Sanitize user-input colPos in new content element wizard.

Change-Id: Ifa90ea1ede3b6c2a5436c505993c533803306d01
Fixes: #48695
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: bad0160450fb5786e1cb1e393c76c3da38c2ffe7
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30305
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

Change-Id: I2b5214e666d1c9edc5354dd3983401038e9aaf66
Fixes: #54109
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: e17bc3297e95f6ffd5d1df682235bfaac7a5ad53
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30304
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

Change-Id: I096d26b3eee20493b146633bda11529890be59dc
Fixes: #57576
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: b49bd72b12f709e1c3dffd4f471d138ad1dcceb5
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30303
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

The url for the Open in New Window button must be quoted for
use in JavaScript to prevent XSS issues.

Change-Id: I3e55f31c3c857989d71a5ef1a0368b96aa5e2c31
Fixes: #48693
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 4d9cd3e6f589c77b5a366497a33f7eb2099dc749
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30302
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

Fix the AbstractUserAuthentication class to properly invalidate
the current session if it timed out.

Change-Id: Id50ee1abd197674fa9379b52b46b63ecf770c964
Fixes: #57673
Releases: 6.2
Security-Commit: 38e24be1ff26fa181f16b91c57a0fcbe4da5065a
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30301
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

The file charts.swf is vulnerable to XSS, is delivered
by ExtJS but not used in TYPO3 CMS at all.

Since the vendor of ExtJS did not fix this vulnerability,
we decided to remove it from TYPO3 sources.

Change-Id: Ib30cac84983f5a30956d0a09af933b0fbca1d6ff
Fixes: #54526
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 2402b6cfa3ab2a054ef3e28f3d8de8f7dfee17ec
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30300
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

The remove format function with msword selected removes too much
content when there is more than one style block in content.

Note: Thanks to Volker Burggräf

Resolves: #58310
Releases: 6.2, 6.1, 4.5
Change-Id: Ia29767239d92fde20ceee97ece47786d3fd3a9a5
Reviewed-on: https://review.typo3.org/30223
Reviewed-by: Stanislas Rolland
Tested-by: Stanislas Rolland

The experimental extbase plugin of indexed_search is not
translatable on Pootle because it is still using locallang.xml
instead of a XLIFF translation file.

Change-Id: Ia3a45573737f8be0f802bfdbf5bd4f36add66b07
Resolves: #58796
Releases: 6.2, 6.1
Reviewed-on: https://review.typo3.org/30103
Reviewed-by: Dmitry Dulepov
Tested-by: Dmitry Dulepov
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers

As a result of a missing check if $row['t3ver_state'] exists,
an exception is thrown when IconUtility::getIcon() is called
with only the required params set.

This patch adds the missing check.

Resolves: #58846
Releases: 6.2
Change-Id: I70da9ee79a5c0ee1ad4fe8892e8ed28f904a11da
Reviewed-on: https://review.typo3.org/30152
Reviewed-by: Fabien Udriot
Tested-by: Fabien Udriot
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Some DataHandler functional test cases are duplicated or are not
required anymore. Here's a list of what has changed and moved
into some existing testing structure:

Core:
* DataHandlerTest::canCreateTtContent
** Regular\Modify\ActionTest::createContents
* DataHandlerTest::canLocalizeTtContent
** Regular\Modify\ActionTest::localizeContent
* DataHandlerTest::canCopyPasteTtContent
** Regular\Modify\ActionTest::copyPasteContent
* DataHandlerTest::canCutPasteTtContent
** Regular\Modify\ActionTest::movePasteContentToDifferentPage
* IRRE\MtoNMMAsymetricLocalizationKeepTest::*
** IRRE\CSV\Modify\ActionTest::localizeParentContent*
** IRRE\ForeignField\Modify\ActionTest::localizeParentContent*
* IRRE\MtoNMMAsymetricLocalizationSelectTest::*
** IRRE\CSV\Modify\ActionTest::localizeParentContent*
** IRRE\ForeignField\Modify\ActionTest::localizeParentContent*

Workspaces:
* IRRE\MToNMMTest::*
** ManyToMany\Modify\ActionTest::*
** ManyToMany\Publish\ActionTest::*
** ManyToMany\PublishAll\ActionTest::*
* IRRE\OneToNCSVTest::*
** IRRE\CSV\Modify\ActionTest::*
** IRRE\CSV\Publish\ActionTest::*
** IRRE\CSV\PublishAll\ActionTest::*
* IRRE\OneToNForeignFieldTest::*
** IRRE\ForeignField\Modify\ActionTest::*
** IRRE\ForeignField\Publish\ActionTest::*
** IRRE\ForeignField\PublishAll\ActionTest::*

Resolves: #58870
Releases: 6.2
Change-Id: I0c75fcf826d05f8515a5609cb00c153992ba7b44
Reviewed-on: https://review.typo3.org/30177
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Extend CSV and ForeignField test with
* copyParentContentToDifferentPage
* modifyHotelChild

Resolves: #58854
Releases: 6.2
Change-Id: Iba332ccee1728bf1e28ff5719029b6ab73a30c53
Reviewed-on: https://review.typo3.org/30176
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Resolves: #58868
Releases: 6.2
Change-Id: I0f5aeb1d211e542cb323fba11b07a0b8be7d3ed0
Reviewed-on: https://review.typo3.org/30175
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Resolves: #58842
Releases: 6.2, 6.1
Change-Id: Ibaf87d32778349d5a87009bcd2b365447e6488fa
Reviewed-on: https://review.typo3.org/30150
Reviewed-by: Johannes Kasberger
Tested-by: Johannes Kasberger
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The [BE][installToolPassword] contains a suggestion to additionally
protect the Install Tool by protecting its folder by some server means.
The path specified is the legacy path /typo3/install/ which is only
a redirect to typo3/sysext/install/Start/, so the protection should
be on that folder.

Resolves: #58720
Releases: 6.2
Change-Id: I593b54878d0be7bd0307a6a5625173e6bbc58fa0
Reviewed-on: https://review.typo3.org/30027
Reviewed-by: Christian Ludwig
Tested-by: Christian Ludwig
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Having an empty image list or a list of images with empty values
will not restore the loaded registers.
So we must restore the registers before any return.

Additionally, the $conf array does not need to contain any
values when calling RESTORE_REGISTER, since it won't handle
parameters anyway, so parameters would just waste memory.

Resolves: #56796
Releases: 6.2
Change-Id: I3e81c614b5c37a14da4b97e18a310e202ae7b766
Reviewed-on: https://review.typo3.org/28280
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Jo Hasenau
Tested-by: Jo Hasenau
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The function exec_SELECTgetSingleRow could also return
FALSE in addition to NULL, so add a additional check.

Resolves: #58688
Resolves: #57348
Releases: 6.2
Change-Id: Ic04071f67f02cce12b11c34d46c084bc28ccc83a
Reviewed-on: https://review.typo3.org/29993
Reviewed-by: Marc Bastian Heinrichs
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

DataPreprocessor is taking care of preparing data for the form
view processed in the FormEngine. However, MM relations are not
correctly resolved in a workspace context.

The method DataPreprocessor::getDataIdList() is used for a mixed
kind of relations there, without properly applying the differences
for MM records. The rule is, to always use the live default id,
except for MM relations - use the specific workspace value.

Resolves: #58735
Releases: 6.2
Change-Id: I256969adb46bfea80681160e2901387a8c7c9a7d
Reviewed-on: https://review.typo3.org/30037
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer
Reviewed-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Fix the double htmlspecialchars call by removing the one
in the controller. Fluid does it anyway.

Resolves: #58719
Releases: 6.2
Change-Id: I1a62c41b94150494e429cec913eb43e1ec3f7ca8
Reviewed-on: https://review.typo3.org/30026
Reviewed-by: Mathias Brodala
Tested-by: Mathias Brodala
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
Reviewed-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

If first hit after clearing cache was not in BE context
some icons are not part of the sprite css.

This patch makes sure that these icons are registered
in every context.

Releases: 6.2
Resolves: #58758
Change-Id: I4c44c0f241f096c15e8257975b665ec89b60d2e4
Reviewed-on: https://review.typo3.org/30046
Reviewed-by: Fabien Udriot
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

As a result of the TCA caching changes the order of
the manipulations done in the sys_file_metadata TCA
have changed. As a result the categories tab disappears
when you install ext:filemetadata.

This patch ads an extra check in the TCA override and
adds the categories tab when sys_file_metadata is categorized.

Resolves: #58620
Releases: 6.2
Change-Id: I75c7d7ccf40d5a2cc200c7d0a4e69f674024f628
Reviewed-on: https://review.typo3.org/29945
Reviewed-by: Jan Kiesewetter
Tested-by: Jan Kiesewetter
Reviewed-by: Oliver Hader
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

This patch takes care about removing extracted extension folders if an
installation fails. For new extensions the folder is simply removed, for
already existing ones a backup in typo3temp is done before the
installation process and restored if anything fails.

Resolves: #57606
Releases: 6.2
Change-Id: If6f251ebc5950aecfcdb97d722146d95cb7cfa74
Reviewed-on: https://review.typo3.org/29123
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Resolves: #58731
Releases: 6.2
Change-Id: Ic3c5417d19b165009ae500a19b565569e2d8b2b2
Reviewed-on: https://review.typo3.org/30028
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Do not forget to "composer update" test instances!

Updating from phpunit 3.7 to 4.1 is smooth, except two details:

* The mock framework dropped staticExpects, two test cases must
  be refactored to circumvent this.

* The mocker now tries to resolve method argument type hints, so
  those classes must exist and autoloaded, some FLOW dependencies
  are affected here.

Change-Id: Ie74bdad000182dde808d3771fa6eec4764a133da
Resolves: #58676
Releases: 6.2
Reviewed-on: https://review.typo3.org/29584
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Tymoteusz Motylewski
Tested-by: Tymoteusz Motylewski
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Do not cache the enable fields part of queries. This part
needs to be added on each query dynamically to reflect the
current context. (Time restrictions, User restrictions)

Resolves: #58369
Releases: 6.2
Change-Id: I492d5983ff6a06d72cd18cf9a08a0d62d304ac2b
Reviewed-on: https://review.typo3.org/29932
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Marcin Sągol
Reviewed-by: Jan Kiesewetter
Tested-by: Jan Kiesewetter
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

When editing a file mount in the backend, we need to check if
the storage backend actually exists.

Change-Id: I76e677f9b44eea7694005a4939eb9489dc4f71de
Fixes: #57986
Releases: 6.2
Reviewed-on: https://review.typo3.org/29634
Reviewed-by: Wouter Wolters
Reviewed-by: Frans Saris
Reviewed-by: Sebastian Fischer
Tested-by: Sebastian Fischer
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers

Instead of using the file identifier, the actual file name
is used when asking if a file should be deleted.

This is important for non-local FAL storage drivers that
do not use paths as identifiers.

Change-Id: I34e42ed1716f08a4133e02bbc36ee805c6a108c7
Fixes: #58150
Releases: 6.2
Reviewed-on: https://review.typo3.org/29635
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Wouter Wolters
Reviewed-by: Stefan Neufeind
Reviewed-by: Sebastian Fischer
Reviewed-by: Marcin Sągol
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers

All public methods of LocalizationUtility are static, but two
protected methods are not. Make those static, too.

Change-Id: I267805cad3f008f24e053f69670fac0f805f7ad2
Resolves: #58600
Releases: 6.2
Reviewed-on: https://review.typo3.org/29921
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Markus Klein
Tested-by: Markus Klein

travis-ci already provides a PHP 5.6 beta build.
It currently executes unit, functional and linting successfully
and is added to the list of standard environments for now.

Change-Id: Ibde2364564afe18f602f75174b779527b55c25bc
Reviewed-on: https://review.typo3.org/29913
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Change-Id: I14eab875e340e6d779b4f224de9cc801d84559d1
Reviewed-on: https://review.typo3.org/29911
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team

Change-Id: Id59a7279b29d882221d8afa1f582c5c1ff791d33
Reviewed-on: https://review.typo3.org/29910
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team

Remove the old magic as classes are loaded properly already.

