Resolves: #57676
Releases: 6.2
Change-Id: I6f694a2c595756595b09aa4a8a91cb795e8a47b7
Reviewed-on: https://review.typo3.org/29192
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Oliver Klee
Reviewed-by: Pascal Dürsteler
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

When exiting a simulated BE user, you return to the backend user module
instead of the default startup page.

Resolves: #22020
Releases: 6.2
Change-Id: I8de7b6f79e6ddb9bc03f62364f3246ef13a4ddf3
Reviewed-on: https://review.typo3.org/28689
Reviewed-by: Markus Klein
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Fixing a missing preg_quote() call in ExtensionManagementUtility,
which causes a PHP warning and a failing preg_match().

Resolves: #55662
Releases: 6.2
Change-Id: Iaf1e21546741ae282016f433bf83f7e5663e3c7b
Reviewed-on: https://review.typo3.org/29145
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Pascal Dürsteler
Tested-by: Pascal Dürsteler
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

The class name is submitted in a hidden form and is susceptible to XSS.
The patch introduced htmlspecialchars to prevent XSS possibility.

Resolves: #57603
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I4979e66f28a581e168c56d91327a1bbe2672448d
Reviewed-on: https://review.typo3.org/29121
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

* Check supplied options
* Apply default-values of validator if needed
* Check for required options
* Provide options via constructor instead of via setOptions()
  (which is deprecated)
* Add tests for AbstractValidator and AbstractCompositeValidator

Resolves: #52208
Resolves: #57164
Releases: 6.2, 6.1
Change-Id: I589a30bea74144eed51948ecad3143ab145c958f
Reviewed-on: https://review.typo3.org/28938
Reviewed-by: Marc Bastian Heinrichs
Tested-by: Marc Bastian Heinrichs
Reviewed-by: Pascal Dürsteler
Tested-by: Pascal Dürsteler
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Currently public and private RSA keys are generated when rendering the
login form. This has several drawbacks.

It can lead to strange and hard to debug errors when a second request is
done in the same browser, which invalidates the key for the current
login form (#38660), opening a second login in a different tab
invalidates the key on the first tab and finally when the login form
stays open until the PHP session expires (parts of the private key are
stored in the PHP session), the key is also invalid for the form.

Solution is to create a new key pair on the fly when a user clicks the
submit button and fetch the public key via Ajax.

This change implements this for the backend login. Frontend login should
be tackled in a different patch.

Resolves: #37421
Releases: 6.2
Change-Id: I0cd9a049d892ee872436347153a0e1114b17585d
Reviewed-on: https://review.typo3.org/28893
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Currently the Page Renderer is reset when calling
the render() method, even if only one part (header
or footer) is rendered, which causes a second call
to fail, when rendering another part.
This happens e.g in DocumentTemplate.php where
the render() method is called two times. Because of
the reset, the second call starts pageRenderer with
empty properties.

Solution is to only call reset if everything is rendered.

Resolves: #57294
Releases: 6.2
Change-Id: Ib4800e37ba0760617de71f9ca1181d1664463e33
Reviewed-on: https://review.typo3.org/28770
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Inform the user, if the database SELECT query fails during the wizard.

Resolves: #57572
Releases: 6.2
Change-Id: I0908aff5d58d6d309b471c810d924f26fc1ca577
Reviewed-on: https://review.typo3.org/29093
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Steffen Müller
Tested-by: Steffen Müller

The cruser_id field is now guaranteed to be an integer.
This patch checks if a BE_USER is available and uses zero
otherwise.

Resolves: #57495
Related: #46020
Releases: 6.2
Change-Id: I8260604eb30ca32d2a5e079fa6f5b10a6d04714e
Reviewed-on: https://review.typo3.org/29028
Reviewed-by: Nicole Cordes
Reviewed-by: Jigal van Hemert
Reviewed-by: Frans Saris
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Markus Klein
Tested-by: Markus Klein

The HTML templates are missing the marker for the
introduced page.includeCSSLibs TS feature in 6.2

Resolves: #57467
Releases: 6.2
Change-Id: I83d7c7f34fc83c4c699bad7edfaa03c6684497fe
Reviewed-on: https://review.typo3.org/28997
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

The historical option "wide document" can
be safely removed, as the wide screen options
from 10 years ago are default by now.

Resolves: #57295
Releases: 6.2
Change-Id: I0e5c81046733f4ddd10cc7d084f0ef7b952c3cb0
Reviewed-on: https://review.typo3.org/28769
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Simon Schaufelberger
Tested-by: Simon Schaufelberger
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

The input field of the configuration module's search 
is never populated with the search term.

Solution: move one line some lines up to get the value.

Releases: 6.2
Resolves: #57486
Change-Id: I7ff86e3336cb473df259c3aeb7d0c918fbc48bab
Reviewed-on: https://review.typo3.org/29015
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

In GraphicalFunctions::imageMagickIdentify() the last line returned by
the executed command will be used as result.

This prevents the system from using possible error messages printed
before the actual result for further processing.

Resolves: #56574
Releases: 6.2
Change-Id: Ic179e0b68c7fa9a4f0f4b2342cb381c54fb740b9
Reviewed-on: https://review.typo3.org/28076
Reviewed-by: Xavier Perseguers
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

The extension manager often uses the extension
relative path to calculate paths to different files,
but does not take into account that this path
already has a trailing slash.

Remove excess slashes to avoid double slashes in paths.

Resolves: #57327
Related: #57312
Releases: 6.2
Change-Id: I60519d4d7075a615d0505bfc4cbb2b6ee1b0c222
Reviewed-on: https://review.typo3.org/28825
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Wouter Wolters
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Typo3DbQueryParser gets injected in Typo3DbBackend, thus
it has to be a Singleton.

Resolves: #57338
Releases: 6.2
Change-Id: I5b845ef280d23b6893d308bc9013ef965637a1ef
Reviewed-on: https://review.typo3.org/28843
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

EnvironmentService is a service and gets injected in different
classes, thus it has to be a Singleton.

Resolves: #57518
Releases: 6.2, 6.1
Change-Id: Ia8a3b8882be27c0f45569af818964036f0a9b16d
Reviewed-on: https://review.typo3.org/29042
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

We should check if directory is writable. Else fopen in acquireLock
would only fail with error after waiting time. Also we do not aspect
write permission issue here.

Resolves: #57463
Releases: 6.2
Change-Id: Ia767a2355aecf1e816d4c130b151443e50e1a311
Reviewed-on: https://review.typo3.org/28988
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

If you update from a 6.x installation there should be a backup of the
old, unmodified LocalConfiguration.php as it's getting changed during
PackageStates.php extraction. This is prevented with commit e755bcd9
as a check for the PackageStates.php file was introduced, which might
not be available at this point during upgrade.

Resolves: #57458
Releases: 6.2
Change-Id: Ic3634ab58e3e4112df5d8544cca9c42e8f1db91f
Reviewed-on: https://review.typo3.org/28980
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Although there is code in the package manager tests
to mock a PackageStates.php file, it does not work
as the path to the file is hardcoded in the initialize
action.

Move the code for setting the path and creating
the package factory to the constructor
and move the mocking of the path before initializing
in the test.

Resolves: #57490
Releases: 6.2
Change-Id: I2ca29016de288017ec73ff36d0dbed1e2be0e67d
Reviewed-on: https://review.typo3.org/29021
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Thomas Maroschik
Reviewed-by: Stefan Neufeind
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

TYPO3 uses a list of "known" languages defined in
TYPO3\CMS\Core\Localization\Locales.

This list can be extended by the user, but these changes
are not taken into account when using
$GLOBALS['TSFE']->sL() to fetch the translation.

Make TypoScriptFrontendController call the needed method
"initialize()" to make it work.

