- Sep 06, 2013
-
-
Helmut Hummel authored
In install tool context TYPO3_MODE is set to BE but there is no backend user initialized. Because of that the storage permission aspect fails as it requires a valid backend user object. Do not register the slot when in install tool context. Releases: 6.0, 6.1, 6.2 Resolves: #51733 Change-Id: I2da95ccd357b730b97bcf99bef21b18c04469274 Reviewed-on: https://review.typo3.org/23621 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
- Sep 05, 2013
-
-
Simon Schick authored
When you opened the filelist module as a user who just was allowed to see a bunch of filemounts, the filemounts had either all or none the expand-icon, based on the first file-mount of this storage the user has access to. Resolves: #48467 Releases: 6.2, 6.1, 6.0 Change-Id: I1e6a29e351a643f52c0f7a42fde38c9d9b2fc5cb Reviewed-on: https://review.typo3.org/20981 Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
- Sep 04, 2013
-
-
Steffen Ritter authored
Manually accessing backend entry-points regarding files passing an identifier with storage 0 may allow unfiltered access for read, write, rename, create and delete actions. The user interface must never deal with storage 0. Therefore implement checks for storage 0 as protection. Change-Id: Ia387dfac3057760800171163ff91cd9f55cab4b5 Releases: 6.2, 6.1, 6.0 Fixes: #50886 Security-Commit: b813a875ad76aa7860b76602eb1f32dcfc9fadcd Security-Bulletin: TYPO3-CORE-SA-2013-003 Reviewed-on: https://review.typo3.org/23608 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Steffen Ritter authored
The Driver needs to canonicalize all incoming identifiers at first, and then check for their validity on every action performed. If a canonicalized path resides inside a storage it does not contain any ../ anymore. An exception is thrown in that case. Change-Id: I6114be2a517bb44753f92bea1b3b7dfdd42a2f1f Releases: 6.2, 6.1, 6.0 Fixes: #50883 Security-Bulletin: TYPO3-CORE-SA-2013-003 Reviewed-on: https://review.typo3.org/23607 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
Because the filename is sanitized in the driver after the check for denied file extensions is performed, it was still possible to rename files with denied file extensions. We now perform the file extension check on the final filename which is going to be used by the driver. This change makes the sanitizing method public and introduces a basic implementation in AbstractDriver to not break existing driver implementations. Fixes: #51495 Releases: 6.2, 6.1, 6.0 Change-Id: I2c055b7b070a5e13c2172d1f20fdcd83ee597e08 Security-Commit: de60d4ef37fc582e6349d5fa8ed13ec30d4892ff Security-Bulletin: TYPO3-CORE-SA-2013-003 Reviewed-on: https://review.typo3.org/23598 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
* User permissions are only applied to storage objects that are attached to a member variable of BackendUserAuthentication. This is error prone and leads to insufficient (no) checks if the code fetches a storage directly from the factory (like edit document controller does). Instead, apply the permissions by using a signal in StorageFactory directly after the storage object is built.
* Refactor the mount point handling, especially the user and group home directories, which was completely broken after the introduction of FAL. File mounts are now also applied to the storage on creation.
* Make fallback storage 0 read only and not browsable.
Fixes: #51327 Releases: 6.2, 6.1, 6.0 Change-Id: If1fa18486cf051a7f4489e36691d42786386df63 Security-Commit: 936dbaf5d16acd36b668dcf033eb343fc5e2f7bf Security-Bulletin: TYPO3-CORE-SA-2013-003 Reviewed-on: https://review.typo3.org/23597 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
For admins and for front end requests, we must be able to deactivate permission checks completely, while it must be possible to restrict backend users to not have any file permissions, thus not be able to see/change any file. Fixes: #51326 Releases: 6.2, 6.1, 6.0 Change-Id: I0b2ba16562d412e4a3bb523a54f7de317ea25c25 Security-Commit: eceac26733d6dff1826b149494532fb321274611 Security-Bulletin: TYPO3-CORE-SA-2013-003 Reviewed-on: https://review.typo3.org/23596 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Steffen Ritter authored
The ResourceStorage omits checks for the configured user and group permissions within the actions on that Storage. This patch refines some naming within the security methods as well as adding security checks to every method. PHP file extensions are now also removed from the text file extension list. Releases: 6.2, 6.1, 6.0 Fixes: #51079 Change-Id: I95a6d89da7eb2b6ea52afea1c49b1df8acb00707 Security-Commit: f5d926ec7a99098ad42117cf2e0b3b67dae057a4 Security-Bulletin: TYPO3-CORE-SA-2013-003 Reviewed-on: https://review.typo3.org/23595 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- Sep 02, 2013
-
-
Claus Due authored
This change adds a CommandController for EXT:extensionmanager; this new CommandController contains two actions (install, uninstall) which are then handled by the Utility which contains the actual logic. Usage example: ./typo3/cli_dispatch.phpsh extbase extension:install [key] Resolves: #51629 Releases: 6.2 Change-Id: I3561a427f4eff4c5041326f706ed8c77bbbbe9be Reviewed-on: https://review.typo3.org/23535 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Jigal van Hemert authored
The four variations of the Share font contain now over 550 glyphs. The bold-italic variation is also added to complete the font family. Change-Id: I04578cc7da74319662428e688e8152403dfc04b1 Resolves: #49996 Releases: 6.2 Reviewed-on: https://review.typo3.org/23482 Reviewed-by: Ernesto Baschny Tested-by: Ernesto Baschny Reviewed-by: Jigal van Hemert Tested-by: Jigal van Hemert
-
- Sep 01, 2013
-
-
eric.chavaillaz authored
Add a checkbox to directly hide pages in the crpages wizard of the "functions" module. Resolves: #51017 Releases: 6.2 Change-Id: Iff6abfe862bd0a0f0e2e8ff3064c4a4f6ea001d9 Reviewed-on: https://review.typo3.org/23531 Reviewed-by: Tomita Militaru Tested-by: Tomita Militaru Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Francois Suter authored
Since the 6.0 Extension Manager, the "excludeFromUpdates" state is ignored. It should be checked for and the update button in the list view hidden in such a case. Resolves: #51018 Releases: 6.0, 6.1, 6.2 Change-Id: I734331d1b85728dc86732f66ad495a9f83cd0aca Reviewed-on: https://review.typo3.org/23098 Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
Tomita Militaru authored
Check also for null port to avoid a fatal error. Resolves: #31998 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: Ibf45b3c0783a70e5afba33f90d1d8e05f76834cf Reviewed-on: https://review.typo3.org/23504 Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
- Aug 31, 2013
-
-
Roland Schenke authored
Under Firefox the outer table's height and width of the backend layout wizard is set to 100%. Since there is content before the table, this leads to the table being cut off, as there are no scrollbars. According to the suggestion of Philipp Gampe the table's height and width are changed to 90%. Resolves: #50424 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: I589fdfd8de0a8d6ebb4b3ee4fd2a173341116016 Reviewed-on: https://review.typo3.org/23483 Reviewed-by: Kay Strobach Tested-by: Kay Strobach Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe
-
Wouter Wolters authored
Remove old class files in ext:rsaauth Change-Id: I2bb437295adcccf5475e8c0f65b5bcd9cea17415 Resolves: #51596 Releases: 6.2 Reviewed-on: https://review.typo3.org/23501 Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe
-
Wouter Wolters authored
Remove old class files in ext:taskcenter Change-Id: Ia998f65eb9c4b4e9b0abe1d5d63b145f36335434 Resolves: #51594 Releases: 6.2 Reviewed-on: https://review.typo3.org/23499 Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Wouter Wolters authored
Remove old class files in ext:sys_action Change-Id: I89941f8ace57e1b5470cc3038ffcc583a84eb1b4 Resolves: #51595 Releases: 6.2 Reviewed-on: https://review.typo3.org/23500 Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Wouter Wolters authored
Remove old class files in ext:perm Change-Id: I8dc580ce07a3489a27ed92f427b504e9959af2ba Resolves: #51597 Releases: 6.2 Reviewed-on: https://review.typo3.org/23502 Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Wouter Wolters authored
Remove old class files in ext:extensionmanager Change-Id: I2c5589b0feb37b8608eae6241e0f6c35d61e9a38 Resolves: #51599 Releases: 6.2 Reviewed-on: https://review.typo3.org/23503 Reviewed-by: Oliver Klee Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Wouter Wolters authored
* Remove old class files
* Move image and language files to ExtBase structure
* Delete unused CSS file
Change-Id: Icbf13d62397f0f5a1eb2bcccd76e9b81541d27b1 Resolves: #51593 Releases: 6.2 Reviewed-on: https://review.typo3.org/23481 Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
- Aug 30, 2013
-
-
Christian Kuhn authored
A global variable is reset to not call a sub section of the method under test that may trigger errors. Change-Id: If486523f231c7463804ac03a663834a820cdd3f1 Releases: 6.2 Resolves: #51581 Reviewed-on: https://review.typo3.org/23487 Reviewed-by: Sascha Egerer Tested-by: Sascha Egerer Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Ernesto Baschny authored
Despite getting rid of this warning, extending the lifetime of this file gets more robust by a second method, which is recreating it (which should be possible even if the file is not owned by the PHP process). Resolves: #51542 Releases: 6.2 Change-Id: Icb7805ee1f6a08654c3f11eb317a2ad3cadbad76 Reviewed-on: https://review.typo3.org/23477 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
- Aug 29, 2013
-
-
Christian Kuhn authored
The sprite manager cache entry is created and then required directly again. This may lead to runtime issues if the file is required already before it is fully written. The patch optimizes that by setting the runtime information directly from the given data. Change-Id: I3f6250d8513dad32e266538a075abc8e3daeb68c Resolves: #51544 Releases: 6.2, 6.1, 6.0 Reviewed-on: https://review.typo3.org/23478 Reviewed-by: Sascha Egerer Tested-by: Sascha Egerer Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Susanne Moog authored
To install distributions like the introduction or government package, the extension manager needs a distribution management. The distribution management consists of a controller that shows all available distributions and additions to several actions. The controller lists the packages to be installed. After click on installing the distribution extension is downloaded, all dependencies get resolved via the existing dependency handling and the user is redirected to the configuration. Upon saving the configuration the user is redirected to a package welcome side from where he can jump directly to Web>View and Web>page. Resolves: #51537 Releases: 6.2 Change-Id: I4aeecc2d2c2d44bdc138bd502d1b2317d33325fd Reviewed-on: https://review.typo3.org/23476 Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Stefan Neufeind authored
Change-Id: I5d631cf408758e89c69b129bb414d1ee14289bdd Resolves: #51158 Releases: 6.2 Reviewed-on: https://review.typo3.org/23182 Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Patrick Broens authored
According to the HTML5 specs the header element should be used for grouping elements. Currently the header element is used if there is any content in lib.stdheader, for instance a single hx. This patch fixes this by wrapping lib.stdheader with the header element only when the date is added to the header. Otherwise it will use the default div wrapping. Change-Id: I3e1335e1b1d64962a8488b8177d72eb1126e89dd Fixes: #47575 Releases: 6.2 Reviewed-on: https://review.typo3.org/20149 Reviewed-by: Ernesto Baschny Tested-by: Ernesto Baschny Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Anja Leichsenring authored
Some tests in GeneralUtilityTest rely on a working internet connection and fail if offline. Skip those tests if not needed. Change-Id: Ia5e828cee6a834b971ad8d9c7da0598867a275f8 Resolves: #51496 Releases: 6.2 Reviewed-on: https://review.typo3.org/23445 Reviewed-by: Susanne Moog Tested-by: Susanne Moog Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Ernesto Baschny authored
The problem came from a row of icons which was always rendered below the select list with a hardcoded width of "250px", regardless if there was content or not. Solution is not to render this icon row if there are no icons, thus allowing the select list to be reduced in width. Releases: 6.2, 6.1, 6.0 Resolves: #50707 Change-Id: I23520c1c547de1155091e38c69013a18fed9e559 Reviewed-on: https://review.typo3.org/23391 Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Stefan Fürst authored
If a file or directory below uploads/ is not readable by the executing user, the integrity check system in db check module menu may fatal. This is sanitized by the patch. Resolves: #51460 Releases: 6.2, 6.1, 6.0 Change-Id: Ide3401c014aa7bec33585083f81f30c00100da09 Reviewed-on: https://review.typo3.org/23424 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Francois Suter authored
When the feature introducing categories-based page menu was introduced, a utility class was eventually forgotten. This patch restores it. Resolves #51524 Releases: 6.2 Change-Id: I447b22a80252eb8c7ede80daa11cfc7db5144479 Reviewed-on: https://review.typo3.org/23466 Reviewed-by: Francois Suter Tested-by: Francois Suter
-
Anja Leichsenring authored
In ContentObjectRenderer->getQuery() the pid where clause is built using getTreeList() to fetch recursive pids. But for the inclusion of the uppermost pid, string concatenation is used. The method getTreeList() offers the option to include the uppermost pid into the returned result by passing it as a negative value. Method getQuery() should use this opportunity instead of doing its own magic. Additionally some cleanup is done for getTreeList, optimizing the returned string, and unit tests were added. Resolves: #51067 Resolves: #51503 Releases: 6.2 Change-Id: Ie72103ca66d847cb0eb0f3ef5e33a1896d86de5b Reviewed-on: https://review.typo3.org/23092 Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Ernesto Baschny authored
Resolves: #51480 Releases: 6.2 Change-Id: Ieaff9ddaf43e339979ecb5fff48678d28b9b0e61 Reviewed-on: https://review.typo3.org/23438 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring
-
Francois Suter authored
In table sys_category the TCA for field "t3ver_label" appears twice, the first time with the expected definition, the second time with a slightly different one, never seen in the Core. Since the second definition overrides the first, it should be removed. Resolves: #51513 Releases: 6.2 Change-Id: I4d7d642dadb884199b6f2a0aa3bcc1c93993c309 Reviewed-on: https://review.typo3.org/23452 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Michel Georgy authored
If you create an empty ext_autoload.php or an empty classAliasMap.php file or fail to return an array, NULL is merged with the existing array which results in NULL for the array $classRegistry or $aliasToClassNameMapping. This patch casts the required Array (which is possibly NULL) to an Array to prevent array_merge with NULL values. Fixes: #51474 Releases: 6.2, 6.1, 6.0 Change-Id: I1887da3a942b17e441338a95cb7da49a17535907 Reviewed-on: https://review.typo3.org/23441 Reviewed-by: Kai Ole Hartwig Tested-by: Kai Ole Hartwig Reviewed-by: Christoph Dörfel Tested-by: Christoph Dörfel Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Ernesto Baschny authored
This method was supposed to be in the interface, but due to a syntax error in the closing comment tag, it was not (and was not detected as a PHP syntax error). This finally adds this method and implements it also in the class FileReference which hadn't had this method before but also implements this interface. Resolves: #51509 Releases: 6.2, 6.1, 6.0 Change-Id: I8ee1ecc155e9cfaeec7ac0ac7086f75df13f4c34 Reviewed-on: https://review.typo3.org/23453 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring
-
Nicole Cordes authored
Some parts of the install tool can throw fatal PHP errors if broken extensions are loaded. Currently the database analyzer and the upgrade wizards are affected by this. The patch implements a shutdown function that is called even if a fatal error is thrown and redirects to a special action that renders the "Check for broken extensions". Resolves: #51499 Releases: 6.2 Change-Id: Ie64781e59732fb1ef05efd6bd9da1e136241b22e Reviewed-on: https://review.typo3.org/23440 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring
-
Susanne Moog authored
As preparation for the new distribution (introduction package ...) handling, extensions should be able to provide initial file imports. These are then imported to fileadmin/<extensionname> upon installing the extension. The files have to be located in <extension>/Initialisation/Files/*. The files are imported only once (even if you reinstall the extension), execution state is saved via the core registry. Resolves: #51466 Releases: 6.2 Change-Id: Icbf63227aa8bbb9fcfb0335bfa5ae92b549a94ba Reviewed-on: https://review.typo3.org/23427 Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Francois Suter authored
Now that system categories are activated by default for pages, provide a simple way of displaying categorized pages with a new type of menu for the menu/sitemap content element. The rendering uses a new type of special HMENU called "categories", which means that it is also possible to create categories-based menus in pure TypoScript. Resolves: #51161 Documentation: #51162 Releases: 6.2 Change-Id: I137158f39607ad65dff13a604210a647cb8dda6f Reviewed-on: https://review.typo3.org/23184 Reviewed-by: Mattias Nilsson Tested-by: Mattias Nilsson Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
- Aug 28, 2013
-
-
Kai Ole Hartwig authored
As the report tool checks system environment with the use of the hook within that function, we can deprecate the function in the BackendUtility and move the hook to the appropriate extension "aboutmodules". Resolves: #51434 Releases: 6.2 Change-Id: If39a82680a8797782bcbf620d7a3e59193468a9c Reviewed-on: https://review.typo3.org/23400 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Nicole Cordes authored
The test for insecure passwords handles empty passwords as insecure and recommends to use the saltedpasswords scheduler task to convert all insecure passwords. But the scheduler task doesn't convert empty passwords, so a never ending story exists. Therefore this patch excludes empty passwords being handled as insecure. Resolves: #36244 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: I6bdd5c8807a07841850c1e4c22afe57eec28b335 Reviewed-on: https://review.typo3.org/23421 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-