- Aug 24, 2021
-
-
Benni Mack authored
This reverts commit e2e59fb3 due to certain incompatibilities with direct "index.php" calls in certain server setups.

Resolves: #94968
Reverts: #94537
Releases: master, 10.4, 9.5
Change-Id: I558c4764e1e0399b7d92da9be0da83cb36c85cba
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70698
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
- Aug 16, 2021
-
-
Oliver Hader authored
Change-Id: I0c6b55a4d4027bf2c381ec0914f386cc5090599c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70634
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: I7632848019be704a039ba1820d927d4cffb1d589
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70633
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
composer req typo3/html-sanitizer:^2.0.9
composer req typo3/html-sanitizer:^2.0.9 \
    -d typo3/sysext/core --no-update

Resolves: #94883
Releases: master, 11.3, 10.4, 9.5
Change-Id: I997ddc423ffcb216927e3ba807e303e604174ee8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70617
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
As a result of TYPO3-CORE-SA-2021-013, the new `htmlSanitize` behavior - when invoking `ContentObjectRenderer::parseFunc` - is enabled by default, in case it was not declared otherwise. That also happened when no processing configuration was given (or could be resolved). Without having any configuration, it was obviously not possible to disable `htmlSanitize`.

Fluid's `HtmlViewHelper` can be used with an empty `parseFuncTSPath` (e.g. `<f:format.html parseFuncTSPath="">`) - due to the missing (empty) configuration, sanitization was enabled by default in `parseFunc`.

With this change, the property `htmlSanitize` needs to be either enabled or disabled explicitly - otherwise deprecation logs will be generated. If not given, the fall-back behavior is inferred from the new feature flag `security.frontend.htmlSanitizeParseFuncDefault`.

Invoking `ContentObjectRenderer::parseFunc` without any configuration behaves like before TYPO3-CORE-SA-2021-013 was applied - it just does not process anything.

Resolves: #94786
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4aee54d712ce4758f6c9c2e64a43f80b6c076406
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70588
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Oliver Hader authored
`ContentObjectRenderer` and `AbstractMenuContentObject` are still relying on the HTML event attribute `onclick` to open new client window instances, which was (correctly) removed by the HTML sanitizer. In order to keep the functionality, exceptional declarations have been added, and `vHWin=window.open(...)` has been substituted by `openPic(...)`.

Resolves: #94866
Releases: master, 11.3, 10.4, 9.5
Change-Id: I961746b3776d12f302933ebb775ab215bdcd85ab
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70584
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Aug 13, 2021
-
-
Oliver Hader authored
A new `<f:sanitize.html build="default">` view-helper is introduced which directly invokes processing of the `typo3/html-sanitizer` package. An optional view-helper argument `build` allows using a defined preset, or alternatively a fully qualified class name of a builder instance, which has to implement `\TYPO3\HtmlSanitizer\Builder\BuilderInterface`.

In contrast to `<f:format.html>`, this does NOT invoke `lib.parseFunc`, and does NOT rely on TypoScript configuration being loaded and parsed.

Resolves: #94825
Releases: master, 11.3, 10.4, 9.5
Change-Id: Id0720120fea7d5d517a8c61d10bdbb6b03658adf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70526
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Stefan Bürk authored
Remove the resolved scriptName with leading slash from the URL in the PageRouter matchRequest method. This prevents changing the URL into an invalid URL if the PageTypeSuffix decorator with .php is used and a page slug ends in index.

Resolves: #94537
Releases: master, 10.4, 9.5
Change-Id: I5057bb6888c228a4ca5b53d363ecf1bc7a6af1c6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70554
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Georg Ringer authored
Skip a real check of the file system for SVG files in advance in the SvgFilesSanitization wizard to avoid timeouts in e.g. the reports module.

Resolves: #94801
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4ed52d357effec4a8e698d5b117f024150a01beb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70448
Tested-by: core-ci <typo3@b13.com>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70534
-
- Aug 12, 2021
-
-
Oliver Hader authored
Resolves: #94857
Releases: master, 11.3, 10.4, 9.5
Change-Id: I7654fb4cec38d38044441e885a21676dcacf9a8f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70523
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
A new `SanitizerInitiator` is added and forwarded to `typo3/html-sanitizer`. This allows getting a full stack-trace when HTML nodes have been sanitized/modified and debugging the actual cause (initiator) much better.

To receive corresponding initiator stack-traces
* logging for the TYPO3.HtmlSanitizer namespace needs to be enabled
* TypoScript `config.debug = 1` must be set, or as a fall-back `$GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = true;` must be set
* the HTML sanitizer must have found and modified invalid tags/attributes

Resolves: #94837
Releases: master, 11.3, 10.4, 9.5
Change-Id: I0239785d347d2c4ad6153ccb26130556399949d8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70510
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Alexander Nitsche authored
Sometimes acceptance tests fail due to a failed TYPO3 backend request, which is recorded in the TYPO3 log file. Save this log file along with the Acceptance Reports folder in the gitlab-ci job artifacts.

Resolves: #94843
Releases: master, 10.4, 9.5
Change-Id: I0b260c197a6a71dc23e6f9da547fc20a55fc4ce7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70508
Reviewed-by: Alexander Nitsche <typo3@alexandernitsche.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
-
Oliver Hader authored
https://github.com/TYPO3/html-sanitizer/releases/tag/v2.0.8

composer req typo3/html-sanitizer:^2.0.8

Resolves: #94849
Releases: master, 11.3, 10.4, 9.5
Change-Id: I367343abe5b18445ddc28023ef45c65bc6d0de23
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70502
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Andreas Fernandez authored
The Core Updater and Reports module were modified to render correct information about non-community-supported TYPO3 releases (aka ELTS). However, the case where no ELTS release has been published yet was not handled in the Reports module, in contrast to the Core Updater. The missing case is added with this patch.

Resolves: #94827
Related: #94745
Releases: master, 10.4, 9.5
Change-Id: Ib4d8791478b89ad7e9b92930d882a98c76b809a3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70422
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
-
- Aug 11, 2021
-
-
Torben Hansen authored
When TYPO3 is configured to spam-protect email addresses using an offset, the HTML sanitizer introduced in #94375 removes the generated JavaScript in the href link attribute. This change makes the HTML sanitizer aware of the `javascript:linkTo_UnCryptMailto` pattern for the href attribute.

Resolves: #94776
Releases: master, 11.3, 10.4, 9.5
Change-Id: If5f4ab22a686274401390a66b580a24e6d5a8f0c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70415
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Tomas Norre Mikkelsen authored
* remove superfluous `}` literal from PHP example
* add "Troubleshooting" section of reported side-effects
* add "Logging" section, helping to spot those side-effects

Resolves: #94797
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4b154c849b158d920b380f40d1415762d227ae6d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70419
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Aug 10, 2021
-
-
Oliver Hader authored
This reverts commit 3bae5925. Not defining a replaced version of `t3g/svg-sanitizer` leads to problems with `roave/security-advisories`. Overall it seems better to completely revert the previous change.

Resolves: #94782
Reverts: #94719
Releases: master, 11.3, 10.4, 9.5
Change-Id: I43c2ea986ffec72bc0c8eb740a84daad33e9257f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70436
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: Idef500cdaaf791fd9d03c5668233312ca2e89bc4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70347
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Oliver Hader authored
Change-Id: I2d1a435c3d3a221a6a8d523f105d2b9f052e8513
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70346
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Due to missing internal handling of the provided RTE configuration, it was possible to directly persist XSS in database fields. Unless a full-blown backend RTE tag configuration is available, this patch still allows persisting potentially malicious data - which is not reflected in the backend user interface - but it is sanitized during frontend rendering (see below). Corresponding configuration directives (`removeTags`, `allowedAttribs`) are now considered again. Besides that, a new but simplified sequential HTML parser ensures that runaway node boundaries are detected and denied.

To sanitize and purge XSS from markup during frontend rendering, a new custom HTML sanitizer has been introduced, based on `masterminds/html5`. Both `DefaultBuilder` and `CommonVisitor` provide a common configuration which is in line with the tags expected to be allowed in the backend RTE. Using a custom builder instance, it is possible to adjust for individual demands - however, configuration possibilities cannot be modified using TypoScript, basically since the existing syntax does not cover all necessary scenarios.

Resolves: #94375
Related: #83027
Related: #94484
Releases: master, 11.3, 10.4, 9.5
Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0
Security-Bulletin: TYPO3-CORE-SA-2021-013
Security-References: CVE-2021-32768
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70342
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Functionality of the package t3g/svg-sanitizer has been integrated into the TYPO3 core.

Resolves: #94719
Releases: master, 11.3, 10.4, 9.5
Change-Id: I9bef46af0b76275844aa4acb2b54214f37936ecc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70339
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Addresses a work-around for issues #94565 and #94582 concerning libxml2 segmentation faults.

https://github.com/darylldoyle/svg-sanitizer/compare/0.14.0...0.14.1

Resolves: #94768
Releases: master, 11.3, 10.4, 9.5
Change-Id: I10f6386f0986f514a1387fb1153bbfc36f9c9dcc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70336
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Aug 09, 2021
-
-
Andreas Fernandez authored
Currently, the TYPO3 backend shows incomplete version information regarding updates in the Core Updater and the reports. Both take community-supported releases into account only and ignore the fact that certain versions are covered by the ELTS program, and thus render messages about unsupported or invalid versions, which are false statements.

We now use the full information from get.typo3.org and add lengthy tests to avoid any further issues. The internally used CoreVersionService is now able to handle ELTS releases as well and give proper information to admins.

Resolves: #94745
Releases: master, 10.4, 9.5
Change-Id: I6485d36ded943acba723d55e23275554484e4f82
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70311
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
-
Pierrick Caillon authored
After query filters for file storages have been used, those settings have to be reset. `StorageRepository::$storageInstances` actually applies an implicit singleton pattern to file storage objects.

Resolves: #94714
Releases: master, 11.3, 10.4, 9.5
Change-Id: I353b782f8e98c55df6f9cb2e14a0745d83bfdc70
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70297
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- Aug 08, 2021
-
-
Christian Kuhn authored
Honor -x option for acceptance tests: Both 'Tester' and 'System under test' allow break points with -s acceptance and -s install.

Resolves: #93734
Releases: master, 10.4, 9.5
Change-Id: Ia3f5a518089be675e33ddc673ebd4c99b2dbfaf6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70174
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- Aug 06, 2021
-
-
Christian Kuhn authored
A couple of minor testing-framework patches are worth pulling into core v9.

composer req --dev typo3/testing-framework:^4.15.5
composer req --dev typo3/testing-framework:^4.15.5 -d typo3/sysext/core/ --no-update

Change-Id: I1a4de0ac8b93bd2373db28180ea5642785af54c4
Resolves: #94732
Releases: 9.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70274
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- Aug 02, 2021
-
-
Larry Garfield authored
Resolves: #94189
Releases: master, 10.4, 9.5
Change-Id: Idd70dda6b26c4e6462b351d61ac03e76b7fd9533
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70172
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: crell <larry@garfieldtech.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- Jul 29, 2021
-
-
Simon Gilli authored
For convenience when creating files with code snippets, the indent of .rst is changed to 4 spaces. This works for all cases, also for lists where normally 3 spaces are used.

Resolves: #94669
Releases: master, 10.4, 9.5
Change-Id: If1ed5927a1e5e17e56edf0696eb4c528599b788c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70160
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
Lina Wolf authored
Fixes layout problems: malformed lists, malformed headlines, non-working links to documentation or other changelogs. The directives `:ts:` and `.. code-block:: ts` are only used for TypeScript; they are exchanged for `:typoscript:` in TypoScript examples.

Resolves: #94534
Releases: master, 10.4, 9.5
Change-Id: I61e3c5910d6a5bc97f1ec887ce5b2c1e6d59a2db
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70158
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
Christian Kuhn authored
The nifty ruleset for handling core changelog files described at https://docs.typo3.org/c/typo3/cms-core/10.4/en-us/Changelog/Howto.html sometimes gets violated by one patch or the other. This happens, so we occasionally synchronize Changelog files between versions.

Resolves: #94668
Releases: master, 10.4, 9.5
Change-Id: Ia02af5909687a6f200257b791fee098ced7f32b5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70156
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- Jul 27, 2021
-
-
Oliver Bartsch authored
#94612 introduced the realpath command for retrieving the "CORE_ROOT" path. This however leads to execution failures on MacOS systems on which this command was not installed manually (as it is not installed by default).

To prevent the script from failing on default MacOS systems, a check for the existence of the realpath command is added. If it is not installed, the previous behaviour is used while displaying a short informational message.

Resolves: #94635
Related: #94612
Releases: master, 10.4, 9.5
Change-Id: I30792f1e5492b57adf7ff28a7fa2c415ac2e094c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70133
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
-
- Jul 26, 2021
-
-
Benni Mack authored
The GitHub main repository has been renamed from "TYPO3/TYPO3.CMS" to "typo3/typo3". The new URL is

https://github.com/typo3/typo3

This change reflects all places in TYPO3 Core to adapt to this renaming.

Resolves: #94639
Releases: master, 10.4, 9.5
Change-Id: Ia5c3136a48b8b4580283277da4b7b11768c32132
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70075
Tested-by: core-ci <typo3@b13.com>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Benni Mack <benni@typo3.org>
-
- Jul 22, 2021
-
-
Jochen Roth authored
docker-compose.yml is now working with v2.0.0beta. Restored old behavior to retrieve the actual CORE_ROOT path using "realpath", which also works on MacOS.

Resolves: #94612
Releases: master, 10.4, 9.5
Change-Id: I62ab40870e285b3533a259105dac241e3c4a6af2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70053
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- Jul 20, 2021
-
-
Oliver Hader authored
Change-Id: I06e6dfb94b03924457e918dd8ae8e767259370ea
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69996
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: I5fa0c57b0498f4335546f1a7462ad41ae51f210c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69995
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Benni Mack authored
When having the debug logging activated for the authentication process, sensitive data is not being logged anymore. This change
* removes the password from being logged
* hashes the cookie value processed for logging

Resolves: #93925
Releases: master, 11.3, 10.4, 9.5
Change-Id: I8c610a72014de571ef52b4430c43f8d149b273d9
Security-Bulletin: CORE-SA-2021-012
Security-References: CVE-2021-32767
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69982
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Bartsch authored
The column names defined in backend layouts were not properly encoded at some places and therefore led to an XSS vulnerability. The issue is addressed by properly encoding user input.

Resolves: #93683
Releases: master, 11.3, 10.4, 9.5, 8.7
Change-Id: I787cee9f56a30aeaf69294412c8d5198a144e31c
Security-Bulletin: CORE-SA-2021-011
Security-References: CVE-2021-32669
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69981
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Properly encodes error messages to be used in HTML output in the Query View component.

Resolves: #93868
Releases: master, 11.3, 10.4, 9.5
Change-Id: I05812ac7c1cded39edbf10d50bb4dc0fd8faf577
Security-Bulletin: CORE-SA-2021-010
Security-References: CVE-2021-32668
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69980
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Bartsch authored
The `viewpage` module contains a preset selection, where users can select different browser viewports. Since the corresponding preset labels, configurable via TSconfig, had not been encoded properly, it was vulnerable to XSS. The issue is addressed by properly encoding the labels.

Resolves: #93702
Releases: master, 11.3, 10.4, 9.5
Change-Id: Ia22c5ab4332816614dd07a93d7e739d9fc1d8bac
Security-Bulletin: CORE-SA-2021-009
Security-References: CVE-2021-32667
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69979
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
* uses stream filter to enclose multi-line content
* adds three choosable strategies dealing with control literals
  + TYPE_REMOVE_CONTROLS - removes control literals (default)
  + TYPE_PREFIX_CONTROLS - prefixes control literal sequence with `'`
  + TYPE_PASSTHROUGH - nothing, passthrough data

The default strategy is `TYPE_REMOVE_CONTROLS` when invoking `\TYPO3\CMS\Core\Utility\CsvUtility::csvValues`.

Resolves: #94271
Releases: master, 11.3, 10.4, 9.5
Change-Id: I2568a0c2dfa6d4636e211e97d66a513984532cc9
Security-Bulletin: TYPO3-PSA-2021-002
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69971
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
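The three strategies named in the commit above, as an added stand-alone PHP illustration that is not TYPO3's own `CsvUtility` code: each value is enclosed in quotes and a leading control literal is removed, prefixed with `'`, or passed through. The numeric constant values, the helper names, the set of control literals and the sample row are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3's CsvUtility. Strategy names follow the commit
// message; the numeric values, the helper names and the control-literal set
// are assumptions made for this illustration.
const TYPE_PASSTHROUGH = 0;
const TYPE_REMOVE_CONTROLS = 1;
const TYPE_PREFIX_CONTROLS = 2;

// Leading characters that spreadsheet applications interpret as the start of
// a formula or command (assumed set for this example).
const CONTROL_LITERALS = ['=', '+', '-', '@', "\t", "\r"];

function startsWithControl(string $value): bool
{
    return $value !== '' && in_array($value[0], CONTROL_LITERALS, true);
}

function csvValue(string $value, int $type): string
{
    if ($type === TYPE_REMOVE_CONTROLS) {
        // Strip every leading control literal, so "=+=cmd" becomes "cmd".
        while (startsWithControl($value)) {
            $value = substr($value, 1);
        }
    } elseif ($type === TYPE_PREFIX_CONTROLS && startsWithControl($value)) {
        // A leading apostrophe makes spreadsheets treat the cell as text.
        $value = "'" . $value;
    }
    // Always enclose the value and double embedded quotes; multi-line
    // content therefore stays inside one CSV field.
    return '"' . str_replace('"', '""', $value) . '"';
}

function csvValues(array $row, int $type = TYPE_REMOVE_CONTROLS, string $delimiter = ','): string
{
    return implode($delimiter, array_map(fn(string $v): string => csvValue($v, $type), $row));
}

// Constructed sample row: a name, a negative number, a multi-line note and a
// cell a spreadsheet would evaluate as a formula when opened unprotected.
$row = ['Alice', '-42', "line one\nline two", '=HYPERLINK("https://example.invalid";"click")'];

$labels = [TYPE_REMOVE_CONTROLS => 'remove', TYPE_PREFIX_CONTROLS => 'prefix', TYPE_PASSTHROUGH => 'passthrough'];
foreach ($labels as $type => $label) {
    echo $label, ': ', csvValues($row, $type), PHP_EOL;
}
// Trade-off worth knowing: TYPE_REMOVE_CONTROLS also turns "-42" into "42",
// whereas TYPE_PREFIX_CONTROLS keeps it as "'-42" (text, not a number).
```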
-