Resolves: #53973
Releases: 6.2, 6.1
Change-Id: I9fc80ba976bf796f272591ac741d8bf4e92cbeb3
Reviewed-on: https://review.typo3.org/25685
Reviewed-by: Wouter Wolters
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

Due to centralized standard styles for standard elements no
further special CSS definition is necessary.

Also removes an excessive closing bracket in CSS.

Resolves: #57451
Releases: 6.2
Change-Id: I54d1bacce4774a7cc6924870985cb747cc3b5a89
Reviewed-on: https://review.typo3.org/28972
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

The page module's notification on sysfolders to switch to list view
got an extra line which can be removed.

Resolves: #57449
Releases: 6.2
Change-Id: I3c646b1f4a258924ca46652eae7c3f60391f52ac
Reviewed-on: https://review.typo3.org/28968
Reviewed-by: Felix Kopp
Tested-by: Felix Kopp
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

2 possible information snippets can be outputted using
config.debug = 1 in TypoScript or [FE][debug]=1 in Install Tool.

- Parsetime
- Cached page generated time + expire date

TypoScript should override the general setting of the Install Tool
to make it possible to turn debugging of for specific PAGE objects.

This is especially needed if using e.g JSON output is invalid
having this information.

The change uses the same check as in index_ts where it works perfectly
fine.

Change-Id: I1520896476d97286627ab7f3b232b733dd3c50f7
Resolves: #57365
Releases: 6.2
Reviewed-on: https://review.typo3.org/28909
Reviewed-by: Helmut Hummel
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Due to some mystical IE8 behavior the global TYPO3 object gets reset
if any "var" occurs in Javascript. It is not necessary if its called or
not but it seems IE8 creates a new object. This patch adds the global
initialization of the TYPO3 object by using window[] syntax.

Resolves: #56988
Releases: 6.2
Change-Id: I5ce246790d1e3a1e388f106d085c96dae4e4304e
Reviewed-on: https://review.typo3.org/28929
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Releases: 6.2
Change-Id: I360c4ce290735ea76fe48e003a47e867bf5cf85b
Reviewed-on: https://review.typo3.org/28952
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

On update process the extension which should be updated gets
uninstalled. This doesn't work if the extension is needed by other ones.
This patch removes the unload process before the update to make sure
system is working in the mean time.

Resolves: #57264
Releases: 6.2
Change-Id: I6f54cf8ba977e9c8038790ea3857ba6fff61a5f9
Reviewed-on: https://review.typo3.org/28883
Reviewed-by: Cedric Ziel
Tested-by: Cedric Ziel
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Due to a missing space in front of the FROM part, the SQL statement
currently errors and the meta data for files can't be split up.

Resolves: #57420
Releases: 6.2
Change-Id: I58aa0e20621e3e0d44028774452267dc0746a148
Reviewed-on: https://review.typo3.org/28944
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert

When using image compression with CSS styled content
all existing data in the $imgConf array is emptied.
If using a sys_file_reference, the file object
for resolving the file data does not consider
the option "treatIdAsReference" anymore as
it is unset as well.

How to reproduce: Add a file and select any image compression.
The wrong image is rendered, as the file UID is used
not the file reference UID.

If you have a sys_file UID 23, and a sys_file_reference ID 45
then the sys_file 45 is displayed instead of sys_file 23.

Releases: 6.2, 6.1
Resolves: #57346
Change-Id: Id503510b82df7bb4be9d236a1640322c92ffa5ec
Reviewed-on: https://review.typo3.org/28856
Reviewed-by: Tom Ruether
Tested-by: Tom Ruether
Reviewed-by: Wouter Wolters
Reviewed-by: Marc Bastian Heinrichs
Reviewed-by: Frans Saris
Tested-by: Frans Saris

Prioritise default salting hashing method when determining
the salting hashing method of a given salted hash.

Fixes rare cases when the method "isValidSaltedPW()" returns TRUE
for similar salting implementations.

Resolves: #54833
Releases: 6.2
Change-Id: I58eb214f171de9f285a7818edebd925eb8164888
Reviewed-on: https://review.typo3.org/26692
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Jigal van Hemert
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Because identifiers in css are using escaped entries, we
have to do another escaping for the javascript selectors.

Resolves: #56874
Releases: 6.2
Change-Id: Ie470def83409904963e8b6e89635a6734bc4088c
Reviewed-on: https://review.typo3.org/28522
Reviewed-by: Pascal Dürsteler
Tested-by: Pascal Dürsteler
Reviewed-by: Markus Klein
Tested-by: Markus Klein

In install tool there is migration script that copy part of sys_file
into sys_file_metadata. For long data sets (tested with 20.000 sys_file)
this update scripts returns FAIL.

Inserting using
https://dev.mysql.com/doc/refman/5.1/de/insert-select.html
overcomes all problems.

Resolves: #57103
Releases: 6.2
Change-Id: I1d2b97565f52bdd168f50651f285023f153fb3be
Reviewed-on: https://review.typo3.org/28580
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert
Reviewed-by: Markus Klein
Tested-by: Markus Klein

The RteFileLinksUpdateWizard, RteMagicImagesUpdateWizard
and TceformsUpdateWizard convert there error messages to
FlashMessages. But as the messages are now always wrapped in a
flashmessage tag in the template this isn't needed anymore.

Resolves: #57285
Releases: 6.2
Change-Id: Iada05effdc523d24726ec54c2ad017175be4451f
Reviewed-on: https://review.typo3.org/28760
Reviewed-by: Philipp Gampe
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Markus Klein
Tested-by: Markus Klein

This patch enables frontend editing even if the adminPanel is closed
(minimized). Before adminPanel AND editing tab have to be opened which
isn't really user-friendly.

Resolves: #55896
Releases: 6.2
Change-Id: I892fe72380c3ede326f3da708dd5d495667eb09e
Reviewed-on: https://review.typo3.org/27557
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Pascal Dürsteler
Tested-by: Pascal Dürsteler
Reviewed-by: Xavier Perseguers
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes

If you try to edit a MM field associated to a table which doesn't use
versioning (t3ver_* fields are missing) you get a database error.
This patch adds a check if versioning for the table is enabled.

Resolves: #57291
Releases: 6.2
Change-Id: I3fc5dfeb77ce9a67a6e4494a3b2247c3007d0d25
Reviewed-on: https://review.typo3.org/28783
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

The path calculation of the source path contains
double slashes, which is an invalid path for
the isAllowedAbsPath check, thus no files
are copied.

Resolves: #57312
Releases: 6.2
Change-Id: I1840cfe580efbdbeedd94c8a7e5469b94e70fa30
Reviewed-on: https://review.typo3.org/28802
Reviewed-by: Wouter Wolters
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Francois Suter
Tested-by: Francois Suter
Reviewed-by: Benjamin Mack
Tested-by: Benjamin Mack

With activated DBAL, dispatching the scheduler from cli
currently fails. The SqlParser can't handle brackets
in an ON-clause, so remove them in the query.

Resolves: #57246
Releases: 6.2
Change-Id: I2efa92392d22c854dae925da9a2396ef08bae198
Reviewed-on: https://review.typo3.org/28805
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert

Change-Id: Ic5b68b4261667d52e2b7d974b0e8515fa18bb1ce
Reviewed-on: https://review.typo3.org/28788
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team

Change-Id: Id1a38d8e337a3cdddeb3789b605f4314f8ef4726
Reviewed-on: https://review.typo3.org/28787
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team

Releases: 6.2
Change-Id: If014e492906f8efd1b32fb9f3bbdac0c8392a706
Reviewed-on: https://review.typo3.org/28784
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

Instead of using TYPO3-internal functions
for creating directories and moving files,
default PHP functions are used. This creates
problems with permissions e.g. when
installing the introduction package.

Releases: 6.2
Resolves: #57298
Change-Id: Ifa5e92fd245db033dacbc3bcd15d487bd7af2101
Reviewed-on: https://review.typo3.org/28772
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny