- Jun 21, 2022
-
-
Benni Mack authored
LZW enabled compression for GIF and TIF is now removed in favor of just using convert which is available most of the time. This was needed back in 200x when TIFF was super-big, but is usually now properly bundled in IM/GM. Resolves: #97797 Releases: main Change-Id: Iba4d19f27cde90ee910048f12ec27ede13282c16 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74918 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
Christian Kuhn authored
Field 'clear' in sys_template is a checkbox field: 1 = clear constants 2 = clear setup 3 = clear both constants & setup The patch updates a functional test setup to properly clear both constants and setup. Change-Id: I45175bbeb571328715928d133ce83245608e208c Resolves: #97800 Releases: main Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74969 Tested-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
-
Andreas Fernandez authored
To allow dispatching notifications to the user the easy way, a new global flash message queue, identified by `TYPO3\CMS\Core\Messaging\FlashMessageQueue::NOTIFICATION_QUEUE`, is introduced that takes the flash message and renders it as a notification on the top-right edge of the backend. Backend modules based on `TYPO3\CMS\Backend\Template\ModuleTemplate` automatically gain advantage of this feature. Resolves: #97595 Releases: main Change-Id: I0e04f0412117649391c0f50fa4249b7832dded69 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74582 Tested-by:
Simon Schaufelberger <simonschaufi+typo3@gmail.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
-
Torben Hansen authored
Argument types for 2 functions can safely be set to `string`, since current implementations already ensure, that only a string is passed as argument. Resolves: #97799 Releases: main Change-Id: Ia1f81b63f53c3087b4d03979a8fc17e0f7c8f6dd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74968 Tested-by:
-
- Jun 20, 2022
-
-
Oliver Klee authored
This helps avoid breakage when GeneralUtility will switch to strict mode. This change also prevents a whole bunch of possible invalid array access warnings. Resolves: #97583 Relates: #97578 Releases: main Change-Id: Id500872d91a7b47c647bb9a4d860477ee9ca7595 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74961 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
-
Christian Kuhn authored
Add some more comments to TemplateService related properties and fix typos. Resolves: #97796 Releases: main Change-Id: I131e141e0d1acce57ded287348c7ed0e2ab8a983 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74964 Tested-by:
-
- Jun 19, 2022
-
-
Oliver Hader authored
The backend related global-event-handler is a helper to especially submit POST forms on various DOM elements. It supersedes "onClick" events by having a watcher defined by data attributes. The patch extends given solution to also act on other elements, especially the "<a .." tag. This will be used by the upcoming backend TypoScript Object browser and in general allows to send POST requests instead of GET requests on many elements. The JavaScript implementation has been prepared a while ago already, but missed a use-case up until now. Change-Id: I6604fd866543f94addbb9909fd41fb2ba3355bf5 Resolves: #97795 Related: #91052 Releases: main Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74963 Tested-by:
-
Christian Kuhn authored
Enrich existing test data providers of ArrayUtility::flatten() with another scenario to see how it behaves on details. Change-Id: I3e97689efc2f72e1a9532b12652c98ecaef67556 Resolves: #97794 Releases: main Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74962 Tested-by:
-
Oliver Klee authored
This helps avoid breakage when GeneralUtility will switch to strict mode. This change also prevents a whole bunch of possible invalid array access warnings. Resolves: #97582 Relates: #97580 Releases: main Change-Id: I950d64fcb2f16b5044eeff465c85b4022525ceb6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74863 Tested-by:
-
linawolf authored
Document the status quo and the recent changes. resolves https://github.com/TYPO3-Documentation/Changelog-To-Doc/issues/84 resolves https://github.com/TYPO3-Documentation/Changelog-To-Doc/issues/77 Resolves: #97758 Releases: main Change-Id: I35596dad6f9f840f21fac42ca7f2d58009ba5463 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74873 Tested-by:
Chris Müller <typo3@krue.ml> Tested-by:
Sybille Peters <sypets@gmx.de> Tested-by:
-
Josef Glatz authored
$GLOBALS['TYPO3_CONF_VARS']['MAIL']['dsn'] may contain credentials and is therefore blinded in the configuration module. Resolves: #96993 Releases: main, 11.5 Change-Id: I9a6ff7cc8f6c58fa3281125d5198bebb452a4ebc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74856 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
Larry Garfield authored
Resolves: #97744 Releases: main Change-Id: I60f3424696f2b6b655922b6c377ce65ec139c877 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74829 Tested-by:
-
Sybille Peters authored
In .editorconfig indenting of 4 spaces is configured (implicitly) for HTML files. Most files already use this, but some files contain TABs. This patch converts the existing TABs to 4 spaces. Resolves: #97757 Releases: main Change-Id: I2f8d135dedb342a5c1c7f21d4540da0057918d8d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74872 Tested-by:
André Buchmann <andy.schliesser@gmail.com> Tested-by:
-
Georg Ringer authored
Show all Symfony expression language providers in the configuration module including their functions and variables. Resolves: #97480 Releases: main Change-Id: I777477c9601a2cd9e9bd9f9cf3dae4682ed2c791 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74446 Tested-by:
-
Nikita Hovratov authored
For the Module Template Layout to render FlashMessages, it needs to hold the FlashMessageQueue with the added messages. This needs to be done manually for extbase extensions, as they are holding their own internal queue. This patch also reverts the related patch #97569, which fixed it by adding an explicit f:flashMessages VH to the templates. Resolves: #97717 Related: #97569 Related: #96745 Releases: main Change-Id: I926298f303a4d0d0ffdaffa771ac7667f971b8f1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74795 Tested-by:
-
Oliver Klee authored
The factory method WorkspaceRecord::get() now uses a proper makeInstance() call instead of new for creating new instances, which allows XCLASSing the class and aligns object creation to "the TYPO3 way" in that place. Also add a regression test. Resolves: #97423 Relates: #97754 Releases: main, 11.5 Change-Id: I76e5ce3a1f908bf0efa4faaa439724e2d1d7cbb2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74347 Tested-by:
-
Oliver Klee authored
Also simplify the code of a caller as detected by static code analysis. Resolves: #97711 Relates: #97705 Releases: main, 11.5 Change-Id: I1323ffe047cc4954a8c031dbb0218739a7d95571 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74864 Tested-by:
-
Andreas Fernandez authored
`RecoveryCodeTest` now uses a `NoopPasswordHash` implementation, that uses sha1 internally. It's obviously not as secure as the til today configured argon2 algorithm, but still fine for testing reasons, which greatly improves the test runtime. Resolves: #97788 Releases: main, 11.5 Change-Id: Ic7ee62f7dea3eedb2e792b88bec293e556454556 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74929 Reviewed-by:
-
Julian Hofmann authored
Doctrine (now?) does not allow values to be surrounded by single quotes. It expects a `PlainValue` but struggles over the quotes. Replacing the single quotes with double quotes solves this problem: `[Syntax Error] Expected PlainValue, got ''' at position ***` Releases: main, 11.5 Resolves: #97716 Change-Id: I34042f350bcac2d6518f73be9796d39e0bcc64a7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74794 Tested-by:
-
Stefan Bürk authored
This patch adds a script to scan and verify namespace of core class and test files to be PSR-4 compliant. It uses provided namespace registration in core system extensions and root composer file for test namespace registrations. Test fixture test extensions are ignored for now. Check for these will be enabled in a dedicated patch, after streamling of fixture test extensions has been done. Resolves: #97790 Releases: main, 11.5 Change-Id: I36d2946891f2e12dd140b98075a13a65f0b70bb4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74930 Tested-by:
-
Anja Leichsenring authored
The component causes errors every once in a while and does not provide a huge benefit anymore. This part contains the low hanging fruits, the harder cases will be tackled in other parts. Resolves: #97762 Releases: main Change-Id: I36d59cbf3514c13cceacf8de4bebf577b2389f59 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74882 Tested-by:
-
Stefan Bürk authored
This patch adjustes invalid namespaces uses in some files to ensure PSR-4 loading compatibility. Resolves: #97793 Releases: main, 11.5, 10.4 Change-Id: Ib8e0a1fd2b0c6493a7cda9d4360abec90b80ade4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74953 Tested-by:
-
Stefan Bürk authored
This patch adjustes invalid namespaces uses in some files to ensure PSR-4 loading compatibility. Additionally the superflous use statements are removed. Resolves: #97792 Releases: main, 11.5 Change-Id: I9a0bae0a2e59cf8dce77f131350db488c9688840 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74952 Tested-by:
-
Stefan Bürk authored
This change replaces invalid namespaces in some files to ensure PSR-4 loading compatibility. Additional missing namespace autoloading configuration for `tstemplate` test files is added to root composer.json. Resolves: #97791 Releases: main Change-Id: I52a473f71dd284a3ecb7e0bda397331db3b4b47d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74931 Tested-by:
-
- Jun 17, 2022
-
-
Chris Müller authored
Additionally, fix some flaws and typos. Resolves: #97760 Releases: main, 11.5 Change-Id: Ic661dec8a180db640a30fb7305b93e6cdb777efe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74877 Tested-by:
Björn Jacob <bjoern.jacob@tritum.de> Tested-by:
Nikita Hovratov <nikita.h@live.de> Reviewed-by:
-
Benni Mack authored
When using compressed files such as JS / CSS files, the files are now put in a ".gz" file extension instead of ".gzip" as this is more wide-spread and possible by default. Also see https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types Resolves: #93182 Releases: main Change-Id: I27aa2dbf5d36809eb85c77701b47e03cf5618692 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67272 Tested-by:
Mathias Bolt Lesniak <mathias@pixelant.no> Tested-by:
crell <larry@garfieldtech.com> Reviewed-by:
-
Chris Müller authored
Additionally, use "On" as value for ExpiresActive directive as this is the preferred notation. Resolves: #97764 Releases: main, 11.5 Change-Id: Iee2433cf88cc7b7200a72c7d5308da0202fe3e78 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74922 Tested-by:
-
Larry Garfield authored
Resolves: #97742 Releases: main Change-Id: If4944dd1d45b3e8c9522689f472fec9f6810eacb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74827 Tested-by:
Joey Bouten <joey.bouten@beech.it> Reviewed-by:
-
- Jun 15, 2022
-
-
Oliver Hader authored
The security fix TYPO3-CORE-SA-2022-005 introduced a synchronization of backend user and admin tool sessions - without considering these two documented aspects: + If no system maintainer is set up, then all administrators are assigned the system maintainer role. + In Development context, all administrators are system maintainers as well. Resolves: #97768 Releases: main, 11.5, 10.4 Change-Id: I81dbfc5d07a41a4fa254e1fb50210c74f5e6f02c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74910 Tested-by:
Rudy Gnodde <rudy@famouswolf.com> Tested-by:
Xavier Perseguers <xavier@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Thomas Hohn Reviewed-by:
-
- Jun 14, 2022
-
-
Oliver Hader authored
Admin tools sessions are revoked in case the initiatin backend user does not have admin or system maintainer privileges anymore. Besides that, revoking backend user interface sessions now also revokes access to admin tools. Standalone install tool is not affected. Resolves: #92019 Releases: main, 11.5, 10.4 Change-Id: I367098abd632fa34caa59e4e165f5ab1916894c5 Security-Bulletin: TYPO3-CORE-SA-2022-005 Security-References: CVE-2022-31050 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74905 Tested-by:
-
Andreas Fernandez authored
The `receiverName` variable used in the password recovery mail of the Extbase felogin plugin was susceptible to HTML injection due to missing sanitization. The variable is now passed thru the `f:format.htmlspecialchars` ViewHelper. Resolves: #96559 Releases: main, 11.5, 10.4 Change-Id: I60e23c161f7f2fcc87b8870345b10a4c31d7b8db Security-Bulletin: TYPO3-CORE-SA-2022-004 Security-References: CVE-2022-31049 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74904 Tested-by:
-
Gabe Troyan authored
Multivalue items in the form editor user interface were previewed as HTML, but should be treated as scalar text only. Resolves: #96743 Releases: main, 11.5, 10.4 Change-Id: I5e8dab26119490ecf19ac5d48c2bc7a5a00daaad Security-Bulletin: TYPO3-CORE-SA-2022-003 Security-References: CVE-2022-31048 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73297 Tested-by:
-
Torben Hansen authored
When a TYPO3 exception is handled through registered exception handlers, log writers may log sensitive information to logs, since the full stacktrace is logged. With this change, exception handlers that extend AbstractExceptionHandler except DebugExceptionHandler will by default not include the exception object any more and thereby not log the full stacktrace. Resolves: #96866 Releases: main, 11.5, 10.4 Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0 Security-Bulletin: TYPO3-CORE-SA-2022-002 Security-References: CVE-2022-31047 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74903 Tested-by:
-
Torben Hansen authored
The import functionality of the import/export module is already restricted to admin users or users, who explicitly have access through the user TSConfig setting "options.impexp.enableImportForNonAdminUser". The export functionality has the following security drawbacks: * Export for editors is not limited on field level * The "Save to filename" functionality saves to a shared folder, which other editors with different access rights may have access to. Both issues are not easy to resolve and also the target audience for the Import/Export functionality are mainly TYPO3 admins. Therefore, now also the export functionality is restricted to TYPO3 admin users and to users, who explicitly have access through the new user TSConfig setting "options.impexp.enableExportForNonAdminUser". Additionally, the contents of the temporary "importexport" folder in file storages is now only visible to users who have access to the export functionality. In general, it is recommended to only install the Import/Export extension when the functionality is required. Resolves: #94951 Releases: main, 11.5, 10.4 Change-Id: Iae020baf051aeec0613366687aa8ebcbf9b3d8b2 Security-Bulletin: TYPO3-CORE-SA-2022-001 Security-References: CVE-2022-31046 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74902 Tested-by:
-
Oliver Bartsch authored
The action to delete an indexed item in the IndexedSearch backend module used the "id" parameter to pass the indexed item id to the method. The controller is based on extbase and previously, those parameters were prefixed with the plugin namespace. However, with #97096 the parameters in extbase backend modules are no longer prefix by default, which therefore lead to a collision. The "id" parameter should always represent the currently selected page, underlying code performs access checks on this value. This is now resolved by using a dedicated parameter, which is not already "reserved" by underlying functionality. Resolves: #97766 Related: #97096 Releases: main Change-Id: If7ccb1dfbdad6f907eb4f27187eb7eb9b753e9dc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74885 Tested-by:
-
- Jun 13, 2022
-
-
Oliver Bartsch authored
TYPO3's Mailer implementation does now dispatch two new PSR-14 events. The `BeforeMailerSentMessageEvent` can be used to manipulate the message and the envelope before being sent. The `AfterMailerSentMessageEvent` can be used to add further processing after the message has been sent. Resolves: #93689 Releases: main Change-Id: I02ec5ad5b7a18f9f6f4f7146b676f7ce773d3b29 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74825 Tested-by:
-
Torben Hansen authored
The package guzzlehttp/guzzle has been updated to version 7.4.4 and 6.5.7 which both fix the security issues [1] and [2]. Since TYPO3 is not affected by the issues by default, this is handled as a public bugfix. 3rd party extensions may however be affected by the vulnerabilities if `Authorization` or `Cookie` headers are used. Executed commands: composer require \ guzzlehttp/guzzle:^7.4.4 \ -W composer require \ -d typo3/sysext/core \ guzzlehttp/guzzle:^7.4.4 \ --no-update [1] https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q [2] https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9 Resolves: #97759 Releases: main, 11.5, 10.4 Change-Id: I6ed48f2b03e5e0ca82a9aa493499a5eaf65b184c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74876 Tested-by:Oliver Klee <typo3-coding@olive...>
-
- Jun 11, 2022
-
-
Jochen Roth authored
Currently the clearFilterReloadsPageTreeWithoutFilterApplied randomly fails due to a still existing element. This seems to be caused by performance issues in CI. This is now solved by waiting for the element to actually disappear. Resolves: #97749 Releases: main, 11.5 Change-Id: Ib417fc97dcff6ddf0f3c1370ffa419a79f21eba6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74858 Tested-by:
-
Stefan Bürk authored
This change adds the ability to clean rendered documentation folder and files in all system extension folders in one go. Mentioned folders are `typo3/sysext/*/Documentation-GENERATED-temp`. Added command/testsuite: * `Build/Scripts/runTests.sh -s cleanRenderedDocumentation` Additionally the already combined cleaning command `-s clean` is extended to delete rendered documentation in the same run. Resolves: #97673 Releases: main, 11.5, 10.4 Change-Id: I344f897769cd5f475d43db67dd1b27693f49a658 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74717 Tested-by:
-
- Jun 10, 2022
-
-
Stefan Bürk authored
This patch adds the ability to run commands with PHP8.2 using `Build/Scripts/runTests.sh`. Support is added early to check which issues may raise up with new major PHP version. Help text of script is adopted to state the possibility of the new PHP version with proper example commands. Additionally, a note and check for currently not supported xdebug with PHP8.2 is added. Resolves: #97755 Releases: main, 11.5 Change-Id: I9df13d35278793fba8c5475c8abd602bd1c27896 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74869 Tested-by:
-
