Change-Id: I2d0ca5bacc7de24d933e2d05a7edae59e6e229a3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77107


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.1

composer req typo3/html-sanitizer:^2.1.1
composer req typo3/html-sanitizer:^2.1.1 \
  -d typo3/sysext/core --no-update

Resolves: #99351
Releases: main, 11.5, 10.4
Change-Id: I25a17ce13a8f90cdd07a7cc51e515dff3b6bb03b
Security-Bulletin: TYPO3-CORE-SA-2022-017
Security-References: CVE-2022-23499
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77094


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Introducing Yaml placeholders in backend user interface can lead to
information disclosure and denial-of-service senarios. This change
disallows adding new placeholders and throws an exception - existing
placeholders are kept.

Resolves: #89401
Releases: main, 11.5, 10.4
Change-Id: I69e24de07b5327507e1bf8de990f84402078f7d4
Security-Bulletin: TYPO3-CORE-SA-2022-016
Security-References: CVE-2022-23504
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77093


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Only evaluate TypoScript-like instructions like

```
submitButtonLabel = TEXT
submitButtonLabel.value = Bar
```

defined within

`plugin.tx_form.settings.formDefinitionOverrides`
and
`plugin.tx_form.settings.yamlSettingsOverrides`

and **not** within form definition yaml files or
the form setup yaml files.

This is achieved by not searching the entire form
definition or form setup for TypoScript instructions,
but only the actual TypoScript.

Resolves: #98403
Releases: main, 11.5, 10.4
Change-Id: I7b066f109d6061715c2240b01ed15185c58fa9f5
Security-Bulletin: TYPO3-CORE-SA-2022-015
Security-References: CVE-2022-23503
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77092


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

The password reset process for TYPO3 backend and
frontend users does not destroy possible existing
user sessions after the password has been changed.

With this patch, all existing user sessions are
destroyed when the password is changed in the
password reset process.

Resolves: #98462
Releases: main, 11.5, 10.4
Change-Id: I6744bfcf7cae56b4e525f2e0f9a44d06cf14396c
Security-Bulletin: TYPO3-CORE-SA-2022-014
Security-References: CVE-2022-23502
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77091


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

This change ensures that individual storage page ids are
valid by signing corresponding values with an HMAC.

Resolves: #98010
Releases: main, 11.5, 10.4
Change-Id: I34d474ab23adca6bbcf20c108bb60acf6998bc6f
Security-Bulletin: TYPO3-CORE-SA-2022-013
Security-References: CVE-2022-23501
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77090


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

TYPO3 now uses a lock strategy to avoid having to many request
waiting for the generation of the error page (which cannot be
generated via the external HTTP request, as there might be not
enough workers / PHP processes available during a DoS attack).
If a lock is in place, it directly returns a generic error
response instead of waiting for the lock or that the error
page is retrieved/rendered.

Additionally, if the external error page could not be retrieved
(HTTP status code other than 200), it will also create a generic
response and cache that instead. This avoids keeping requesting
for the errounous external HTTP page.

This could happen when using external HTTP requests (Guzzle) to
resolve an error page (via PageContentErrorHandler) for 404 sites.

Only TYPO3 installations using the feature "subrequestPageErrors"
via $TYPO3_CONF_VARS[SYS][features][subrequestPageErrors] = true
are not affected as the error page is generated during the
same PHP process, avoiding to create another external process.

Resolves: #98384
Releases: 11.5, 10.4
Change-Id: Iae1cae882707a519b2cef85112525ea213a72eef
Security-Bulletin: TYPO3-CORE-SA-2022-012
Security-References: CVE-2022-23500
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77089


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

In case the web server scenario is not properly configured to deny
HTTP host header injection, and the trustedHostsPattern is not explicit
enough, a corresponding check in the reports module will issue
an error message like

* HTTP_HOST contained unexpected "a0a3aa2f59.random.example.org"
* SERVER_NAME contained unexpected "a0a3aa2f59.random.example.org"

Using the configuration directive `UseCanonicalName On` for Apache
web server environments mitigates the risk.

Resolves: #99347
Releases: main, 11.5, 10.4
Change-Id: Iaafd136fd817a0722f482d1d0e6b198382e40e3d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77025


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benni Mack <benni@typo3.org>

There are different versions of pdfinfo available and used
by different providers/distributions.

a) Debian/Fedora use pdfinfo (>v20) from the poppler-utils package.
   Also hosters like Hetzner use this version.
   This variant defaults to UTF-8 output for metadata:
   https://linux.die.net/man/1/pdfinfo
   > -enc encoding-name
   Sets the encoding to use for text output. This defaults to "UTF-8".

   pdfinfo -v
   pdfinfo version 21.08.0
   Copyright 2005-2021 The Poppler Developers -
                       http://poppler.freedesktop.org
   Copyright 1996-2011 Glyph & Cog, LLC

b) Older servers and hosters with legacy software (Mittwald,
   Domainfactory) use pdfinfo v3. This one defaults to Latin1 output:
   https://www.xpdfreader.com/pdfinfo-man.html
   > −enc encoding-name
   > Sets the encoding to use for text output. […]
   > This defaults to "Latin1"

   pdfinfo -v
   pdfinfo version 3.02
   Copyright 1996-2007 Glyph & Cog, LLC

Both versions support an -enc UTF-8 option, which is nowused to
circumvent the differences between these tools, instead of implying
Latin1 output (as done in #80085) which breaks variant a) by
interpreting valid UTF-8 as ISO-8859-1 and thus applying
a double encoding.

Resolves: #99352
Related: #80085
Releases: main, 11.5, 10.4
Change-Id: Ib8f7ae742c5edc73036afcb7d2608cd01f4176fd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77081


Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: core-ci <typo3@b13.com>

Releases: main, 11.5, 10.4
Resolves: #99348
Change-Id: I43d305b0f02bd6049f32e65c95184a2d5bfa4fe5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77052


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Resolves: #99299
Releases: main, 11.5
Change-Id: I1b4e7d16cf32bfbcda757685c8b3759bb052a867
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77001


Reviewed-by: Sybille Peters <sypets@gmx.de>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Tested-by: core-ci <typo3@b13.com>

Resolves: #99296
Releases: main, 11.5
Change-Id: I7c7182b107afe30def50bf10f73018df2c888958
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76956


Tested-by: core-ci <typo3@b13.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

If a service is registered with ExtensionManagementUtility::addService(),
that does not have a "os" flag, then a PHP 8 warning
is raised (during loading).

This change avoids this warning.

Resolves: #99294
Releases: main, 11.5
Change-Id: Ie5427e1a48f32dccbf1c5618a199c9a4d55774d3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76955


Reviewed-by: Nikita Hovratov <nikita.h@live.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Nikita Hovratov <nikita.h@live.de>

When working with variable interpolation and similar scenarios, in
most cases variables, constants, expressions, ... are embedded in
a solid string and can only be identified and extracted by the
corresponding "reader" or "parser".

This string fragment splitter aims to introduce a simpler way for
extracting and working with these embedded fragments.

Example:
    $pattern = new StringFragmentPattern(
      StringFragmentSplitter::TYPE_EXPRESSION,
      '%[^%]+%'
    );
    $splitter = new StringFragmentSplitter($pattern);
    $collection = $splitter->split(
      'Hello %variable% World!'
      FLAG_UNMATCHED_AS_NULL
    );

    // results in having
    // + StringFragment(type: 'raw', value: 'Hello ')
    // + StringFragment(type: 'expression', value: '%variable%')
    // + StringFragment(type: 'raw', value: ' World!')

Resolves: #97553
Releases: main, 11.5, 10.4
Change-Id: Ie2b02a247ca884fa44ab7b3ba21214c8ee9bc457
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76945


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>

Cast decimals input arguments to integer before using them in
number_format().

Resolves: #99283
Releases: main, 11.5
Change-Id: If0f49d644c99b212ffb7dd3a774e4dcba8baa2c7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76954


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Resolves: #99281
Releases: main, 11.5, 10.4
Change-Id: Ic65f08aa0bb67f97880d0ff5bb4c692fe7e6ffde
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76952


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

<figure> is allowed in HTML5 outside of paragraphs,
thus it should also be configured like that out-of-the-box

See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure

Since CKEditor5 is using <figure> around tables, and also
might add a <figcaption> both variants are now enabled by default.

Resolves: #99273
Releases: main, 11.5, 10.4
Change-Id: I9356cc13ccef764f475ba42cc47f43f7ecd624a1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76897


Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>

Way back until early stage of v11 development the page section
cache entry included only the rootline of the default language
for the page. This changed with #23736, when language loading
has been moved more forward to allow language based matching
in TypoScript.

However, the used identifier for the section cache did not
include the language in any kind. Thus making the rootLine
flipping in the cache, and getting eventually a cache entry
with the wrong rootLine set. This also leads to a flipping
identifier for the page content cache identifier `newHash`.

This leads to the reported behaviour of regulary ignoring
the cache and rebuilding the page, also it should not have
been necessary.

This change extend the page-section cache identifier with
the language id. This means, that we now have one cache
entry per language, instead of a generic one as in the
good old days. Back than, one entry was enough as it has
always included only the default language rootline.

Better having dedicated cache entries per language than
a on-going rebuild of the cache which can take complete
down in a really bad way.

To avoid changing method signatures, the already existing
context is used in TemplateService to properly calculate
the cache identifier with the language id included.

Resolves: #98126
Related: #23736
Releases: 11.5
Change-Id: Ice4b3b77bd5dd4acc3bdb054dcd05e1a065a2b2a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76302


Tested-by: Meelis Karulin <mkarulin@icloud.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Sybille Peters <sypets@gmx.de>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Joey Bouten <joey.bouten@beech.it>

see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.0

composer req typo3/html-sanitizer:^2.1.0
composer req typo3/html-sanitizer:^2.1.0 \
  -d typo3/sysext/core --no-update

To use custom output rules, the Behavior object must be known in
the Sanitizer, see https://github.com/TYPO3/html-sanitizer/pull/98

Resolves: #99271
Releases: main, 11.5, 10.4
Change-Id: I160f8b49284566afde87d07dde7a4fb69e3174c9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76920


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

To improve the listing of mfa providers in the configuration
module are possible language label keys now displayed,
next to the resolved label.

Resolves: #99246
Releases: main, 11.5
Change-Id: I978ff19f5c3299dff84d306a3c3b2c5ba0154ca2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76896


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Oliver Bartsch <bo@cedev.de>

This patch ensures that search term like Ärmel and Æble
is also working. Currently the match didn't work if a
uppercase special char was used.

With the additional modifier, this is now working, and
there will be matches on both lowercase and uppercase
matching words.

Resolves: #97986
Releases: main, 11.5, 10.4
Change-Id: If7ff1669ead57557964ed5372c4af749c316d7bf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76894


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Stefan Bürk <stefan@buerk.tech>

Used commands:

  composer req -W \
    -d typo3/sysext/core --no-update \
    guzzlehttp/guzzle:^7.5.0 \
    guzzlehttp/psr7:^2.4.3

  composer req -W \
    -d typo3/sysext/install --no-update \
    guzzlehttp/promises:^1.5.2

  composer req -W \
    guzzlehttp/guzzle:^7.5.0 \
    guzzlehttp/promises:^1.5.2 \
    guzzlehttp/psr7:^2.4.3

Resolves: #99242
Releases: main, 11.5
Change-Id: Iec5f53533860f3811127b1a4463e7a4a7fd70877
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76879


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Stefan Bürk <stefan@buerk.tech>

This encodes the PDF metadata to UTF-8 to ensure that special chars
like æ ø å ü ö ä are allowed without cutting of the metadata text.

Resolves: #80085
Releases: main, 11.5, 10.4
Change-Id: I02b0730dd659b54c0d8c7186a2089419bd56d2a2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76892


Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>

doctrine/dbal 2.x version has reached EOL, which means that
there will be no new version in this version range. Sadly,
doctrine/dbal triggers a deprecation warning in PHP8.2 which
will not be fixed upstream.

Raising that dependency is out of the scope for TYPO3 v11. This
issue is mitigated by adding the well-known composer dependency
`cweagans/composer-patches` as dev dependency. Additionally, a
corresponding composer patch targeting the PHP8.2 variable
interpolation deprecation warning is applied in CI for testing
purpose.

UpgradeCest acceptance tests is adjusted to execute some steps
only for appropriate dbms/drivers, as they are not targeting the
newer versions.

This change:
* Adds composer patcher `cweagans/composer-patches`
* Adds composer patch for doctrine/dbal variable
  interpolation issue in postgres platform class
* re-arranging pre-merge and nightly tests
* Ensures to execute some acceptance and functional
  tests against MariaDB 10.6 (LTS)
* Adds a little workaround (ignore-platform-reqs)
  for composer install min and max with PHP8.2 in
  `Build/Scripts/runTests.sh` and docker-compose.yml

Used command(s):

> composer2-74 config --no-plugins --no-interaction \
    allow-plugins.cweagans/composer-patches true
> composer2-74 config --no-plugins --no-interaction \
    extra.composer-exit-on-patch-failure true
> composer2-74 config --no-plugins --no-interaction \
    extra.patches-file "Build/patches/patches.json"
> composer2-74 require --dev \
    "cweagans/composer-patches":"^1.7.1"

Resolves: #99173
Releases: 11.5
Change-Id: If7abd9e66c409c5417343658fe789ee38b35f082
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76011


Reviewed-by: Nikita Hovratov <nikita.h@live.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Nikita Hovratov <nikita.h@live.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Stefan Bürk <stefan@buerk.tech>

Resolves: #99207
Releases: main, 11.5
Change-Id: I222a861578a7b1b683b7922bcdf55776b96b4648
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76781


Tested-by: core-ci <typo3@b13.com>
Tested-by: Nikita Hovratov <nikita.h@live.de>
Reviewed-by: Nikita Hovratov <nikita.h@live.de>

Guard invalid array key access in LanguageServices, also it
relates to an invalid xliff translation identifier. However,
the PHP warning should be guarded properly.

Resolves: #99190
Resolves: #98713
Releases: 11.5
Change-Id: Ied1894b4863804cfda4840379c0472cf3807a4d2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76838


Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Nikita Hovratov <nikita.h@live.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Nikita Hovratov <nikita.h@live.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Stefan Bürk <stefan@buerk.tech>

With this the list of grouped sql queries is
much shorter and better understandable.

Resolves: #99187
Releases: main,11.5

Change-Id: Id78568bbe987d8047860f32d58c79644436671d1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76780


Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: core-ci <typo3@b13.com>

It doesn't make much sense to keep the shortcut menu open once an entry
is opened, therefore it will be closed now.

Resolves: #99164
Releases: main, 11.5
Change-Id: I559f59feeb72c48fda6bb73748f89481a18e760a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76817


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: core-ci <typo3@b13.com>

While the assumption that sys_language_uid 0 is enabled is probably
always true, there are scenarios where this isn't the case (e.g.
disabling sys_language_uid 0 for different default languages on
different sites while still allowing cross-domain-links in the correct
language).

In PHP 7.4 the LanguageMenuProcessor did a graceful fallback to nothing,
in PHP 8.1 calling a LanguageMenuProcessor with disabled base language
results in an exception `Trying to access array offset on value of type
null`

Resolves: #99156
Releases: main, 11.5
Change-Id: I443e94f6dd45d7462f5925ff014a5bfc0df40ef8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76779


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Resolves: #99151
Releases: main, 11.5
Change-Id: Ibddea0cd6b4f869632899b7887f573bb7a6856b8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76778


Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Resolves: #99158
Releases: main, 11.5
Change-Id: I7cc2760f7f7ec4f329e8ec2dac127da3b2ba9648
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76777


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Resolves: #99154
Releases: main, 11.5
Change-Id: Iff01454dffb3afc0ebd4dff440467c0170d05934
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76776


Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>

Resolves: #99159
Releases: main, 11.5
Change-Id: I7a130b7471528dbd0a7e98257f119def8bb648ce
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76775


Reviewed-by: Nikita Hovratov <nikita.h@live.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Nikita Hovratov <nikita.h@live.de>

The ViewHelper `f:format.nl2br` must be applied after
`f:format.htmlspecialchars()`.

Resolves: #99160
Releases: main, 11.5
Change-Id: If20a25cf86479fa8d8e533fc5d820dc6931c3a5b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76774


Tested-by: Nikita Hovratov <nikita.h@live.de>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Nikita Hovratov <nikita.h@live.de>

If `FE|checkFeUserPid` is set, the storagePids must evaluate
to an empty set instead of the pid "0".

Resolves: #95119
Releases: main, 11.5
Change-Id: If749d465f6e4d474794f0818de7c67bf36d5475b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76773


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>

IconRegistry->detectIconProvider() may receive a null value for
the $iconReference parameter. E.g. in
IconRegistry->registerModuleIcons(). Therefore, a cast to string is
needed for strtolower.

Resolves: #99152
Releases: main, 11.5
Change-Id: Ia45c8a52ff12fa4d988977e1265b204df8217d2b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76756


Tested-by: Nikita Hovratov <nikita.h@live.de>
Reviewed-by: Nikita Hovratov <nikita.h@live.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Oliver Klee <typo3-coding@oliverklee.de>

The test does not make sense and is skipped for a
while already. Remove it.

Resolves: #97112
Releases: main, 11.5
Change-Id: If00b0b607263531359393cff7793624a12b878bb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76743


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>

The default duplication behaviour action for the
file upload is now properly assigned to the view again.

Resolves: #97357
Releases: main, 11.5
Change-Id: Id472dff8154dd4263827863a118f5da4390a7924
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76744


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Stefan Bürk <stefan@buerk.tech>

This allows to use the mask property from the TypoScript
imgResource function again.

Resolves: #96116
Releases: main, 11.5
Change-Id: Ia069a687e98a91437959e1bbd4efc5d59fb2017c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76708


Tested-by: core-ci <typo3@b13.com>
Tested-by: Nikita Hovratov <nikita.h@live.de>
Reviewed-by: Nikita Hovratov <nikita.h@live.de>

Resolves: #99136
Releases: main, 11.5
Change-Id: I7851afb5f6417bb538895768fe4ae35d8b75d0b9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76678


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>