Resolves: #58567
Related: #47852
Releases: 6.2
Change-Id: Iec20bf0dbd6955950225936911eba604faf720d6
Reviewed-on: https://review.typo3.org/29898
Reviewed-by: Oliver Klee
Reviewed-by: Wouter Wolters
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Exporting a content element leads to a fatal error.
A wrong url encoding is the cause of the problem.

Resolves: #58576
Releases: 6.2
Change-Id: Ib2105aa9dc95e35eba9515cfc3d62b174919870a
Reviewed-on: https://review.typo3.org/29903
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Marc Bastian Heinrichs
Tested-by: Marc Bastian Heinrichs

Resolves: #58451
Releases: 6.2
Change-Id: I296720fd83343ea0d82b4461aaae46c4c9a14932
Reviewed-on: https://review.typo3.org/29904
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Resolves: #58582
Related: #58010
Related: #57294
Releases: 6.2
Change-Id: I89e9bea10c24944ad2efb1fb9029ec75dc2f78db
Reviewed-on: https://review.typo3.org/29579
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Also add tests to enforce this behavior.

Resolves: #58581
Releases: 6.2
Change-Id: Ife3894fe6dd5fc476bba9c9c74ae26bf310b9245
Reviewed-on: https://review.typo3.org/29582
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Simalar to UnitTests.xml, FunctionalTests.xml no longer register
single test suites but find all functional tests cases using a
wildcard.

For travis-ci, single tests cases are now given to parallel using
gnu find. This leads to a nice performance improvement on travis
since more but shorter processes are executed, sharing the available
hardware more effectively.

Change-Id: I8dc34ed2fcc1ae8390bc05dbe6f5e7009af17a36
Resolves: #58578
Related: #58533
Releases: 6.2
Reviewed-on: https://review.typo3.org/29901
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

To allow running of all functional tests, instead of
relying on travis.yml, we want to clean up broken and
abandoned tests.

So we remove the tests that fatal because they are not
meant to be used in the functional testing framework.

Resolves: #58445
Releases: 6.2
Change-Id: I8fd021a9814dec43f71200641c9ba1ebbc0e32d0
Reviewed-on: https://review.typo3.org/29848
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Jan Helke
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

The CommandLineBackend using exec "openssl genrsa" outputs its key
generation to standard error. If SAPI is cli (eg. in unit tests),
this is is shown to the user. The patch silences openssl by
redirecting stderr to /dev/null (NUL on Windows systems).

Resolves: #58530
Related: #51436
Releases: 6.2
Change-Id: I702d2d3180bc2e32e5548a4402d4eefb02dd2523
Reviewed-on: https://review.typo3.org/29877
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Stefan Neufeind
Reviewed-by: Markus Klein
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes

The var pageNotFound is set, if the called page has access
restrictions. Afterwards starts a searching for an accessible page
in the rootline upwards.

If that page is a short link which also isn't accessible we stop
instead of searching again in this new rootline. Limiting this to a
maximum of 20 iterations to prevent endless loops.

If an accessible page is found we do not reset the pageNotFound var.
The PageNotFound handler reacts on this var and redirects to the 404
page instead of presenting the accessible page we found later on.

You can reproduce this with the introduction package, for example
change the access to the Example/Tables page to "Customer".
Afterwards go to http://yourdomain/?id=38 and you will see the 404
page. If you disable the pageNotFound_handling you will see the
content of the Example page.

Resolves: #16472
Releases: 6.2, 6.1
Change-Id: I1e58ec1f96422c6bf3e5c9c74f1b1c1666b68762
Reviewed-on: https://review.typo3.org/21390
Reviewed-by: Sascha Wilking
Tested-by: Sascha Wilking
Reviewed-by: Markus Klein
Tested-by: Markus Klein

As saltedpasswords is required for backend and can't be uninstalled, we
can remove the implicit dependency on extension "setup" by adjusting
the default settings there.

Resolves: #58192
Releases: 6.2
Change-Id: I6490b9962924c0e384243f663f3e5057c947749e
Reviewed-on: https://review.typo3.org/29656
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn