The following changes to system categories should be mentioned
in NEWS.md:

* activation by default on pages and tt_content tables
* new menu types for categories-based menus

Resolves: #54368
Releases: 6.2
Change-Id: I1ca95ea6354f52a68bd31cf284d6a103563190a4
Reviewed-on: https://review.typo3.org/26362
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

This reverts commit 2d6e8dea
This merge broke travis unit and functional tests.
Needs some work on these components to get in again.

[ci skip]

Change-Id: Ifa96df8c60472def99707431793de291043d23e4
Reviewed-on: https://review.typo3.org/26488
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

New fields were added to the tt_content table to be used when creating
categories-based menus (of pages or content elements).
Those fields are currently missing CSH.

Resolves: #54366
Releases: 6.2
Change-Id: I0fea98a7c3ecd29ffca6559314bd3f790845e3e7
Reviewed-on: https://review.typo3.org/26361
Reviewed-by: Francois Suter
Tested-by: Francois Suter

During installation of extensions the Extension Manager does
not take the Category API into account. The code to do so is
present in the Install Tool in the Database Compare Tool. It is
cumbersome to switch to the install tool to update the database
in order to use the category fields. The install tool and extension
manager currently need to know which components manipulate
the table definitions and this is bad coupling of components
which shouldn't know each other.

This fix replaces the individual calls to the components by two
signals and thus a generic approach.

Fixes: #53016
Releases: 6.2
Change-Id: Ibaea293b96fb1b8df1eacdcdd2f98acf74fb155b
Reviewed-on: https://review.typo3.org/24942
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Fabien Udriot
Tested-by: Fabien Udriot
Reviewed-by: Thomas Maroschik
Tested-by: Thomas Maroschik

This is a follow up to 7efcf2a4 which marks the newly
introduced method as internal.
https://review.typo3.org/25851

Resolves: #54126
Releases: 6.2
Change-Id: Iaffa3cf96e7e43487f4249a70460f64fc3a066ea
Reviewed-on: https://review.typo3.org/26486
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Where onclick and oncontextmenu behave the same avoid duplicating
JavaScript-code and simply call the click()-functionality.

Change-Id: Iaa0b96fd311ea1a8367ef474b483e6c92bb1bcff
Resolves: #54288
Releases: 6.2
Reviewed-on: https://review.typo3.org/26094
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Avoid having to use the substr/strlen-magic.
Also strlen(PATH_site) can be statically cached.

Change-Id: I0ef942e331e2039e2ece9a55dd740db2a3896e2c
Resolves: #54126
Releases: 6.2
Reviewed-on: https://review.typo3.org/25851
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Since #53655, reviewed at https://review.typo3.org/25481 the indexer
takes care of updating file objects and index records if a file or
folder is moved.

The unit tests have not been adapted to that change accordingly.
This changeset fixes the tests for LocalDriver and ResourceStorage.

Change-Id: Id17b01b8e47dd63750d1c11c2d4e24313b053695
Resolves: #54499
Releases: 6.2
Reviewed-on: https://review.typo3.org/26477
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Under certain circumstances the Failsafe Package Manager
could interfer with the Update Package Manager in the Install Tool.

In order to reduce this friction the migration logic is integrated
into the migration step.

Resolves: #53886
Releases: 6.2
Change-Id: I0300b9c74736262b03f9f9b59a49576b7edf5b2f
Reviewed-on: https://review.typo3.org/25648
Reviewed-by: Markus Klein
Reviewed-by: Thomas Maroschik
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

Due to the nature of the Flow Package Manager, packages cannot
be activated and directly used during runtime. Before the Package
Manager it was possible to activate/deactivate extensions in
AdditionalConfiguration.php under certain custom conditions.

This patch introduces a new setting in $GLOBALS['TYPO3_CONF_VARS']
['EXT']['runtimeActivatedPackages'] = array('{packageKey}') that
gets initialized right after the package management initialization.

Resolves: #53015
Releases: 6.2
Change-Id: Id3b85a3feb00876d2a04a02e85450a4568eb5bff
Reviewed-on: https://review.typo3.org/24939
Reviewed-by: Thomas Maroschik
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Tested-by: Alexander Stehlik
Tested-by: Frans Saris
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Markus Klein
Tested-by: Markus Klein

The processChangedAndNewFiles() method in the Indexer class now uses
the $fileIndexEntry variable for retrieving a file object from the
resource factory instead of the invalid $data variable which is NULL.

