- Jun 27, 2019
-
-
Benni Mack authored
This issue was raised that translated pages do not show up in the list of records to be published/staged, as translated pages are in the same table. So, page handling needs to consider l10n_parent fields, and check for the UID/l10n_parent, whereas other records (like pages_language_overlay before) only are checked for the "pid". Resolves: #88446 Releases: master, 9.5 Change-Id: I9fe0b0290d4dd52104e15a08bb55e0aa7ab7473c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60944 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
matseriks <mats@pixelant.se> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
-
Benni Mack authored
In order to run a subrequest in Frontend, TYPO3_MODE kills most of the functionality. Although it is clear, that TYPO3 Core is not 100% there yet, some very obvious changes can actually be replaced with simple TSFE checks instead of TYPO3_MODE. This is only focused on rendering content (Fluid), and this happens in FE after TSFE is initialized, for eID scripts, this would break already. Resolves: #88581 Releases: master, 9.5 Change-Id: I9c97da60e7df572290e54d53da5eb8dac69e8f7e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61084 Tested-by:
Daniel Gorges <daniel.gorges@b13.de> Tested-by:
Alexander Schnitzler <review.typo3.org@alexanderschnitzler.de> Reviewed-by:
-
Daniel Siepmann authored
As `\` is escaping, there has to be an additional `\` in front, in order to display the `\` as expected. Resolves: #88634 Releases: master, 9.5 Change-Id: I790079dd3de6e0a3ceb6ebfb93e1a52ad9bb4249 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61154 Tested-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
-
Benni Mack authored
The Context API can be used now within TemplateService to fetch a version overlay, which now only relies on the PageRepository (which also uses Context API), to avoid certain magic detection of Frontend/Backend mode. TemplateService is only used to fetch sys_template records in this use-case. Resolves: #88626 Releases: master Change-Id: I5f6526868af090915748031d50eeaf245049e655 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61126 Tested-by:
-
Benni Mack authored
The same if() loop is used for checking menu generation item states (ACT/IFSUB etc), this can be very much simplified by using a loop over the available item states which are now defined as a constant. Resolves: #88477 Releases: master Change-Id: If8b7ddbcb2d367954d5757d2957bea6b34f8ed60 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60865 Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
Benni Mack authored
Due to #88498 a bug within the Extension Scanner was introduced where the scanner did not find the expected results due to wrong information. Resolves: #88639 Related: #88498 Releases: master Change-Id: I47f0393fafd4860f058eeba6828b5143b6e1b8c2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61157 Tested-by:
-
Sascha Egerer authored
The return type annotation must be `static` instead of `self` as the method returns an instance of the inheriting class. Do also replace some occurrences of get_calling_class() by static::class Resolves: #88587 Releases: master, 9.5, 8.7 Change-Id: Ib14d016ef733b94ed5a732ed36af8fcfcdee149b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61086 Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
- Jun 26, 2019
-
-
Benni Mack authored
There are some leftovers where PseudoSite is mentioned. Since TYPO3 v10.0 is built on Site Handling completely, this logic is removed. Resolves: #88625 Releases: master Change-Id: I9f3b3a6c9a4bf29c2b509246c02d64aa5f536b4e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61123 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
-
Benni Mack authored
Checking if cHash matches any GET parameters can be done without $TSFE->cHash_array and $TSFE->hash as all data is built inside PageArguments already. However, $TSFE->cHash_array is still necessary and filled as before when ->setPageArguments() is called. This is a precursor to re-structure the dependencies within TSFE and PSR-15 middlewares. Resolves: #88460 Releases: master Change-Id: I43c2fdc1049d451b3fc9bc06a57b744703a7a323 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60841 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
-
Benni Mack authored
Modules which do not set a proper route path themselves now have a different route path, basically "/module/file/list" for example, whereas there is a proper prefix with "/module/" and no trailing slash anymore. It is still possible to build links to the route paths, and resolve them properly. The "old" route paths will stop working in TYPO3 v11.0. Resolves: #82669 Releases: master Change-Id: If976df458e87b1199933cf1c42c5d3d8ff2407ba Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60433 Tested-by:
-
Benni Mack authored
The introduction of the Session Framework API in v8 introduced generators for fetching authentication service objects within `AbstractUserAuthentication`. Some places were however forgotten, which can safely replaced with the `$this->getAuthServices()` method. Resolves: #88594 Releases: master Change-Id: I987150be574232b549340f4766bb963baa17fd60 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61095 Tested-by:
-
- Jun 25, 2019
-
-
Oliver Hader authored
Serialized values in l18n_diffsource are vulnerable to insecure deserialization when being invoked in FormEngine or DataHandler. Resolves: #88323 Releases: master, 9.5, 8.7 Security-Commit: 215de3e52140dc69ccb0e5802ab4234922b1aa63 Security-Bulletin: TYPO3-CORE-SA-2019-020 Change-Id: I03704b35d94e2575e9231656977f3760e6f04e2b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61146 Tested-by:
-
Oliver Hader authored
Fields `TSconfig` and `tsconfig_includes` of table `pages` can be misused by restricted users to contain malicious instructions and lead to cross-site scripting as well as arbitrary code execution. Since user input cannot be sanitized properly, the field is now available for admin users only. In addition directory traversal in TSconfig static includes has been mitigated. Resolves: #88565 Releases: master, 9.5, 8.7 Security-Commit: b4ab9cd1f0539b3af675b94aa01d26e5c4b3a1d9 Security-Bulletin: TYPO3-CORE-SA-2019-019 Change-Id: I712364fde6a76ad761a0b738756cb151dc5c22e1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61145 Tested-by:
-
Oliver Hader authored
When frontend users logged out their session data (e.g. shopping cart) was transfered into an anonymous session. This session could have been reused by a different user working with the very same browser. In order to enhance security aspects on this topic session data is purged when an according frontend user is logging out. Since this might be breaking for some scenarios a new feature toggle has been introduced which allows to keep the previous behavior: boolean 'security.frontend.keepSessionDataOnLogout' in $GLOBALS['TYPO3_CONF_VARS']['SYS']['features'] Resolves: #88139 Releases: master, 9.5, 8.7 Security-Commit: 89c45f80388f24f08f827c474daa5ab8fda63da2 Security-Bulletin: TYPO3-CORE-SA-2019-018 Change-Id: I869f3bee7c6bf6e2ae51bcd86273b6abc15f09c5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61144 Tested-by:
-
Oliver Hader authored
Due to an incomplete condition it was possible for regular backend users to make use of the import module - which only would be accessible to admin users or to those users have User TSconfig `options.impexp.enableImportForNonAdminUser` enabled. Resolves: #88284 Releases: master, 9.5 Security-Commit: a3ca05df1e9e9269b45daf9dd79517df9d202604 Security-Bulletin: TYPO3-CORE-SA-2019-017 Change-Id: I9ac9a026d5715f9c03eda37f0ef84178640b2f1d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61143 Tested-by:
-
Benni Mack authored
The symfony/cache component is not directly used by the core but is a dependency of symfony/expression-language which is used in the core. The affected symfony/cache packages have been marked as "conflict" in the composer.json. See https://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized Resolves: #88215 Releases: master, 9.5 Security-Commit: d13c36e9e9951030a0787c63674634a52ff0aae3 Security-Bulletin: TYPO3-CORE-SA-2019-016 Change-Id: If98391ceef88561507d0095d26455a8da128f01e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61142 Tested-by:
-
Oliver Hader authored
URLs defined using TYPO3's internal t3://url/?url=... notation are now hardened against using `javascript:` and`data:` URL schemes. Resolves: #88476 Releases: master, 9.5, 8.7 Security-Commit: 1a873c662524a62b192661da45d27e223e517d18 Security-Bulletin: TYPO3-CORE-SA-2019-015 Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141 Tested-by:
-
Andreas Fernandez authored
The ElementInformationController now checks a backend user has sufficient permissions to see each referenced record. Resolves: #88317 Releases: master, 9.5, 8.7 Security-Commit: 4322d6b827c09b98b35ab4ef47753e9c20f7f117 Security-Bulletin: TYPO3-CORE-SA-2019-014 Change-Id: I49d077e5628465111b4460dd3cb673182d09eaa0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61140 Tested-by:
-
Benni Mack authored
The functionality to set a custom TCEMAIN.previewDomain via PageTS is not in use anymore as SiteHandling is using the proper domain anyway already. Conceptually this does not work anymore, as the base (domain + path prefix) determines Language + Site / PageTree entry point. Setting this to something else via TCEMAIN.previewDomain would not work anyways, so this hack is removed, as we now can safely determine the full (speaking) URL with Site Handling. In addition, the method BackendUtility::getViewDomain() is now deprecated. Resolves: #88499 Releases: master Change-Id: Id88c16e2e86ccce8a2e7be02af0e2a39802624c0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60773 Tested-by:
-
- Jun 24, 2019
-
-
Alexander Schnitzler authored
In order to have a meaningful class doc block for the BitSet class, the former doc block has been replaced with an explanation of how to use the BitSet class. The explanation is similar to the one in the rst file which has been introduced along the class. Releases: master Resolves: #88611 Releates: #88596 Change-Id: Ie6c5043a38db612f050438123ab9cd12d8030e9c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61100 Reviewed-by:
Björn Jacob <bjoern.jacob@tritum.de> Reviewed-by:
Alexander Schnitzler <typo3@alexanderschnitzler.de> Tested-by:
-
Benni Mack authored
The configuration within `sys_preview` contained the Backend User ID. Previously, until TYPO3 v9, this was used to simulate a backend user with his/her permissions, however this was changed with the introduction of Middlewares and a custom PreviewUserAuthentication object. This information does not need to be stored, as it hasn't been evaluated anymore anyways. Resolves: #88601 Releases: master Change-Id: I2b3c4979f38a3c1343a0f5bff3c2bd762affc0e1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61108 Tested-by:
-
Joerg Kummer authored
Correct closing tag in PHP comment example. Resolves: #88619 Releases: master, 9.5 Change-Id: Ic90351399eccc4435231bbd4ccbc74c33727d70c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61120 Tested-by:
Daniel Siepmann <daniel.siepmann@typo3.org> Tested-by:
-
- Jun 21, 2019
-
-
Alexander Schnitzler authored
The BitSet class has been put into a DataStructure namespace although the core puts classes of these kind into a Type namespace. Therefore, the class has been moved. Releases: master Resolves: #88596 Change-Id: I18385a5c761e002f36bc33dcaeeb26ce7f6d187e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61098 Reviewed-by:
-
Daniel Siepmann authored
As this is what its called. This also should make searches easier, as there is only one way to write it. Relates: #88600 Releases: master, 9.5 Change-Id: Ib6fcd4402b4a34aeaf0735a40788a18a324587dd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61103 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Tom Warwick <tom.warwick@typo3.org> Tested-by:
Claus Due <claus@phpmind.net> Reviewed-by:
-
Helmut Hummel authored
By concept for frontend rendering the page title and meta tags are not meant to be stored in page cache in order to allow non cachable plugins to modify those. Currently both page title and meta tags are stored in separate cache entries, which violates the concept above and unnecessarily tightly couples those code parts to the TypoScriptFrontendController and internal logic of it. This patch removes these caches. In order to properly handle the uncached rendering state, we make sure the meta tag registry is properly serialized with all managers. Resolves: #88179 Releases: master, 9.5 Change-Id: If5200398bf9ab9db09ab97403c976d82cb33d01d Signed-off-by:
Frank Naegler <frank.naegler@typo3.org> Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60520 Tested-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
Richard Haeser <richard@maxserv.com> Reviewed-by:
-
Susanne Moog authored
Some tests still use hardcoded 'typo3temp' for creating files and folders. Where possible, this has been changed to use varPath from Environment class instead. Resolves: #88551 Releases: master Change-Id: I2d9a8edfb3fb33cc8f86f8e487603d0c72ef3ff0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60946 Tested-by:
-
Benni Mack authored
In preparation for our next maintenance release, symfony components are updated to their latest versions. Composer Command: composer update symfony/* --with-all-dependencies Resolves: #88595 Releases: master, 9.5 Change-Id: Ib380cbe7fec57488bf0ca10328486bc9c5fcbd5c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61096 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
-
- Jun 19, 2019
-
-
Oliver Hader authored
With #88366 "cache_" prefix has been deprecated. However, when retrieving a deprecated cache like "cache_subject" its identifier gets transformed to just "subject" which is (probably) not available in cache configuration keys. That's why keys of cache configurations have to be transformed as well. Resolves: #88512 Releases: master Change-Id: I224d55e71011a437ed2e990d13b1edbee08770b7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60892 Tested-by:
-
Benni Mack authored
Profiling shows that when linking to 100 pages, SiteFinder (which instantiates SiteConfiguration) is instantiated 100 times. Although SiteFinder information might change during one request, the SiteConfiguration does not (except when updating the Configuration via API). So, a first-level-cache can be used to avoid calls to "cache_core" multiple times during one request, and SiteConfiguration can become a Singleton instance. Resolves: #88577 Releases: master, 9.5 Change-Id: I3d9167da9442d684d32a73d6cf2003c91bdf4d68 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61078 Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
-
Devid Messner authored
Resolves: #87147 Releases: master, 9.5 Change-Id: Ia909104bc663d4191f21cb1bf0e25c0212388e2f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/59133 Tested-by:
-
Benni Mack authored
This change removes the "TCEforms" option when parsing FlexForms data in DataHandler, when dealing with FlexForms that contain sheets. This way, FlexForms RTE configuration is properly set and no double spacings for linebreaks are used. According to the issue, this only happened when fields specifically within sheets are configured, for fields without sheets, this has been working already. In order to ensure both cases are working, tests are applied for both variants. Resolves: #80778 Resolves: #81748 Releases: master, 9.5, 8.7 Change-Id: I38facfa9e1065d4730f895aa178a049c07c443f8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60902 Tested-by:
Jan Kornblum <jan.kornblum@gmx.de> Tested-by:
-
- Jun 18, 2019
-
-
Andreas Fernandez authored
All modules of the Install Tool used in modal windows now share a common abstract class that contains some boilerplate code required for most modules. Resolves: #88518 Releases: master Change-Id: I0c2f03f098c731e5a0c499ce91400c22a8c1f890 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60897 Tested-by:
Jonas Eberle <flightvision@googlemail.com> Tested-by:
Simon Gilli <typo3@gilbertsoft.org> Reviewed-by:
-
Susanne Moog authored
composer require --dev typo3/testing-framework:~5.0.10 Releases: master Resolves: #88580 Change-Id: I1dcef11cee0caa730463919146b3732d7838e683 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61081 Tested-by:
-
Manuel Selbach authored
doctrine/dbal 2.8.x ran into unmaintained mode: https://www.doctrine-project.org/projects/dbal.html We should upgrade to at least 2.9: composer req doctrine/dbal:^2.9 Resolves: #88579 Releases: master Change-Id: I18962bd313018abec8e52bada6df9aca6aa4143f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61080 Tested-by:
-
Sybille Peters authored
Resolves: #88578 Releases: master, 9.5 Change-Id: I5fc57a9c61d5f02838f3afd3c305ae0b7b037dfc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61079 Tested-by:
Joerg Kummer <typo3@enobe.de> Reviewed-by:
-
Benjamin Franzke authored
As it produced a warning: 1) TYPO3\CMS\Frontend\Tests\Unit\DataProcessing\SiteProcessorTest:: nullIsProvidedIfSiteCouldNotBeRetrieved Trying to configure method "getSiteFinder" which cannot be configured because it does not exist, has not been specified, is final, or is static Resolves: #88576 Related: #88568 Releases: master Change-Id: Icf72100282ce24c87b6bb9f49fc978b6187a817e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61074 Tested-by:
-
- Jun 17, 2019
-
-
Jonas Eberle authored
Rephrases button title and success message for user preference reset. Resolves: #88520 Releases: master, 9.5 Change-Id: Ib2d3180a417366249df8fa9c1faa47c74cca022a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61040 Tested-by:
Tymoteusz Motylewski <t.motylewski@gmail.com> Reviewed-by:
-
Manuel Selbach authored
doctrine/dbal 2.8.x ran into unmaintained mode: https://www.doctrine-project.org/projects/dbal.html We should upgrade to at least 2.9: composer req doctrine/dbal:^2.8.1 which installs 2.9.2 Resolves: #88553 Releases: master, 9.5 Change-Id: Id0c20cbb3102b5086e1c4d9dcef1b32fed67db7d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60994 Tested-by:
Manuel Selbach <manuel_selbach@yahoo.de> Reviewed-by:
-
Benni Mack authored
Locales resolves the user-defined TYPO3-languages and its dependencies via TYPO3_CONF_VARS, which are only finally available when all extensions' ext_localconf.php is included. For this reason, Locales::initialize() can be deprecated and moved into the regular constructor, but then the Bootstrap should not do the initialization anymore, which happens at the point now, when Locales first gets initialized (which happens in Frontend within TSFE and PageRenderer and in Backend within $LANG). For this reason, it is removed from Bootstrap, where it was first placed in TYPO3 4.6 when no proper bootstrap set up was given. Resolves: #88569 Releases: master Change-Id: Ife2e248412c1b206abffcdd21df0d01e44834cea Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61046 Tested-by:
-
Benni Mack authored
SiteMatcher is a container around SiteFinder now as PseudoSite handling was removed, so SiteFinder can be used directly. Resolves: #88568 Releases: master Change-Id: Ib0f5a42351ed5c11c25458b74074b80f5c574bbd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61043 Tested-by:
-
