- Dec 22, 2022
-
-
Nikita Hovratov authored
Resolves: #99407 Related: #98122 Releases: main, 11.5 Change-Id: Ie5a8e894e65669e9faa3d30f908040006a0345d7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77215 Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
core-ci <typo3@b13.com>
-
André Buchmann authored
The showForgotPasswordLink setting was renamed to showForgotPassword during the refactoring to fluid templates. It is now also renamed in the TypoScript setup. The TypoScript constant name is not changed to keep compatibility. Resolves: #98122 Releases: main, 11.5 Change-Id: I1b47da42fb17504e52bca4705c8444253d6b1f76 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77213 Reviewed-by:
-
- Dec 21, 2022
-
-
Eric Bode authored
To update the Indexed Search TypoScript documentation the following tasks have been completed: * Use of `.. confval::` block * All available settings are named * Some description texts have been optimized * Code examples were created * Indentation was done with 4 spaces * Heading types were corrected * Default values were entered separately outside the body text * Missing references were corrected Releases: main, 11.5 Resolves: #99353 Resolves: #99379 Change-Id: Ice6c38607fed68347dc38617c7dea8634f073483 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77214 Tested-by:
Lina Wolf <112@linawolf.de> Reviewed-by:
-
- Dec 20, 2022
-
-
Oliver Klee authored
The new version finds some more potential problems. > composer req --dev phpstan/phpstan:^1.9.4 > composer req --dev phpstan/phpstan-phpunit:^1.3.2 > ./Build/Scripts/runTests.sh -s phpstanGenerateBaseline Change-Id: Iae41030660fc24f8e5d83546cb9e22835517a719 Resolves: #99389 Releases: main, 11.5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77212 Tested-by:
-
- Dec 19, 2022
-
-
Oliver Bartsch authored
Resolves: #99380 Releases: main, 11.5 Change-Id: I44a4a805b4848700e30ed7127a6da62c1f4cfdde Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77138 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
-
- Dec 16, 2022
-
-
Oliver Bartsch authored
The extension repository status check in the reports module is now skipped in composer mode. Resolves: #99385 Releases: main, 11.5 Change-Id: Ia3c049e1df5000045249a5308601bf2f75bf6ec9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77137 Tested-by:
-
Andreas Fernandez authored
The "History" button in EditDocumentController now uses existing locallang labels instead of a hardcoded string. Resolves: #99386 Releases: main, 11.5 Change-Id: I6853ce66a0ffbb23e6ed6fca42085a7b824519e4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77136 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
-
- Dec 15, 2022
-
-
Oliver Hader authored
Change-Id: Ic9acc8a7130f9e848b6809af395ffdd4e130b33a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77167 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
-
Oliver Hader authored
Change-Id: Ic870e4d6af389ad9bfefe445cec780d60364230d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77166 Reviewed-by:
-
Benjamin Franzke authored
$normalizedParams->getRequestDir() returns '/' for frontend requests and `/typo3/` for backend requests. This results in problems when the backend UriBuilder relies on getRequestDir() to provide the `/typo3/` suffix for backend URL generation. UriBuilder is now changed to base absolute URLs on getSiteUrl(), which is defined to return equal values for backend and frontend requests, the typo3 suffix is added manually. Note that v12 introduced similar behavior with #99234, where UriBuilder was adapted to use BackendEntryPointResolver, which rebases the backend URL calculation on the site path as well. Also note that the ABSOLUTE_URL mode in backend UriBuilder isn't actually used by the TYPO3 frontend, but some extensions started to execute system reports in frontend context, which exposed this bug with the introduction of #99347. Releases: 11.5, 10.4 Resolves: #99368 Related: #99347 Related: #99234 Change-Id: Ifaaeb4725c0243d34603dc86b2c89d12d9c06bdd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77159 Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
-
Oliver Hader authored
ServerResponseCheck triggers a HTTP host header check which is expected to fail. The more generic TransferException is used to catch any other failed request, not only those with 4xx or 5xx HTTP status codes. Besides that, TLS certificates shall not be verified, and HTTP location redirects not be followed. Resolves: #99368 Releases: main, 12.1, 11.5, 10.4 Change-Id: Id40457d4408c74d9229d4e6dcdedc0b69ffe9667 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77153 Reviewed-by:
-
- Dec 14, 2022
-
-
Andreas Nedbal authored
Bootstrap removed panel classes in version 4 and the backend mostly has appropriate styles for the card component now, so old panel usages can be migrated. Resolves: #99223 Releases: main, 11.5 Change-Id: I4801e84fff23374ae1416a4b8b41520953d57017 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77157 Reviewed-by:
Nikita Hovratov <nikita.h@live.de> Tested-by:
-
Oliver Hader authored
The security fix for TYPO3-CORE-SA-2022-013 enforced the `pid` HTTP parameter to be signed via HMAC during the frontend user authentication process. To provide better backward compatibility for those individual scenarios, the new `security.frontend.enforceLoginSigning` feature flag has been introduced, which is enabled per default, but can be disabled individually. Resolves: #99366 Releases: 11.5, 10.4 Change-Id: Ib633d7d3166a2f58caebc0a258699549b5cf2fa4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77155 Reviewed-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
-
Oliver Klee authored
PHPStan 1.9.3 finds another potential problem and brings some performance improvements. Run commands: > composer req --dev phpstan/phpstan:^1.9.3 > composer req --dev phpstan/phpstan-phpunit:^1.3.1 > ./Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #99356 Releases: main, 11.5 Change-Id: I9d1429949379cc35518fad6750d6d063827623ed Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77124 Reviewed-by:
-
- Dec 13, 2022
-
-
Andreas Fernandez authored
The icon set used for the flags in TYPO3 accidentally used the flag of Andorra for Zimbabwe. Unfortunately, it's not tracable anymore where those flags came from, therefor, the flag of Zimbabwe is copied from https://github.com/lipis/flag-icons and has been converted to PNG. The flags of https://github.com/lipis/flag-icons may be used in the long run as a maintained replacement. Resolves: #99344 Releases: main, 11.5 Change-Id: I68e0e3b99254f35cce8c84a668a04765ea7b8159 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77133 Tested-by:
-
Oliver Bartsch authored
The title of the "edit column" button in the page module is now using the correct locallang key instead of an undefined variable. Resolves: #99339 Releases: main, 11.5 Change-Id: Ic3a44174da62d25de06e1673dd5748dedf4aff0a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77132 Tested-by:
-
Oliver Hader authored
Change-Id: I46e19a332d7067961066da9d1fa91ad546bc3d11 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77108 Reviewed-by:
-
Oliver Hader authored
Change-Id: I2d0ca5bacc7de24d933e2d05a7edae59e6e229a3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77107 Tested-by:
-
Oliver Hader authored
see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.1 composer req typo3/html-sanitizer:^2.1.1 composer req typo3/html-sanitizer:^2.1.1 \ -d typo3/sysext/core --no-update Resolves: #99351 Releases: main, 11.5, 10.4 Change-Id: I25a17ce13a8f90cdd07a7cc51e515dff3b6bb03b Security-Bulletin: TYPO3-CORE-SA-2022-017 Security-References: CVE-2022-23499 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77094 Tested-by:
-
Oliver Hader authored
Introducing Yaml placeholders in backend user interface can lead to information disclosure and denial-of-service senarios. This change disallows adding new placeholders and throws an exception - existing placeholders are kept. Resolves: #89401 Releases: main, 11.5, 10.4 Change-Id: I69e24de07b5327507e1bf8de990f84402078f7d4 Security-Bulletin: TYPO3-CORE-SA-2022-016 Security-References: CVE-2022-23504 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77093 Tested-by:
-
waldhacker authored
Only evaluate TypoScript-like instructions like ``` submitButtonLabel = TEXT submitButtonLabel.value = Bar ``` defined within `plugin.tx_form.settings.formDefinitionOverrides` and `plugin.tx_form.settings.yamlSettingsOverrides` and **not** within form definition yaml files or the form setup yaml files. This is achieved by not searching the entire form definition or form setup for TypoScript instructions, but only the actual TypoScript. Resolves: #98403 Releases: main, 11.5, 10.4 Change-Id: I7b066f109d6061715c2240b01ed15185c58fa9f5 Security-Bulletin: TYPO3-CORE-SA-2022-015 Security-References: CVE-2022-23503 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77092 Reviewed-by:
-
Torben Hansen authored
The password reset process for TYPO3 backend and frontend users does not destroy possible existing user sessions after the password has been changed. With this patch, all existing user sessions are destroyed when the password is changed in the password reset process. Resolves: #98462 Releases: main, 11.5, 10.4 Change-Id: I6744bfcf7cae56b4e525f2e0f9a44d06cf14396c Security-Bulletin: TYPO3-CORE-SA-2022-014 Security-References: CVE-2022-23502 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77091 Tested-by:
-
Oliver Hader authored
This change ensures that individual storage page ids are valid by signing corresponding values with an HMAC. Resolves: #98010 Releases: main, 11.5, 10.4 Change-Id: I34d474ab23adca6bbcf20c108bb60acf6998bc6f Security-Bulletin: TYPO3-CORE-SA-2022-013 Security-References: CVE-2022-23501 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77090 Reviewed-by:
-
Benni Mack authored
TYPO3 now uses a lock strategy to avoid having to many request waiting for the generation of the error page (which cannot be generated via the external HTTP request, as there might be not enough workers / PHP processes available during a DoS attack). If a lock is in place, it directly returns a generic error response instead of waiting for the lock or that the error page is retrieved/rendered. Additionally, if the external error page could not be retrieved (HTTP status code other than 200), it will also create a generic response and cache that instead. This avoids keeping requesting for the errounous external HTTP page. This could happen when using external HTTP requests (Guzzle) to resolve an error page (via PageContentErrorHandler) for 404 sites. Only TYPO3 installations using the feature "subrequestPageErrors" via $TYPO3_CONF_VARS[SYS][features][subrequestPageErrors] = true are not affected as the error page is generated during the same PHP process, avoiding to create another external process. Resolves: #98384 Releases: 11.5, 10.4 Change-Id: Iae1cae882707a519b2cef85112525ea213a72eef Security-Bulletin: TYPO3-CORE-SA-2022-012 Security-References: CVE-2022-23500 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77089 Tested-by:
-
Oliver Hader authored
In case the web server scenario is not properly configured to deny HTTP host header injection, and the trustedHostsPattern is not explicit enough, a corresponding check in the reports module will issue an error message like * HTTP_HOST contained unexpected "a0a3aa2f59.random.example.org" * SERVER_NAME contained unexpected "a0a3aa2f59.random.example.org" Using the configuration directive `UseCanonicalName On` for Apache web server environments mitigates the risk. Resolves: #99347 Releases: main, 11.5, 10.4 Change-Id: Iaafd136fd817a0722f482d1d0e6b198382e40e3d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77025 Tested-by:
-
Benjamin Franzke authored
There are different versions of pdfinfo available and used by different providers/distributions. a) Debian/Fedora use pdfinfo (>v20) from the poppler-utils package. Also hosters like Hetzner use this version. This variant defaults to UTF-8 output for metadata: https://linux.die.net/man/1/pdfinfo > -enc encoding-name Sets the encoding to use for text output. This defaults to "UTF-8". pdfinfo -v pdfinfo version 21.08.0 Copyright 2005-2021 The Poppler Developers - http://poppler.freedesktop.org Copyright 1996-2011 Glyph & Cog, LLC b) Older servers and hosters with legacy software (Mittwald, Domainfactory) use pdfinfo v3. This one defaults to Latin1 output: https://www.xpdfreader.com/pdfinfo-man.html > −enc encoding-name > Sets the encoding to use for text output. […] > This defaults to "Latin1" pdfinfo -v pdfinfo version 3.02 Copyright 1996-2007 Glyph & Cog, LLC Both versions support an -enc UTF-8 option, which is nowused to circumvent the differences between these tools, instead of implying Latin1 output (as done in #80085) which breaks variant a) by interpreting valid UTF-8 as ISO-8859-1 and thus applying a double encoding. Resolves: #99352 Related: #80085 Releases: main, 11.5, 10.4 Change-Id: Ib8f7ae742c5edc73036afcb7d2608cd01f4176fd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77081 Reviewed-by:
-
Stephan Großberndt authored
Releases: main, 11.5, 10.4 Resolves: #99348 Change-Id: I43d305b0f02bd6049f32e65c95184a2d5bfa4fe5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77052 Tested-by:
-
- Dec 09, 2022
-
-
Chris Müller authored
Resolves: #99299 Releases: main, 11.5 Change-Id: I1b4e7d16cf32bfbcda757685c8b3759bb052a867 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77001 Reviewed-by:
Sybille Peters <sypets@gmx.de> Tested-by:
-
- Dec 07, 2022
-
-
Benni Mack authored
Resolves: #99296 Releases: main, 11.5 Change-Id: I7c7182b107afe30def50bf10f73018df2c888958 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76956 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
-
Benni Mack authored
If a service is registered with ExtensionManagementUtility::addService(), that does not have a "os" flag, then a PHP 8 warning is raised (during loading). This change avoids this warning. Resolves: #99294 Releases: main, 11.5 Change-Id: Ie5427e1a48f32dccbf1c5618a199c9a4d55774d3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76955 Reviewed-by:
-
Oliver Hader authored
When working with variable interpolation and similar scenarios, in most cases variables, constants, expressions, ... are embedded in a solid string and can only be identified and extracted by the corresponding "reader" or "parser". This string fragment splitter aims to introduce a simpler way for extracting and working with these embedded fragments. Example: $pattern = new StringFragmentPattern( StringFragmentSplitter::TYPE_EXPRESSION, '%[^%]+%' ); $splitter = new StringFragmentSplitter($pattern); $collection = $splitter->split( 'Hello %variable% World!' FLAG_UNMATCHED_AS_NULL ); // results in having // + StringFragment(type: 'raw', value: 'Hello ') // + StringFragment(type: 'expression', value: '%variable%') // + StringFragment(type: 'raw', value: ' World!') Resolves: #97553 Releases: main, 11.5, 10.4 Change-Id: Ie2b02a247ca884fa44ab7b3ba21214c8ee9bc457 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76945 Tested-by:
-
- Dec 06, 2022
-
-
Achim Fritz authored
Cast decimals input arguments to integer before using them in number_format(). Resolves: #99283 Releases: main, 11.5 Change-Id: If0f49d644c99b212ffb7dd3a774e4dcba8baa2c7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76954 Tested-by:
-
Benjamin Kott authored
Resolves: #99281 Releases: main, 11.5, 10.4 Change-Id: Ic65f08aa0bb67f97880d0ff5bb4c692fe7e6ffde Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76952 Tested-by:
-
Benni Mack authored
<figure> is allowed in HTML5 outside of paragraphs, thus it should also be configured like that out-of-the-box See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure Since CKEditor5 is using <figure> around tables, and also might add a <figcaption> both variants are now enabled by default. Resolves: #99273 Releases: main, 11.5, 10.4 Change-Id: I9356cc13ccef764f475ba42cc47f43f7ecd624a1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76897 Tested-by:
-
- Dec 05, 2022
-
-
Stefan Bürk authored
Way back until early stage of v11 development the page section cache entry included only the rootline of the default language for the page. This changed with #23736, when language loading has been moved more forward to allow language based matching in TypoScript. However, the used identifier for the section cache did not include the language in any kind. Thus making the rootLine flipping in the cache, and getting eventually a cache entry with the wrong rootLine set. This also leads to a flipping identifier for the page content cache identifier `newHash`. This leads to the reported behaviour of regulary ignoring the cache and rebuilding the page, also it should not have been necessary. This change extend the page-section cache identifier with the language id. This means, that we now have one cache entry per language, instead of a generic one as in the good old days. Back than, one entry was enough as it has always included only the default language rootline. Better having dedicated cache entries per language than a on-going rebuild of the cache which can take complete down in a really bad way. To avoid changing method signatures, the already existing context is used in TemplateService to properly calculate the cache identifier with the language id included. Resolves: #98126 Related: #23736 Releases: 11.5 Change-Id: Ice4b3b77bd5dd4acc3bdb054dcd05e1a065a2b2a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76302 Tested-by:
Meelis Karulin <mkarulin@icloud.com> Reviewed-by:
Joey Bouten <joey.bouten@beech.it>
-
Oliver Hader authored
see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.0 composer req typo3/html-sanitizer:^2.1.0 composer req typo3/html-sanitizer:^2.1.0 \ -d typo3/sysext/core --no-update To use custom output rules, the Behavior object must be known in the Sanitizer, see https://github.com/TYPO3/html-sanitizer/pull/98 Resolves: #99271 Releases: main, 11.5, 10.4 Change-Id: I160f8b49284566afde87d07dde7a4fb69e3174c9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76920 Reviewed-by:
-
Oliver Bartsch authored
To improve the listing of mfa providers in the configuration module are possible language label keys now displayed, next to the resolved label. Resolves: #99246 Releases: main, 11.5 Change-Id: I978ff19f5c3299dff84d306a3c3b2c5ba0154ca2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76896 Tested-by:
-
- Dec 03, 2022
-
-
Tomas Norre Mikkelsen authored
This patch ensures that search term like Ärmel and Æble is also working. Currently the match didn't work if a uppercase special char was used. With the additional modifier, this is now working, and there will be matches on both lowercase and uppercase matching words. Resolves: #97986 Releases: main, 11.5, 10.4 Change-Id: If7ff1669ead57557964ed5372c4af749c316d7bf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76894 Tested-by:
-
- Dec 02, 2022
-
-
Benni Mack authored
Used commands: composer req -W \ -d typo3/sysext/core --no-update \ guzzlehttp/guzzle:^7.5.0 \ guzzlehttp/psr7:^2.4.3 composer req -W \ -d typo3/sysext/install --no-update \ guzzlehttp/promises:^1.5.2 composer req -W \ guzzlehttp/guzzle:^7.5.0 \ guzzlehttp/promises:^1.5.2 \ guzzlehttp/psr7:^2.4.3 Resolves: #99242 Releases: main, 11.5 Change-Id: Iec5f53533860f3811127b1a4463e7a4a7fd70877 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76879 Tested-by:
-
- Dec 01, 2022
-
-
Tomas Norre Mikkelsen authored
This encodes the PDF metadata to UTF-8 to ensure that special chars like æ ø å ü ö ä are allowed without cutting of the metadata text. Resolves: #80085 Releases: main, 11.5, 10.4 Change-Id: I02b0730dd659b54c0d8c7186a2089419bd56d2a2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76892 Reviewed-by:
-
