- Jun 19, 2022
-
-
Stefan Bürk authored
This change replaces invalid namespaces in some files to ensure PSR-4 loading compatibility. Additional missing namespace autoloading configuration for `tstemplate` test files is added to root composer.json. Resolves: #97791 Releases: main Change-Id: I52a473f71dd284a3ecb7e0bda397331db3b4b47d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74931 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Tested-by:
Simon Schaufelberger <simonschaufi+typo3@gmail.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
- Jun 17, 2022
-
-
Chris Müller authored
Additionally, fix some flaws and typos. Resolves: #97760 Releases: main, 11.5 Change-Id: Ic661dec8a180db640a30fb7305b93e6cdb777efe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74877 Tested-by:
Björn Jacob <bjoern.jacob@tritum.de> Tested-by:
Nikita Hovratov <nikita.h@live.de> Reviewed-by:
-
Benni Mack authored
When using compressed files such as JS / CSS files, the files are now put in a ".gz" file extension instead of ".gzip" as this is more wide-spread and possible by default. Also see https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types Resolves: #93182 Releases: main Change-Id: I27aa2dbf5d36809eb85c77701b47e03cf5618692 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67272 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Mathias Bolt Lesniak <mathias@pixelant.no> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
crell <larry@garfieldtech.com> Reviewed-by:
-
Chris Müller authored
Additionally, use "On" as value for ExpiresActive directive as this is the preferred notation. Resolves: #97764 Releases: main, 11.5 Change-Id: Iee2433cf88cc7b7200a72c7d5308da0202fe3e78 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74922 Tested-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
-
Larry Garfield authored
Resolves: #97742 Releases: main Change-Id: If4944dd1d45b3e8c9522689f472fec9f6810eacb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74827 Tested-by:
Joey Bouten <joey.bouten@beech.it> Reviewed-by:
-
- Jun 15, 2022
-
-
Oliver Hader authored
The security fix TYPO3-CORE-SA-2022-005 introduced a synchronization of backend user and admin tool sessions - without considering these two documented aspects: + If no system maintainer is set up, then all administrators are assigned the system maintainer role. + In Development context, all administrators are system maintainers as well. Resolves: #97768 Releases: main, 11.5, 10.4 Change-Id: I81dbfc5d07a41a4fa254e1fb50210c74f5e6f02c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74910 Tested-by:
Rudy Gnodde <rudy@famouswolf.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
Xavier Perseguers <xavier@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Thomas Hohn Reviewed-by:
-
- Jun 14, 2022
-
-
Oliver Hader authored
Admin tools sessions are revoked in case the initiatin backend user does not have admin or system maintainer privileges anymore. Besides that, revoking backend user interface sessions now also revokes access to admin tools. Standalone install tool is not affected. Resolves: #92019 Releases: main, 11.5, 10.4 Change-Id: I367098abd632fa34caa59e4e165f5ab1916894c5 Security-Bulletin: TYPO3-CORE-SA-2022-005 Security-References: CVE-2022-31050 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74905 Tested-by:
-
Andreas Fernandez authored
The `receiverName` variable used in the password recovery mail of the Extbase felogin plugin was susceptible to HTML injection due to missing sanitization. The variable is now passed thru the `f:format.htmlspecialchars` ViewHelper. Resolves: #96559 Releases: main, 11.5, 10.4 Change-Id: I60e23c161f7f2fcc87b8870345b10a4c31d7b8db Security-Bulletin: TYPO3-CORE-SA-2022-004 Security-References: CVE-2022-31049 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74904 Tested-by:
-
Gabe Troyan authored
Multivalue items in the form editor user interface were previewed as HTML, but should be treated as scalar text only. Resolves: #96743 Releases: main, 11.5, 10.4 Change-Id: I5e8dab26119490ecf19ac5d48c2bc7a5a00daaad Security-Bulletin: TYPO3-CORE-SA-2022-003 Security-References: CVE-2022-31048 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73297 Tested-by:
-
Torben Hansen authored
When a TYPO3 exception is handled through registered exception handlers, log writers may log sensitive information to logs, since the full stacktrace is logged. With this change, exception handlers that extend AbstractExceptionHandler except DebugExceptionHandler will by default not include the exception object any more and thereby not log the full stacktrace. Resolves: #96866 Releases: main, 11.5, 10.4 Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0 Security-Bulletin: TYPO3-CORE-SA-2022-002 Security-References: CVE-2022-31047 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74903 Tested-by:
-
Torben Hansen authored
The import functionality of the import/export module is already restricted to admin users or users, who explicitly have access through the user TSConfig setting "options.impexp.enableImportForNonAdminUser". The export functionality has the following security drawbacks: * Export for editors is not limited on field level * The "Save to filename" functionality saves to a shared folder, which other editors with different access rights may have access to. Both issues are not easy to resolve and also the target audience for the Import/Export functionality are mainly TYPO3 admins. Therefore, now also the export functionality is restricted to TYPO3 admin users and to users, who explicitly have access through the new user TSConfig setting "options.impexp.enableExportForNonAdminUser". Additionally, the contents of the temporary "importexport" folder in file storages is now only visible to users who have access to the export functionality. In general, it is recommended to only install the Import/Export extension when the functionality is required. Resolves: #94951 Releases: main, 11.5, 10.4 Change-Id: Iae020baf051aeec0613366687aa8ebcbf9b3d8b2 Security-Bulletin: TYPO3-CORE-SA-2022-001 Security-References: CVE-2022-31046 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74902 Tested-by:
-
Oliver Bartsch authored
The action to delete an indexed item in the IndexedSearch backend module used the "id" parameter to pass the indexed item id to the method. The controller is based on extbase and previously, those parameters were prefixed with the plugin namespace. However, with #97096 the parameters in extbase backend modules are no longer prefix by default, which therefore lead to a collision. The "id" parameter should always represent the currently selected page, underlying code performs access checks on this value. This is now resolved by using a dedicated parameter, which is not already "reserved" by underlying functionality. Resolves: #97766 Related: #97096 Releases: main Change-Id: If7ccb1dfbdad6f907eb4f27187eb7eb9b753e9dc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74885 Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
-
- Jun 13, 2022
-
-
Oliver Bartsch authored
TYPO3's Mailer implementation does now dispatch two new PSR-14 events. The `BeforeMailerSentMessageEvent` can be used to manipulate the message and the envelope before being sent. The `AfterMailerSentMessageEvent` can be used to add further processing after the message has been sent. Resolves: #93689 Releases: main Change-Id: I02ec5ad5b7a18f9f6f4f7146b676f7ce773d3b29 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74825 Tested-by:
André Buchmann <andy.schliesser@gmail.com> Reviewed-by:
-
Torben Hansen authored
The package guzzlehttp/guzzle has been updated to version 7.4.4 and 6.5.7 which both fix the security issues [1] and [2]. Since TYPO3 is not affected by the issues by default, this is handled as a public bugfix. 3rd party extensions may however be affected by the vulnerabilities if `Authorization` or `Cookie` headers are used. Executed commands: composer require \ guzzlehttp/guzzle:^7.4.4 \ -W composer require \ -d typo3/sysext/core \ guzzlehttp/guzzle:^7.4.4 \ --no-update [1] https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q [2] https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9 Resolves: #97759 Releases: main, 11.5, 10.4 Change-Id: I6ed48f2b03e5e0ca82a9aa493499a5eaf65b184c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74876 Tested-by:
-
- Jun 11, 2022
-
-
Jochen Roth authored
Currently the clearFilterReloadsPageTreeWithoutFilterApplied randomly fails due to a still existing element. This seems to be caused by performance issues in CI. This is now solved by waiting for the element to actually disappear. Resolves: #97749 Releases: main, 11.5 Change-Id: Ib417fc97dcff6ddf0f3c1370ffa419a79f21eba6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74858 Tested-by:
-
Stefan Bürk authored
This change adds the ability to clean rendered documentation folder and files in all system extension folders in one go. Mentioned folders are `typo3/sysext/*/Documentation-GENERATED-temp`. Added command/testsuite: * `Build/Scripts/runTests.sh -s cleanRenderedDocumentation` Additionally the already combined cleaning command `-s clean` is extended to delete rendered documentation in the same run. Resolves: #97673 Releases: main, 11.5, 10.4 Change-Id: I344f897769cd5f475d43db67dd1b27693f49a658 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74717 Tested-by:
-
- Jun 10, 2022
-
-
Stefan Bürk authored
This patch adds the ability to run commands with PHP8.2 using `Build/Scripts/runTests.sh`. Support is added early to check which issues may raise up with new major PHP version. Help text of script is adopted to state the possibility of the new PHP version with proper example commands. Additionally, a note and check for currently not supported xdebug with PHP8.2 is added. Resolves: #97755 Releases: main, 11.5 Change-Id: I9df13d35278793fba8c5475c8abd602bd1c27896 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74869 Tested-by:
-
Oliver Klee authored
PHP 8.1.7 introduced a bug that it considers the month number 100 to be valid, which breaks one of our tests. As it is not relevant for the test whether the invalid month is exactly 100 or 99, we now are using a number that does not trigger the PHP bug. https://github.com/php/php-src/issues/8749 Resolves: #97756 Releases: main, 11.5 Change-Id: I2ca2b90a2c1e46f16cfeddda29d80e6a83779b1c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74871 Tested-by:
-
Oliver Hader authored
A dialog trying to prevent overriding existing files in the filelist module shows an incorrect modification date of files that are existing on the server-side. When using regular unix timestamps (instead of micro-timestamps), dedicated `moment.unix` function has to be used. Resolves: #97724 Releases: main, 11.5, 10.4 Change-Id: Ieb5a00aaf87410e9721e39d91b9e0da13a109bc6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74805 Tested-by:
-
Chris Müller authored
Resolves: #97612 Releases: main, 11.5 Change-Id: Ia23a15f0beb864a8b53c568ed27642ec7ac8c7b2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74818 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
-
Markus Klein authored
By making the modal's primary button a submit button and binding it to the form, the user can now use the ENTER key to submit the password. Resolves: #97746 Releases: main, 11.5 Change-Id: Icc380057259a0c44511098d640bdd8c4ca395a55 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74831 Tested-by:
Jonas Eberle <flightvision@googlemail.com> Tested-by:
-
Larry Garfield authored
Resolves: #97741 Releases: main Change-Id: Ic346680b2f3fcaf8ffef5f9b9bd1cb903da61e0b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74826 Reviewed-by:
-
- Jun 09, 2022
-
-
Oliver Bartsch authored
The MailerAdapterInterface, related to SwiftMailer is removed, since it is unused in core since v7. Resolves: #97752 Releases: main Change-Id: Ibb0a97dd17a06cb7b4d43d8d9aa4326194f550f5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74860 Tested-by:
-
Larry Garfield authored
More code paths identified as dead by PHPStan, or that PHPStan isn't understanding correctly. Used command: > Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #97649 Releases: main, 11.5 Change-Id: I8ff67b7ebda5d64624d4e42a9775e4709bff3f08 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74677 Tested-by:
-
- Jun 08, 2022
-
-
Larry Garfield authored
Resolves: #97745 Releases: main Change-Id: I903f04c8eba97e7e4fb148041288da843ea1647d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74830 Tested-by:
-
André Buchmann authored
Some default fields (e.g. tt_content.bodytext) can contain null values. TYPO3 first fetches the data in the default language and then overlays the rows data with the translation values. The overlay method inspects each array item with the php isset() function. This validates not only the existence of the array key, but also the values. null and false values evaluated as false. Empty strings evaluate as true. This leads to inconsistent output in the frontend. The overlay now valides only the array key existence and applies also empty values. Resolves: #97616 Releases: main, 11.5, 10.4 Change-Id: I4b01c52e9ac7adde786b3395bce870bc0a354b58 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74632 Tested-by:
-
Oliver Klee authored
This helps avoid breakage when GeneralUtility will switch to strict mode. This change also prevents a whole bunch of possible invalid array access warnings. Resolves: #97581 Releases: main Change-Id: Ie167d05a9d8e4c231eec5d86336405627deceb2b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74599 Tested-by:
-
- Jun 07, 2022
-
-
Simon Schaufelberger authored
Searched for "/** @var " and went through all results manually. Skipped results where GeneralUtility::makeInstance is called with a variable. This reduces the PHPStan baseline further. Imported some namespaces on the go. Run commands: > Build/Scripts/runTests.sh -s phpstanGenerateBaseline > Build/Scripts/runTests.sh -s cglGit Resolves: #97705 Releases: main,11.5 Change-Id: I700ba596234af8cd3d32507fb03d77cfe30c678a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74785 Tested-by:
-
Andreas Fernandez authored
