- Apr 16, 2023
-
-
Stefan Bürk authored
The docker container image hub is slowly becoming more and more problematic for open source organisations, it's time to move to another container registry for core-testing images. Images are now built and published to both Docker HUB and GitHub Container Registry (`ghcr.io`). To test the ghcr.io images, the patch changes runTests.sh to use them for local (non CI) execution already. We cannot fully switch to ghcr.io yet, since CI uses the docker registry container as mirror for images to heavily reduce network load and increase performance. The registry container however can only mirror hub.docker.io images, so we need a different solution for CI first. When this is done, we'll stop uploading images to docker hub later. Resolves: #100617 Releases: main, 11.5, 10.4 Change-Id: Ia309826618696dc25b15527b73fa704235285479 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78669 Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech>
-
- Apr 11, 2023
-
-
Benni Mack authored
Change-Id: I1dad023b97567144be9e7f43f49911b7cfa076fb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78566 Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Benni Mack <benni@typo3.org>
-
Benni Mack authored
Change-Id: Ic71fc76b6e9fdb9d9f9f7ad5aa8ec34c39305073 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78565 Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- Apr 06, 2023
-
-
Stefan Bürk authored
This change adjusts the `Build/Scripts/runTests.sh` support for the different database types and versions. That means, which version for which types can be selected for functional and/or acceptance tests. Additionally, the help text output is enhanced to list information about the support of database versions provided by the vendors, based on the actually published release information:

* https://mariadb.com/kb/en/mariadb-server-release-dates/
* https://www.postgresql.org/support/versioning/
* https://endoflife.software/applications/databases/mysql

Available versions are chosen for supported versions of the TYPO3 core version, see the following matrix as a generic overview.

**NOTE** Be aware that this does not mean that tests are green with all versions. This only enables execution through `Build/Scripts/runTests.sh` for now. `CI` adjustments are done afterwards in a dedicated shuffle change.

mysql
-----
* 5.5 unmaintained since 2018-12 (11.5, 10.4)
* 5.6 unmaintained since 2021-02 (11.5, 10.4)
* 5.7 maintained until 2023-10 (11.5, 10.4)
* 8.0 maintained until 2026-04 (main, 11.5)

mariadb
-------
* 10.1 short-term, no longer maintained (11.5, 10.4)
* 10.2 short-term, no longer maintained (11.5, 10.4)
* 10.3 short-term, maintained until 2023-05-25 (main, 11.5, 10.4)
* 10.4 short-term, maintained until 2024-06-18 (main, 11.5, 10.4)
* 10.5 short-term, maintained until 2025-06-24 (main, 11.5, 10.4)
* 10.6 long-term, maintained until 2026-06 (main, 11.5, 10.4)
* 10.7 short-term, no longer maintained (main, 11.5, 10.4)
* 10.8 short-term, maintained until 2023-05 (main, 11.5, 10.4)
* 10.9 short-term, maintained until 2023-08 (main, 11.5, 10.4)
* 10.10 short-term, maintained until 2023-11 (main, 11.5, 10.4)
* 10.11 long-term, maintained until 2028-02 (main, 11.5, 10.4)
* 11.0 development series (main) [not working]
* 11.1 short-term development series (main) [not working]

postgres
--------
* 9.6 unmaintained since 2021-11-11 (11.5, 10.4)
* 10 unmaintained since 2022-11-10 (main, 11.5, 10.4)
* 11 maintained until 2023-11-09 (main, 11.5, 10.4)
* 12 maintained until 2024-11-14 (main, 11.5, 10.4)
* 13 maintained until 2025-11-13 (main, 11.5, 10.4)
* 14 maintained until 2026-11-12 (main, 11.5, 10.4)
* 15 maintained until 2027-11-11 (main, 11.5, 10.4)

Resolves: #100492 Releases: main, 11.5, 10.4 Change-Id: Iac5d4f799fd05ed7b766d1a9db95481caea2f898 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78500 Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com>
-
- Mar 20, 2023
-
-
Mathias Bolt Lesniak authored
Updates to the Final notes section:

* The Expert Advisory Board (EAB), which no longer exists, has been replaced with the TYPO3 Association Board, which does exist and has absorbed the functions of the EAB.
* Adds a link to information about the TYPO3 Association
* Reformats the "Donate to TYPO3" and "Become a member of the TYPO3 Association" links.
* Explicitly links "Become a member of the TYPO3 Association" to the page listing membership options.

Resolves: #100217 Releases: main, 11.5, 10.4 Change-Id: I05ad4bf263fe93e62fc50e8f9f9af7e6387d85d8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78063 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- Mar 13, 2023
-
-
Sybille Peters authored
The PHPDoc block in the ViewHelper source is used to render the ViewHelper documentation. Remove link to Changelog with incorrect formatting in asset.css ViewHelper, which never worked. As the Changelog is from version 10.4, there is little benefit and more risk of linking to outdated information in the future. Resolves: #100151 Releases: main, 11.5, 10.4 Change-Id: I0b11e7ec90ccfa8864ca4ddaa7ca83004fe266c0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78106 Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
core-ci <typo3@b13.com>
-
- Mar 09, 2023
-
-
Oliver Klee authored
For variable arguments, the type annotation needs to match the type of the single arguments, not an array of the single arguments. Resolves: #100127 Releases: main, 11.5, 10.4 Change-Id: Ic107cff8e08c00b18ced783d61783ed182039fd3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78082 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Nikita Hovratov <nikita.h@live.de> Tested-by:
Nikita Hovratov <nikita.h@live.de>
-
- Mar 08, 2023
-
-
Oliver Hader authored
The LiveSearch in the TYPO3 backend is configured to wait 250ms for additional input before sending the request to the server. Previously, every entered character triggered an independent search, unnecessarily hammering the server with requests. Resolves: #100011 Releases: 11.5, 10.4 Change-Id: Ifd2499b03ed6f149432f0224480a188a35ef7c88 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78048 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
- Mar 05, 2023
-
-
Stefan Bürk authored
Due to a regression since GitLab runner 15.1, we cannot use the official docker dind image to raise the runner version to keep up with the TYPO3 gitlab instance. Because of other issues, using a custom docker dind image with a changed expose port for the healthcheck to work around that issue is needed. See: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29130 After Gitlab has released a proper fix for this, this should be reverted and the official docker dind image used again. Resolves: #100086 Releases: main, 12.1, 11.5, 10.4 Change-Id: I4b433ba7f3a42c718b4d436cf42cdf619b9094ca Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77966 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech>
-
- Mar 01, 2023
-
-
Simon Schaufelberger authored
Matomo comes with some custom tracking parameters which should be excluded from cHash generation by default. Previously they were prefixed with pk_ from Piwik but with the name change, new parameters have been introduced. Matomo tracking parameters in default instance: mtm_campaign, mtm_keyword Resolves: #99999 Releases: main, 11.5, 10.4 Change-Id: I17cf6c7071f378bd9a439628036d19f265dc19d8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77960 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com>
-
- Feb 09, 2023
-
-
Christian Kuhn authored
A couple of streamlinings with latest tag, so we raise it.

> composer req --dev typo3/testing-framework:^6.16.7

Resolves: #99907 Releases: 11.5, 10.4 Change-Id: I4009e3a5b045ad990746d3da1237911ad944b391 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77810 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de>
-
- Feb 07, 2023
-
-
Oliver Hader authored
Change-Id: I8806815f0dc7f8362dde484649b728a97cf74641 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77749 Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Oliver Hader authored
Change-Id: I2de6fa89ec5ef52c6f9047719eebfc9c3ab76f66 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77748 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: Iabf27e8618bea80a398b8969bedfb653643cd984 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77743 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
Benni Mack <benni@typo3.org>
-
Oliver Hader authored
Change-Id: I0caecf5246eb2af75cbb13a926fb6ca7c26a23af Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77742 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Benjamin Franzke authored
As already started in #88304 (but only for NormalizedParams) and later reverted in #89312 (because of cgi-bin problems), PATH_INFO is no longer considered as a preferable SCRIPT_NAME alternative. All known server configurations set SCRIPT_NAME these days to a proper value when cgi.fix_pathinfo is set. The fallback to PATH_INFO has been introduced with the initial revision of TYPO3 and isn't needed at all nowadays; it's actually wrong, as a REQUEST_URI like /index.php/foo/bar would incorrectly be interpreted as $scriptName == "/foo/bar", which lets all calculations on $scriptName fail and even leads to XSS where values derived from $scriptName are printed without being escaped. Also any ORIG_SCRIPT_NAME evaluation is dropped, as this variable contains the SCRIPT_NAME that was set by the webserver configuration before PHP applied cgi.fix_pathinfo. Using ORIG_SCRIPT_NAME effectively meant bypassing PHP's pathinfo fix. It usually contains the cgi-wrapper paths, which is why PATH_INFO was used to overrule wrong ORIG_SCRIPT_NAME values. GeneralUtility::getIndpEnv('PATH_INFO') is adapted to trust the server's PATH_INFO information, now that we no longer allow servers to send SCRIPT_NAME as PATH_INFO (we enforce cgi.fix_pathinfo=1 for CGI installations). The normalized SCRIPT_NAME is now adapted to be encoded as a URL path by default, as all TYPO3 usages expect this to be a URL path. Note that $_SERVER['SCRIPT_NAME'] refers to the server's file system path, not the URL encoded value. This SCRIPT_NAME sanitization actually enables:

a) TYPO3 to be run in a subfolder that contains characters that need URL encoding, e.g. `/test:site/` – URL encoded that'd be `/test%3Asite/`.
b) prevention of XSS in case third party extensions failed to escape any URL that is derived from SCRIPT_NAME (while making sure that properly escaped output is not double escaped)

Resolves: #99651 Related: #88304 Related: #89312 Releases: main, 11.5, 10.4 Change-Id: Ief95253d764665db5182a15ce8ffd02ea02ee61e Security-Bulletin: TYPO3-CORE-SA-2023-001 Security-References: CVE-2023-24814 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77737 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
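An added illustration of the SCRIPT_NAME handling this commit describes. It is example code, not TYPO3's NormalizedParams or GeneralUtility::getIndpEnv(); the function name normalizeScriptName() and the decode-then-encode step are assumptions. It consults only SCRIPT_NAME, ignores PATH_INFO and ORIG_SCRIPT_NAME, and percent-encodes the result segment by segment, so `/test:site/` becomes `/test%3Asite/` and a value that already arrived encoded is not encoded twice:

```php
<?php
declare(strict_types=1);

/**
 * Added example (not TYPO3's NormalizedParams): build the script name the
 * way the change above describes.
 *  - Only SCRIPT_NAME is consulted. PATH_INFO and ORIG_SCRIPT_NAME are
 *    ignored, so a request like /index.php/foo/bar can no longer turn
 *    "/foo/bar" into the script name.
 *  - The result is encoded as a URL path, segment by segment, so a
 *    sub-folder such as /test:site/ becomes /test%3Asite/ and characters
 *    that matter in HTML ("<", '"') never survive unencoded.
 *  - Segments are decoded before encoding, so a value that already arrived
 *    percent-encoded is not double-encoded (assumption: canonicalisation
 *    by decode-then-encode is what a caller wants here).
 */
function normalizeScriptName(array $server): string
{
    $scriptName = (string)($server['SCRIPT_NAME'] ?? '');
    $encoded = [];
    // Split on "/" so the separators themselves are kept as-is.
    foreach (explode('/', $scriptName) as $segment) {
        $encoded[] = rawurlencode(rawurldecode($segment));
    }
    return implode('/', $encoded);
}

// Constructed server environments, not captured from a real host.
$samples = [
    'sub-folder needing encoding' => ['SCRIPT_NAME' => '/test:site/index.php'],
    'already percent-encoded'     => ['SCRIPT_NAME' => '/test%3Asite/index.php'],
    'path info must be ignored'   => [
        'SCRIPT_NAME' => '/index.php',
        'PATH_INFO'   => '/foo/bar',
        'REQUEST_URI' => '/index.php/foo/bar',
    ],
    'cgi wrapper in ORIG_SCRIPT_NAME is ignored' => [
        'SCRIPT_NAME'      => '/index.php',
        'ORIG_SCRIPT_NAME' => '/cgi-bin/php-wrapper/index.php',
    ],
    'HTML-significant characters get encoded' => ['SCRIPT_NAME' => '/a"b<c/index.php'],
];
foreach ($samples as $label => $server) {
    printf("%-46s %s\n", $label . ':', normalizeScriptName($server));
}
```

Because the value is a URL path after this step, embedding it in an attribute without HTML escaping still yields no markup characters; properly escaped output stays unchanged because percent-encoded text contains nothing for htmlspecialchars() to rewrite.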
-
Benjamin Franzke authored
Make clear that the early bail-out for empty pageArguments is done to prevent setting `disableCaches` to `true`. Also makes sure that the $pageNotFoundOnCacheHashError condition is really tied to pageArguments being non-empty. Prevents us from refactoring that code and missing this bit. Resolves: #99860 Related: #99859 Releases: main, 11.5, 10.4 Change-Id: I98ffa3dffe76a37970784979a2c4f2a9a64aa5bf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77753 Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
Nikita Hovratov <nikita.h@live.de> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Nikita Hovratov <nikita.h@live.de> Tested-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
Benjamin Franzke <bfr@qbus.de>
-
Oliver Hader authored
If $GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation'] is enabled and the HTTP request only contains the `?id` query parameter, caching for the page is disabled - which should be avoided. Resolves: #99859 Releases: main, 11.5, 10.4 Change-Id: I14a81f5a2ec3ecabedd1abf0756a3ee32e7af4e4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77732 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de>
-
- Feb 06, 2023
-
-
Benni Mack authored
When no cHash is given but GET parameters are handed in which _would_ require cHash parameters, these are now properly evaluated during the frontend request. As this has a security impact, a new option called $GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation'] is introduced, which then skips the "requireCacheHashPresenceParameters" option. The latter is an include list, but cache Hash calculation should rather be based on the exclude list such as "excludedParameters" and "cachedParametersWhiteList". If the new option is set, but some properties such as tx_solr[q] should be allowed, then this needs to be added to the excludedList ("excludedParameters") by extension authors. A new test "SlugSiteWithoutRequiredCHashRequestTest" is added which works with a disabled feature flag compared to "SlugSiteRequestTest" which has the feature flag enabled. Resolves: #95297 Releases: main, 11.5, 10.4 Change-Id: Ib72c6a34602e77d8c2044ad2e826c0474ebd2326 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77714 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
- Jan 23, 2023
-
-
Helmut Hummel authored
Accessing a not available configuration via TypoScript can be intentional (e.g. by using it in an if check). Therefore the log entry severity should rather be downgraded to a notice. Releases: 10.4, 11.5, main Resolves: #99465 Change-Id: I26ed4e96290ce6839c32cc60a7cbcf7fa24d0f2b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77289 Tested-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Helmut Hummel <typo3@helhum.io>
-
- Jan 18, 2023
-
-
Benni Mack authored
TYPO3's log is mostly covered with "Locale fr_FR.UTF-8 not found", which can be simplified, if setlocale() is not working properly. The POSIX Platform suffix "UTF-8" is then removed, and setlocale() is called again with "fr_FR" instead of "fr_FR.UTF-8" thus avoiding log flooding in some systems. Resolves: #99591 Releases: main, 11.5, 10.4 Change-Id: I4609d453c29a306d448bcdc3277b51a344af28ae Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77435 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de>
-
- Jan 17, 2023
-
-
Oliver Hader authored
Using CSP directive `style-src 'unsafe-inline'` seems to be fine for directly requested SVG files, since corresponding definitions are bound to the corresponding resource. Loading styles from any other external resource is still denied. Resolves: #93884 Releases: main, 11.5, 10.4 Change-Id: Ifddf8782ecaa81bf26026ae8850d8c53b7977bd7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77457 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
- Jan 06, 2023
-
-
Helmut Hummel authored
When this task is executed on CLI (scheduler), the global request variable is not available, thus a null check must be added before checking the instance of the value. Releases: 10.4, 11.5, main Resolves: #99464 Change-Id: Ie9c1b8e4fbc187d6ade569b1b152ce799a09a1f0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77222 Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
Torben Hansen authored
Update copyright year to 2023 Resolves: #99473 Releases: main, 11.5, 10.4 Signed-off-by:
Torben Hansen <derhansen@gmail.com> Change-Id: I9fc04e75b812622c5aec89138dd7daa8ccfcd90a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77224 Reviewed-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch>
-
- Dec 22, 2022
-
-
Georg Ringer authored
An unnecessary quote has been added with #91016 and should be removed again. Resolves: #99402 Releases: main, 11.5, 10.4 Change-Id: I42fdda31a1110efc540cc72fd0398db5bc03675f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77201 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de>
-
- Dec 15, 2022
-
-
Oliver Hader authored
Change-Id: I577c481866735d86d66c2c4247097687c07ef567 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77165 Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Change-Id: Id505113baa28f559ad94a479fea62151648f3789 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77164 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
Benjamin Franzke authored
$normalizedParams->getRequestDir() returns '/' for frontend requests and `/typo3/` for backend requests. This results in problems when the backend UriBuilder relies on getRequestDir() to provide the `/typo3/` suffix for backend URL generation. UriBuilder is now changed to base absolute URLs on getSiteUrl(), which is defined to return equal values for backend and frontend requests, the typo3 suffix is added manually. Note that v12 introduced similar behavior with #99234, where UriBuilder was adapted to use BackendEntryPointResolver, which rebases the backend URL calculation on the site path as well. Also note that the ABSOLUTE_URL mode in backend UriBuilder isn't actually used by the TYPO3 frontend, but some extensions started to execute system reports in frontend context, which exposed this bug with the introduction of #99347. Releases: 11.5, 10.4 Resolves: #99368 Related: #99347 Related: #99234 Change-Id: Ifaaeb4725c0243d34603dc86b2c89d12d9c06bdd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77160 Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
core-ci <typo3@b13.com> Tested-by:
André Buchmann <andy.schliesser@gmail.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
André Buchmann <andy.schliesser@gmail.com>
-
Oliver Hader authored
ServerResponseCheck triggers a HTTP host header check which is expected to fail. The more generic TransferException is used to catch any other failed request, not only those with 4xx or 5xx HTTP status codes. Besides that, TLS certificates shall not be verified, and HTTP location redirects not be followed. Resolves: #99368 Releases: main, 12.1, 11.5, 10.4 Change-Id: Id40457d4408c74d9229d4e6dcdedc0b69ffe9667 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77154 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
core-ci <typo3@b13.com>
-
- Dec 14, 2022
-
-
Oliver Hader authored
The security fix for TYPO3-CORE-SA-2022-013 enforced the `pid` HTTP parameter to be signed via HMAC during the frontend user authentication process. To provide better backward compatibility for those individual scenarios, the new `security.frontend.enforceLoginSigning` feature flag has been introduced, which is enabled per default, but can be disabled individually. Resolves: #99366 Releases: 11.5, 10.4 Change-Id: Ib633d7d3166a2f58caebc0a258699549b5cf2fa4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77130 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Helmut Hummel <typo3@helhum.io> Reviewed-by:
Frank Nägler <frank.naegler@typo3.com> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
Robert van Kammen <rvkammen@hotmail.com> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Robert van Kammen <rvkammen@hotmail.com>
-
Oliver Hader authored
Resolves: #99358 Releases: 10.4 Change-Id: I028b0016a005acdcb79725600b29b2c8dbbc939d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77119 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
Marco Huber <mail@marco-huber.de> Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Marco Huber <mail@marco-huber.de> Tested-by:
Jonas Eberle <flightvision@googlemail.com> Tested-by:
Axel Böswetter <evilbmp@gmail.com>
-
- Dec 13, 2022
-
-
Oliver Hader authored
Change-Id: I0549fe21ad21b7e61ec747a936b49968fce0642d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77106 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
core-ci <typo3@b13.com>
-
Oliver Hader authored
Change-Id: I0fb42b9563e80b9e5d4b6d303edb6d6bfe7f1c25 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77105 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.1

composer req typo3/html-sanitizer:^2.1.1
composer req typo3/html-sanitizer:^2.1.1 \
  -d typo3/sysext/core --no-update

Resolves: #99351 Releases: main, 11.5, 10.4 Change-Id: I25a17ce13a8f90cdd07a7cc51e515dff3b6bb03b Security-Bulletin: TYPO3-CORE-SA-2022-017 Security-References: CVE-2022-23499 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77088 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
Introducing Yaml placeholders in the backend user interface can lead to information disclosure and denial-of-service scenarios. This change disallows adding new placeholders and throws an exception - existing placeholders are kept. Resolves: #89401 Releases: main, 11.5, 10.4 Change-Id: I69e24de07b5327507e1bf8de990f84402078f7d4 Security-Bulletin: TYPO3-CORE-SA-2022-016 Security-References: CVE-2022-23504 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77087 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Oliver Hader <oliver.hader@typo3.org>
-
waldhacker authored
Only evaluate TypoScript-like instructions like

```
submitButtonLabel = TEXT
submitButtonLabel.value = Bar
```

defined within `plugin.tx_form.settings.formDefinitionOverrides` and `plugin.tx_form.settings.yamlSettingsOverrides` and **not** within form definition yaml files or the form setup yaml files. This is achieved by not searching the entire form definition or form setup for TypoScript instructions, but only the actual TypoScript. Resolves: #98403 Releases: main, 11.5, 10.4 Change-Id: I7b066f109d6061715c2240b01ed15185c58fa9f5 Security-Bulletin: TYPO3-CORE-SA-2022-015 Security-References: CVE-2022-23503 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77086 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Torben Hansen authored
The password reset process for TYPO3 backend and frontend users does not destroy possible existing user sessions after the password has been changed. With this patch, all existing user sessions are destroyed when the password is changed in the password reset process. Resolves: #98462 Releases: main, 11.5, 10.4 Change-Id: I6744bfcf7cae56b4e525f2e0f9a44d06cf14396c Security-Bulletin: TYPO3-CORE-SA-2022-014 Security-References: CVE-2022-23502 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77085 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Oliver Hader authored
This change ensures that individual storage page ids are valid by signing corresponding values with an HMAC. Resolves: #98010 Releases: main, 11.5, 10.4 Change-Id: I34d474ab23adca6bbcf20c108bb60acf6998bc6f Security-Bulletin: TYPO3-CORE-SA-2022-013 Security-References: CVE-2022-23501 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77084 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
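The HMAC signing this commit introduces for the storage `pid`, combined with the `security.frontend.enforceLoginSigning` feature flag from the Dec 14 commit above that lets the check be disabled for backward compatibility, as an added example. This is not TYPO3's own implementation; signPid(), verifyPid(), the `@` separator, the purpose prefix and the constructed key are assumptions:

```php
<?php
declare(strict_types=1);

/**
 * Added example, not TYPO3 core code: sign a request parameter with an HMAC
 * and verify it before use, which is what the fix for TYPO3-CORE-SA-2022-013
 * does for the frontend login's storage `pid`, plus the feature flag from the
 * follow-up change that lets the check be switched off. Function and flag
 * names are assumptions; the key below is a constructed stand-in for the
 * installation's server-side encryption key.
 */
const ENCRYPTION_KEY = 'constructed-example-key-do-not-reuse';

/** Value that is rendered into the form's hidden field. */
function signPid(int $pid, string $secret = ENCRYPTION_KEY): string
{
    $value = (string)$pid;
    // Bind the MAC to its purpose so a signature produced for some other
    // field cannot be replayed as a pid signature.
    $hmac = hash_hmac('sha256', 'frontend-login/pid|' . $value, $secret);
    return $value . '@' . $hmac;
}

/**
 * Return the pid if the signature is valid, null if it is missing or has been
 * tampered with. With $enforceLoginSigning === false (the feature flag
 * mentioned above switched off) an unsigned numeric value is accepted as-is.
 */
function verifyPid(string $submitted, bool $enforceLoginSigning = true, string $secret = ENCRYPTION_KEY): ?int
{
    if (strpos($submitted, '@') === false) {
        // Legacy unsigned form: only acceptable while enforcement is off.
        return (!$enforceLoginSigning && ctype_digit($submitted)) ? (int)$submitted : null;
    }
    [$value, $hmac] = explode('@', $submitted, 2);
    if (!ctype_digit($value)) {
        return null;
    }
    $expected = hash_hmac('sha256', 'frontend-login/pid|' . $value, $secret);
    // Constant-time comparison so the check leaks nothing about how many
    // bytes of the submitted MAC were correct.
    return hash_equals($expected, $hmac) ? (int)$value : null;
}

// Constructed demonstration values.
$signed   = signPid(42);
$tampered = '43' . substr($signed, strlen('42')); // same MAC, different pid

$cases = [
    'signed, untouched'                      => [$signed, true],
    'pid changed, MAC kept'                  => [$tampered, true],
    'unsigned, signing enforced'             => ['42', true],
    'unsigned, enforceLoginSigning disabled' => ['42', false],
];
foreach ($cases as $label => [$input, $enforce]) {
    printf("%-40s %s\n", $label . ':', var_export(verifyPid($input, $enforce), true));
}
```

Anything a client can edit freely (a hidden form field, a query parameter) needs this kind of server-side integrity check before it is used to pick the storage folder; the feature flag exists only so that integrations which generate their own login forms can be migrated, and the secure default is to leave it enabled.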
-
Benni Mack authored
TYPO3 now uses a lock strategy to avoid having too many requests waiting for the generation of the error page (which cannot be generated via the external HTTP request, as there might be not enough workers / PHP processes available during a DoS attack). If a lock is in place, it directly returns a generic error response instead of waiting for the lock or for the error page to be retrieved/rendered. Additionally, if the external error page could not be retrieved (HTTP status code other than 200), it will also create a generic response and cache that instead. This avoids repeatedly requesting the erroneous external HTTP page. This could happen when using external HTTP requests (Guzzle) to resolve an error page (via PageContentErrorHandler) for 404 sites. Resolves: #98384 Releases: 11.5, 10.4 Change-Id: Iae1cae882707a519b2cef85112525ea213a72eef Security-Bulletin: TYPO3-CORE-SA-2022-012 Security-References: CVE-2022-23500 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77083 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
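An added example of the lock strategy described in this commit. It is not TYPO3's PageContentErrorHandler; the class name, the file-based lock and cache, and the injected fetcher standing in for Guzzle are assumptions. A caller that cannot take the lock gets the generic response at once, a non-200 answer is replaced by the generic response and cached, and the demonstration at the end shows that three requests while the error page is broken cause exactly one external fetch:

```php
<?php
declare(strict_types=1);

/**
 * Added example, not TYPO3's PageContentErrorHandler: serve an external
 * error page under a non-blocking lock, as the change above describes.
 *  - While one process fetches the page, every other caller gets a generic
 *    error response immediately instead of queueing another HTTP request.
 *  - A non-200 answer is replaced by the generic response, and that generic
 *    response is cached too, so a broken error page URL is not requested
 *    again on every 404.
 * Class and file names, and the file-based lock and cache, are assumptions;
 * the fetcher is injected so the example runs without network access.
 */
final class ErrorPageRenderer
{
    private const GENERIC_BODY = 'The requested page could not be found.';

    /** @var callable(string): array{int, string} returns [statusCode, body] */
    private $fetch;
    /** @var string */
    private $lockFile;
    /** @var string */
    private $cacheFile;

    public function __construct(callable $fetch, string $stateDir)
    {
        $this->fetch = $fetch;
        $this->lockFile = $stateDir . '/error-page.lock';
        $this->cacheFile = $stateDir . '/error-page.cache';
    }

    public function render(string $errorPageUrl): string
    {
        // Cached content is served without touching the lock or the network.
        if (is_file($this->cacheFile)) {
            return (string)file_get_contents($this->cacheFile);
        }
        // LOCK_NB makes flock() fail at once when another process holds the
        // lock; that caller answers with the generic body instead of waiting.
        $handle = fopen($this->lockFile, 'c');
        if ($handle === false || !flock($handle, LOCK_EX | LOCK_NB)) {
            return self::GENERIC_BODY;
        }
        try {
            // Another process may have filled the cache between our first
            // check and acquiring the lock.
            if (is_file($this->cacheFile)) {
                return (string)file_get_contents($this->cacheFile);
            }
            [$status, $body] = ($this->fetch)($errorPageUrl);
            if ($status !== 200) {
                $body = self::GENERIC_BODY;
            }
            file_put_contents($this->cacheFile, $body, LOCK_EX);
            return $body;
        } finally {
            flock($handle, LOCK_UN);
            fclose($handle);
        }
    }
}

// Constructed demonstration: a fake fetcher standing in for the Guzzle call,
// answering 503 so the fallback path is exercised.
$stateDir = sys_get_temp_dir() . '/error-page-demo-' . getmypid();
mkdir($stateDir);
$calls = 0;
$fetch = function (string $url) use (&$calls): array {
    $calls++;
    return [503, 'Service Unavailable'];
};
$renderer = new ErrorPageRenderer($fetch, $stateDir);

// 1. Simulate a concurrent worker that currently holds the lock (a second
//    open file description conflicts with our own): the renderer must answer
//    immediately without making a request.
$other = fopen($stateDir . '/error-page.lock', 'c');
flock($other, LOCK_EX);
echo 'while locked elsewhere: ', $renderer->render('https://example.com/404'), PHP_EOL;
flock($other, LOCK_UN);
fclose($other);

// 2. Lock is free: one request is made, the 503 becomes the generic body and
//    is cached.  3. Cache hit: no further request.
echo 'lock free:              ', $renderer->render('https://example.com/404'), PHP_EOL;
echo 'cached:                 ', $renderer->render('https://example.com/404'), PHP_EOL;
echo 'external requests made: ', $calls, PHP_EOL;
```

The point of the non-blocking acquire is that a flood of 404 requests costs one upstream fetch and otherwise only the time to write a static response; a blocking lock would still tie up one PHP worker per waiting request, which is the resource exhaustion the bulletin addresses.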
-
Oliver Hader authored
In case the web server scenario is not properly configured to deny HTTP host header injection, and the trustedHostsPattern is not explicit enough, a corresponding check in the reports module will issue an error message like

* HTTP_HOST contained unexpected "a0a3aa2f59.random.example.org"
* SERVER_NAME contained unexpected "a0a3aa2f59.random.example.org"

Using the configuration directive `UseCanonicalName On` for Apache web server environments mitigates the risk. Resolves: #99347 Releases: main, 11.5, 10.4 Change-Id: Iaafd136fd817a0722f482d1d0e6b198382e40e3d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77038 Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
core-ci <typo3@b13.com> Reviewed-by:
Benni Mack <benni@typo3.org>
-