- Mar 21, 2018
Oliver Hader authored

This reverts commit 1bd63f45. This change caused a regression which basically affected users of Mozilla Firefox - details are described in issue #84503. Besides that the initial bug report addresses the frontend part, changing backend login behavior was not required in order for the bug fix.

Releases: master, 8.7, 7.6
Resolves: #84503
Reverts: #76120
Change-Id: I45fe6086afa48eed71be635e8cf4a1f3fa138ab2
Reviewed-on: https://review.typo3.org/56396
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>

- Mar 13, 2018
Nicole Cordes authored

This patch adds the name and value of the first submit button found in a form to the input field used to send the form.

RsaEncryptionWithLib.min.js created with:

  ../../../../../../Build/node_modules/uglify-js/bin/uglifyjs \
    RsaLibrary.js RsaEncryption.js > RsaEncryptionWithLib.min.js

Resolves: #76120
Releases: master, 8.7, 7.6
Change-Id: I3f0fdc7e933267689114d5bcf62d3fcfe2db5146
Reviewed-on: https://review.typo3.org/56104
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>

- Oct 31, 2016
Frank Naegler authored

This patch removes the hard dependency to RsaEncryptionModule and adds a check if the module can be loaded. It on the go adds a hardening to the RsaEncryptionModule to avoid registration of form event handlers twice, which is now needed to cover all potential loading orders of RsaEncryptionModule and LoginRefresh.

Resolves: #78299
Related: #75911
Releases: master, 7.6
Change-Id: Ie03f1c7bc34e48f03213dec70c62d8ccc339ab31
Reviewed-on: https://review.typo3.org/50239
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Aug 29, 2016
Helmut Hummel authored

The RsaEncryption and the LoginRefresh module are loaded independently by requireJS, which means they are loaded asynchronously. This means that either one of those modules is initialized first. However the RsaEncryption module scans the DOM for form elements and the LoginRefresh inserts a form. This means if the RsaEncryption is initialized first, then the form created by LoginRefresh will not be intercepted, leading to the (heisen-)bug described.

This change enforces the loading order by adding the RsaEncryption as dependency to LoginRefresh and registering the form manually, to make sure it will be intercepted and passwords will be transmitted encrypted.

Resolves: #75911
Releases: 7.6, master
Change-Id: Ib4aba70b3545f163a16a4eee62bed9e5a48b2fe7
Reviewed-on: https://review.typo3.org/49478
Tested-by: Bamboo TYPO3com <info@typo3.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>

- Oct 23, 2015
Frank Nägler authored

Resolves: #70966
Releases: master
Change-Id: Ic78753be0facd860e5ab30ce6d7340e040dee59c
Reviewed-on: https://review.typo3.org/44170
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Oct 15, 2015
Markus Klein authored

Also remove useless closures and public exposure of modules, which are not used via the TYPO3 global. Moreover use single quotes for 'use strict' consistently.

Resolves: #70601
Releases: master
Change-Id: If7183f91a5b9fab320cea8eb1759e78b47141984
Reviewed-on: http://review.typo3.org/43999
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>

- Oct 12, 2015
Frank Nägler authored

The namespace and name of an AMD module is not needed. The resolving of names works without the defined name of a module and should be removed to anonymize the modules.

Resolves: #70607
Releases: master
Change-Id: I9e1a81d30de7764ffbccf0b0985b55ed5b6cb96d
Reviewed-on: http://review.typo3.org/44002
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

- Oct 05, 2015
Benjamin Mack authored

The AjaxRequestHandler now first checks in the Router if an AJAX route exists. A new flag "ajax" in the routing mechanism allows calling ajax-based URLs which are then handed to the AJAX Request Handler.

All controllers now receive proper Request and Response objects. All previous logic still works, but can slowly be migrated to the Routing concept.

Resolves: #69916
Releases: master
Change-Id: I1e67d5a341a4dd2769247531246c9e1fad900c76
Reviewed-on: http://review.typo3.org/43365
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>

- Sep 12, 2015
Andreas Fernandez authored

Stores the original submit handler, removes it from the form element and adds it back only at a later point, when the RSA module wants to submit the form. This prevents Chrome from submitting a form twice if it contains an RSA password protected field.

Resolves: #69713
Releases: master
Change-Id: I085b68dfeb901be960096e3d570da097adf0327b
Reviewed-on: http://review.typo3.org/43239
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>

- Aug 07, 2015
Mathias Brodala authored

DOM Level 2 provides collections for forms and form elements, thus make use of them.

Resolves: #68765
Releases: master
Change-Id: I795b2c3348d7a39fdbe277df4c6661e3427c5e1f
Reviewed-on: http://review.typo3.org/42281
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>

Nicole Cordes authored

This patch adds rsa encryption to password fields. It introduces an own rsaInput render type which turns fields into true password fields and removes JavaScript default value '********'. Furthermore the rsa Api is adjusted to handle the incoming data correctly.

Releases: master
Resolves: #68166
Change-Id: I4eb8186f77e5b9215310f65d606bc49c71b19880
Reviewed-on: http://review.typo3.org/41286
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>

- Jul 27, 2015
Nicole Cordes authored

If you have an enabled rsaauth, the frontend login gets hashed before sending the data. Due to a request to an ajax handler in rsaauth, a backend user cookie is set in frontend mode as well. This patch re-adds an eID script for frontend calls to prevent unnecessary cookies.

Resolves: #68525
Releases: master
Change-Id: I67a12e617aaa766e839f3a9b6b535a5618236ecb
Reviewed-on: http://review.typo3.org/41939
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>

- Jul 17, 2015
Michael Oehlhof authored

Resolves: #68284
Releases: master
Change-Id: Ie825267fea2ce160d8f31a945019f760f8368bb0
Reviewed-on: http://review.typo3.org/41572
Reviewed-by: Andreas Wolf <andreas.wolf@typo3.org>
Tested-by: Andreas Wolf <andreas.wolf@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>

- Jul 14, 2015
Nicole Cordes authored

This patch introduces a new API which eases the use of RSA encryption across the core and for third party extensions.

For backend encryption a new RequireJS module is included which finds fields to encrypt automatically by their data attribute. For frontend encryption the JavaScript was rewritten to work the same way the RequireJS module works but with plain (vanilla) JavaScript.

Releases: master
Resolves: #67932
Resolves: #34568
Change-Id: Id35dd65d1019a8c16858f03989ff48e3434698e4
Reviewed-on: http://review.typo3.org/40938
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>

- Jun 05, 2015
Frank Nägler authored

With the new login screen (introduced in 7.2) the possibility to override or extend the login template was removed. The old global ``$GLOBALS['TBE_STYLES']['htmlTemplates']`` was removed without replacement.

With this patch we introduce a new way to extend the login form and add a BE login form API.

Resolves: #66669
Releases: master
Change-Id: I36ab4cdabbab55f370d1fd19b7212cf2f858db57
Reviewed-on: http://review.typo3.org/39234
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Frank Nägler <typo3@naegler.net>
Tested-by: Frank Nägler <typo3@naegler.net>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- May 20, 2015
Markus Klein authored

* Remove (super)challenged login security levels
* Make loginSecurityLevel 'normal' the new default
* Change Backend login JS to use real submit event
* Refine hook usage of LoginController
* Remove unused code in ext:sv

Note: OpenId login is broken due to hidden, but required, password field. This will be resolved with the new Backend login API. #66669

Resolves: #66997
Releases: master
Change-Id: I280783588aabc78bc9bd9d1c7ee12e67bac9ed63
Reviewed-on: http://review.typo3.org/39576
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Mar 09, 2015
Georg Ringer authored

Following security best practices, a user should be able to update his password only when giving the previous password. Currently there is no need to know the current password when changing it.

Change-Id: Id0c52d8f7e0d06177c0e4f7076b71d5e6fbca466
Resolves: #35807
Releases: master
Reviewed-on: http://review.typo3.org/10224
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Markus Klein <klein.t3@reelworx.at>
Reviewed-by: Frederic Gaus <frederic.gaus@flagbit.de>
Tested-by: Frederic Gaus <frederic.gaus@flagbit.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>

- Dec 13, 2014
Roland Waldner authored

This regular expression was used to replace PHPDoc style comments with ordinary comments:

  Search: /\*\*(\n \* This file is part of the TYPO3 CMS project.)
  Replace with: /*$1

Resolves: #63328
Releases: master
Change-Id: Ic8f11dbfefee94a19657c8fe8426c81d1cb435d8
Reviewed-on: http://review.typo3.org/35103
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>

- Nov 06, 2014
Markus Klein authored

Does not touch extbase and fluid.

Resolves: #62670
Releases: master
Change-Id: I853fd1814b7ea5853cdf75abf16be238a27af9f5
Reviewed-on: http://review.typo3.org/33768
Reviewed-by: Stefan Froemken <froemken@gmail.com>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Benjamin Mack <benni@typo3.org>

- Sep 09, 2014
Nicole Cordes authored

Resolves: #61478
Releases: 6.3
Change-Id: I81a8ae747e59649999c5372b51b8fc866a4dd4dd
Reviewed-on: http://review.typo3.org/32687
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>

- Sep 08, 2014
Benjamin Mack authored

The backend login process uses various JavaScript parts.

1) Some basic redirects on pure JavaScript that is inline in the LoginController.
2) A flat and hardcoded JS file in the login.html template which actually uses ExtJS and Prototype for various cookie checks and usability checks.
3) RSA Authentication with Backend Login for doing an AJAX call. This is done in ExtJS.

All of the parts above are rewritten using the proper API calls based on jQuery.

Resolves: #60576
Releases: 6.3
Change-Id: Ie64c4736c79327b816c39da5bba533bcc65cee45
Reviewed-on: http://review.typo3.org/31826
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>

- Jul 25, 2014
Benjamin Mack authored

Renames the folder "resources" to "Resources" and moves the JS files into "Resources/Public/JavaScript".

Resolves: #60582
Releases: 6.3
Change-Id: Id549c4d006e8690b49b7800399fca95410ee641c
Reviewed-on: http://review.typo3.org/31832
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>