Resolves: #54312
Releases: 6.2
Change-Id: I3b9c2ce99f7b4b7c575cc4055c02912c306ed789
Reviewed-on: https://review.typo3.org/26339
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
Reviewed-by: Markus Klein
Tested-by: Markus Klein

The system extension filemetadata adds access restriction fields
for selecting frontend user groups as known from tt_content or
pages. Behind the scenes of the TCEform this relation is stored
in a MM table which is incompatible to the usual access checks.

In addition a opposite relation is added to fe_groups which
queries all files to show in a selector.

This change removes the MM table and reconfigures the fe_groups
field in the same way as it is done for tt_content and pages.

Resolves: #54236
Resolves: #54237
Releases: 6.2
Change-Id: I8a05073dee9e57e48335e1fe2a3917313563ac7d
Reviewed-on: https://review.typo3.org/25987
Reviewed-by: Markus Klein
Reviewed-by: Stefan Froemken
Tested-by: Stefan Froemken
Reviewed-by: Frans Saris
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter

The ResourceStorage does not properly make use of the Indexer.
As result the indexRecord is not properly updated after a
file change.

This patch cleans up the ResourceStorage so it doesn't update
the index properties itself but leaves that to the indexer.

Resolves: #53655
Releases: 6.2
Change-Id: I249505a1bc0b93f8b3ffb0e9cb2b7f10a9a9968e
Reviewed-on: https://review.typo3.org/25481
Reviewed-by: Stefan Neufeind
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter

ElementBrowser calls Folder::getFiles() with wrong parameters.
Properly implement the file extensions filter.

Resolves: #51752
Releases: 6.2, 6.1, 6.0
Change-Id: I56468c79225e2d3baa5e5784571074532e2287ad
Reviewed-on: https://review.typo3.org/25359
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter

If an editor has got no file mounts, an uncaught exception
is shown in the element browser.

Fix this by checking if there is a selected folder at all.

Resolves: #52969
Releases: 6.2
Change-Id: I5f9e8cc7994edd69f6db6ae1cc647ee31e4930c6
Reviewed-on: https://review.typo3.org/25357
Reviewed-by: Stefan Neufeind
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter

A regular expression in FrontendLoginController
contains an unknown modifier. Fix it by replacing the
/ to # at the beginning and the end of the regular
expression.

Change-Id: Id4d3439c1cdbec691d977570bf76ba0c7bad493c
Resolves: #52059
Releases: 6.2, 6.1, 6.0
Reviewed-on: https://review.typo3.org/23881
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

This fixes a wrong parsing of \r\n characters for radio
button options.

Resolves: #53727
Releases: 6.2, 6.1, 6.0
Change-Id: I9a88be010a7dd982776bee4a98ba99d97fcc406b
Reviewed-on: https://review.typo3.org/25482
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

ElementBrowser::isReadOnlyFolder is not required any more because the
check if the folder is writable has been moved to the methods that
create the file upload and folder creation forms.

The method and the parts where it was used were removed.

Additionally the check if the user is allowed to create folders
by TSConfig was moved to the createFolder method to reduce the amount
of duplicate code.

Resolves: #47648
Releases: 6.2, 6.1, 6.0
Change-Id: Ic6504c8def80012cbe420fc83539cfa859a53c0d
Reviewed-on: https://review.typo3.org/25358
Reviewed-by: DANIEL Rémy
Tested-by: DANIEL Rémy
Reviewed-by: Fabien Udriot
Tested-by: Fabien Udriot
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter

Icons in the pagetree should show cursor:pointer on hover.
This changed with ExtJS-upgrade in #52933 because of
x-unselectable.

Since in the pagetree we need x-unselectable unfortunately
manually bring back the old cursor-behaviour.

Change-Id: If6fa45b0e3491d9180855a4d0a462c5fb559d476
Resolves: #54238
Releases: 6.2
Reviewed-on: https://review.typo3.org/26099
Reviewed-by: Alexander Stehlik
Tested-by: Alexander Stehlik
Reviewed-by: Marcin S?gol
Tested-by: Marcin S?gol
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter

Change-Id: Id2dc49c9a5e5ca3ede14bc82218dd9ccdc7628ca
Resolves: #54123
Releases: 6.2
Reviewed-on: https://review.typo3.org/25844
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Xavier Perseguers
Reviewed-by: Markus Klein
Tested-by: Markus Klein

In the class "DefaultFactory", "fileadmin" is hardcoded.
The function "getDefaultStructureDefinition"
must take care of the $GLOBALS['TYPO3_CONF_VARS']
['BE']['fileadminDir'] configuration variable.

Resolves: #53872
Releases: 6.2
Change-Id: I17c836a58ea70d218170a33e28ca578bb50eef0b
Reviewed-on: https://review.typo3.org/25640
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Stefan Neufeind
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Fix superfluous comparison against boolean in
OpendocsController::checkAccess

Change-Id: I0682042848f2f25856506d5949fc724853c43948
Resolves: #54052
Releases: 6.2
Reviewed-on: https://review.typo3.org/25739
Reviewed-by: Jo Hasenau
Reviewed-by: Michiel Roos
Tested-by: Michiel Roos
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Fix superfluous comparison against boolean in
DataHandler::versionizeRecord

Change-Id: I345917b9eb29f3cbb39a137f624926888dec623a
Resolves: #54051
Releases: 6.2
Reviewed-on: https://review.typo3.org/25738
Reviewed-by: Jo Hasenau
Reviewed-by: Michiel Roos
Tested-by: Michiel Roos
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Fix superfluous comparison against boolean in
RelationHandler::readForeignField

Change-Id: I77f17dee6a14da7779dfe8e37bc73f33a3d02cb5
Resolves: #54048
Releases: 6.2
Reviewed-on: https://review.typo3.org/25735
Reviewed-by: Jo Hasenau
Reviewed-by: Michiel Roos
Tested-by: Michiel Roos
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Fix superfluous comparison against boolean in
Laguage::getLanguages

Change-Id: Idbf4c1f234eb1c60c01ea130095759ef49ce71c0
Resolves: #54054
Releases: 6.2
Reviewed-on: https://review.typo3.org/25741
Reviewed-by: Xavier Perseguers
Reviewed-by: Michiel Roos
Tested-by: Michiel Roos
Reviewed-by: Markus Klein
Tested-by: Markus Klein

With commit 6eb7a548 performance optimized class
instantiation code has been committed. This code
removed the side effect of a reflection exception
being thrown when a not existing class is instantiated.

Code in ContentObjectRenderer relied on this side
effect, so we have to fix that and properly test
if the class exists instead.

Additionally this change adds some more comments
to the new instantiation code that has been forgotten
in the last commit.

Resolves: #54425
Releases: 6.2
Change-Id: I8962434d60f80daf77ccdce7a8148e26f8fee267
Reviewed-on: https://review.typo3.org/26440
Reviewed-by: Marcin S?gol
Tested-by: Marcin S?gol
Reviewed-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Anja Leichsenring
Reviewed-by: Anja Leichsenring
Tested-by: Tobias Liegl
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Dmitry Dulepov
Tested-by: Dmitry Dulepov
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

PHP reflection has quite an overhead in performance.
Use a switch construct like in Flow instead to
instantiate classes with up to 8 arguments without
reflection.

Resolves: #53682
Releases: 6.2, 6.1, 6.0
Change-Id: I82ecf0b1ea9a412a39b4429d7689f2bb6489f3df
Reviewed-on: https://review.typo3.org/26363
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

This patch prevents the creation of sys_refindex entries that point to no
table and no record.

Additionally it fixes the array structure for the creation of
sys_refindex records for sys_file relations.

For deleted file references no reference will be created between
sys_file and the referenced table.

The configuration for the uid_foreign field was changed from a select
field for tt_content records to a normal input field to prevent the
creation of invalid refindex data. To which table uid_foreign is
pointing depends on the tablenames field.

To make sure both sides of the relation of a sys_file_reference appear
in the refindex table the exclusion of sys_file_reference as
foreign_table is removed.

Resolves: #53712
Releases: 6.2, 6.1, 6.0
Change-Id: Ic864ade10e4e97fbd9017b9c779be68d911dd626
Reviewed-on: https://review.typo3.org/25476
Reviewed-by: Fabien Udriot
Tested-by: Fabien Udriot
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter

In the previously merged patch are some glitches and a regression:
- The usage (and test for existence) of deprecated functions has been
  removed.
- The value passed by the old behaviour is now considered last place
  in the array providing the lookup paths
- The typo preventing usage setLayoutPaths() has been removed.

Intended usage:
plugin.tx_a.view.templateRootPaths {
	default = <some default path>
	extendedA = <some additional path>
}
The array gets reversed and the first hit will be used as template.
In case only numeric indizes are used, the entries get ordered.
See unit tests for a more specific description.

Change-Id: If4fa75347614cf9b352c6016430a928833cc62cd
Resolves: #52971
Documentation: #52761
Releases: 6.2
Reviewed-on: https://review.typo3.org/24903
Reviewed-by: Alexander Stehlik
Tested-by: Alexander Stehlik
Reviewed-by: Marc Bastian Heinrichs
Tested-by: Marc Bastian Heinrichs

Since the labels and values of select items are run through
htmlspecialchars by the FormEngine there is no need to use
htmlspecialchars in the renderTceformsSelectDropdown() method which
generates the select items for the filemount Backend form.

The current code will htmlencode the select value twice which results
in a htmlencoded value in the database which causes problems with
directory names that contain special characters.

Resolves: #54027
Releases: 6.2, 6.1, 6.0
Change-Id: I7ec8262f6c3d20879cde0679636a6a8e5c1d19cd
Reviewed-on: https://review.typo3.org/25770
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Oliver Klee
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Due some regressions on side of travis
(https://github.com/travis-ci/travis-ci/issues/1710) an older git version
is used which doesn't support things like "--single-branch".

To avoid this, git is updated to latest version on the build server before
starting cloning

Change-Id: Ic5f698e84f378b9fed6bd64398b8058a20be860e
Resolves: #54369
Releases: 6.2
Reviewed-on: https://review.typo3.org/26366
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

To make sure calls to filesize() etc. return correct values the PHP
method clearstatcache() is called in the LocalDriver after contents
were written to a file.

Resolves: #54302
Releases: 6.2
Change-Id: Ia30e519d17aa3cf37856096f1cdac567b5729aec
Reviewed-on: https://review.typo3.org/26278
Reviewed-by: Markus Klein
Reviewed-by: Frans Saris
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

The second typolink parameter, that is the target, can be abused to
introduce XSS code into the generated link. Escaping the parameter
with quoteJSvalue solves the problem.

Change-Id: Ie91b022a2ffed039fb365e6b0be2ea39f7096514
Fixes: #31206
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 484cf1aea8d3e66db547325fe4d843d50a668162
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26225
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

Encode user-input in JavaScript context for colorpicker.

Change-Id: I1121d6d20c90e476a2d0ea4f000b180e843a4ce0
Fixes: #42772
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: b6fec0611604ccdce95d4d33cd7dcae0911a5d9a
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26224
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

An hmac of the editor controlled auto respond message was used to verifiy
the correctness of this message on submit. To prevent this, we add an
additional secret.

Change-Id: I1551feebd4dd84abeb3fb098175384f425f605a9
Fixes: #45043
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Security-Commit: 344975268f4b9eb4ce7c664958647b9268ea03a8
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26223
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

Change-Id: I88807af69635d75f1fbefc62b4672e945397fb07
Fixes: #48691
Releases: 6.2, 6.1, 6.0
Security-Commit: 715b2c58c53f0109acce8c52df08d5dffea79f49
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26222
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

It has been possible for authenticated editors
to show content of arbitrary tables and fields
that are defined in TCA by manipulating
GET parameters of the forms and table wizard.

This change adds a check if the editor has access
to the given record.

Change-Id: I8e27e5ffbccf148d951b50b21d9e15cc8e317442
Fixes: #41714
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Security-Commit: 52d4e3eced81639820db6d75f3d65d14c5234072
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26221
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

The eID script of the openid extension does not
validate the given redirect url, leading to
an open redirection vulnerability.

Add and verify hmac of the redirect url.

Change-Id: I0d65390b61dd5cf92151d36e490a194624b98b8f
Fixes: #54099
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 5c6a45c0f843a93ab048a3df4bb352b8e02099b2
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26220
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

Usage of unverified input parameters in wizard URL leads to a possible
XSS vulnerability in backend_layout wizard.
The solution is the introduction of a hmac validation of the parameters
used in JavaScript.

Change-Id: I48f89309fc062d132e283d4fd9179ccbfdcfda4c
Fixes: #36768
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: a3ac48f5d66c566d241295d87cc8d7eb4d10c274
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26219
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

The tree Display/* ViewHelpers introduce a XSS vulnerability by
using unescaped parameters in HTML.

Change-Id: I0dadb03105d3eaa520f10f0375a46c83fa56c269
Fixes: #47086
Releases: 6.2, 6.1, 6.0
Security-Commit: 1e0f51f204efd9efacec8aef8ea08e2a8122177b
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26218
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader