- May 17, 2023
-
-
Oliver Hader authored
Currently, CSP nonce values are used per default during the frontend rendering process (which basically would be fine). However, this also leads to the situation, that the page is not considered to be fully cached anymore (`INTincScript`). With this change, CSP nonce values are only used if the corresponding CSP feature is enabled for the frontend scope. Resolves: #100886 Releases: main, 12.4 Change-Id: I874b16a2c3f4791bfa4b0e9eb508c97b5485f1d0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79058 Tested-by:
Torben Hansen <derhansen@gmail.com> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
core-ci <typo3@b13.com>
-
- May 16, 2023
-
-
Chris Müller authored
Resolves: #100883 Releases: main, 12.4, 11.5 Change-Id: I89f566a1bdf45f214a175cd389ef143c6334cda3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79055 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
- May 15, 2023
-
-
linawolf authored
Resolves: #100827 Releases: main, 12.4 Change-Id: I2c553894af4b25c2f4731782f0d9cf2293ec3211 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78958 Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
-
Markus Klein authored
Fix some left-over places where an int-cast is possibly necessary to avoid PHP warnings. Resolves: #100866 Releases: main, 12.4, 11.5 Change-Id: If9111e0c2e2de8c90a94202cf518abdbe8c987fb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79021 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Oliver Hader authored
Issue #93884 provided and adjusted CSP header for SVG inline styles: | default-src 'self'; script-src 'none'; | style-src 'unsafe-inline'; object-src 'none'; For SVG files, having 'unsafe-inline' for style-src is fine, since it only applies to the very same file and cannot include other local or remote resources. Resolves: #100041 Releases: main, 12.4, 11.5 Change-Id: I198e0a8225ef6c0e729a3ae78981581b2d2b2205 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78005 Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
-
- May 14, 2023
-
-
Andreas Nedbal authored
Resolves: #100868 Resolves: https://github.com/TYPO3-Documentation/Changelog-To-Doc/issues/430 Releases: main, 12.4 Change-Id: I12e8b1fe6b627c48bd5af1acc8e6d8ee451c5fb8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79022 Reviewed-by:
Simon Schaufelberger <simonschaufi+typo3@gmail.com> Tested-by:
Chris Müller <typo3@krue.ml> Reviewed-by:
-
Anja Leichsenring authored
After providing full PSR-4 compliance for all test extensions, no exception is needed anymore for the to run the integrity check. Resolves: #100835 Releases: main, 12.4 Change-Id: Id00349f4c5baf1e4361130faa4e6a4ac45a641ea Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78963 Reviewed-by:
-
- May 11, 2023
-
-
Sybille Peters authored
It is possible to send a test email in the Environment section of the Install Tool / Admin Tools. Previously, if the sender email was not configured via $GLOBALS['TYPO3_CONF_VARS']['MAIL']['defaultMailFromAddress'] a default no-reply email address was used. Also, the sender email was not checked with GeneralUtility::validEmail. We now display a message in the dialog if the defaultMailFromAddress is not configured or is configured with an invalid email address. In this case, the form with input field and button is also not displayed. Sending with an invalid sender address is no longer possible in Test Mail Setup. The problem with the previous behavior was: - Not setting the value or setting it incorrectly is incomplete configuration. We should make the user aware of this. The point of sending a test mail is to test the configuration as well. - Emails with a sender address which does not exist or is not registered for the mail account might get rejected by the email server but the user gets no error message, so is kept in the dark. - Notifications from the mail server cannot be sent back if a no-reply email is used. If someone configures it that way, that is their responsibility, but we should not fall back to it. Resolves: #100084 Releases: main, 12.4 Change-Id: Ie9ad6eda320791ac27d81f109c4d253da63ace20 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78027 Reviewed-by:
Stefan Froemken <froemken@gmail.com> Tested-by:
-
Daniel Siepmann authored
Relates: #98487 Releases: main, 12.4 Change-Id: I081e3be261d80ca59b0b170d5f9a8c3e836adae8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79009 Tested-by:
Jasmina Ließmann <minapokhalo+typo3@gmail.com> Tested-by:
-
Anja Leichsenring authored
A new patch level requires to regenerate baseline. > composer req --dev phpstan/phpstan:^1.10.15 > Build/Scripts/runTests.sh -s phpstanGenerateBaseline Change-Id: I50afb973f762f3a4f30105d3cac4445fb81f71df Resolves: #100850 Releases: main, 12.4, 11.5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79005 Reviewed-by:
Thomas Hohn <tho@gyldendal.dk>
-
Benni Mack authored
SchemaMigrator / ConnectionMigrator calls ClearCacheService->clearAll(), which in turn just re-applies ext_localconf.php and ext_tables.php, which in turn could re-apply hooks which have been registered via $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = MyHook::class; Thus, for such cases, it is important the ext_localconf.php is not loaded again. clearAll() now has an optional argument, to flush caches (due to configuration changes, or with DB upgrade in place) so they are completely emptied This is less "brutal" than the original "clearAll" method, as it does not re-load TYPO3_CONF_VARS. This problem comes from https://review.typo3.org/c/Packages/TYPO3.CMS/+/76553/20/typo3/sysext/core/Classes/Database/Schema/SchemaMigrator.php The solution can be found in the now corrected test in EXT:webhooks, which actually registers a hook like this. Resolves: #100840 Related: #99062 Releases: main, 12.4 Change-Id: I9d53df80b119cfec37a5d8d40d5fbd881b14307f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78968 Reviewed-by:
-
- May 10, 2023
-
-
Stefan Froemken authored
While building the TypoScript AST tree the label of the options argument in TS constant comments will now be translated before output. Resolves: #100854 Releases: main, 12.4 Change-Id: I7860bc84e014b5bb91b99c47d3f4c758b46a2cfa Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79010 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
Anja Leichsenring authored
After all test extensions received proper composer.json files, they can be autoloaded via PSR-4. The classmap is therefor unused and can be removed. Resolves: #100825 Releases: main, 12.4 Change-Id: I83251a53bedd4f640af323ed88afdd2aa8db85a3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78957 Reviewed-by:
-
- May 09, 2023
-
-
Georg Ringer authored
Use an empty string instead of null as default value for username and password to avoid warnings with PHP8. Resolves: #100739 Releases: main, 12.4, 11.5 Change-Id: Ie06431f27cab919a7df8467f1b5711d7b2b42291 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78816 Tested-by:
-
Oliver Hader authored
An entire wildcard `UriValue`, which is just `'*'`, was incorrectly encoded. In the scope of CSP `'*'` is valid. Using wildcards should be avoided in favor of being specific. Resolves: #100798 Releases: main, 12.4 Change-Id: Iaf13b1d2095a672653894a6da5f10ad7115a2538 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78933 Tested-by:
Nikita Hovratov <nikita.h@live.de> Tested-by:
-
Georg Ringer authored
Resolves: #100824 Relates: #100739 Releases: main, 12.4, 11.5 Change-Id: I91bf93adbf390e84beda871c399f4785a83d8571 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78956 Tested-by:
-
Andreas Fernandez authored
The fields used in the table wizard are only used for internal handling to be able to compose the final table markup sent to DataHandler. The "management fields" are not interesting on server side and therefore their respective `name` attributes are removed to avoid sending potentially huge, superfluous data. Resolves: #100354 Releases: main, 12.4 Change-Id: If833f2bd1208a050dc88bc1844a19d9fbb209614 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78330 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
-
Torben Hansen authored
After saving the state of the feature toggles in ext:install, the save button remains disabled. This change fixes the problem. Resolves: #100839 Releases: main, 12.4 Signed-off-by:
-
- May 08, 2023
-
-
Nikita Hovratov authored
Resolves: #82481 Releases: main, 12.4, 11.5 Change-Id: Ieffc20f64cac7b546e20964e5f0deeab6e523771 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78944 Tested-by:
Henrik Ziegenhain <henrik@ziegenhain.me> Tested-by:
Daniel Haupt <mail@danielhaupt.de> Reviewed-by:
-
Nikita Hovratov authored
This cleans up some PHPStan reports. Resolves: #100836 Releases: main, 12.4 Change-Id: I909d361a3b4b0b6f535b4f25de9ce832b9e4e205 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78964 Tested-by:
-
Oliver Bartsch authored
Since we are in the scope of a web component, access to "document" is now consistently avoided. Resolves: #100814 Releases: main, 12.4 Change-Id: I38b0b9f1796a3ff512bbf62bd518105cbaf273b0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78946 Tested-by:
Jochen <rothjochen@gmail.com> Tested-by:
-
Oliver Klee authored
Resolves: #100821 Releases: main, 12.4 Change-Id: Ifc5652cf25bcf1d71580cfe207b2a22652735a2e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78950 Tested-by:
-
- May 07, 2023
-
-
Oliver Bartsch authored
The record title in the delete confirmation modal of FilesControlContainer is now properly replaced. Resolves: #100815 Releases: main, 12.4 Change-Id: I6a66242a9d2e5fdea28191d3d98da036c3af77aa Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78947 Tested-by:
-
- May 06, 2023
-
-
Stefan Bürk authored
Used command(s): > composer req --dev "sokil/php-isocodes-db-i18n":"^4.0.13" > Build/Scripts/updateIsoDatabase.php Resolves: #100822 Releases: main, 12.4 Change-Id: I5412a28306892af4fe3bb7ea511f138256c738db Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78951 Reviewed-by:
-
- May 05, 2023
-
-
Oliver Klee authored
Resolves: #100820 Releases: main, 12.4 Change-Id: I56e1bafc3f8036aa3b43ca374f0427947056c53c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78948 Tested-by:
-
Oliver Bartsch authored
Selecting an offline folder in element and link browsers no longer triggers a `FolderDoesNotExistException`. Resolves: #100793 Releases: main, 12.4 Change-Id: I7942f791a9376def3ae2ba869f0cbcc6d68072da Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78926 Reviewed-by:
-
Andreas Fernandez authored
The identifier used to get a container in `type=files` based on `querySelector()` which flawed if the identifier contained a dot. The example identifier "#foo-data-foo.bar" resulted in "find an element with id 'foo-data-foo', having the class 'bar'", which is wrong. To solve this issue, while still limiting the scope to the web component, the selector is changed to use the `[id='']` syntax, which doesn't show the erroneous behavior. Resolves: #100777 Releases: main, 12.4 Change-Id: I9edff128c612cc6a614b65866533c3fb1c731f4e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78943 Reviewed-by:
-
Oliver Bartsch authored
In case a site is missing a proper site configuration - having no default language a fallback SiteLanguage object is used in the page module. This fallback however does provide an empty string as flag identifier, which does no longer result in a broken icon. Resolves: #100799 Releases: main, 12.4, 11.5 Change-Id: I23f3d9347d2ea8a63520086054b9fa842a9f5cfd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78929 Reviewed-by:
-
Christian Kuhn authored
Minor release update from ^2.7.4 to ^2.8.0: - main/v13: Require ^2.8.0 - v12: Require ^2.8.0, projects will update with next core patch level release - v11: No change, projects *may* be able to update if running PHP ^8.1 and having mbstring - v10: No change, projects won't be able to update since core does not allow PHP 8.1 Notable changes: - Require PHP ^8.1 and mbstring - Syntax improvement: A comma with spaces and line breaks on last fluid "arrays" and inline syntax is now parsed as expected. <f:variable name="myArray" value="{ 0: 'first item', 1: 'second item', }" /> {f:if( condition: myVariable, then: 'yes', else: 'no', )} - Syntax improvement: Resolve multi variable references correctly. {foo}bar{baz} foo.{bar}.{baz} - PHP 8.1 fix when resolving invalid variable references {{notExistingVariable}} - General performance improvements when resolving variables. This boosts templates that access lots of variables which resolve to object methods like {object.name} to $object->getName(). This has measurable impact for instance in the backend "log" module when rendering many rows, and reduces overall parsetime by about 1/4 in the TypoScript "Active TypoScript" module when rendering bigger TypoScript trees like the bootstrap package. Commands: > composer req typo3fluid/fluid:^2.8.0 > composer req --no-update typo3fluid/fluid:^2.8.0 -d typo3/sysext/adminpanel > composer req --no-update typo3fluid/fluid:^2.8.0 -d typo3/sysext/core > composer req --no-update typo3fluid/fluid:^2.8.0 -d typo3/sysext/fluid > composer req --no-update typo3fluid/fluid:^2.8.0 -d typo3/sysext/redirects Change-Id: Iaad13cdd327642b52e9e706997485f95ab951032 Releases: main, 12.4 Resolves: #100812 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78939 Tested-by: -
Anja Leichsenring authored
In preparation of composer based test setups, all fixture extensions require fully functional `composer.json` files. For starters, the minimal required `composer.json` is added. We will adjust as we go. Extensions without classes don't receive PSR-4 class loading definitions as those are not needed. As a convention, all fixture extensions have their composer name use the vendor `typo3tests`. Classes will have the vendor `TYPO3Tests`. This way, fixture extensions are easy to identify, both by providing tests that use the extensions, as well as in development to not accidentally use such an extension or class. Resolves: #100783 Releases: main, 12.4 Change-Id: I476864b528eaab1acec0a950c85d5ff92be7b516 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78913 Tested-by:
-
Anja Leichsenring authored
In preparation of composer based test setups, all fixture extensions require fully functional `composer.json` files. For starters, the minimal required `composer.json` is added. We will adjust as we go. Extensions without classes don't receive PSR-4 class loading definitions as those are not needed. As a convention, all fixture extensions have their composer name use the vendor `typo3tests`. Classes will have the vendor `TYPO3Tests`. This way, fixture extensions are easy to identify, both by providing tests that use the extensions, as well as in development to not accidentally use such an extension or class. Resolves: #100782 Releases: main, 12.4 Change-Id: If609f995dd31bd4549248436e660b3f86ce91687 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78914 Tested-by:
-
- May 04, 2023
-
-
Jan Delius authored
With this change it is again possible to give backend users their own password when creating. Previously, any new user record was created with a random password - even if the given password matched the password policy. Resolves: #100762 Releases: main, 12.4 Change-Id: I61a0a3ddc7fbb6322c2f7dab0caa8825f5a9961a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78877 Reviewed-by:
Jan Delius <me@jandelius.eu> Tested-by:
Rico Drexler <rico.drexler@gmx.de> Reviewed-by:
-
Chris Müller authored
The method "withAttribute()" expects a string or null as second argument. Resolves: #100801 Related: #96641 Releases: main, 12.4 Change-Id: I2b8ef43c51159bd92730edbc47b07c2350d5f399 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78931 Tested-by:
-
- May 03, 2023
-
-
Andreas Nedbal authored
RecoveryService::prepareMail creates a FluidEmail, but returns it as Symfony\Component\Mime\Email. Setting the signature to the proper type, which also is used in the SendRecoveryEmailEvent, allows easier adjustment of the sent email. Resolves: #100174 Releases: main, 12.4 Change-Id: Ic88e23fea52cfc6f61efc885eb24267fb461628f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78384 Reviewed-by:
-
Oliver Hader authored
Change-Id: Iceddddf38a028e8587848a88d7ec1a3dc7c0888a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78925 Tested-by:
-
Georg Ringer authored
The mime type 'audio/x-wav' must be added to the AudioTagRenderer to render those files as audio file. Resolves: #100138 Releases: main, 11.5 Change-Id: Icce1698f2de725161fc5add2b711a8b764ee6c59 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78087 Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Tested-by:
abohn_hebotek <alexander.bohn@hebotek.at> Tested-by:
Florian Heder <florian.heder@hebotek.at> Tested-by:
-
Oliver Hader authored
The fix for issue #100695 reorganized the logic for setting new cookies. However, the assumption - to only set a cookie when the class property `$dontSetCookie` is disabled or a permanent cookie is used - is wrong. Previous TYPO3 versions were issuing new cookies, when `AbstractUserAuthentication::setSessionCookie()` was invoked. This change restores the previous behavior. Resolves: #100787 Releases: main Change-Id: I661a64546b99459eb81e466fdd5b03e56aeb6e93 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78923 Tested-by:
-
- May 02, 2023
-
-
Oliver Bartsch authored
Since #100623, the content object might be NULL as it is no longer set up when initializing the UriBuilder, but instead when handing in the current PSR-7 request. This patch adds a fallback for v12 to ensure having the content object available when generating frontend urls. Resolves: #100788 Related: #100623 Releases: main Change-Id: I733b0019a974889970d63845e3afcff5113570d5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78920 Tested-by:
-
Helmut Hummel authored
When defining a default value in column overrides e.g. for tt_content TCA field sys_language_uid this value from TCA will override the value that will be set via the page module when adding a content element for a different language, because the change introduced in #86876 does not respect default values that are set via defVals (which are passed to form engine as defaultValues) A check if such values are set is now added, so that the fix for #86876 will still work, but default values set via editing forms are also respected Resolves: #99381 Releases: main, 11.5 Change-Id: Ib4270665b396bbe520afb21a7f145d0d549305ac Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77172 Tested-by:
-
Andreas Fernandez authored
Clicking the "Remove all" button in the CSP backend module now closes any open report. Resolves: #100757 Releases: main Change-Id: Ie6b4b5d581c2b44385f40c9db8d3b5bcbd1b8a2a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78879 Tested-by:
-
