- Jul 25, 2023
-
-
Andreas Fernandez authored
The Icon API in general knows the icon size "mega", which renders an icon in the dimensions 64x64. However, the according constant was absent in the `Icon` class, which is now added. Resolves: #101431 Releases: main, 12.4 Change-Id: Ib889a1f8862591a4c78453ac24e15ce869781715 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80135 Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
core-ci <typo3@b13.com> Tested-by:
-
Oliver Klee authored
This particularly helps PHPStan in extensions that call those methods detect unnecessary checks for empty strings if `GU::trimExplode` is called with `$removeEmptyValues = true`. Used command: > ./Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #101395 Related: #99147 Releases: main, 12.4, 11.5 Change-Id: I6945cc0698b0777a05cb9327b342aa9aa7dee098 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80137 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
Nikita Hovratov authored
The computed property '_ORIG_uid' is only set for workspace records, which are NOT moved (t3ver_state=4). It is better to check directly for the existence of this key as done in all other occurrences where it is retrieved. The presence already ensures that we are dealing with an overlaid workspace record and that there is need to fetch the original uid. Resolves: #101426 Releases: main, 12.4, 11.5 Change-Id: I7dd1072736b476015d5d44cb82f5e670fdd484a7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80136 Reviewed-by:
-
Stefan Bürk authored
This change increases the element wait time in one acceptance tests which tends to fail due to some timing issues during nightly ci execution. Resolves: #101440 Releases: main, 12.4 Change-Id: I7d2318fa78b32e40a6148a6d0f65da6d96a2ad91 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80134 Tested-by:
-
Oliver Hader authored
Change-Id: Ie2710dc2609a474a2e7c3ee5e523675d86d448c7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80165 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
-
Oliver Hader authored
Change-Id: I39a7f300cec06d161db21149b163727b709a4884 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80164 Reviewed-by:
-
Oliver Hader authored
This change disallows calling an URI with page-id query parameters that are not part of a particular site - for instance the following URL `https://example.org/?id=3000&L=0` has two aspects: * the site `example.org` has the root page-id 1000 * the site `internal.example.org` has the root page-id 3000 The example above allows to call a page-id for an internal site, by using a valid and public entry point. The new feature flag `security.frontend.allowInsecureSiteResolutionByQueryParameters` allows to control this behavior for backward compatibility reasons. Per default `allowInsecureSiteResolutionByQueryParameters` is disabled. Resolves: #100889 Releases: main, 12.4, 11.5 Change-Id: I88d565b5d9bea556b4f754c3069d56124cea98bd Security-Bulletin: TYPO3-CORE-SA-2023-003 Security-References: CVE-2023-38499 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80159 Tested-by:
-
Oliver Hader authored
see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.2 composer req typo3/html-sanitizer:^2.1.2 composer req typo3/html-sanitizer:^2.1.2 \ -d typo3/sysext/core --no-update Resolves: #100917 Releases: main, 12.4, 11.5 Change-Id: If6f77217dfefe0a3c15a8a8760206b6cc5ba5687 Security-Bulletin: TYPO3-CORE-SA-2023-002 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80158 Tested-by:
-
Torben Hansen authored
When a domain model object has a lazy loading property (e.g. relation to another domain model object), the `AbstractGenericObjectValidator` may fail validation the domain model, if the database record for the related object has been deleted. This change fixes the problem by adding a null safe operator to the `$realInstance` variable in the magic `__get` call in LazyLoadingProxy. The return type for `_loadRealInstance` has been adapted, since the function actually can return `null`. This allows the removal of an entry in the phpstan baseline file. Additionally a todo in `AbstractGenericObjectValidator` has been removed, since the function actually supports lazy loading proxies as the initial error shows. Resolves: #101400 Releases: main, 12.4 Signed-off-by:
Torben Hansen <derhansen@gmail.com> Change-Id: Ib39da09fdc94ef529f672af7f948d6a7fd82e531 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80133 Tested-by:
Nikita Hovratov <nikita.h@live.de> Reviewed-by:
-
- Jul 24, 2023
-
-
Sybille Peters authored
Ckeditor 5 is used since TYPO3 12 which has significantly changed how elements in the DOM are handled. The `a` element is handled in the plugin typo3-link, but it did not handle some attributes correctly, specifically: - class - rel - target This resulted in only `href` and `title` being persisted when saving or switching between source and normal mode. This is now fixed, so that all 5 attributes will be handled correctly. Resolves: #101360 Related: #96874 Releases: main, 12.4 Change-Id: I403ec880a24ae582a8c73b2ac2ccae49ffcbc21f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80131 Tested-by:
Benjamin Franzke <ben@bnf.dev> Tested-by:
-
Ayke Halder authored
The `redirectMode=refererDomains` configuration allows to process a redirect after a successful login to an evaluated referer value. This patch fixes the evaluation of https urls as referer value. Without this patch only http urls are evaluated correctly. Also do not match hostnames that contain an invalid underscore in name. Additionally the regex matching for the domain was not quoting the configured domain names and thereby matching dots as 'any single character' instead of a dot. Resolves: #100215 Releases: main, 12.4, 11.5 Change-Id: I589638d82627283b5acdeec5da0243e082cc5ebf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80071 Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
Stefan Bürk authored
PHP8.3 emits a warning for content handed over to unserialize() which contains superflous content at the end. The silence operator `@` is now used to suppress the test setup unserialize() to avoid this exact warning as preparation for PHP8.3 introduction. Can be verified before and after by executing: > Build/Scripts/runTests.sh -p 8.3 -s unitDeprecated Resolves: #101409 Releases: main, 12.4, 11.5 Change-Id: I5741cd86e8e0a8afedb49ad01676d0766d5fbfaa Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80069 Tested-by:
Stefan B�rk <stefan@buerk.tech> Reviewed-by:
-
- Jul 21, 2023
-
-
Tizian Schmidlin authored
When updating entries, the `updateFields` will provide `uid`, which works fine in MySQL but might lead to problems when working with stricter DBMS. Such an example of a DBMS not liking the update of an identity field, is SQL Server. Now, I know that SQL Server will not be supported in TYPO3 v12 going onward, but on the off-chance that somebody has another DBMS than MySQL or has DBMS that will break when trying to update an identify field, this bugfix might still be valuable. The bug exists back to TYPO3 10 at least. Releases: main, 12.4, 11.5 Resolves: #100175 Change-Id: Id4dd90579191da0cb770490256087209e749deb4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80067 Tested-by:
-
Andreas Fernandez authored
Due to color changes in the notifications, the spinner used in deferred actions was barely visible since then. This patch changes the icon identifier to `spinner-circle`, showing a darker spinner again. Resolves: #101399 Releases: main, 12.4 Change-Id: I1f3f8fa83b4c68103376ae154693c4381ce75c25 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80066 Tested-by:
-
Oliver Klee authored
Convert an improperly used array shape into a list. Resolves: #101390 Releases: main, 12.4 Change-Id: Ic02efafbb90caa010307716465b3a0adb447544c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80065 Tested-by:
-
- Jul 20, 2023
-
-
Stefan Bürk authored
Handling the pages slug changed event has been implemented with a dedicated hook handling class, consuming two DataHandler hooks to prepare and handle the redirect creation and slug update for subpages. Auto redirect creation and subpage slug updating are controlled by site setting configuration options. The chosen second hook `processDatamap_postProcessFieldArray()` is executed before the record is persisted into the database. This change switches to `processDatamap_afterDatabaseOperations()` as the second hook, so handling code can expect to have the changes persisted to the database already. For example, this would allow to use the slug generator in the `updateSlug()` method in a dedicated change as possible solution for #96928. Resolves: #101335 Related: #96928 Releases: main, 12.4 Change-Id: I5a83b6ecb9bebd7d1ebf1f3c704ca2ec2c10aa96 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80064 Tested-by:
-
Gerrit Mohrmann authored
Site settings have been extracted from `config.yaml` with #99047 by providing a dedicated `UpgradeWizard`. Site settings are now read from the `settings.yaml` in the site configuration folder, if it exists. During editing site configuration within the GUI, the deprecated settings in the `config.yaml` has been updated. That missbehaviour was corrected with #100162. Before these changes, symfony yaml placeholder have been replaced except if the SiteConfiguration have been loaded in edit context or context needing the raw configuraiton (couple of form engine elements). Loaded from `settings.yaml` the placeholder are not replaced anymore. This change now ensures that site settings loaded from the `settings.yaml` are loaded with replacing placeholder again. Additionally, a todo-comment is added to raise some precaution for an eventually coming settings GUI for the `settings.yaml`. Resolves: #101386 Related: #100162 Related: #99047 Releases: main, 12.4 Change-Id: I6c601226b404c1d1180d6702950af2cbd3e41529 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80063 Tested-by:
-
- Jul 19, 2023
-
-
Christian Kuhn authored
Some rather minor script modifications in runTests.sh to prepare #97566 Resolves: #101389 Related: #97566 Releases: main, 12.4, 11.5 Change-Id: I35e2acd7848f5b49c2a1359d2e976cb553d72ac0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80094 Tested-by:
-
Benni Mack authored
Resolves: #100853 Releases: main, 12.4, 11.5 Change-Id: I8a1284c2c859cde9d114fecbbe9c5a1e38a35c94 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80091 Tested-by:
-
Oliver Klee authored
The variable `$port` in the changed code is an array element from the return value of `GeneralUtility::trimExplode()` with the `$removeEmptyValues` argument set to `true`. Hence it is ensured to not be an empty string. This change should be backported as it otherwise would block improvements for the type annotations of `GeneralUtility::trimExplode()`. Resolves: #101384 Releases: main, 12.4, 11.5 Change-Id: I74ce433495fc3975c11991d21831db0244eacba0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80089 Tested-by:
-
Georg Ringer authored
Just clear potential the page being edited from indexed_search's index. The previous implementation did also take potential child pages, into account, but not the page itself. Resolves: #100877 Releases: main, 12.4, 11.5 Change-Id: I4c8e0c70e68744f629cb1b1c9f62b5f3028502fd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80062 Tested-by:
-
- Jul 18, 2023
-
-
Oliver Klee authored
A route option that is missing should either not be set at all, or it should be `null`, but it will never be `false`. Simplify the test by removing the missing option altogether to make the test more minimal. Resolves: #101382 Releases: main, 12.4 Change-Id: I76359e128b3d9715cf1a3741597ce7830374b613 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80061 Tested-by:
-
Nikita Hovratov authored
These tests verify the regression fix for #101379 Resolves: #101385 Related: #101379 Releases: main, 12.4 Change-Id: Ic98e87038de1c74d25190dc7b659c347e01d900a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80060 Tested-by:
-
Nikita Hovratov authored
Since the introduction of customizable page type icons, the fallback icons did no longer work. Only the icon and variations for "contentFromPid" worked. The reason is, that these icons are prefixed with "page" while the other ones are prefixed with the doktype ("1"). This is fixed now by providing an optional argument for the getRecordTypeForPageType method, which takes the type name as parameter. The default is "1". Resolves: #101379 Related: #90042 Releases: main, 12.4, 11.5 Change-Id: Ia4379899642ad477026dd73b1ac0c22b918a1629 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80058 Reviewed-by: -
Stefan Bürk authored
The main query execution builds a QueryBuilder instance out of different sub information. Additionally, several hooks can be used to influence the created query. On top of this, different type of search queries are possible. This change avoid consuming a lot of placeholder for list based `in()` expressions by using a corresponding QueryBuilder method suitable for the value type. This means that no placeholder are used any longer for list expressions. Note: Max query size may still be exceeded if the lists would getting bigger. This can be adjusted by database server administrators, but will lead to another exception for really large value lists. Resolves: #86859 Releases: main, 12.4, 11.5 Change-Id: Ic0ac51c13cb74a058d71152ad626c484f696b176 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80057 Reviewed-by: -
Stefan Bürk authored
RegEx redirects have been processed in the order how they have been inserted into the database ignoring the flag `respect_query_parameters` completely. Due to this fact, a non-query argument based regex redirect would match before a concrete query-argument aware regexp redirect have been matched - additionally favored by the changes introduced with #96480 to provide a fallback. To combine all use-cases and additionally fix the detected issues, this change now splits the cached regex redirects into two flavors: * `regexp_respect_query_parameters` * `regexp_flat` That follows the pre-selection for the non-regex redirects. Redirects respecting query paramaters have higher precedence above the non-respecting once. Therefore, the matching flow in the `RedirectService` has been aligned correspondingly to respect this separated workflow. The #96480 is now only applied for regex redirects which do not respect query-arguments at all. It should be considered if we should remove that safety fallback and enforce correct regex redirects in a dedicated future change. Furthermore, a deterministic sorting criteria chain has been added to the `RedirectCacheService` to ensure a deterministic loading and caching order of redirects. The changes play together, which is the reason why they are included in one change and to avoid a inbetween incorrect test chain. Regression tests have been added to cover the cases. Resolves: #101191 Related: #96480 Releases: main, 12.4, 11.5 Change-Id: I9638835c33809e92ba883efb65d86bb1e9f5031b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80056 Tested-by:
-
Helmut Hummel authored
Form elements are represented by PHP objects, which hold some state, which can be modified during form runtime. However it is impossible to access this state in a variant condition, because the instance of the current element is not passed to the expression language evaluation. The current renderable is now passed as additional variable to the condition evaluation. Resolves: #97079 Releases: main, 12.4 Change-Id: I9a4c77efcb8040b4424b30f1d80cd39ec92f2935 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80055 Tested-by:
-
Andreas Fernandez authored
The identifier for the icon cache used in the client's localStorage is now version-aware to get a chance of updated icons after a release. It now uses the same identifier as the backend cache. Previously, only the registry state itself was taken into account which may not change if icons assets get updated. Resolves: #101348 Releases: main, 12.4, 11.5 Change-Id: I15dfc9d4bf1288f9787f88f579beccf3b13a3fc6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80051 Reviewed-by:
-
- Jul 17, 2023
-
-
Torben Hansen authored
In redirects module it is possible to configure redirects to records available through the LinkHandler API. This currently fails with an exception, since the redirects module tries to resolve the link to the record in the list view. The reason for this is the `DatabaseRecordLinkBuilder`, which uses the `frontend.typoscript` attribute from the request object to retrieve the TypoScript setup. This attribute is not available in backend context. This change ensures that the `$typoScriptArray` will fall back to an empty array if the `frontend.typoscript` request attribute is not available. Resolves: #101344 Releases: main, 12.4 Signed-off-by:
-
Nikita Hovratov authored
If either optionValueField or optionLabelField is not set for array option values, the ViewHelper is not correctly configured and is throwing now a meaningful exception message. Resolves: #100790 Related: #100774 Releases: main, 12.4 Change-Id: Icb693a3e5bce6a87aed0e4acc90ed34aa609e3ee Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80053 Tested-by:
-
Christian Kuhn authored
The TypoScript traverser service classes should be stateless: They currently have a visitor property plus addVisitor() and resetVisitors() methods. The patch refacorts the traversers by handing the list of visitors directly to traverse() and avoids service class state this way. Change-Id: I4b69aeba8e7c1f2f8875d007ac1c55fc2c31c38b Resolves: #101364 Related: 97816 Releases: main, 12.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80044 Tested-by:
-
Georg Ringer authored
Add the pid to the list of fields which should always be retrieved when selecting a record. This especially avoid a PHP warning in FormEngine when workspace records are overlaid. Resolves: #98181 Releases: main, 12.4, 11.5 Change-Id: Iaf5479e329693486c992495228fca1b711ba6161 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80042 Tested-by:
-
Andreas Fernandez authored
If a user decides to reset their configuration for whatever reason, all TYPO3-related items that are stored in localStorage are now removed as well. Resolves: #101353 Releases: main, 12.4 Change-Id: Ie0f1effefb004c77bb2b62647e89585640b8f06b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80052 Tested-by:
-
Andreas Fernandez authored
flatpicker uses the 12 hours format by default, offering an AM/PM selector next to the time dropdowns. In some regions, using this setting is rather unusual and may lead to user errors. To relax the sitation, browser API is used to determine the time format based on the client's language. Unfortunately, it seems browsers always assume the format based on the language only and ignore potentially overridden settings in the operating system. Resolves: #101347 Releases: main, 12.4 Change-Id: I96f92ea6c7ce52bf30bc96c1b8f5e49804fd85ab Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79991 Tested-by:
-
- Jul 15, 2023
-
-
Stefan Bürk authored
Existing upgrade wizards marked as done should not be considered as not existing and therefore not returning a error exit code in the cli command. This was the case before TYPO3 v12.2, changing that behavior with #99586 to support register upgrade wizard based on a PHP attribute. Postulating that this was a unintended side-effect for single upgrade execution, this change adds a early check if the upgrade wizards is marked as done to keep a non-error exit code and outputting a use-full note to the console. Note: Executing all possible upgrade-wizards are not related to this issue, and therefore do not need any adjustment. But this is the reason for keeping the `isWizardDone()` check in method `getWizard()`. This can be tested with: > bin/typo3 upgrade:run migrateSiteSettings ; echo "$?" for TYPO3 main or > bin/typo3 upgrade:run svgFilesSanitization ; echo "$?" for TYPO3 12.4.x (and 11.5.x as verification) Resolves: #101354 Related: #99586 Releases: main, 12.4 Change-Id: I126fccb014e418dc2e4f00aa4775753d17e11749 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79990 Reviewed-by:
-
- Jul 14, 2023
-
-
Georg Ringer authored
The method str_contains requires the 1st argument to be a string. So we need to ensure that it is a string. (It can be `null` if the command ran into an error.) Resolves: #101349 Related: #70869 Releases: main, 12.4, 11.5 Change-Id: Ic4267f1fd8290d340b5fc43acd47797b592d466e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79989 Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
-
Georg Ringer authored
Avoid exceptions due to wrong type in the link validator module. Resolves: #101352 Releases: main, 12.4, 11.5 Change-Id: Ic54b38e2fad6c203526fe27fa1b2ea6815f0578f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79988 Tested-by:
-
Andreas Fernandez authored
For cases when the FileBrowser doesn't receive any information of allowed or disallowed file extensions via the "bparams" query parameter, the code is slightly adjusted to handle this case to avoid PHP errors. Additonally, the avatar field of the user settings is adjusted to provide corresponding information, while the allowed types are set to the "imagefile_ext" list. Previously used "allowed" option in the configuration of the field is removed as it had no effect. The avatar image is always checked against the "imagefile_ext" list. Change-Id: Idfe946a5327e98958cd649ce4be18c729ab4cd9b Resolves: #101342 Related: #101231 Releases: main, 12.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79987 Tested-by:
-
Georg Ringer authored
With #99047 settings has been extracted `(copied)` into the dedicated file `settings.yaml`. Starting with that, settings are also loaded only from that file and ignored from `config.yaml`. They have been left untouched in that file by intention, therefore the corresponding UpgradeWizard does not rewrite the `config.yaml` by intention. Removing them from the `config.yaml` should be done by hand. They may be removed with a dedicated change in the future, but not for now. Resolves: #100162 Related: #99047 Releases: main, 12.4 Change-Id: If1977ad3dc615b274536f88ae9507f59ddd09918 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80022 Tested-by:
-
- Jul 13, 2023
-
-
Benni Mack authored
The special case for "pages" is that there is always a record in sys_language_uid=0 and that the pages in the default language are usually used for linking and pointing to a page. For this reason, it is important to actually fetch the page in language variant "5" for example to also fetch the page. Resolves: #101187 Resolves: #101157 Releases: main, 12.4 Change-Id: Ieb7575f0f8c669c1737f55435d1ba991ec8b5019 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79986 Tested-by:
-
