- Dec 11, 2018

Oliver Hader authored
Change-Id: I1deba856f74b1cb8cb47b032fbf3c17b29a3ed22
Reviewed-on: https://review.typo3.org/59112
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Change-Id: I422ccae7cf5d42fa090876d32ded5c474defafb2
Reviewed-on: https://review.typo3.org/59111
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Resolves: #87123
Releases: master, 8.7, 7.6
Change-Id: Idceecb174682261b967ea284e12e1836bb7e7bea
Reviewed-on: https://review.typo3.org/59109
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Markus Klein authored
Skip those tests on systems which do not properly resolve ::1 to localhost. Travis CI is one example.
Resolves: #87119
Releases: 8.7, 7.6
Change-Id: I8d96f8da1c19f3d9924dcc048466b5f88d8f18dd
Reviewed-on: https://review.typo3.org/59106
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Benni Mack authored
The "recs" query parameter allows writing arbitrary entries into a session, leading to the possibility of creating a reasonable amount of frontend user sessions. In order to prevent this situation, a new configuration option $TYPO3_CONF_VARS[FE][enableRecordRegistration] is added to disable the functionality completely. The feature is disabled by default in order to apply strong security defaults. Installations that rely on this functionality have to manually enable the feature and its vulnerability by changing the corresponding TYPO3_CONF_VARS setting in the install tool. A security report is added to display a warning in the TYPO3 Backend.
Resolves: #80979
Releases: 8.7, 7.6
Security-Commit: e94871da34275de6b47e10f44a1fb16219598aa9
Security-Bulletin: TYPO3-CORE-SA-2018-012
Change-Id: I1c79525cde0f8a268b2e8747db55735e10668e75
Reviewed-on: https://review.typo3.org/59090
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Using large media files (*.youtube, *.vimeo in the TYPO3 core) might lead to denial of service scenarios. In order to avoid that, media files are limited to a maximum content size of 2048 bytes. Usually these files contain just the remote identifier - thus, ~20 bytes should have been sufficient already.
Resolves: #85381
Releases: master, 8.7, 7.6
Security-Commit: 0e334ba09c9676616598162c0212db931fa38c6e
Security-Bulletin: TYPO3-CORE-SA-2018-011
Change-Id: I50fd11932d9acc9990a92e1a6c9da873d340e619
Reviewed-on: https://review.typo3.org/59089
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Benni Mack authored
When installing TYPO3, the current version is shown without any kind of authentication provided (no FIRST_INSTALL). This information disclosure is solved.
Resolves: #86254
Releases: master, 8.7, 7.6
Security-Commit: 03727f3018fabb5ed1cbf2349833d5a97d29e870
Security-Bulletin: TYPO3-CORE-SA-2018-010
Change-Id: I495efeb0e6fe6124515d0cb8b8bba51dd7eaddd9
Reviewed-on: https://review.typo3.org/59088
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Resolves: #86955
Releases: master, 8.7, 7.6, 6.2
Security-Commit: d554a3f8d40df0e9019b89f7bb4f8fec85e15331
Security-Bulletin: TYPO3-CORE-SA-2018-009
Change-Id: I6d74cc2bc2ba876986887564bb48eb5d5d8ae3ac
Reviewed-on: https://review.typo3.org/59087
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Benni Mack authored
Two occurrences allow rendering data of the currently logged-in frontend user that is not sanitized and thus allow XSS attacks by frontend users.
1. EXT:fe_login adds ###FEUSER_{fieldname}### for each field that exists in the fe_users DB table, which CAN be processed by TypoScript but is insecure by default.
2. config.USERNAME_substToken = <!--###USERNAME###--> sets the username dynamically, which is then insecure.
Adding htmlspecialchars as a default configuration solves this problem.
Resolves: #87053
Releases: master, 8.7, 7.6
Security-Commit: 7f7a326fc656360ffec71415d730e40df99d63a0
Security-Bulletin: TYPO3-CORE-SA-2018-008
Change-Id: I973e350b727d20d137dd70f755913d02e8f5644e
Reviewed-on: https://review.typo3.org/59086
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Resolves: #84190
Releases: master, 8.7, 7.6
Security-Commit: 4e75300bebae5e06887f3234a32a0bae9635c047
Security-Bulletin: TYPO3-CORE-SA-2018-007
Change-Id: I29ca9803823825066af87b2534aaf407183c1b4e
Reviewed-on: https://review.typo3.org/59085
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Susanne Moog authored
Resolves: #83184
Releases: master, 8.7, 7.6
Security-Commit: 8da8a3c1609fbd83b025c8a815d9c3b667c7722c
Security-Bulletin: TYPO3-CORE-SA-2018-006
Change-Id: Iaab42d0c00d465582cb48fe473cc345c68144031
Reviewed-on: https://review.typo3.org/59084
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

- Dec 08, 2018

Christian Kuhn authored
Intercept has been adapted, the variable to label handling can be simplified a bit.
Resolves: #87109
Releases: master, 8.7, 7.6
Change-Id: I27255ef9f5eb515c89f5d89e7061fc473e2abec1
Reviewed-on: https://review.typo3.org/59065
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

- Nov 28, 2018

Christian Kuhn authored
Resolves: #87026
Releases: master, 8.7, 7.6
Change-Id: Idfbf4bbf0bab8a6e4bedc37e92903ed2c85af494
Reviewed-on: https://review.typo3.org/58970
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-on: https://review.typo3.org/58973

- Oct 31, 2018

Christian Kuhn authored
Extension dbal needs a patch with PHP 7.3 for "continue inside switch" blocks, similar to what has been done with #86589.
Change-Id: I202d6292b3d110e8e87bf3c882f25af22c0c040e
Resolves: #86813
Related: #86589
Releases: 7.6
Reviewed-on: https://review.typo3.org/58809
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>

- Oct 30, 2018

Oliver Hader authored
PharStreamWrapper has been released as standalone package under the MIT license: https://github.com/TYPO3/phar-stream-wrapper

Stream invocation is handled by the new composer package, previous classes PharStreamWrapper and PharStreamWrapperException have been removed from the TYPO3 core but are still kept in class alias maps for compatibility reasons. Since the standalone package is now independent from TYPO3 constraints, the TYPO3 specific logic to intercept Phar invocations has been moved to the new class PharStreamWrapperInterceptor.

`composer require typo3/phar-stream-wrapper:^2.0.1`

Related: #85984
Resolves: #86666
Releases: 8.7, 7.6
Change-Id: I724c4238d1a8184a8c7c908f16d71c06f87244d8
Reviewed-on: https://review.typo3.org/58778
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

- Oct 29, 2018

Joerg Kummer authored
This adds the current URL to the ToTop link when css_styled_content is used. Fixes broken linkToTop URLs since config.prefixLocalAnchors was removed. Also compatible with TYPO3 v7 where compatibility6 is installed and typoscript config.prefixLocalAnchors is configured.
Resolves: #81202
Releases: 8.7, 7.6
Change-Id: Id7b9f1c24575de297d2ca60af686fd6d299343e2
Reviewed-on: https://review.typo3.org/57778
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Johannes Seipelt <johannes.seipelt@3m5.de>
Reviewed-by: Riny van Tiggelen <info@online-gamer.nl>
Reviewed-by: Richard Vollebregt <richard.vollebregt@maxserv.com>
Reviewed-by: Rudy Gnodde <rgn@windinternet.nl>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

- Oct 28, 2018

Benni Mack authored
preg_quote since PHP 7.3.0 also quotes #. Simply use a different placeholder.
Resolves: #86586
Releases: master, 8.7, 7.6
Change-Id: I8ed9bd39605341a09347e21dd38c9a1824a01ee5
Reviewed-on: https://review.typo3.org/58766
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Stefan Neufeind authored
Calling continue inside a switch-block would work just like break. This is usually not intended and thus triggers a warning since PHP 7.3.0.
Resolves: #86589
Releases: master, 8.7, 7.6
Change-Id: Ic35998b8a37bd35110b9d3494f1cf258e845097a
Reviewed-on: https://review.typo3.org/58764
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

- Oct 23, 2018

Andreas Fernandez authored
Facebook adds the `fbclid` argument to outbound URLs which triggers a recalculation of the cache hash. The argument is now added to the blacklist for chash parameters.
Resolves: #86715
Releases: master, 8.7, 7.6
Change-Id: I8cd66fdfa2c549c65750d6ef896261cccba4b54d
Reviewed-on: https://review.typo3.org/58676
Reviewed-by: Tim Schreiner <schreiner.tim@gmail.com>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

- Oct 10, 2018

Markus Klein authored
Resolves: #83755
Releases: master, 8.7, 7.6
Change-Id: I6e13133f221137c63283ec1575fc405a38668b1a
Reviewed-on: https://review.typo3.org/58580
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

- Oct 03, 2018

Christian Kuhn authored
Tiny patch level release with cosmetic fixes.

composer update typo3/class-alias-loader

Resolves: #86555
Releases: master, 8.7, 7.6
Change-Id: Ib949e1aa961ea9aede1eeaebd5da9995a2a65bc0
Reviewed-on: https://review.typo3.org/58568
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Oct 01, 2018

Christian Kuhn authored
Change-Id: I865a2f40fc32902ed002dd67220f16f0b6d20ccf
Resolves: #86528
Releases: 8.7, 7.6
Reviewed-on: https://review.typo3.org/58542
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Sep 30, 2018

Sascha Egerer authored
The mountpoint variable must be respected in the key used for the menu runtime cache. Without that part in the key all links generated to a mount-point sub-page will link to the first mount target page in the menu.
Resolves: #80970
Resolves: #62248
Releases: master, 8.7, 7.6
Change-Id: I8ccfebabd515d6da9f78388de51d24603e9fe532
Reviewed-on: https://review.typo3.org/58491
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Sep 03, 2018

Christian Kuhn authored
Change-Id: Ic76264a855a4731a5e90be954b55b0dd6a449c92
Resolves: #86130
Releases: 8.7, 7.6
Reviewed-on: https://review.typo3.org/58169
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Aug 10, 2018

Michael Telgkamp authored
Resolves: #85525
Releases: 7.6
Change-Id: I529db33ed6712db7c1d6bdbb13d0066c6bc457a2
Reviewed-on: https://review.typo3.org/57517
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Tested-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

- Aug 02, 2018

Markus Klein authored
Improve LocalizationRepository queries to handle the case when records were copied from another page (thus t3_origuid is pointing to records from the other page). Now LocalizationRepository uses the l10n_source field instead of t3_origuid. Tests for LocalizationRepository covering the case were added.
Resolves: #79443
Resolves: #78599
Releases: master, 7.6
Change-Id: Ibae4a276ea814f0ce3d453cffef1d22afeff1eb9
Reviewed-on: https://review.typo3.org/57628
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Johannes Kasberger <johannes.kasberger@reelworx.at>
Tested-by: Johannes Kasberger <johannes.kasberger@reelworx.at>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Łukasz Uznański <l.uznanski@macopedia.pl>
Tested-by: Łukasz Uznański <l.uznanski@macopedia.pl>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Tested-by: Tymoteusz Motylewski <t.motylewski@gmail.com>

- Jul 31, 2018

Oliver Hader authored
Change-Id: I86538380d738c7e746268f6824c107eeea234428
Reviewed-on: https://review.typo3.org/57737
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Change-Id: I68338ebd80cd3db7b3e45d1c5a26d25b149d0b2c
Reviewed-on: https://review.typo3.org/57736
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

- Jul 29, 2018

Oliver Hader authored
Resolves: #85658
Releases: master, 8.7, 7.6
Change-Id: I6acdc235dff4b3c0c84a8a6d762d497f8d9664cc
Reviewed-on: https://review.typo3.org/57701
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-on: https://review.typo3.org/57711

- Jul 26, 2018

Andreas Fernandez authored
The toolbar item for open documents now properly checks whether there are any open documents to avoid actions on a null value. Additionally, the arrays holding the state are now correctly initialized.
Resolves: #85465
Related: #78051
Releases: 7.6
Change-Id: I2adb52504d8131a695b4775ed21caf813d9657e1
Reviewed-on: https://review.typo3.org/57457
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Michael Oehlhof <typo3@oehlhof.de>
Reviewed-by: Alexander Grein <alexander.grein@gmail.com>
Tested-by: Alexander Grein <alexander.grein@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Jul 25, 2018

Andreas Fernandez authored
Resolves: #85641
Related: #60019
Releases: master, 8.7, 7.6
Change-Id: If9c94c020da6991dc070fa6aa8395042686b2752
Reviewed-on: https://review.typo3.org/57681
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

- Jul 20, 2018

Christian Kuhn authored
typo3.org git/gerrit have shown flakiness lately. To not torture the poor servers with our pesky testing so much we switch the git clones to github/TYPO3/TYPO3.CMS and hope merges are mirrored over there more quickly and they sustain our testing load easily.
Resolves: #85606
Releases: master, 8.7, 7.6
Change-Id: I772d945a3bf697172cb26edb761f01e6cb8da4bf
Reviewed-on: https://review.typo3.org/57645
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Jul 17, 2018

Anja authored
The bamboo containers need a better passwd mapping per agent to set a proper home directory, otherwise ssh tasks may fail.
Resolves: #85582
Releases: master, 8.7, 7.6
Change-Id: I42b59df7512dd5bd6e00c2c07eee9441cf1aa28c
Reviewed-on: https://review.typo3.org/57620
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Jul 16, 2018

Christian Kuhn authored
A new bamboo agent infrastructure has been deployed that significantly changes how tests are executed: The agent docker containers are now "stupid" and no longer bundle specific php versions or daemons. Instead, they can run their own containers to start needed daemons for specific jobs and execute needed php commands in ad-hoc containers that provide the required php version.

Daemons needed for single jobs are defined in a docker-compose.yml file provided by core itself. This docker-compose.yml file can not be used directly for local test execution since it has to fiddle quite a bit with docker volume mounts, networks and executing users that is specific to the bamboo environment. However, another yml file can be added later to ease local test execution in a similar way.

The patch rewrites the bamboo plan pre-merge and nightly specs of core master to use the new infrastructure and brings a couple of minor changes to tests that rely on a running memcached or redis to retrieve the daemon host from an environment variable.

Patch for core v7.
Change-Id: I65777eeee6e28fca5b3d3d979498293cc91a77af
Resolves: #85563
Resolves: #36934
Releases: 7.6
Reviewed-on: https://review.typo3.org/57605
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Jul 13, 2018

Oliver Hader authored
Including files from Phar archives (e.g. "phar://file.phar/autoload.php") does not work properly when the PHP setting open_basedir is defined. The reason for that is that TYPO3's custom PharStreamWrapper tries to find the appropriate base Phar file using file_exists() calls internally. In case those files are not part of the open_basedir restriction - which is the case for everything prefixed with the "phar://" scheme - a PHP warning is shown.
Resolves: #85547
Releases: master, 8.7, 7.6
Change-Id: I72fdd7f0c016c0a8b1ed56a82b6b4042cac4d930
Reviewed-on: https://review.typo3.org/57596
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Jul 12, 2018

Oliver Hader authored
Change-Id: I2263cb37e5395eb48d7d07908dd52c3f3d48c55c
Reviewed-on: https://review.typo3.org/57574
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>

Oliver Hader authored
Change-Id: Ief75740d3b83ebcef47da97800743e64677079f0
Reviewed-on: https://review.typo3.org/57573
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Resolves: #85385
Releases: master, 8.7, 7.6
Security-Commit: 8cd7fa85f5b60c508aaac3184101008ba2e8df7f
Security-Bulletin: TYPO3-CORE-SA-2018-002
Change-Id: I2494702e67a180fff36173645b8478a12680b870
Reviewed-on: https://review.typo3.org/57542
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Christian Kuhn authored
SoftReferenceIndex throws exceptions on phar streams
LegacyLinkNotationConverter throws exceptions on phar streams
Resolves: #85385
Releases: master, 8.7, 7.6
Security-Commit: 0311b6c0cc7fed584f59f34adba5b693e75797d8
Security-Bulletin: TYPO3-CORE-SA-2018-002
Change-Id: Ic57514e1bcdb30ec612a39bcb3c49287cc0c5330
Reviewed-on: https://review.typo3.org/57541
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
This custom stream wrapper for the phar:// protocol overrides PHP's native handling. In case Phar bundles shall be loaded from a valid directory, the custom wrapper falls back to the native PHP wrapper in order to invoke Phar-related actions. In case the location is not trustworthy, an according exception is thrown. The custom stream wrapper is registered at the beginning of TYPO3's bootstrap class. Trusted locations are those in typo3conf/ext/* - anything else is denied and not considered as trustworthy.
Releases: master, 8.7, 7.6
Resolves: #85385
Security-Commit: 86f79d23a2c198fb3054b1d1f9414226f955c66d
Security-Bulletin: TYPO3-CORE-SA-2018-002
Change-Id: I8c6499ca8dea31bdfc7ed9fba0b479b4a7715f4a
Reviewed-on: https://review.typo3.org/57540
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>