The new file extension .typoscript will be the default for TypoScript
configuration files and is the only recommended one from now on. This
effort is made to introduce a dedicated file extension for TypoScript
configuration files, and to avoid conflicts with already existing and
more spread file extensions like ".ts" for TypeScript or Video Transport
Stream Files.

Resolves: #78161
Resolves: #80689
Releases: master, 8.7
Change-Id: I44b41631f498e3ba39e0f1936329094a59859f4e
Reviewed-on: https://review.typo3.org/50096


Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Reviewed-by: Benjamin Kott <benjamin.kott@outlook.com>
Tested-by: Benjamin Kott <benjamin.kott@outlook.com>

Tighten the RewriteRule for static resource passthrough to allow for
speaking URL path segments like "typo3", "fileadmin", etc. instead of
causing a 404 error.

This issue was introduced with https://review.typo3.org/39254/

Resolves: #76928
Releases: master, 7.6, 6.2
Change-Id: I9815b7626d6a33677a3f971f452c0600141632b4
Reviewed-on: https://review.typo3.org/48788


Tested-by: Bamboo TYPO3com <info@typo3.com>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

For Apache 2.2 the current location is needed in the RewriteRule for the
versionNumberInFilename feature.

Resolves: #77098
Releases: master, 7.6, 6.2
Change-Id: I94fea70473d7598a00cfcf8b9ed4f464661c369b
Reviewed-on: https://review.typo3.org/48975


Tested-by: Bamboo TYPO3com <info@typo3.com>
Reviewed-by: Marco Huber <mail@marco-huber.de>
Tested-by: Marco Huber <mail@marco-huber.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>

Resolves: #76352
Releases: master, 7.6
Change-Id: I8332c93f1171d030d4198091779c8f1242c9337b
Reviewed-on: https://review.typo3.org/48360


Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>

Update the default .htaccess file. The users must update their
actual configuration (.htaccess or server config) manually.

Resolves: #75934
Releases: master, 7.6, 6.2
Change-Id: I8e40263c72f68c44cb8fd8c1944a44e4d38d9daa
Reviewed-on: https://review.typo3.org/47930


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>

Since mod_filter is available since Apache 2.3.7 we need to check for
the apache version in the htaccess file.
Older versions of apache will work as well, even though they do not need
to check for the existence of mod_filter.

A comment is added to inform older Apache versions.

Resolves: #72886
Releases: master, 7.6, 6.2
Change-Id: Ia4905c992b52b2bd540ece0a1c1866aeacf6de85
Reviewed-on: https://review.typo3.org/46150


Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Allow access to the visible content from within the `/.well-known/`
hidden directory. The access to all other hidden files and directories
(starting with a dot) is still blocked.

The /.well-known/ directory represents the standard (RFC 5785) path
prefix for "well-known locations", and therefore, access to its visible
content should not be blocked.

Change-Id: I533d38a12da5cae59abed4fc00d597814d28fa04
Resolves: #72712
Releases: master,7.6,6.2
Reviewed-on: https://review.typo3.org/45901


Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Add a subdirectory typo3temp/var/ (by default) which
contains all files which should never be accessible
for the web user.

In the future, this option should be configurable so it can
be put outside of the document root (e.g. via an
environment variable).

Resolves: #72479
Releases: master
Change-Id: Ia2e425a2ff55deac91c02b829c73036478995b0b
Reviewed-on: https://review.typo3.org/45505


Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Susanne Moog <typo3@susannemoog.de>
Tested-by: Susanne Moog <typo3@susannemoog.de>

Since the Production context is the default if no context is set
via environment variables, we do not forcefully set
the context in template .htaccess either.

This allows to set the context via webserver configuration
without the need to touch the lines in the .htaccess file.

Resolves: #69434
Releases: master, 6.2
Change-Id: I70915c51479c91c0db22c7637e46cb1c0fae2db4
Reviewed-on: http://review.typo3.org/42942


Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>

The typo3/ directory must currently be exposed in the web root for TYPO3 to work properly.
Having the vendor dir with all composer dependencies in typo3/vendor however means, that
these will also be exposed. This can be a security risk, which can be avoided by simply
moving the vendor directory one level up.

By doing so, a web directory which contains only two symlinks (typo3 and index.php) and no
sources or link to the sources, will be protected from this risk.

Resolves: #68918
Releases: master
Change-Id: I5e504520102f94c81897945b41043d930cfc5b5f
Reviewed-on: http://review.typo3.org/42495


Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Tested-by: Mathias Brodala <mbrodala@pagemachine.de>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Access to vcs directories should be denied by default to avoid leaking
information to the outsite that might have been accidentally committed
to a repository.
This does not effect the core as the version information is public by
license, but any repository containing configuration or third party
extensions.

Resolves: #68626
Releases: master,6.2
Change-Id: I4f3cb88e577f56ac71d882c8b11341da46a8b757
Reviewed-on: http://review.typo3.org/42100


Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

The configuration now works independently of RewriteBase,
hence we must not define one.

Resolves: #67922
Releases: master, 6.2
Change-Id: Ib1e14f808fbf2e7abd08a4e85d2a3d4e8509060a
Reviewed-on: http://review.typo3.org/40929


Reviewed-by: Frederic Gaus <frederic.gaus@flagbit.de>
Tested-by: Frederic Gaus <frederic.gaus@flagbit.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Fix invalid syntax for mod_filter on apache 2.4 and mismatching comment
endings.

Resolves: #66235
Releases: master
Change-Id: Id4a67dab8f2fbf4d4bf9e2da4ac1c83d06b93388
Reviewed-on: http://review.typo3.org/40793


Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

Improve the example .htaccess file by adding rules for caching,
MIME types and CORS. Also, the rewrite rules are extended to block
access to certain files and folders.

Additionally all rules are made compatible for Apache 2.4 as well.

Resolves: #23078
Resolves: #66235
Releases: master, 6.2
Change-Id: I629f524b5a209769601f04a74bb7434736058ab8
Reviewed-on: http://review.typo3.org/39254


Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

Similar to protecting the private resources, the configuration
of an extension should be protected as well.

Change-Id: Ib68cb77ea21e8ec192927d1c9c62a30c1bb7103f
Releases: master, 6.2
Resolves: #66573
Reviewed-on: http://review.typo3.org/38921


Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Reviewed-by: Stefan Froemken <froemken@gmail.com>
Tested-by: Stefan Froemken <froemken@gmail.com>
Reviewed-by: Jan Kiesewetter <jan@t3easy.de>
Tested-by: Jan Kiesewetter <jan@t3easy.de>
Reviewed-by: Andreas Fernandez <andreas.fernandez@aspedia.de>
Tested-by: Markus Klein <klein.t3@reelworx.at>

The affected rules are those for TYPO3_CONTEXT.
These rules should just set the ENV variable,
but should not touch the URL.
According to apache httpd docs this has to be
indicated by using a dash.

Also unnecessary grouping in the regexp has been
removed.

Resolves: #59037
Releases: 6.3, 6.2
Change-Id: I56cadcfb3cfae0a0ee679c6886cda9f5498fc47c
Reviewed-on: https://review.typo3.org/30328
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Armin Ruediger Vieweg
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Since removing the t3lib folder in TYPO3 6.2, there is
no more reason to keep reference to this folder in the
example .htaccess file.

Resolves: #55265
Releases: 6.2
Change-Id: Ic7f2cff96186551b2aa08c9e785f42c4f8612fce
Reviewed-on: https://review.typo3.org/27017
Reviewed-by: Henrik Ziegenhain
Reviewed-by: Oliver Klee
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

Flow has the notion of ApplicationContext which provides a unique
API for handling contexts.

This API allow us to provide default configuration sets for
particular contexts. For example having decent logging in
production context vs. full reports in development context.

The context is set using the TYPO3_CONTEXT environment variable.
If not set the context defaults to "Production".

The context can be queried using:
\TYPO3\CMS\Core\Core\Bootstrap::getInstance()->getContext();

Resolves: #49988
Releases: 6.2
Change-Id: Id953052f2846c740f27a83931adfb64b0d8d9169
Reviewed-on: https://review.typo3.org/22269
Reviewed-by: Thomas Maroschik
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

The "apache-trailing-slash workaround" is not needed and can be
removed

Change-Id: Ic67cd24eb6ea6de2e78a871ec4b7831b8487be8b
Resolves: #42503
Releases: 6.0
Reviewed-on: http://review.typo3.org/16032
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

This patch removes the old simulate_static system extension.
Since tslib_fe still contains idPartsAnalyze(), which is a relict of
simulate static methods, this method also removed.

Change-Id: I3631909fe6a77fd0861e7be5acdb6f3bf82fdb42
Resolves: #25099
Releases: 6.0
Reviewed-on: http://review.typo3.org/9132
Reviewed-by: Stefan Galinski
Tested-by: Stefan Galinski
Reviewed-by: Wouter Wolters
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

The documentation (NEWS.txt and TypoScript completion) does not
correctly explain the feature set of config.compressJs.

Instead of the advertised minification (stripping white-spaces), it only
applies GZIP compression (which then requires compressionLevel to be
enabled in the Install Tool). This is a difference to
config.compressCss, which does such a minification.

Additionally, .htaccess lacks hints about the gzip rules, which now also
apply to the Frontend.

Change-Id: I30929ee70d0ab5fd6db74717889af6104c12e23d
Resolves: #31251
Releases: 4.6
Reviewed-on: http://review.typo3.org/6277
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert

Add a new security section within .htaccess to help users secure their
TYPO3 install:

- Restrict access to deleted files in Recycler directories
- Restrict access to TypoScript files in default templates directories
- Restrict access to Private extension directories

Resolves: #28368
Change-Id: I94c09f50616af55cfdd9577097251692b2111ae7
Reviewed-on: http://review.typo3.org/3462
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@10273 709f56b5-9817-0410-a4d7-c38de5d9e867

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@10206 709f56b5-9817-0410-a4d7-c38de5d9e867

Follow-up to issue #11103: Cleanup of _.htaccess and references to misc/advanced.htaccess in config_default


git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@10194 709f56b5-9817-0410-a4d7-c38de5d9e867

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@9959 709f56b5-9817-0410-a4d7-c38de5d9e867

Added feature #11103: Improve advanced_htaccess and make it more compatible (Thanks to Christopher Stelmaszyk)


git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@9445 709f56b5-9817-0410-a4d7-c38de5d9e867

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@9178 709f56b5-9817-0410-a4d7-c38de5d9e867

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@8683 709f56b5-9817-0410-a4d7-c38de5d9e867

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@7522 709f56b5-9817-0410-a4d7-c38de5d9e867

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@7520 709f56b5-9817-0410-a4d7-c38de5d9e867

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@7508 709f56b5-9817-0410-a4d7-c38de5d9e867

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@2016 709f56b5-9817-0410-a4d7-c38de5d9e867

Fixed bug #4883: mod_rewrite rules rewrite missing favicon.ico to index.php (thanks to Stefan Geith for this hint - notice that manual modification of existing .htaccess files might be neccessary)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@2014 709f56b5-9817-0410-a4d7-c38de5d9e867

* Removed misc/mod_rewrite.htaccess and misc/php_optimized.htaccess and replaced them by misc/simple.htaccess and misc/advanced.htaccess
* Added a die() call to protect the display of phpinfo() in misc/phpcheck/incfile.php
* config.disablePrefixComment was ignored by plugins
* $TT->pull() was called without $TT->push() before in typo3/sysext/indexed_search/class.indexer.php
* Fixed bug #0001239: Install tool does not accept hyphen in database host name


git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@772 709f56b5-9817-0410-a4d7-c38de5d9e867