- Mar 16, 2021
-
-
Christian Kuhn authored
The recent extbase related class schema revert introduced a warning within functional PHP 8 tests leading to test fails. Run the mariadb functionals with PHP 7.4 instead of PHP 8 for the moment again. Additionally a minor type hint from one of the recent security patches is added in ext:form area to make phpstan happy again. Related: #93745 Resolves: #93751 Releases: master Change-Id: Idac9c953d7029c3f67d6d1060354edfa5fa972dc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68463 Tested-by:
core-ci <typo3@b13.com> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
-
Oliver Bartsch authored
The content element preview for menus displays the menu type label along with the record title of the defined pages and categories. Since the output was not properly encoded, this led to a XSS vulnerability in the page module. The issue is addressed by properly encoding user input. Note: Because of a bug in `PreviewRenderer`, the vulnerable code was most likely not executed in any TYPO3 installation after v8.6.0. Resolves: #93664 Releases: master, 11.1, 10.4, 9.5 Change-Id: I56ec17f5f07ff4d7c28f2241e0c9eeee9affd71f Security-Bulletin: TYPO3-CORE-SA-2021-008 Security-References: CVE-2021-21370 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68453 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Andreas Fernandez authored
The PreviewRenderer pattern introduced with #78450 makes use of the TCA feature `descriptionColumn` to render the content of this column in a content element's preview in the page module. The content of the column however was not properly escaped allowing a persistent XSS abuse. This patch adds a `htmlspecialchars()` to the output to escape the content properly Resolves: #93562 Related: #78450 Releases: master, 11.1, 10.4 Change-Id: I144c6c2d7f4f61f4479fac3c2d400a21f5d72405 Security-Bulletin: TYPO3-CORE-SA-2021-007 Security-References: CVE-2021-21340 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68452 Tested-by:
-
Oliver Hader authored
`AbstractUserAuthentication::$uc['moduleSessionID']` still stored plain session identifier, which has been replaced by corresponding HMAC. Resolves: #93359 Releases: master, 11.1, 10.4, 9.5 Change-Id: I920b8d3b364c249d2ec3a6deb42e141e5a1b8ff7 Security-Bulletin: TYPO3-CORE-SA-2021-006 Security-References: CVE-2021-21339 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68439 Tested-by:
-
Frank Naegler authored
To prevent DoS attacks by using page-based error handling, the content of the error page is now cached, this prevents fetching the content of the error pages again and again. Resolves: #88824 Releases: master, 11.1, 10.4, 9.5 Change-Id: I6dea5200dc710a182b66deedfbeb2110ea829117 Security-Bulletin: TYPO3-CORE-SA-2021-005 Security-References: CVE-2021-21359 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68438 Tested-by:
-
Andreas Fernandez authored
The form name is rendered multiple times in the form wizard when either creating or cloning a form. Any input is now sanitized to avoid XSS in the summary step of the form wizard. Resolves: #93560 Releases: master, 11.1, 10.4 Change-Id: I3ddce48e38e32456318c695774bbcd035115b5ae Security-Bulletin: TYPO3-CORE-SA-2021-004 Security-References: CVE-2021-21358 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68437 Tested-by:
-
Ralf Zimmermann authored
Form editors which provide only a limited set of allowed values (like single-select or multi-select form editors) now validate the submitted values against the set of allowed values (configured within the form setup). Resolves: #93581 Releases: master, 11.1, 10.4, 9.5 Change-Id: Iae0a34c20cacdbcfc4eff9c4b1add966c1657010 Security-Bulletin: TYPO3-CORE-SA-2021-003 Security-References: CVE-2021-21357 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68436 Tested-by:
-
Oliver Hader authored
File handling implementation in `UploadedFileReferenceConverter` of `ext:form` creates files in `/fileadmin/user_uploads/` whenever some Extbase controller is (implicitly) dealing with `FileReference` models, unless particular implementations assign specific type converters or register type converters having a higher processing priority. As a side-effect this could lead to by-passing mime-type validators, allowing to plant cross-site scripting and other malicious binaries to public accessible `/fileadmin/` storage. PHP files and similar are blocked since `fileDenyPattern` rule is active in any case. This change makes the usage of `UploadedFileReferenceConverter` more specific in the scope of processing contact forms with `ext:form` * use random folder names for files, `.../form_abcde12345/image.png` * removes `UploadedFileReferenceConverter` from being used implicitly by other Extbase implementations dealing with `FileReference` models `PseudoFileReference` has been introduced to limit properties being serialized to `uid` (in case it's a real file reference) or `uidLocal` (in case it's a transient reference, pointing to a file). Direct URLs to uploaded files are substituted by `fileDump` eID script now, enforcing corresponding FAL mime-type and denying the web server from guessing/interpreting a different mime-type based on file suffix. A unique form `__session` value has been introduce, serving as seed to derive for instance mentioned folder names for uploaded files. In addition to that, form `__state` is only parsed when having been submitted via expected `FormFrontendController::performAction`. Resolves: #92136 Releases: master, 11.1, 10.4, 9.5 Change-Id: I7c33803443a68d6b3c895ec74da802a70bd390c1 Security-Bulletin: TYPO3-CORE-SA-2021-002 Security-References: CVE-2021-21355 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68435 Tested-by:
-
Torben Hansen authored
A missing check in GeneralUtility::sanitizeLocalUrl() resulted in an url starting with `//` to be considered as a local url. This change ensures, that urls starting with `//` are not considered local. Corresponding unit tests are fixed and extended, since they need a full environment to process correctly. Resolves: #92891 Releases: master, 11.1, 10.4, 9.5 Change-Id: I41eb16776742b3e0d2cffd064dd0408e4faa7c78 Security-Bulletin: TYPO3-CORE-SA-2021-001 Security-References: CVE-2021-21338 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68434 Tested-by:
-
- Mar 15, 2021
-
-
Benni Mack authored
The change makes "e712dc9e" existing Extbase installations broken, so this is reverted. Change-Id: I141e100a1dcbfe6c2d9b41af090c1c120052a8f4 Resolves: #93745 Reverts: #92946 Releases: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68329 Tested-by:
-
Markus Klein authored
The login dialog may show a cookie warning. This has only to be shown if the authentication was successful, but the cookie has not been accepted by the browser. Resolves: #93492 Releases: master, 10.4 Change-Id: I5d8409357e9db1ed73f38862d8a1586580dab6ca Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68334 Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Richard Haeser <richard@richardhaeser.com> Reviewed-by:
-
Benni Mack authored
The SVG tree is now building the SVG elements and needed containers ("<g>") via lit-helper. In addition, the update() method is renamed to this.updateVisibleNodes() to easier integrate this as Lit element, as update() is a reserved protected method in lit. The initialize() method is much cleaner, as the event listener registration is now separated in a custom method. Resolves: #93724 Releases: master Change-Id: I945cd620f9900c6ea535dfe5f0d44ee5ced46f89 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68367 Tested-by:Daniel Gorges <daniel.gorges@b13.com> Tested-by:
-
- Mar 14, 2021
-
-
Christian Kuhn authored
The 'heavy lifting' parts like db init and first frontend call can be quite slow in the 'installer' tests. We raise timeouts to stabilize them. This patch mostly targets v10 since the bootstrap package related tests are currently off in master. Change-Id: I82425ab2cabfea9746aed7a7a49134f9e2ad497e Resolves: #93737 Releases: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68391 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
Tina Westner authored
With this commit the method getSearchWords is called after initializing $this->searchData, which is used there (only when searchType is 20 - search for "sentence") Resolves: #75845 Releases: master, 10.4 Change-Id: Ic344f05fb6f4ac1ef496907edfc4fa0e49010401 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68369 Tested-by:
-
Christian Kuhn authored
Brings an error/exception handler improvement for acceptance tests. composer req --dev typo3/testing-framework:^6.8.0 Resolves: #93735 Releases: master, 10.4 Change-Id: I9d6aff03cd811c36d73959191b946d493ece7572 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68384 Tested-by:
-
Nikita Hovratov authored
Releases: master Resolves: #93729 Change-Id: I9dea4a153138e29ae77c9f3e5ae5e202851a09ab Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68374 Tested-by:
Martin Kutschker <mkutschker-typo3@yahoo.com> Reviewed-by:
Jonas Eberle <flightvision@googlemail.com> Reviewed-by:
-
Christian Kuhn authored
Record history tends to show changes of content elements that have been done in a workspace in live. This is misleading. The patch changes the queries a bit to fetch correct records only and adapts the workspace view a bit to be more meaningful. Change-Id: Ie13ec0529b0943110b6d1096f37ac4a9f6b1e5e5 Resolves: #93725 Releases: master Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65494 Tested-by:
Guido Schmechel <guido.schmechel@brandung.de> Tested-by:
-
Anja Leichsenring authored
The test became quite unstable lately, and with a little bit of breathing room after a page reload has been executed, it should be more stable again. Resolves: #93736 Releases: master, 10.4 Change-Id: I4f803d4b5c03a76e66464acf5bdcd35b2121206a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68386 Tested-by:
-
Christian Kuhn authored
Update some simple cases in DataHandler where method arguments are provided, but not used. Change-Id: I4658fadd8b031a428fcb21b616172729ece6daa8 Resolves: #93678 Releases: master Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68253 Tested-by:
-
Christian Kuhn authored
Honor -x option for acceptance tests: Both 'Tester' and 'System under test' allow break points with -s acceptance and -s install. Resolves: #93734 Releases: master Change-Id: Ia3f5a518089be675e33ddc673ebd4c99b2dbfaf6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68380 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
-
Christian Kuhn authored
codeception seeFileFound() and dontSeeFileFound() apply some path magic if relative files are given. It leads to wrong paths. This is however not (yet) shown due to error suppression in the suite. To work on ac test error handling for increased PHP 8 compatibility, this needs to be sorted out first. Resolves: #93732 Releases: master, 10.4 Change-Id: I0f69ec066069261e7b47afa44e934c0b5ee02b51 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68378 Tested-by:
-
Christian Kuhn authored
The backend template analyzer module has a 'breakpoint' handling that works as follows: When a template is shown and line numbers are enabled and one line number is clicked, a link parameter jumps to the template object browser and instructs it to parse TypoScript only up to this line to show the state of constants or setup array up until this parsed point. This hidden and not documented feature has been around since 'ever', with only a few persons knowing, understanding or even actively using it. Last patch in this area was for TYPO3 4.4. The implementation is quite messy and goes through various classes, a bunch of properties and some inline javascript. The patch drops the feature: It is not well known and of limited use - the frontend does not reflect it and TypoScript in general tends to become less complex nowadays. Resolves: #93726 Related: #23265 Related: #23246 Related: #55761 Releases: master Change-Id: I4f0c7f507a5a6e212f166206b5d3e606071b46c4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68371 Tested-by:
-
Torben Hansen authored
Corrects some wrong language identifiers introduced in #91008 Resolves: #93731 Releases: master, 10.4 Change-Id: I2e33e922a248634f9a6ce10274ca53df1ca447d8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68377 Tested-by:
-
Andreas Fernandez authored
The field be_groups.pagetypes_select is of type TEXT, which can contain data of a maximum of 64 kilobytes. This patch removes the maxitems constraint pinned to 20 items as a page type identifier usually is a few bytes long. Resolves: #93728 Releases: master, 10.4 Change-Id: I88ea4bb84eb054b22ed00e30f0a95dd4cd1e7375 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68373 Tested-by:
-
- Mar 12, 2021
-
-
Alexander Nitsche authored
The wiki.typo3.org is marked as deprecated and gets replaced soon by docs.typo3.org permanently. Replace all wiki links by actual documentation links. Resolves: #93677 Releases: master, 10.4, 9.5 Change-Id: Ib1bc42a6f2192580581499a9a0c1deb8d21ae2e0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68252 Tested-by:
Lina Wolf <112@linawolf.de> Reviewed-by:
-
Christian Kuhn authored
* Drop a TimeTracker test that does a sleep(1) to safe this second. The subject is pretty trivial anyways. * The recently introduced MFA related unit tests receive some password hashing options to reduce calculation costs. This reduces suite execution time from ~60 seconds to ~40 locally - totally worth it. Resolves: #93723 Releases: master Change-Id: I510f8b8f71f7c787e30a92e14a7876464f0655a6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68368 Tested-by:
-
Daniel Goerz authored
Remove entries from phpstan.neon for ignored errors that have been fixed meanwhile. Parameter reportUnmatchedIgnoredErrors finds those, but it is false by default. We may drop that parameter with a dedicated patch, but are currently not sure why it is commented as 'needed for bamboo' at the moment. Resolves: #93711 Releases: master Change-Id: I9439b2144f60f0a4021b307ef5bacaa23801880e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68358 Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
Martin Kutschker authored
In the backend and frontend the array of user group ids of the current backend user is now available as backend.user.userGroupIds. In the frontend the the array of user group ids of the current frontend user is available as frontend.user.userGroupIds. Resolves: #93591 Releases: master Change-Id: Ifb10d025ad944ce17753c450ee2d7086bbb668c8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68111 Tested-by:
-
Richard Haeser authored
The install tool login is directly checking if the text "The Install Tool is locked" is shown. Since this text comes from an async request, this might take some time. Also wait for the page to reload after creating the ENABLE_INSTALL_TOOL file before trying to fill the password field. Resolves: #93715 Releases: master Change-Id: I03230ee8107afe24c5c61d762f59ba0658e533d5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68361 Tested-by:
-
Richard Haeser authored
When you copy a folder to another (or the same) parent folder that already contains a folder or file with the same name, a proper error message will be shown to the user. Resolves: #92806 Releases: master, 10.4 Change-Id: I60a756172c8ed280d4cb4273fad4a3de99120576 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67442 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
-
Benoit Chenu authored
EditDocumentController adds t3ver_oid field in SQL query for tables which don't use workspaces Resolves: #93708 Releases: master, 10.4 Change-Id: Ic711ce86a6f5c4f4a23044c02c67418dd85e2dae Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68348 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
-
Christian Kuhn authored
Allow a call like Build/Scripts/runTests.sh -s phpstan typo3/sysext/linkvalidator Change-Id: Ic7bdc943ab203b34b8710bf95468b9335c6e31ae Resolves: #93710 Release: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68357 Tested-by:
-
Georg Ringer authored
Update from 4.15.0 to 4.16.0 to use the latest bugfix release which also includes security related fixes of 4.15.1 in plugins which are not used by TYPO3. Changelog: https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md Executed commands: cd Build yarn add ckeditor4@^4.16.0 yarn build Resolves: #92885 Releases: master, 10.4, 9.5 Change-Id: Ief6b1d9248da201fb9078697362e81131f5426fc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68336 Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
Marco Bresch <marco.bresch@starfinanz.de> Tested-by:
Stefan Froemken <froemken@gmail.com> Tested-by:
-
- Mar 11, 2021
-
-
Christian Kuhn authored
Change-Id: I65477aae557daac272091bbc718af6e46b30aa89 Resolves: #93712 Releases: master Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68360 Tested-by:
-
Richard Haeser authored
When no language packs are installed and $GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['lang']['availableLanguages'] is not set, an empty array is now checked instead of throwing an error. Resolves: #93709 Releases: master Change-Id: I67eafe26b671a8bd25c896d20ca799c899016d97 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68356 Tested-by:
-
Daniel Goerz authored
From now on, phpstan will validate arguments passed to methods for type integrity. This patch also resolves all remaining issues in the core up to PHP 7.4. Running phpstan on PHP 8 is therefore disabled temporarily and will be enabled again with another patch that resolves all remaining PHP 8 issues regarding argument types. Resolves: #93652 Releases: master Change-Id: I2cbd15c5e83ae188a4d453c71b5841d424b2eef8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68191 Tested-by:
-
Oliver Bartsch authored
Because bootstrap 5 requires the `.nav-link` class for styling of nav tab links, our custom SCSS now uses the class selector together with the type selector. Otherwise it will be overruled by the default bootstrap styles because of their specificity. See: https://getbootstrap.com/docs/5.0/components/navs-tabs/#fill-and-justify Furthermore is the `.active` class, indicating the active tab, not longer set on the `.nav-item` element, but on the `.nav-link` element. The custom SCSS is therefore adjusted to respect this changed behaviour. Resolves: #93691 Releases: master Change-Id: I57260c370a12dd997652065fa6eebb82705eec38 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68302 Tested-by:
-
Oliver Bartsch authored
In case a TCA column with type=inline does not contain "container controls", e.g. the `languages` column in a site configuration, a TypeError was triggered by the toggleContainerControls() method. This is fixed by proper type checking. Resolves: #93690 Releases: master, 10.4 Change-Id: I6dc0a874adddb6e9c56565087b090072656b54eb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68301 Tested-by:
-
Markus Klein authored
Logs written via the logging API now include the correct remote address instead of the marker ###IP###. Additionally, some actions were logged twice, this is streamlined. Resolves: #93693 Releases: master, 10.4 Change-Id: I7d420046f5cff605383ce330784821644d9b9fac Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68304 Tested-by:
Torben Hansen <derhansen@gmail.com> Tested-by:
-
Benni Mack authored
This change optimizes the SVG Tree implementations (again), this time focussing on using proper constructors for SVG tree and its derivatives (SelectTree, PageTree, FileStorageTree). In addition, the search + filter logic is now moved into the base class, in order to reduce duplicate code, and to re-add features (next steps) that were not implemented in TYPO3 v9 when re-writing the page tree, such as highlighting filtered results. In addition, unused properties and settings are removed. This change marks one of the final changes for reworking the SVG Tree implementation, afterwards allowing us to move towards: * native DOM events in favor of d3-dispatch * custom elements instead of wrapper methods * decouple "top." and "document." based settings into the Container classes Resolves: #93701 Releases: master Change-Id: I55733b8c2d0a84ca263ac6e77d7d0bac30877e25 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68332 Tested-by:
-
