length is
      shown instead, e.g. "***** (length: 96 characters)"
      
      Change-Id: I16145e76a60d15d8e9575ef0cc5cf3cd54b1b6b1
      Fixes: #39345
      Releases: 6.0, 4.7, 4.6, 4.5
      Security-Commit: c9b4932c07d1b95c47e5c184b74c2d3493db3b06
      Security-Bulletin: TYPO3-CORE-SA-2012-004
      Reviewed-on: http://review.typo3.org/13768
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Untrusted GP data is unserialized in old CSH handling · 05d760ac
      Marcus Krause authored
      Using the old and already deprecated CSH handling in TYPO3 backend,
      untrusted GP data is unserialized. There's no longer a code path
      in TYPO3 to generate the GP data. So we can safely remove all
      leftovers.
      
      Change-Id: I522cc774e65754ebbf05e6d1df65da41e7ab3f8a
      Fixes: #33520
      Releases: 6.0, 4.7, 4.6, 4.5
      Security-Commit: ac048ef7f8a789b218c2fa170747122beb594277
      Security-Bulletin: TYPO3-CORE-SA-2012-004
      Reviewed-on: http://review.typo3.org/13767
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in Indexed Search statistics · 06c16f87
      Steffen Gebert authored
      Indexed Search statistics module is vulnerable to
      persistent XSS attack injected by arbitrary frontend users.
      
      Change-Id: Ieb87cfff20a5e49522a2410d24a3b2ae141535a0
      Fixes: #31927
      Releases: 6.0, 4.7, 4.6, 4.5
      Security-Commit: 9aa89980af0db90bfc535f4858fc61036c3d8170
      Security-Bulletin: TYPO3-CORE-SA-2012-004
      Reviewed-on: http://review.typo3.org/13766
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] t3lib_div::quoteJSvalue allows XSS · 51fe9e0f
      Helmut Hummel authored
      When t3lib_div::quoteJSvalue() was used with second
      parameter set to TRUE closing HTML script tags were
      not escaped correctly.
      
      Now every character except harmless ones is encoded
      to a hex representation.
      
      Change-Id: I4ce17c924458bc4db659b2d37e7932cc9b0c340d
      Releases: 6.0, 4.7, 4.6, 4.5
      Fixes: #23226
      Security-Commit: ee1778ab0c7b4525dbabab4fcb94eb112b767e69
      Security-Bulletin: TYPO3-CORE-SA-2012-004
      Reviewed-on: http://review.typo3.org/13765
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [TASK] Raise submodule pointer · bf01ec8d
      TYPO3 Release Team authored
      Change-Id: I5484ffc0b383ccf14fdf9252514a324c26bc74e0
      Reviewed-on: http://review.typo3.org/13734
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
    • [TASK] Abstract t3lib_file_exception_abstractFileOperationException · 30405759
      Christian Kuhn authored
      Class t3lib_file_exception_abstractFileOperationException is never
      thrown itself and only extended. It should be abstract.
      
      Change-Id: I98611945801259cb9aa9ee24e6aa6649d327e179
      Releases: 6.0
      Resolves: #39817
      Reviewed-on: http://review.typo3.org/13696
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [TASK] Declare t3lib_treeView abstract · 004beee9
      Christian Kuhn authored
      t3lib_treeView is the base class for trees and is always
      extended by other classes for specific trees.
      The patch adds the abstract keyword to the class declaration.
      
      Change-Id: I5a54f1339ccf84c16671d0dd19bb4bc9d1f5747c
      Resolves: #39816
      Releases: 6.0
      Reviewed-on: http://review.typo3.org/13695
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn