  1. Sep 10, 2013
    • [TASK] Install tool configuration system · 92e5e6c5
      Christian Kuhn authored
      The patch implements a "configuration system" to the install tool
      that bundles several settings to enable them on click
      depending on system capabilities.
      
      A "feature" is represented by a set of configuration options that
      are filled by different presets. Presets have a priority, the
      best preset is the first one. Presets can be available or
      not available and active or not. For example the "image handling"
      feature has the presets "GraphicsMagick" and "ImageMagick 6" and
      a "Custom" preset if the others do not fit.
      
      This first patch implements "Charset conversion", "Image handling",
      "Development / Production" and "Extbase object cache" settings.
      
      During installation the available preset with highest priority
      is configured.
      
      Change-Id: I7304ef001717989720924e7ae03951eb3874adfd
      Resolves: #51454
      Releases: 6.2
      Reviewed-on: https://review.typo3.org/23321
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Jigal van Hemert
      Tested-by: Jigal van Hemert
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [BUGFIX] Follow-up: Fix fileinfo property mapping in ResourceStorage · bcbc7268
      Stefan Neufeind authored
      Adjust unittest to changed conditions.
      
      Change-Id: Ia885ba544a159cb1666464cece30c3e6ea3558b6
      Fixes: #49386
      Releases: 6.2, 6.1, 6.0
      Reviewed-on: https://review.typo3.org/23716
      Reviewed-by: Ernesto Baschny
      Tested-by: Ernesto Baschny
    • [FEATURE] Enable/disable cascading deletion of child elements · 08c78c7b
      Christoph Niewerth authored
      Deleting a record will also delete all child records,
      which are configured as type inline (field, list) within.
      This patch adds a behaviour configuration option "enableCascadingDelete"
      which is by default treated as true. If set to FALSE or '' or 0
      deletion of inline child records will be disabled.
      
      Resolves: #50391
      Releases: 6.2
      Change-Id: I7462e7721cd140880edeea82664ce4721aea63a7
      Reviewed-on: https://review.typo3.org/22551
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
      Reviewed-by: Stefan Neufeind
      Tested-by: Stefan Neufeind
    • [BUGFIX] Exception using cObject FORM in TypoScript · dd84d0b3
      Andreas Bouche authored
      Through a bug introduced by #31120, an Exception is thrown when a
      TypoScript FORM object should be rendered.
      
      Change-Id: Ie67484fd014620ea229a7bee8bfebd063a3b57ae
      Fixes: #31572
      Releases: 6.2, 6.1, 6.0, 4.7
      Reviewed-on: https://review.typo3.org/6537
      Reviewed-by: Ernesto Baschny
      Tested-by: Ernesto Baschny
      Reviewed-by: Stefan Neufeind
      Tested-by: Stefan Neufeind
  2. Sep 09, 2013
    • [BUGFIX] Fix fileinfo property mapping in ResourceStorage::setFileContents · ca5ea8a6
      Thomas Maroschik authored
      Fixes the handling of the mismatch between the file info property
      "mimetype" and the file object property "mime_type" by using the
      exposed API methods.
      
      Fixes: #49386
      Releases: 6.2, 6.1, 6.0
      Change-Id: If948de2a8bead340ae97097b3e4e391a27296362
      Reviewed-on: https://review.typo3.org/21634
      Reviewed-by: Steffen Ritter
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Stefan Neufeind
      Tested-by: Stefan Neufeind
    • [FEATURE] FAL missing files report · a242f24f
      Frans Saris authored
      Adds a report about files flagged as missing.
      
      Resolves: #51097
      Releases: 6.2
      Change-Id: I95f55fe9f0da9247e6960663dd315e82e18cc2b6
      Reviewed-on: https://review.typo3.org/23143
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Fix missing translation in ext:reports · 91d723d8
      Wouter Wolters authored
      Fix missing translation for ext:sv in ext:reports.
      This was not transferred to the new location for
      the locallang.xlf file.
      
      Change-Id: I594d9c89afbc42c5b6447fc2306a88d3c027b40e
      Resolves: #51873
      Releases: 6.2
      Reviewed-on: https://review.typo3.org/23711
      Reviewed-by: Stefan Neufeind
      Tested-by: Stefan Neufeind
    • [BUGFIX] Extbase scheduler task serialization · 5e98799a
      arjenhoekema authored
      When using Command Controllers as scheduled tasks the Extbase
      Scheduled Task is serialized. Some singleton properties like
      'objectManager', 'commandManager' and 'taskExecutor' are serialized
      leading to duplicates of these objects.
      
      Added magic "__sleep" and "__wakeup" methods destructing and
      re-constructing the above objects.
      
      Resolves: #50723
      Releases: 6.2, 6.1, 6.0
      Change-Id: I0a84487a1d8885f75dd4b4eaf004bb0dc93645c2
      Reviewed-on: https://review.typo3.org/23634
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Philipp Gampe
      Reviewed-by: Stefan Neufeind
      Tested-by: Stefan Neufeind
    • [TASK] Cleanup · 429f36e2
      Wouter Wolters authored
      Replace \' with " in exceptions
      
      Add missing PHP closing tag in StoragePermissionsAspect
      
      Restructure a select query in the
      BackendUserAuthentication class.
      
      Change-Id: Id161c761288be93b8f43a2f855254ac954c32d5b
      Resolves: #51744
      Releases: 6.2, 6.1, 6.0
      Reviewed-on: https://review.typo3.org/23620
      Reviewed-by: Sascha Egerer
      Tested-by: Sascha Egerer
      Reviewed-by: Georg Ringer
      Tested-by: Georg Ringer
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
    • [TASK] Replace double quotes in exceptions · e1a63147
      Wouter Wolters authored
      Replace double quotes in exceptions to single quotes
      
      Change-Id: I1a98d783d34eaf4f131b14ab27098c6a4759c9a0
      Resolves: #51743
      Releases: 6.2, 6.1, 6.0
      Reviewed-on: https://review.typo3.org/23619
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
    • [BUGFIX] Ignore userTSConfig if not set in getModTSconfig() · a44c8f7e
      Helmut Hummel authored
      It can happen that settings that are not defined in
      userTSConfig can overwrite pageTSConfig settings
      with a null value because of the change in #51007
      
      This case is now checked so that in this case
      the original pageTSConfig value is preserved.
      
      Resolves: #51871
      Releases: 6.0, 6.1, 6.2
      Change-Id: I3fa356a1e5aa20716a6bc83f7c76b8b755fc0bbf
      Reviewed-on: https://review.typo3.org/23701
      Reviewed-by: Ernesto Baschny
      Tested-by: Ernesto Baschny
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
    • [BUGFIX] Do not add trailing slashes to files · 3315bc61
      Helmut Hummel authored
      In the security fix #50883 a canonicalize method
      for folders has been used where items could
      either be files or folders.
      
      This added a trailing slash to files which triggered
      a basedir PHP warning if basedir is configured
      in PHP.
      
      Use the canonicalize method for file paths instead
      to fix this issue.
      
      Resolves: #51761
      Releases: 6.0, 6.1, 6.2
      Change-Id: I9ef4b6a90ca257ad0104115bd7d48c4de68f135f
      Reviewed-on: https://review.typo3.org/23696
      Reviewed-by: Simon Schick
      Tested-by: Simon Schick
      Reviewed-by: Stefan Neufeind
      Tested-by: Stefan Neufeind
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [FEATURE] Show upload form for extensions in Get Extensions section · 2fb54fca
      Ingo Pfennigstorf authored
      This patch adds the upload form to the "Get Extensions" section in the
      ExtensionManager.
      
      Change-Id: Id8e698ba0d1c2cc1dddec61bba902d4913e1b01c
      Resolves: #51776
      Releases: 6.2
      Reviewed-on: https://review.typo3.org/23639
      Reviewed-by: Philipp Gampe
      Tested-by: Philipp Gampe
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [FEATURE] Enhance youtube id getting · 83b4390d
      Steffen Ritter authored
      The preg_match to fetch the video id from a URL covers only a few
      variations. The enhancement covers a lot more possibilities.
      
      Releases: 6.2
      Fixes: #51728
      Change-Id: Ie9d0b3b5dbfff4e129d37fcf351d1d8c5fcdfc98
      Reviewed-on: https://review.typo3.org/23616
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
  3. Sep 08, 2013
  4. Sep 06, 2013
    • [BUGFIX] Follow-up to IRRE override strategy · 866f0c6d
      Steffen Ritter authored
      In #49685 a more usable behavior of the override strategy
      has been introduced for FAL usages. The new output from
      TCEforms (FormEngine) lacks proper escaping of JavaScript
      and HTML-Code.
      
      This followup adds proper encoding and makes the
      newly introduced isNew() method more robust.
      
      Backports of the original patch will have to include
      this patch-set directly.
      
      Resolves: #51818
      Related: #49685
      Releases: 6.2
      Change-Id: I2914b4606de4bee0f93861a2de0574362c98d166
      Reviewed-on: https://review.typo3.org/23526
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Disable caching for ADMCMD_view parameter · c8a3e364
      Philipp Kitzberger authored
      This prevents that previewing a page leads to an entry for this page
      in the TYPO3 cache table because contents on this page might be set
      hidden.
      
      Resolves: #51682
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Change-Id: I154d790454bf6bf0215b83e493919107a6c5bd93
      Reviewed-on: https://review.typo3.org/23558
      Reviewed-by: Georg Ringer
      Tested-by: Georg Ringer
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Enable ProcessedFiles to do file exists · 4bf5e79f
      Helmut Hummel authored
      Make storage 0 folder readable, browsable and writable
      to mitigate the problems that arise with non
      readable processing directories.
      
      Also allow file exists in general if the
      identifier in subject is in processing folder.
      
      Resolves: #51808
      Releases: 6.0, 6.1, 6.2
      Change-Id: I1959d7911d955592db1771d608e8fafcc26c45e9
      Reviewed-on: https://review.typo3.org/23660
      Reviewed-by: Horst-Dietrich Frank
      Tested-by: Horst-Dietrich Frank
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
      Reviewed-by: Jakob Hombsch
      Tested-by: Jakob Hombsch
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Suggest wizard broken when used in a repeating flexform element · 0fa2da46
      Gabe Blair authored
      Get correct fieldConfig when in repeating flexform. Adjust
      JavaScript a bit to make this work.
      
      Resolves: #48474
      Releases: 6.2, 6.1, 6.0
      Change-Id: I7c8a5ecfc2f1d7cfb10ca86a40a3429d3a60ee1f
      Reviewed-on: https://review.typo3.org/20990
      Reviewed-by: Zach Davis
      Tested-by: Zach Davis
      Reviewed-by: Mattias Nilsson
      Tested-by: Mattias Nilsson
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Replace old images by sprite · 3da7139f
      Krzyszrtof Adamczyk authored
      Adding new images to sprite
      
      Resolves: #50573
      Releases: 6.2
      Change-Id: I586c206bc84dd44230a6b56ea6e9deaf1d63849f
      Reviewed-on: https://review.typo3.org/23546
      Reviewed-by: Tymoteusz Motylewski
      Tested-by: Tymoteusz Motylewski
      Reviewed-by: Piotr Molewski
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Recreate processing folder without permission checks · 52b11e5d
      Helmut Hummel authored
      When fetching the processing folder and it does not
      exist, it is created on the fly. This should be done
      without checking permissions. However by making
      storage 0 not browsable, permissions will be checked
      when fetching subfolders.
      
      Instead we now fetch the folder objects directly
      from the driver, where no permission checks are done.
      
      Resolves: #51747
      Releases: 6.0, 6.1, 6.2
      Change-Id: I1a4c3b183323151c436969a478c669adb3856476
      Reviewed-on: https://review.typo3.org/23633
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [BUGFIX] Do not register storage factory slot during install · 65768d05
      Helmut Hummel authored
      In install tool context TYPO3_MODE is set to BE
      but there is no backend user initialized.
      Because of that the storage permission aspect
      fails as it requires a valid backend user object.
      
      Do not register the slot when in install tool context.
      
      Releases: 6.0, 6.1, 6.2
      Resolves: #51733
      Change-Id: I2da95ccd357b730b97bcf99bef21b18c04469274
      Reviewed-on: https://review.typo3.org/23621
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
  5. Sep 05, 2013
  6. Sep 04, 2013
    • [SECURITY] Prohibit accessing storage 0 from backend UI · cbed687f
      Steffen Ritter authored
      Manually accessing backend entry-points regarding files passing
      an identifier with storage 0 may allow unfiltered access for read,
      write, rename, create and delete actions.
      
      The user interface must never deal with storage 0. Therefore
      implement checks for storage 0 as protection.
      
      Change-Id: Ia387dfac3057760800171163ff91cd9f55cab4b5
      Releases: 6.2, 6.1, 6.0
      Fixes: #50886
      Security-Commit: b813a875ad76aa7860b76602eb1f32dcfc9fadcd
      Security-Bulletin: TYPO3-CORE-SA-2013-003
      Reviewed-on: https://review.typo3.org/23608
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Identifiers may refer to resources outside the storage · f48a1c1b
      Steffen Ritter authored
      The Driver needs to canonicalize all incoming identifiers at first,
      and then check for their validity on every action performed.
      If a canonicalized path resided inside a storage it does not contain
      any ../ anymore.
      An exception is thrown in that case.
      
      Change-Id: I6114be2a517bb44753f92bea1b3b7dfdd42a2f1f
      Releases: 6.2, 6.1, 6.0
      Fixes: #50883
      Security-Bulletin: TYPO3-CORE-SA-2013-003
      Reviewed-on: https://review.typo3.org/23607
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Deny arbitrary code execution possibility for editors · 5d9b4e33
      Helmut Hummel authored
      Because the filename is sanitized in the driver
      after the check for denied file extensions is
      performed, it was still possible to rename files
      with denied file extensions.
      
      We now perform the file extension check
      on the final filename which is going to be used
      by the driver.
      
      This change makes the sanitizing method public
      and introduces a basic implementation in
      AbstractDriver to not break existing driver
      implementations.
      
      Fixes: #51495
      Releases: 6.2, 6.1, 6.0
      Change-Id: I2c055b7b070a5e13c2172d1f20fdcd83ee597e08
      Security-Commit: de60d4ef37fc582e6349d5fa8ed13ec30d4892ff
      Security-Bulletin: TYPO3-CORE-SA-2013-003
      Reviewed-on: https://review.typo3.org/23598
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Refactor and fix FAL user permission handling · a7e77220
      Helmut Hummel authored
      * User permissions are only applied to storage objects
        that are attached to a member variable of
        BackendUserAuthentication. This is error prone
        and leads to insufficient (no) checks if the code
        fetches a storage directly from the factory
        (like edit document controller does)
        Instead, apply the permissions by using a signal
        in StorageFactory directly after the storage object
        is built.
      
      * Refactor the mount point handling, especially the
        user and group home directories, which was completely
        broken after the introduction of FAL. File mounts
        are now also applied to the storage on creation.
      
      * Make fallback storage 0 read only and not browsable.
      
      Fixes: #51327
      Releases: 6.2, 6.1, 6.0
      Change-Id: If1fa18486cf051a7f4489e36691d42786386df63
      Security-Commit: 936dbaf5d16acd36b668dcf033eb343fc5e2f7bf
      Security-Bulletin: TYPO3-CORE-SA-2013-003
      Reviewed-on: https://review.typo3.org/23597
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Add possibility to en-/disable file permission checks · 3ebb905f
      Helmut Hummel authored
      For admins and for front end requests, we must be able
      to deactivate permission checks completely, while
      it must be possible to restrict backend users
      to not have any file permissions, thus not be able to
      see/change any file.
      
      Fixes: #51326
      Releases: 6.2, 6.1, 6.0
      
      Change-Id: I0b2ba16562d412e4a3bb523a54f7de317ea25c25
      Security-Commit: eceac26733d6dff1826b149494532fb321274611
      Security-Bulletin: TYPO3-CORE-SA-2013-003
      Reviewed-on: https://review.typo3.org/23596
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Check permissions in all actions of ResourceStorage · 770b53e1
      Steffen Ritter authored
      The ResourceStorage omits checks for the configured user and
      group permissions within the actions on that Storage.
      
      This patch refines some naming within the security methods
      as well as adding security checks to every method.
      
      PHP file extensions are now also removed from the
      text file extension list.
      
      Releases: 6.2, 6.1, 6.0
      Fixes: #51079
      Change-Id: I95a6d89da7eb2b6ea52afea1c49b1df8acb00707
      Security-Commit: f5d926ec7a99098ad42117cf2e0b3b67dae057a4
      Security-Bulletin: TYPO3-CORE-SA-2013-003
      Reviewed-on: https://review.typo3.org/23595
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  7. Sep 02, 2013
    • [FEATURE] CLI command to install and uninstall extensions by key · 3d096be4
      Claus Due authored
      This change adds a CommandController for EXT:extensionmanager;
      this new CommandController contains two actions (install, uninstall)
      which are then handled by the Utility which contains the actual logic.
      
      Usage example: ./typo3/cli_dispatch.phpsh extbase extension:install [key]
      
      Resolves: #51629
      Releases: 6.2
      Change-Id: I3561a427f4eff4c5041326f706ed8c77bbbbe9be
      Reviewed-on: https://review.typo3.org/23535
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Extend Share font character set · 2d26fd5c
      Jigal van Hemert authored
      The four variations of the Share font contain now over 550 glyphs.
      The bold-italic variation is also added to complete the font family.
      
      Change-Id: I04578cc7da74319662428e688e8152403dfc04b1
      Resolves: #49996
      Releases: 6.2
      Reviewed-on: https://review.typo3.org/23482
      Reviewed-by: Ernesto Baschny
      Tested-by: Ernesto Baschny
      Reviewed-by: Jigal van Hemert
      Tested-by: Jigal van Hemert
  8. Sep 01, 2013
  9. Aug 31, 2013