- Jun 28, 2022
-
-
agendartobias authored
config.typolinkLinkAccessRestrictedPages_addParams works only with redirectMode getpost. Releases: main, 11.5, 10.4 Resolves: #97370 Change-Id: I43fc29558eb1d282b4f5939fa115f5350cbede38 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74940 Tested-by:
Lina Wolf <112@linawolf.de> Reviewed-by:
-
- Jun 27, 2022
-
-
Larry Garfield authored
The search results page currently may show the "pages" indicator in the title when there are no page numbers to show. This patch changes it to only show pagination information if there is information to show. Resolves: #96796 Releases: main, 11.5, 10.4 Change-Id: I8c1600a7eb732ed018c22bc02b0e689eb39a081c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74938 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
-
Oliver Klee authored
This helps extensions that rely on the type annotations of that class for static analysis. Resolves: #97812 Related: #97377 Releases: 11.5 Change-Id: I0b48f459617e4f4e6c609bdb3abf6f8b465dabd9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74985 Tested-by:
Nikita Hovratov <nikita.h@live.de> Reviewed-by:
-
- Jun 24, 2022
-
-
Andreas Fernandez authored
The input field used within the backend search form at the top had an initial padding of 0px which mispositions the search field until all JavaScript is loaded because the field will be wrapped in a div container and thus the responsible CSS rule becomes unused. To solve this wrong positioning, the affected CSS definition is removed. Resolves: #97810 Releases: main, 11.5 Change-Id: I01477cd098adcb95fe18467c524a55f8df70da5a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74982 Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
-
David Bruchmann authored
The new option is explained here: https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/10.0/Featur e-80420-AllowMultipleRecipientsInEmailFinisher.html Releases: main, 11.5 Resolves: #96086 Change-Id: I740e360735e09d07f5a6f16513317e4b226fd0b1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74937 Tested-by:
-
Björn Jacob authored
The whole documentation about finishers has not been touched since ages. A lot of information are outdated. This patch fixes the mess. Also improve a language label to clarify the usage of the title field within the finishers "EmailToReceiver" and "EmailToSender". Resolves: #96048 Releases: main, 11.5 Change-Id: I3004194c37203993582e7f4687523ad766d3235d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74978 Tested-by:
Björn Jacob <bjoern.jacob@tritum.de> Tested-by:
-
- Jun 23, 2022
-
-
linawolf authored
Add changelog entry to https://review.typo3.org/c/Packages/TYPO3.CMS/+/74902 - Restrict export functionality to allowed users Resolves: #97771 Releases: main, 11.5, 10.4 Change-Id: I98252b73aa5b14a8cfe5d26559711123e17ced15 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74976 Tested-by:
-
- Jun 22, 2022
-
-
Andreas Fernandez authored
The maintainers of the package guzzlehttp/guzzle released a new version 7.4.5 that fixes two security issues: * CURLOPT_HTTPAUTH option not cleared on change of origin [1] * Change in port should be considered a change in origin [2] Executed commands: composer require \ guzzlehttp/guzzle:^7.4.5 \ -W composer require \ -d typo3/sysext/core \ guzzlehttp/guzzle:^7.4.5 \ --no-update [1] https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r [2] https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699 Resolves: #97802 Releases: main, 11.5, 10.4 Change-Id: Ia49f75f8ed078beb43ba42f89efdd8e68ee146c5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74972 Tested-by:Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Stefan Bürk <stefan@buerk.tech...>
-
- Jun 19, 2022
-
-
Josef Glatz authored
$GLOBALS['TYPO3_CONF_VARS']['MAIL']['dsn'] may contain credentials and is therefore blinded in the configuration module. Resolves: #96993 Releases: main, 11.5 Change-Id: I9a6ff7cc8f6c58fa3281125d5198bebb452a4ebc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74936 Tested-by:
-
Oliver Klee authored
The factory method WorkspaceRecord::get() now uses a proper makeInstance() call instead of new for creating new instances, which allows XCLASSing the class and aligns object creation to "the TYPO3 way" in that place. Also add a regression test. Resolves: #97423 Relates: #97754 Releases: main, 11.5 Change-Id: I76e5ce3a1f908bf0efa4faaa439724e2d1d7cbb2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74960 Tested-by:
-
Oliver Klee authored
Also simplify the code of a caller as detected by static code analysis. Resolves: #97711 Relates: #97705 Releases: main, 11.5 Change-Id: I1323ffe047cc4954a8c031dbb0218739a7d95571 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74959 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
Julian Hofmann authored
Doctrine (now?) does not allow values to be surrounded by single quotes. It expects a `PlainValue` but struggles over the quotes. Replacing the single quotes with double quotes solves this problem: `[Syntax Error] Expected PlainValue, got ''' at position ***` Releases: main, 11.5 Resolves: #97716 Change-Id: I34042f350bcac2d6518f73be9796d39e0bcc64a7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74935 Tested-by:
-
Andreas Fernandez authored
`RecoveryCodeTest` now uses a `NoopPasswordHash` implementation, that uses sha1 internally. It's obviously not as secure as the til today configured argon2 algorithm, but still fine for testing reasons, which greatly improves the test runtime. Resolves: #97788 Releases: main, 11.5 Change-Id: Ic7ee62f7dea3eedb2e792b88bec293e556454556 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74958 Tested-by:
-
Stefan Bürk authored
This patch adds a script to scan and verify namespace of core class and test files to be PSR-4 compliant. It uses provided namespace registration in core system extensions and root composer file for test namespace registrations. Test fixture test extensions are ignored for now. Check for these will be enabled in a dedicated patch, after streamling of fixture test extensions has been done. Resolves: #97790 Releases: main, 11.5 Change-Id: I36d2946891f2e12dd140b98075a13a65f0b70bb4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74957 Tested-by:
-
Stefan Bürk authored
This patch adjustes invalid namespaces uses in some files to ensure PSR-4 loading compatibility. Resolves: #97793 Releases: main, 11.5, 10.4 Change-Id: Ib8e0a1fd2b0c6493a7cda9d4360abec90b80ade4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74955 Tested-by:
-
Stefan Bürk authored
This patch adjustes invalid namespaces uses in some files to ensure PSR-4 loading compatibility. Additionally the superflous use statements are removed. Resolves: #97792 Releases: main, 11.5 Change-Id: I9a0bae0a2e59cf8dce77f131350db488c9688840 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74954 Tested-by:
-
- Jun 17, 2022
-
-
Chris Müller authored
Additionally, fix some flaws and typos. Resolves: #97760 Releases: main, 11.5 Change-Id: Ic661dec8a180db640a30fb7305b93e6cdb777efe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74934 Tested-by:
-
Chris Müller authored
Additionally, use "On" as value for ExpiresActive directive as this is the preferred notation. Resolves: #97764 Releases: main, 11.5 Change-Id: Iee2433cf88cc7b7200a72c7d5308da0202fe3e78 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74933 Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
- Jun 15, 2022
-
-
Oliver Hader authored
Change-Id: I3aa1bf69e2c8350edeb71c2ce78a2363a8f5c7bc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74917 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Oliver Hader authored
Change-Id: Ia99dd3b078bc354f201267257d21a4ea44cb3b7f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74916 Tested-by:
-
Oliver Hader authored
The security fix TYPO3-CORE-SA-2022-005 introduced a synchronization of backend user and admin tool sessions - without considering these two documented aspects: + If no system maintainer is set up, then all administrators are assigned the system maintainer role. + In Development context, all administrators are system maintainers as well. Resolves: #97768 Releases: main, 11.5, 10.4 Change-Id: I81dbfc5d07a41a4fa254e1fb50210c74f5e6f02c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74911 Tested-by:
-
- Jun 14, 2022
-
-
Oliver Hader authored
Change-Id: I56f3976ac0866fd2972183af8b8ad07a67350408 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74909 Tested-by:
-
Oliver Hader authored
Change-Id: I87ce1032fe4bad74e14524c0c576fd4fa0a1ae76 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74908 Tested-by:
-
Oliver Hader authored
Admin tools sessions are revoked in case the initiatin backend user does not have admin or system maintainer privileges anymore. Besides that, revoking backend user interface sessions now also revokes access to admin tools. Standalone install tool is not affected. Resolves: #92019 Releases: main, 11.5, 10.4 Change-Id: I367098abd632fa34caa59e4e165f5ab1916894c5 Security-Bulletin: TYPO3-CORE-SA-2022-005 Security-References: CVE-2022-31050 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74901 Tested-by:
-
Andreas Fernandez authored
The `receiverName` variable used in the password recovery mail of the Extbase felogin plugin was susceptible to HTML injection due to missing sanitization. The variable is now passed thru the `f:format.htmlspecialchars` ViewHelper. Resolves: #96559 Releases: main, 11.5, 10.4 Change-Id: I60e23c161f7f2fcc87b8870345b10a4c31d7b8db Security-Bulletin: TYPO3-CORE-SA-2022-004 Security-References: CVE-2022-31049 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74900 Tested-by:
-
Gabe Troyan authored
Multivalue items in the form editor user interface were previewed as HTML, but should be treated as scalar text only. Resolves: #96743 Releases: main, 11.5, 10.4 Change-Id: I5e8dab26119490ecf19ac5d48c2bc7a5a00daaad Security-Bulletin: TYPO3-CORE-SA-2022-003 Security-References: CVE-2022-31048 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74899 Tested-by:
-
Torben Hansen authored
When a TYPO3 exception is handled through registered exception handlers, log writers may log sensitive information to logs, since the full stacktrace is logged. With this change, exception handlers that extend AbstractExceptionHandler except DebugExceptionHandler will by default not include the exception object any more and thereby not log the full stacktrace. Resolves: #96866 Releases: main, 11.5, 10.4 Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0 Security-Bulletin: TYPO3-CORE-SA-2022-002 Security-References: CVE-2022-31047 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74898 Tested-by:
-
Torben Hansen authored
The import functionality of the import/export module is already restricted to admin users or users, who explicitly have access through the user TSConfig setting "options.impexp.enableImportForNonAdminUser". The export functionality has the following security drawbacks: * Export for editors is not limited on field level * The "Save to filename" functionality saves to a shared folder, which other editors with different access rights may have access to. Both issues are not easy to resolve and also the target audience for the Import/Export functionality are mainly TYPO3 admins. Therefore, now also the export functionality is restricted to TYPO3 admin users and to users, who explicitly have access through the new user TSConfig setting "options.impexp.enableExportForNonAdminUser". Additionally, the contents of the temporary "importexport" folder in file storages is now only visible to users who have access to the export functionality. In general, it is recommended to only install the Import/Export extension when the functionality is required. Resolves: #94951 Releases: main, 11.5, 10.4 Change-Id: Iae020baf051aeec0613366687aa8ebcbf9b3d8b2 Security-Bulletin: TYPO3-CORE-SA-2022-001 Security-References: CVE-2022-31046 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74897 Tested-by:
-
- Jun 13, 2022
-
-
Torben Hansen authored
The package guzzlehttp/guzzle has been updated to version 7.4.4 and 6.5.7 which both fix the security issues [1] and [2]. Since TYPO3 is not affected by the issues by default, this is handled as a public bugfix. 3rd party extensions may however be affected by the vulnerabilities if `Authorization` or `Cookie` headers are used. Executed commands: composer require \ guzzlehttp/guzzle:^7.4.4 \ -W composer require \ -d typo3/sysext/core \ guzzlehttp/guzzle:^7.4.4 \ --no-update [1] https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q [2] https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9 Resolves: #97759 Releases: main, 11.5, 10.4 Change-Id: I6ed48f2b03e5e0ca82a9aa493499a5eaf65b184c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74878 Tested-by:
-
- Jun 11, 2022
-
-
Jochen Roth authored
Currently the clearFilterReloadsPageTreeWithoutFilterApplied randomly fails due to a still existing element. This seems to be caused by performance issues in CI. This is now solved by waiting for the element to actually disappear. Resolves: #97749 Releases: main, 11.5 Change-Id: Ib417fc97dcff6ddf0f3c1370ffa419a79f21eba6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74875 Tested-by:
-
Markus Klein authored
By making the modal's primary button a submit button and binding it to the form, the user can now use the ENTER key to submit the password. Resolves: #97746 Releases: main, 11.5 Change-Id: Icc380057259a0c44511098d640bdd8c4ca395a55 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74867 Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
Stefan Bürk authored
This change adds the ability to clean rendered documentation folder and files in all system extension folders in one go. Mentioned folders are `typo3/sysext/*/Documentation-GENERATED-temp`. Added command/testsuite: * `Build/Scripts/runTests.sh -s cleanRenderedDocumentation` Additionally the already combined cleaning command `-s clean` is extended to delete rendered documentation in the same run. Resolves: #97673 Releases: main, 11.5, 10.4 Change-Id: I344f897769cd5f475d43db67dd1b27693f49a658 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74841 Tested-by:
-
- Jun 10, 2022
-
-
Stefan Bürk authored
This patch adds the ability to run commands with PHP8.2 using `Build/Scripts/runTests.sh`. Support is added early to check which issues may raise up with new major PHP version. Help text of script is adopted to state the possibilty of the new PHP version with proper example commands. Additionally a note and check for currently not suppored xdebug with PHP8.2 is added. Resolves: #97755 Releases: main, 11.5 Change-Id: I9df13d35278793fba8c5475c8abd602bd1c27896 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74870 Tested-by:
-
Oliver Klee authored
PHP 8.1.7 introduced a bug that it considers the month number 100 to be valid, which breaks one of our tests. As it is not relevant for the test whether the invalid month is exactly 100 or 99, we now are using a number that does not trigger the PHP bug. https://github.com/php/php-src/issues/8749 Resolves: #97756 Releases: main, 11.5 Change-Id: I2ca2b90a2c1e46f16cfeddda29d80e6a83779b1c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74840 Reviewed-by:
-
Oliver Hader authored
A dialog trying to prevent overriding existing files in the filelist module shows an incorrect modification date of files that are existing on the server-side. When using regular unix timestamps (instead of micro-timestamps), dedicated `moment.unix` function has to be used. Resolves: #97724 Releases: main, 11.5, 10.4 Change-Id: Ieb5a00aaf87410e9721e39d91b9e0da13a109bc6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74806 Tested-by:
-
Chris Müller authored
Resolves: #97612 Releases: main, 11.5 Change-Id: Ia23a15f0beb864a8b53c568ed27642ec7ac8c7b2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74868 Tested-by:
-
- Jun 09, 2022
-
-
André Buchmann authored
Some default fields (e.g. tt_content.bodytext) can contain null values. TYPO3 first fetches the data in the default language and then overlays the rows data with the translation values. The overlay method inspects each array item with the php isset() function. This validates not only the existence of the array key, but also the values. null and false values evaluated as false. Empty strings evaluate as true. This leads to inconsistent output in the frontend. The overlay now valides only the array key existence and applies also empty values. Resolves: #97616 Releases: main, 11.5, 10.4 Change-Id: I4b01c52e9ac7adde786b3395bce870bc0a354b58 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74834 Tested-by:
-
Larry Garfield authored
More code paths identified as dead by PHPStan, or that PHPStan isn't understanding correctly. Used command: > Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #97649 Releases: main, 11.5 Change-Id: I8ff67b7ebda5d64624d4e42a9775e4709bff3f08 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74836 Tested-by:
-
- Jun 07, 2022
-
-
Simon Schaufelberger authored
Searched for "/** @var " and went through all results manually. Skipped results where GeneralUtility::makeInstance is called with a variable. This reduces the PHPStan baseline further. Imported some namespaces on the go. Run commands: > Build/Scripts/runTests.sh -s phpstanGenerateBaseline > Build/Scripts/runTests.sh -s cglGit Resolves: #97705 Releases: main,11.5 Change-Id: I700ba596234af8cd3d32507fb03d77cfe30c678a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74787 Tested-by:
-
Josua Vogel authored
Guard invalid argument type exception by using null coalescing operator in `\TYPO3\CMS\Form\Domain\Finishers\FinisherVariableProvider`. Resolves: #97699 Releases: main, 11.5 Change-Id: I6312fb35d52857004e0467a20e215fc4095e0037 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74832 Tested-by:
-