Executed commands: cd Build yarn add --dev typescript@~4.7.0 Resolves: #97698 Releases: main, 11.5 Change-Id: I1b8d2134b6403f1f9672325beabe62436d8b8901 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74774 Tested-by: -
Benni Mack authored
This change introduces three new PSR-14 Events in favor of the following hooks: * $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tslib/class.tslib_fe.php']['determineId-PreProcessing'] replaced by "BeforePageIsResolvedEvent" * $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tslib/class.tslib_fe.php']['fetchPageId-PostProcessing'] * $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tslib/class.tslib_fe.php']['settingLanguage_preProcess'] replaced by "AfterPageWithRootLineIsResolvedEvent" * $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tslib/class.tslib_fe.php']['determineId-PostProc'] * $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tslib/class.tslib_fe.php']['settingLanguage_postProcess'] replaced by "AfterPageAndLanguageIsResolvedEvent" Due to the restructuring of TSFE in the past versions, it became obvious that several hooks are called right after each other, making them superfluous. For this reason, they have been unified. The new PSR-14 Events are more powerful as they also contain the current request. In addition TSFE->determineId() can now intercept the process by properly returning a Response object. Resolves: #97737 Releases: main Change-Id: I9f82ba79c89826208a1131663a1b8b5e2e2781c9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74516 Tested-by:
-
Lina Wolf authored
Releases: main Resolves: #97735 Change-Id: I703595777f4bb7727cc72b7ab92cb2446f3cf30e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74820 Tested-by:
-
Josua Vogel authored
Guard invalid argument type exception by using null coalescing operator in `\TYPO3\CMS\Form\Domain\Finishers\FinisherVariableProvider`. Resolves: #97699 Releases: main, 11.5 Change-Id: I6312fb35d52857004e0467a20e215fc4095e0037 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74775 Tested-by:
-
- Jun 06, 2022
-
-
Simon Schaufelberger authored
Also add some (indirect) basic tests for GifBuilder::calculateValue. Used command: > Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #97690 Releases: main, 11.5 Change-Id: I836db8570f64ecb2729c1707fcfe9fc1af672151 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74743 Tested-by:
-
Simon Schaufelberger authored
Sometimes it happens that the page tree is not updated within a certain amount of time resulting in failing tests. This patch will add a timeout and makes sure that the page tree is updated. Resolves: #97714 Releases: main, 11.5 Change-Id: Id28d955ccda6838701aea63e6aa97b5ee9c602b5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74793 Tested-by:
-
Chris Müller authored
Resolves: #97658 Releases: main, 11.5 Change-Id: Ic4e18d64849e64404dca0eef240060d882476526 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74817 Tested-by:
-
Simon Schaufelberger authored
In CLI context the full path to the temporary generated file by the GIFBUILDER can't be resolved. Because of this inconsistency, absolute file paths are used from now on. Resolves: #95379 Releases: main Change-Id: If3a8613ed8e8d11a1b8a474fa564f947ef8a5c0c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73932 Tested-by:
-
Oliver Klee authored
This is now covered by the annotations using generics in the testing framework base class, and hence not needed anymore. (Removing it also helps get consistent behavior from PhpStorm's static type analysis.) Resolves: #97736 Releases: main, 11.5, 10.4 Change-Id: Ia7d7e790bb92eaf1c9b7ffa4f9d97b2b0a50dee3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74822 Tested-by:
-
- Jun 05, 2022
-
-
Oliver Bartsch authored
For translating / synchronizing (inline) records, the DataHandler dispatches the data map to the DataMapProcessor. This components' implementation of the translation prefix however differed from the one in DataHandler, leading to inconsistency, as some fields still got the "Translate to:" prefix added, while others did not. This is now fixed by aligning the functionality with the one used in the DataHandler. Resolves: #97721 Releases: main, 11.5 Change-Id: I425ca172f2c66cf43613fb62be0e35fa1dff76fe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74815 Tested-by:
-
- Jun 04, 2022
-
-
Georg Ringer authored
The pagination links of the redirects module must respect a given ordering. Resolves: #97645 Releases: main, 11.5 Change-Id: Iaa65b8e365e9014796c463118504182f66b49ccb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74673 Tested-by:
-
Oliver Klee authored
For empty storages, we need to avoid accessing inexistent array elements. Resolves: #97417 Relates: #97554 Releases: main, 11.5 Change-Id: Ieee36b4c0ede9726ce936030f631a3322e3813a9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74342 Tested-by:
-
