- Jun 14, 2022
-
-
Gabe Troyan authored
Multivalue items in the form editor user interface were previewed as HTML, but should be treated as scalar text only. Resolves: #96743 Releases: main, 11.5, 10.4 Change-Id: I5e8dab26119490ecf19ac5d48c2bc7a5a00daaad Security-Bulletin: TYPO3-CORE-SA-2022-003 Security-References: CVE-2022-31048 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74899 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Torben Hansen authored
When a TYPO3 exception is handled through registered exception handlers, log writers may log sensitive information to logs, since the full stacktrace is logged. With this change, exception handlers that extend AbstractExceptionHandler except DebugExceptionHandler will by default not include the exception object any more and thereby not log the full stacktrace. Resolves: #96866 Releases: main, 11.5, 10.4 Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0 Security-Bulletin: TYPO3-CORE-SA-2022-002 Security-References: CVE-2022-31047 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74898 Tested-by:
-
Torben Hansen authored
The import functionality of the import/export module is already restricted to admin users or users, who explicitly have access through the user TSConfig setting "options.impexp.enableImportForNonAdminUser". The export functionality has the following security drawbacks: * Export for editors is not limited on field level * The "Save to filename" functionality saves to a shared folder, which other editors with different access rights may have access to. Both issues are not easy to resolve and also the target audience for the Import/Export functionality are mainly TYPO3 admins. Therefore, now also the export functionality is restricted to TYPO3 admin users and to users, who explicitly have access through the new user TSConfig setting "options.impexp.enableExportForNonAdminUser". Additionally, the contents of the temporary "importexport" folder in file storages is now only visible to users who have access to the export functionality. In general, it is recommended to only install the Import/Export extension when the functionality is required. Resolves: #94951 Releases: main, 11.5, 10.4 Change-Id: Iae020baf051aeec0613366687aa8ebcbf9b3d8b2 Security-Bulletin: TYPO3-CORE-SA-2022-001 Security-References: CVE-2022-31046 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74897 Tested-by:
-
- Jun 13, 2022
-
-
Torben Hansen authored
The package guzzlehttp/guzzle has been updated to version 7.4.4 and 6.5.7 which both fix the security issues [1] and [2]. Since TYPO3 is not affected by the issues by default, this is handled as a public bugfix. 3rd party extensions may however be affected by the vulnerabilities if `Authorization` or `Cookie` headers are used. Executed commands: composer require \ guzzlehttp/guzzle:^7.4.4 \ -W composer require \ -d typo3/sysext/core \ guzzlehttp/guzzle:^7.4.4 \ --no-update [1] https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q [2] https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9 Resolves: #97759 Releases: main, 11.5, 10.4 Change-Id: I6ed48f2b03e5e0ca82a9aa493499a5eaf65b184c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74878 Tested-by:core-ci <typo3@b13.com> Tested-by:
-
- Jun 11, 2022
-
-
Jochen Roth authored
Currently the clearFilterReloadsPageTreeWithoutFilterApplied randomly fails due to a still existing element. This seems to be caused by performance issues in CI. This is now solved by waiting for the element to actually disappear. Resolves: #97749 Releases: main, 11.5 Change-Id: Ib417fc97dcff6ddf0f3c1370ffa419a79f21eba6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74875 Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
-
Markus Klein authored
By making the modal's primary button a submit button and binding it to the form, the user can now use the ENTER key to submit the password. Resolves: #97746 Releases: main, 11.5 Change-Id: Icc380057259a0c44511098d640bdd8c4ca395a55 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74867 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
Stefan Bürk authored
This change adds the ability to clean rendered documentation folder and files in all system extension folders in one go. Mentioned folders are `typo3/sysext/*/Documentation-GENERATED-temp`. Added command/testsuite: * `Build/Scripts/runTests.sh -s cleanRenderedDocumentation` Additionally the already combined cleaning command `-s clean` is extended to delete rendered documentation in the same run. Resolves: #97673 Releases: main, 11.5, 10.4 Change-Id: I344f897769cd5f475d43db67dd1b27693f49a658 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74841 Tested-by:
-
- Jun 10, 2022
-
-
Stefan Bürk authored
This patch adds the ability to run commands with PHP8.2 using `Build/Scripts/runTests.sh`. Support is added early to check which issues may raise up with new major PHP version. Help text of script is adopted to state the possibilty of the new PHP version with proper example commands. Additionally a note and check for currently not suppored xdebug with PHP8.2 is added. Resolves: #97755 Releases: main, 11.5 Change-Id: I9df13d35278793fba8c5475c8abd602bd1c27896 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74870 Tested-by:
-
Oliver Klee authored
PHP 8.1.7 introduced a bug that it considers the month number 100 to be valid, which breaks one of our tests. As it is not relevant for the test whether the invalid month is exactly 100 or 99, we now are using a number that does not trigger the PHP bug. https://github.com/php/php-src/issues/8749 Resolves: #97756 Releases: main, 11.5 Change-Id: I2ca2b90a2c1e46f16cfeddda29d80e6a83779b1c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74840 Reviewed-by:
-
Oliver Hader authored
A dialog trying to prevent overriding existing files in the filelist module shows an incorrect modification date of files that are existing on the server-side. When using regular unix timestamps (instead of micro-timestamps), dedicated `moment.unix` function has to be used. Resolves: #97724 Releases: main, 11.5, 10.4 Change-Id: Ieb5a00aaf87410e9721e39d91b9e0da13a109bc6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74806 Tested-by:
-
Chris Müller authored
Resolves: #97612 Releases: main, 11.5 Change-Id: Ia23a15f0beb864a8b53c568ed27642ec7ac8c7b2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74868 Tested-by:
-
- Jun 09, 2022
-
-
André Buchmann authored
Some default fields (e.g. tt_content.bodytext) can contain null values. TYPO3 first fetches the data in the default language and then overlays the rows data with the translation values. The overlay method inspects each array item with the php isset() function. This validates not only the existence of the array key, but also the values. null and false values evaluated as false. Empty strings evaluate as true. This leads to inconsistent output in the frontend. The overlay now valides only the array key existence and applies also empty values. Resolves: #97616 Releases: main, 11.5, 10.4 Change-Id: I4b01c52e9ac7adde786b3395bce870bc0a354b58 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74834 Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
Larry Garfield authored
More code paths identified as dead by PHPStan, or that PHPStan isn't understanding correctly. Used command: > Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #97649 Releases: main, 11.5 Change-Id: I8ff67b7ebda5d64624d4e42a9775e4709bff3f08 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74836 Tested-by:
Nikita Hovratov <nikita.h@live.de> Reviewed-by:
-
- Jun 07, 2022
-
-
Simon Schaufelberger authored
Searched for "/** @var " and went through all results manually. Skipped results where GeneralUtility::makeInstance is called with a variable. This reduces the PHPStan baseline further. Imported some namespaces on the go. Run commands: > Build/Scripts/runTests.sh -s phpstanGenerateBaseline > Build/Scripts/runTests.sh -s cglGit Resolves: #97705 Releases: main,11.5 Change-Id: I700ba596234af8cd3d32507fb03d77cfe30c678a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74787 Tested-by:
-
Josua Vogel authored
Guard invalid argument type exception by using null coalescing operator in `\TYPO3\CMS\Form\Domain\Finishers\FinisherVariableProvider`. Resolves: #97699 Releases: main, 11.5 Change-Id: I6312fb35d52857004e0467a20e215fc4095e0037 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74832 Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
-
- Jun 06, 2022
-
-
Simon Schaufelberger authored
Also add some (indirect) basic tests for GifBuilder::calculateValue. Used command: > Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #97690 Releases: main, 11.5 Change-Id: I836db8570f64ecb2729c1707fcfe9fc1af672151 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74771 Reviewed-by:
-
Simon Schaufelberger authored
Sometimes it happens that the page tree is not updated within a certain amount of time resulting in failing tests. This patch will add a timeout and makes sure that the page tree is updated. Resolves: #97714 Releases: main, 11.5 Change-Id: Id28d955ccda6838701aea63e6aa97b5ee9c602b5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74823 Tested-by:
-
Chris Müller authored
Resolves: #97658 Releases: main, 11.5 Change-Id: Ic4e18d64849e64404dca0eef240060d882476526 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74770 Tested-by:
-
Oliver Klee authored
This is now covered by the annotations using generics in the testing framework base class, and hence not needed anymore. (Removing it also helps get consistent behavior from PhpStorm's static type analysis.) Resolves: #97736 Releases: main, 11.5, 10.4 Change-Id: Ia7d7e790bb92eaf1c9b7ffa4f9d97b2b0a50dee3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74768 Reviewed-by:
-
- Jun 05, 2022
-
-
Oliver Bartsch authored
For translating / synchronizing (inline) records, the DataHandler dispatches the data map to the DataMapProcessor. This components' implementation of the translation prefix however differed from the one in DataHandler, leading to inconsistency, as some fields still got the "Translate to:" prefix added, while others did not. This is now fixed by aligning the functionality with the one used in the DataHandler. Resolves: #97721 Releases: main, 11.5 Change-Id: I425ca172f2c66cf43613fb62be0e35fa1dff76fe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74767 Tested-by:
-
- Jun 04, 2022
-
-
Georg Ringer authored
The pagination links of the redirects module must respect a given ordering. Resolves: #97645 Releases: main, 11.5 Change-Id: Iaa65b8e365e9014796c463118504182f66b49ccb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74766 Tested-by:
-
Oliver Klee authored
For empty storages, we need to avoid accessing inexistent array elements. Resolves: #97417 Relates: #97554 Releases: main, 11.5 Change-Id: Ieee36b4c0ede9726ce936030f631a3322e3813a9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74765 Tested-by:
-
- Jun 03, 2022
-
-
Sascha Egerer authored
The placeholder replacement in the yaml import method must receive the current configuration context to be able to replace placeholders with values that are already configured instead of the subvalues of the import statement. Resolves: #92956 Releases: main, 11.5 Change-Id: I4766bf1e6d268bb4c1bdd24e638c9b5056e600b8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74764 Tested-by:
-
Marc Willmann authored
Even if the property 'crop' is not explicit set in the TypoScript code provide expected values to the stdWrap method (which expects a string and not NULL). Resolves: #97720 Releases: main, 11.5 Change-Id: Id8039ea5e379aa9a3ed81499f90160a5af8546f3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74763 Tested-by:
-
Georg Ringer authored
Instead of checking for the array key `enablecolumns` the check must be done on the field `disabled` itself. Resolves: #97728 Releases: main, 11.5 Change-Id: I411b37d4d63eb1ad52592cd887a95c2552ab7bfa Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74762 Tested-by:
-
Oliver Klee authored
Also drop type annotations that already are present in the corresponding field in the superclass, and drop some type annotations that are redundant with the existing native type declarations. This helps resolves a bunch of new PHPStan warnings after the recent changes in the testing framework. It also helps static code analysis, and makes the code more succinct. Resolves: #97687 Releases: main, 11.5 Change-Id: I6f1b67f410f7e195b036bc5b5b528cb271a990b9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74749 Tested-by:
Simon Schaufelberger <simonschaufi+typo3@gmail.com> Tested-by:
crell <larry@garfieldtech.com> Reviewed-by:
-
Andreas Fernandez authored
If TCA with a file upload is used within IRRE (e.g. as done by EXT:news), creating a new record or opening an existing record now sets up the drag uploader. As the DragUploader module is loaded independently from the FormEngine main module, loading order may vary, rendering an event-based solution unstable. To solve this issue without any major refactorings, a MutationObserver is installed by the DragUploader module. Resolves: #97676 Releases: main, 11.5 Change-Id: I36a3922999842f4d0bddfc7e4b148ec39880d9df Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74813 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
-
Oliver Hader authored
+ npm package moment up to v2.29.2 contained a vulnerability (https://github.com/advisories/GHSA-8hfj-j24r-96c4) which only affected npm server users - in order to avoid confusion concerning security aspects, the package version is raised + npm package moment-timezone was upgraded to recent timezone data "IANA TZDB 2021" Executed commands: cd Build; \ nvm use; \ yarn upgrade moment moment-timezone; \ yarn exec grunt clear-build; \ yarn exec grunt build Resolves: #97723 Releases: main, 11.5, 10.4 Change-Id: I84ea9ca6b696d74aab70cfa45e6d41a95ae0159d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74803 Tested-by:
-
- Jun 02, 2022
-
-
Oliver Klee authored
Also add a missing type cast. Used command: > ./Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #97426 Releases: main, 11.5 Change-Id: I5a48c0737833792f99652cc54a90db9bcbe798b8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74808 Tested-by:
-
Oliver Hader authored
composer req --dev composer/composer:^2.2.12 Resolves: #97722 Releases: main, 11.5 Change-Id: I526de4c62b5f9bc03230a8794cd42082e9f00560 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74801 Tested-by:
-
- May 31, 2022
-
-
Oliver Bartsch authored
The scheduler module contains a special task, which allows to select schedulable symfony commands. The corresponding field provider therefore adds the commands' configured arguments and options. Due to insufficient prefixing, it was not possible to display arguments and options with the same name. Additionally, using "action" as name always overwrote the "select schedulable commands" field. This is now resolved by adding proper prefixes. Resolves: #97691 Releases: main, 11.5 Change-Id: I0e2c958fc699065cad6c53c0876e2c9ef14fc1f6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74761 Tested-by:
-
Larry Garfield authored
Based on the code, these parameters are nullable. The doc comments should reflect that. Doing so eliminates several PHPStan warnings. Whether these parameters ought to be nullable is a question for another time. Resolves: #97648 Releases: main, 11.5 Change-Id: Id0cc51d159ebb0321e94f7fb77a5d560950cfb05 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74791 Tested-by:
-
- May 30, 2022
-
-
Torben Hansen authored
The switch structures in `Context` class are indented wrong. This patch corrects the indentation. Resolves: #97708 Releases: main, 11.5 Change-Id: I70b9f94b196b8bb94078df41956f67619cd4bc15 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74760 Tested-by:
-
Oliver Klee authored
Used commands: > composer req --dev phpstan/phpstan:^1.7.3 > ./Build/Scripts/runTests.sh -s clean > ./Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #97706 Releases: main, 11.5 Change-Id: Ida82935064ad4ff5c2858d9a5a6696befd52e512 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74789 Tested-by:
-
Oliver Klee authored
Also adapt the callers accordingly. This resolves a few PHPStan warnings and allows simplifying some code. Used command: > ./Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #97703 Releases: main, 11.5 Change-Id: I29b7278960a519dd7c5e0d3e2966b75933941a38 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74788 Tested-by:
-
- May 29, 2022
-
-
Larry Garfield authored
This conversion got past the big conversion patch before, probably due to the negation. Resolves: #97640 Releases: main, 11.5 Change-Id: I67dd19c286ce25ad8cda71c1451fa84ed25dc971 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74784 Tested-by:
-
- May 28, 2022
-
-
Oliver Klee authored
Resolves: #97630 Releases: main, 11.5 Change-Id: Id31d1b28929eb85dd2adaa8a263e5d84a2a842b5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74783 Tested-by:
-
Larry Garfield authored
According to PHPStan, these checks are all unnecessary. Most of them appear to be type checks that have been rendered unnecessary due later type additions. They are therefore removed without replacement. Used command: > Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #97622 Releases: main, 11.5 Change-Id: I9aac41e98b22fcce55afb97f8aeaebe3209a8bfb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74782 Tested-by:
-
Torben Hansen authored
Update copyright year to 2022 Resolves: #97704 Releases: main, 11.5, 10.4 Change-Id: I15e6c0674ac293eecad88f95379ec33679dda8d4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74758 Tested-by:
-
- May 27, 2022
-
-
Chris Müller authored
The patch provides the following changes: - Use consistent header levels - Format code examples with the correct language - Use example.org as domain for example link - Apply takeaways from https://forge.typo3.org/issues/85035#note-8 (chapter "login process") Resolves: #97692 Related: #85035 Releases: main, 11.5 Change-Id: If6c7851c25210cf4e03fb07efeaf14973e667cb9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74757 Tested-by:
-
