Currently the FE session cookie is set on every request
and since 4.2 the sessionID is generated again on every
request unless the user is logged in. This is implemented
for avoiding the security problem of the
session fixation (see #19831).

If an installation does not use FE session cookies at all,
an option (TYPO3_CONF_VARS->FE->dontSetCookie)
never sets the cookie.

As the current behavior for non-logged-in FE calls
is not usable, the behaviour is changed to only set
the cookie if the user is logged in or the session data
is modified. The last example is helpful for websites
with e.g. a shopping cart on non-logged-in pages.
Currently, if an extension is trying to implement the
latter, the extension needs to hook or XCLASS the
FrontendUserAuthentication class to set the cookie
whenever needed.

Additionally, the security problem still exists if the
cookie is not set by TYPO3 itself, that's why the
cookie can only be set if there is a valid entry in
fe_user_sessions.

if using external caching (e.g. reverse proxies),
a "unneeded" cookie is always set currently,
which extensions like EXT:moc_varnish or
EXT:cachinfo mock to only set the cookie
if needed.

The attached patch removes the default-setting
of a cookie in the frontend, and only triggers
the setcookie() function when sessionData is
added or a user is logged-in.

Resolves: #55549
Releases: 6.2
Change-Id: If478bc00c2c55dda0cc38a898a1288098891671f
Reviewed-on: https://review.typo3.org/27230
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack

The new menu "categories-based tt_content menu" uses a "speaking" key
for its type. The same should be applied to the other new menu type
introduced in TYPO3 CMS 6.2 (i.e. categories-based page menu).

Resolves: #54611
Releases: 6.2
Change-Id: I489a528050dcfeef83c1919155a3b11e599b195c
Reviewed-on: https://review.typo3.org/26566
Reviewed-by: Markus Klein
Reviewed-by: Wouter Wolters
Reviewed-by: Michiel Roos
Reviewed-by: Francois Suter
Tested-by: Francois Suter

Either some deprecated properties were found, but the wizard was unable
to replace them all automatically, in which case the wizard should
report a failure, or no deprecated properties were found or there are
no more deprecated properties left after the update, in which cases the
wizard should report a success.

Resolves: #51364
Release: 6.2
Change-Id: Ifcddd75f8b257de8ca12038550816f158306d8b5
Reviewed-on: https://review.typo3.org/27369
Reviewed-by: Stanislas Rolland
Tested-by: Stanislas Rolland

Solution: Catch exceptions raised when the potential target folder or
the default user upload folder does not exist.

Resolves: #48512
Releases: 6.2
Change-Id: Ic0218f218b045562d0ea5499ac0440848ddf3028
Reviewed-on: https://review.typo3.org/27323
Reviewed-by: Stanislas Rolland
Tested-by: Stanislas Rolland

Resolves: #55359
Resolves: #55614
Releases: 6.2
Change-Id: I8aceb208ba2f28967f08e9ac458d9a9da3de507b
Reviewed-on: https://review.typo3.org/27359
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Solution: Use same logic as for the link dialogue

Resolves: #53259
Release: 6.2
Change-Id: I3c283536895edb849782da7159866992e3d3d051
Reviewed-on: https://review.typo3.org/27346
Reviewed-by: Stanislas Rolland
Tested-by: Stanislas Rolland

In #55569 we got rid of the empty TypoScript generated by
default. The configurationManager relies on the empty
arrays to be present, before merging. This patch removes
this necessity.

Resolves: #55687
Releases: 6.2
Change-Id: I7f5ec4f7d120ffa45c8b526817debbc5fd38fe4f
Reviewed-on: https://review.typo3.org/27350
Tested-by: Christian Weiske
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert

Before the inline drag and drop upload functionality to the default
upload folder is enabled it is made sure that the upload folder
is initialized and that the user is allowed to add files.

Resolves: #55628
Releases: 6.2
Change-Id: Ia18678dc432c6f0addea33aa0389db54297435e3
Reviewed-on: https://review.typo3.org/27302
Reviewed-by: Lorenz Ulrich
Tested-by: Lorenz Ulrich
Reviewed-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Change-Id: I19dc6d19251bc6bb7ab26d1b98d1ccf4a37c06d4
Reviewed-on: https://review.typo3.org/27328
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team

Change-Id: If8aa7427548911d665cb84db21c0553b16a4b964
Reviewed-on: https://review.typo3.org/27327
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team

This reverts commit 373a90b8

Benni is working on a better solution to the problem.

Related: #55557
Change-Id: I749ea9beb3879d7503294a51107a4a3855f0105e
Reviewed-on: https://review.typo3.org/27319
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

Bug was introduced by #54265, one "(int)" was forgotten.

Releases: 6.2
Resolves: #55642
Change-Id: Ie56b36be9d2f11b46687c2966d84e49f301ffede
Reviewed-on: https://review.typo3.org/27317
Reviewed-by: Daniel Siepmann
Tested-by: Daniel Siepmann
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

As felogin has no dependency for CSS Styled Content
it registers itself via
ExtensionManagementUtility::addTypoScript()
and does not hook in after css_styled_content, because
CSS styled content itself hasn't been initialized at that
time. Thus, felogin needs to have a dependency on
css_styled_content in order to still work as before.

Additionally, some unnecessary TypoScript code
was removed / cleaned up at the same time.

How to reproduce:
Add a login CE and you'll get a yellow error
message. Apply the patch, and the form will
show up (you need to uninstall / install an
extension first in order to have the dependecy
resolving take place).

Releases: 6.2
Resolves: #55557
Change-Id: I81e590038c10e793538419523ba37d3b29700b48
Reviewed-on: https://review.typo3.org/27233
Reviewed-by: Christian Kuhn
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

The whole header is clickable, thererfore move the css rule
to this place.

Change-Id: Ia864faba4976fc5e2e84299a42e2661a9566be1c
Resolves: #55611
Releases: 6.2, 6.1
Reviewed-on: https://review.typo3.org/27285
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Mention PHP extensions bcmath and gmp in INSTALL.md,
because openid requires one of them to be installed.

Resolves: #55635
Releases: 6.2
Change-Id: I6ab651d3cb863a570b82fc33231e746e897bee96
Reviewed-on: https://review.typo3.org/27309
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

In some rare cases the database connection might be down, but
DatabaseConnection still has isConnected set to TRUE.
A call to isConnected() simply returns the member variable's value.

Improve the getter to also ping() the database if the class thinks
it is connected to verify the connection state.

The other methods of the class will still use the member variable
and not the getter method to avoid a ping() to the database on every
database interaction.

Resolves: #54323
Releases: 6.2, 6.1
Change-Id: I6bf090e5ab5f1d5539319ff10a1fb224036c4634
Reviewed-on: https://review.typo3.org/26447
Reviewed-by: Bill Dagou
Tested-by: Bill Dagou
Reviewed-by: Wouter Wolters
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

The cleaned up addModule() method no longer adds the module after a
module, when the target module does not exist.

Expected behaviour: module added to the list.

Observed behaviour: module not added at all.

Change-Id: Ie0d1d0c98f9c7dde81636a40eb18a3a7816392f6
Resolves: #55608
Related: #55122
Releases: 6.2
Reviewed-on: https://review.typo3.org/27284
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Change-Id: Ib58894a67f0292b9d62da81511ce12d3f16590ef
Resolves: #55445
Releases: 6.2
Reviewed-on: https://review.typo3.org/27136
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

TypoScript configuration for TDParams is assigned to the PHP variable
$TDParams which is never used. The rest of the method uses $TDparams.

Change-Id: Ice8cd2ad2b4f1a8d68d62c3f2cfc4cfec3c3c210
Resolves: #54824
Releases: 6.2
Reviewed-on: https://review.typo3.org/26686
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Tested-by: Markus Klein

This reverts commit de4811fc

This is not in line with the rest of the backend yet.
The "UX vision" is for after 6.2.

Change-Id: Iab8880163b0cb668237617b1260b4126b16d1cb3
Reviewed-on: https://review.typo3.org/27306
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

This reverts commit 590f76cc

This is not in line with the rest of the backend yet.
The "UX vision" is for after 6.2.

Change-Id: Iabb64ac3a278a3a3e1423283a9267aa5996343f1
Reviewed-on: https://review.typo3.org/27307
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

Removes share font from buttons. The current font does
not render adequately.

Change-Id: I8d2a998275e52fbb831abb9046f3711e82acc401
Resolves: #55624
Releases: 6.2
Reviewed-on: https://review.typo3.org/27301
Tested-by: Markus Klein
Reviewed-by: Markus Klein
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

In the package dependency resolver, the method
buildDependencyGraph builds the dependency graph
first for the framework packages and afterwards
for all left packages.

The filtering if a package is a framework package
happens by comparing the package path with PATH_typo3
and a sysext folder contant. But as PATH_typo3 is
absolute and the package path from the package states
configuration is relative to PATH_site, this filter
does not work.

The patch changes the path to a relativ one.

Fixes: #55623
Releases: 6.2
Change-Id: I2f57dee433054463ebfd17aab5f76b19986c2747
Reviewed-on: https://review.typo3.org/27300
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

Styles all buttons in the backend similar to UX vision paper.
Inverts buttons colors and changes font-family.

This patch does not bring styling to primary button: orange
or secondary button: silver.

Change-Id: I273e76a02083aedca4c6759948172b418e990ede
Resolves: #55592
Releases: 6.2
Reviewed-on: https://review.typo3.org/27265
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Marcin Sągol
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

Unify form input fields with TCE forms input fields with
TCE forms readOnly text.

Change-Id: If17a9477bcedad33745b5e093b338472365a81cf
Resolves: #55599
Releases: 6.2
Reviewed-on: https://review.typo3.org/27269
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack

Since the introduction of FAL the option to upload a file
directly in your form has disappeared.

With this change the upload posibility is back with some extras.
* progress is shown
* drag&drop of files
* multiple file upload

The options is can be disabled just like before in the
user settings and for each field in TCA.

foreign_selector_fieldTcaOverride.config.appearance.fileUploadAllowed = 0

The upload button is only shown for browsers that support
drag&drop upload. And only for FAL fields (sys_file_reference).

Resolves: #55545
Releases: 6.2
Change-Id: I4b984099095d7f66c3d37023cd6c547b2ff5d59f
Reviewed-on: https://review.typo3.org/27237
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack

When loading tt_content as an inline record WITHOUT using AJAX,
some additional broken fields are rendered.

Change-Id: Ia5aaec79d0fb7c3266ea4f3a0c04d65b1af4b201
Fixes: #39048
Releases: 6.2, 6.1
Reviewed-on: https://review.typo3.org/12904
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Stefan Neufeind
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Add a migration function to the SilentConfigurationUpgradeService which
takes care of migrating the old class names used for the Install Tool
Upgrade Wizard's information storage to the new (namespaced) class names.

Resolves: #54457
Releases: 6.2
Change-Id: Ib6edb9ec3a8a1dc4873eb38e9a08bc8107db31bb
Reviewed-on: https://review.typo3.org/26451
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

The EM has a lot of code related prior to
the inclusion of package management.

This change does a small cleanup in
ListUtility and calling code to make
better use of the new API.

Resolves: #55562
Releases: 6.2
Change-Id: I7aa5f5204ed3552fec617f2cd9e65dac2009486f
Reviewed-on: https://review.typo3.org/27239
Reviewed-by: Wouter Wolters
Reviewed-by: Stefan Neufeind
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

Tabmenu so far used mouseOver/mouseOut to set CSS-classes.
This is replaced with :hover functionality.

Change-Id: Ie62c017bca7bf26b1d48f1ae02ebab45090f3263
Resolves: #55600
Releases: 6.2
Reviewed-on: https://review.typo3.org/27270
Reviewed-by: Marcin Sągol
Tested-by: Marcin Sągol
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

When invalid credentials are entered in the Backend login form, various
PHP warnings are raised such as

    PHP Warning: Illegal string offset 'uid'

because $user is not an array.

Resolves: #55434
Releases: 6.2, 6.1
Change-Id: I62b85816ce04720ed9fd236965c3a6f55effd093
Reviewed-on: https://review.typo3.org/27126
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

extbase BaseTestCase extends core BaseTestCase and overrides
inject() with a duplicate. Remove dupe.

Change-Id: I96ce01c9754ce57cb5d10e9a322a8c5acb950647
Resolves: #55606
Releases: 6.2
Reviewed-on: https://review.typo3.org/27272
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

The default lifetime for the cache_pagesection is not set, so the
overall default of 3600 is used. This leads to the information in there
being repeatedly generated, though it does seldom change (it only
consists of information in the rootline, TypoScript configuration,
conditions etc.). Therefore, the lifetime is increased by this patch
again to 30 days. The cache is cleared nonetheless when clearing "all
caches".

The default lifetime for this cache was unlimited prior to the
introduction of the caching framework.

Change-Id: I98b307f11779174110ea2d5d79027771b44c5098
Resolves: #39295
Releases: 6.2, 6.1
Reviewed-on: https://review.typo3.org/27228
Reviewed-by: Ingo Schmitt
Tested-by: Ingo Schmitt
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Oliver Klee
Reviewed-by: Andreas Wolf
Tested-by: Andreas Wolf

Resolves: #55603
Releases: 6.2

Change-Id: I27efb6d19f580eba455cde92dd76628f72dce536
Reviewed-on: https://review.typo3.org/27271
Reviewed-by: Wouter Wolters
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Removes excessive top margin above Web>Page backend layout
cells. Brings gridCells equal heights and bottom spacing. Replaces
full white borders with adequate margins.

Change-Id: Ic5e7d3279c4facd969f171280d881b5620df4be7
Resolves: #55150
Related: #39971
Releases: 6.2
Reviewed-on: https://review.typo3.org/26936
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Integrate the definition of packages that should be activated at
first installation and packages that are required for a minimal
usable system in the package manager.

There are now three possible properties in Classes/Package.php:

* protected - Package can not be uninstalled in em.
* partOfFactoryDefault - Package is activated at first installation.
* partOfMinimalUsableSystem - Package is activated if
  PackageStates.php is missing. extensionmanager and t3skin are
  affected here, if PackageStates.php is deleted, the install tool
  will create a new one with those packages activated, so the backend
  is "usable" enough to activate further packages.

Resolves: #53988
Releases: 6.2
Change-Id: I4f5d3f0a7d3bcf332d1e8e6c29156f93bae8029c
Reviewed-on: https://review.typo3.org/27226
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Thomas Maroschik
Tested-by: Thomas Maroschik
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

Brings button style to "Download" link with download icon.

Change-Id: I4edae8b861d9c6f98f156d8b538031dd8ca8f62c
Resolves: #55597
Releases: 6.2
Reviewed-on: https://review.typo3.org/27267
Reviewed-by: Marcin Sągol
Tested-by: Marcin Sągol
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Brings an icon for download action. Icon is based on the
action-edit-upload sprite icon.

Change-Id: I4327c85c14dea3b69d8184259c5ac8729396d2e8
Resolves: #55594
Releases: 6.2
Reviewed-on: https://review.typo3.org/27266
Reviewed-by: Cedric Ziel
Tested-by: Cedric Ziel
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Moves definitions to CSS/structure.
Also fixes right margin for a.t3-button.

Change-Id: Ib51e8b7e3c11e0a4cf474b6322aaeaed11c63b55
Resolves: #55588
Related: #55539
Releases: 6.2
Reviewed-on: https://review.typo3.org/27260
Reviewed-by: Marcin Sągol
Tested-by: Marcin Sągol
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

This change-set adds new functional tests for the DataHandler
to ensure the correct behaviour in the Live Workspace. The
difference to current functional tests is, that here a more
complete picture is checked in the database instead of only
particular ids and values.

The tests use a DataSet, which is basically only a CSV file
that hold the record values for required tables. These CSV
files can easily be modified by any spreadsheet application.
The "Scenario" DataSets are used to define the scenario each
test case is based on - the "Assertion" DataSets are used to
acutally assert that the correct processing was done in
the DataHandler.

Resolves: #54855
Releases: 6.2
Change-Id: I5d748cde04a70b9c158d09f9a0bd337ef809fd02
Reviewed-on: https://review.typo3.org/27188
Reviewed-by: Peter Kuehn
Tested-by: Peter Kuehn
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader