Resolves: #101451
Resolves: https://github.com/TYPO3-Documentation/TYPO3CMS-Reference-CoreApi/issues/3244
Related: #90522
Releases: main, 12.4, 11.5
Change-Id: Ib6cd19b35f72138ee4667714d5fe9c8dbd8bbcca
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80145


Reviewed-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>

Resolves: #101452
Releases: main, 12.4, 11.5
Change-Id: Idf803dff6b4941380dbdde30f53548d31b6df575
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80142


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan B�rk <stefan@buerk.tech>
Reviewed-by: Stefan B�rk <stefan@buerk.tech>

With #101231 a missing URL encoding in FormEngine was triggered
which caused contents like "svg;disallowed=|irre-object-id" to be
added to bparams which got transformed into "svg&disallowed" in
some setups (ddev, most likely caused by the ddev-router-proxy).

This "change" causes the irre object id to be cut off from the
bparams in IREE file list element browser, which is why "select"
actions on file list elements were silently ignored.

Resolves: #101433
Related: #101231
Releases: main, 12.4, 11.5
Change-Id: I89dd53131f9ecb3b199bbcd2d1abf6be87f819da
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80172


Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>
Tested-by: core-ci <typo3@b13.com>

runTests.sh uses of docker-compose to run tests.

The patch ditches docker-compose in favor of
direct docker cli commands for the following
reasons:

* runTests.sh is more concise and does not
  need to deal with writing a .env for
  docker-compose anymore.
* Establish a foundation to use podman
  as alternative container runner.
* Ditch the lengthy docker-compose.yml file
  that repeats things over and over again.
* Better control of running containers.
* Allow running multiple runTests.sh instances
  in parallel without disturbing each other by
  establishing unique names for networks and
  containers.
* Minor performance improvements by getting
  rid of the docker-compose python overhead.
* Simplified quoting in scripts.
* Less path headaches.

Resolves: #97566
Releases: main, 12.4, 11.5
Change-Id: I7ae50d1cec4c770b54dc9d4a1053420ad85f5ff0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80126


Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Review...

This particularly helps PHPStan in extensions that call those methods
detect unnecessary checks for empty strings if
`GU::trimExplode` is called with `$removeEmptyValues = true`.

Used command:

> ./Build/Scripts/runTests.sh -s phpstanGenerateBaseline

Resolves: #101395
Related: #99147
Releases: main, 12.4, 11.5
Change-Id: I6945cc0698b0777a05cb9327b342aa9aa7dee098
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80138


Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>

The computed property '_ORIG_uid' is only set for workspace records,
which are NOT moved (t3ver_state=4). It is better to check directly for
the existence of this key as done in all other occurrences where it is
retrieved. The presence already ensures that we are dealing with an
overlaid workspace record and that there is need to fetch the original
uid.

Resolves: #101426
Releases: main, 12.4, 11.5
Change-Id: I7dd1072736b476015d5d44cb82f5e670fdd484a7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80168


Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>

Change-Id: Ic561c16dd8f95af99b9d27f78633193968574118
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80163


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Change-Id: I41cc21334354b86a347d35eaca63014f433c0e46
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80162


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

See
https://github.com/w8tcha/CKEditor-WordCount-Plugin/security/advisories/GHSA-q9w4-w667-qqj4

yarn add ckeditor-wordcount-plugin@^1.17.12

Resolves: #101234
Releases: 11.5
Change-Id: I7400bc7405a91e62fb7dc5b3565ee2f9d5b4cc06
Security-Bulletin: TYPO3-CORE-SA-2023-004
Security-References: CVE-2023-37905
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80157


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

This change disallows calling an URI with page-id query parameters
that are not part of a particular site - for instance the following
URL `https://example.org/?id=3000&L=0` has two aspects:

* the site `example.org` has the root page-id 1000
* the site `internal.example.org` has the root page-id 3000

The example above allows to call a page-id for an internal site,
by using a valid and public entry point.

The new feature flag
`security.frontend.allowInsecureSiteResolutionByQueryParameters`
allows to control this behavior for backward compatibility reasons.
Per default `allowInsecureSiteResolutionByQueryParameters` is disabled.

Resolves: #100889
Releases: main, 12.4, 11.5
Change-Id: I88d565b5d9bea556b4f754c3069d56124cea98bd
Security-Bulletin: TYPO3-CORE-SA-2023-003
Security-References: CVE-2023-38499
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80156


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.2

composer req typo3/html-sanitizer:^2.1.2
composer req typo3/html-sanitizer:^2.1.2 \
  -d typo3/sysext/core --no-update

Resolves: #100917
Releases: main, 12.4, 11.5
Change-Id: If6f77217dfefe0a3c15a8a8760206b6cc5ba5687
Security-Bulletin: TYPO3-CORE-SA-2023-002
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80155


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The `redirectMode=refererDomains` configuration allows to process a
redirect after a successful login to an evaluated referer value.

This patch fixes the evaluation of https urls as referer value. Without
this patch only http urls are evaluated correctly.

Also do not match hostnames that contain an invalid underscore in name.

Additionally the regex matching for the domain was not quoting the
configured domain names and thereby matching dots as 'any single
character' instead of a dot.

Resolves: #100215
Releases: main, 12.4, 11.5
Change-Id: I589638d82627283b5acdeec5da0243e082cc5ebf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80132


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

PHP8.3 emits a warning for content handed over to
unserialize() which contains superflous content at
the end.

The silence operator `@` is now used to suppress
the test setup unserialize() to avoid this exact
warning as preparation for PHP8.3 introduction.

Can be verified before and after by executing:

> Build/Scripts/runTests.sh -p 8.3 -s unitDeprecated

Resolves: #101409
Releases: main, 12.4, 11.5
Change-Id: I5741cd86e8e0a8afedb49ad01676d0766d5fbfaa
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80070


Tested-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Stefan B�rk <stefan@buerk.tech>

When updating entries, the `updateFields` will provide `uid`, which
works fine in MySQL but might lead to problems when working with
stricter DBMS.

Such an example of a DBMS not liking the update of an identity field,
is SQL Server.

Now, I know that SQL Server will not be supported in TYPO3 v12 going
onward, but on the off-chance that somebody has another DBMS than MySQL
or has DBMS that will break when trying to update an identify field,
this bugfix might still be valuable.

The bug exists back to TYPO3 10 at least.

Releases: main, 12.4, 11.5
Resolves: #100175
Change-Id: Id4dd90579191da0cb770490256087209e749deb4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80068


Tested-by: Stefan B�rk <stefan@buerk.tech>
Reviewed-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>

Some rather minor script modifications in runTests.sh
to prepare #97566

Resolves: #101389
Related: #97566
Releases: main, 12.4, 11.5
Change-Id: I35e2acd7848f5b49c2a1359d2e976cb553d72ac0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80095


Reviewed-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Resolves: #100853
Releases: main, 12.4, 11.5
Change-Id: I8a1284c2c859cde9d114fecbbe9c5a1e38a35c94
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80092


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The variable `$port` in the changed code is an array element
from the return value of `GeneralUtility::trimExplode()` with
the `$removeEmptyValues` argument set to `true`. Hence it
is ensured to not be an empty string.

This change should be backported as it otherwise would block
improvements for the type annotations of
`GeneralUtility::trimExplode()`.

Resolves: #101384
Releases: main, 12.4, 11.5
Change-Id: I74ce433495fc3975c11991d21831db0244eacba0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80088


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Just clear potential the page being edited from indexed_search's
index. The previous implementation did also take potential child
pages, into account, but not the page itself.

Resolves: #100877
Releases: main, 12.4, 11.5
Change-Id: I4c8e0c70e68744f629cb1b1c9f62b5f3028502fd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80090


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan B�rk <stefan@buerk.tech>
Reviewed-by: Stefan B�rk <stefan@buerk.tech>

Since the introduction of customizable page type icons,
the fallback icons did no longer work. Only the icon
and variations for "contentFromPid" worked. The reason
is, that these icons are prefixed with "page" while the
other ones are prefixed with the doktype ("1").

This is fixed now by providing an optional argument
for the getRecordTypeForPageType method, which takes
the type name as parameter. The default is "1".

Resolves: #101379
Related: #90042
Releases: main, 12.4, 11.5
Change-Id: Ia4379899642ad477026dd73b1ac0c22b918a1629
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80059


Tested-by: core-ci <typo3@b13.com>
Tested-by: Nikita Hovratov <nikita.h@live.de>
Reviewed-by: Nikita Hovratov <nikita.h@live.de>

The main query execution builds a QueryBuilder instance out of
different sub information. Additionally, several hooks can be
used to influence the created query. On top of this, different
type of search queries are possible.

This change avoid consuming a lot of placeholder for list based
`in()` expressions by using a corresponding QueryBuilder method
suitable for the value type. This means that no placeholder are
used any longer for list expressions.

Note: Max query size may still be exceeded if the lists would
      getting bigger. This can be adjusted by database server
      administrators, but will lead to another exception for
      really large value lists.

Resolves: #86859
Releases: main, 12.4, 11.5
Change-Id: Ic0ac51c13cb74a058d71152ad626c484f696b176
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80080


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan B�rk <stefan@buerk.tech>
Reviewed-by: Stefan B�rk <stefan@buerk.tech>

RegEx redirects have been processed in the order how they
have been inserted into the database ignoring the flag
`respect_query_parameters` completely. Due to this fact,
a non-query argument based regex redirect would match
before a concrete query-argument aware regexp redirect
have been matched - additionally favored by the changes
introduced with #96480 to provide a fallback.

To combine all use-cases and additionally fix the detected
issues, this change now splits the cached regex redirects
into two flavors:

* `regexp_respect_query_parameters`
* `regexp_flat`

That follows the pre-selection for the non-regex redirects.
Redirects respecting query paramaters have higher precedence
above the non-respecting once. Therefore, the matching flow
in the `RedirectService` has been aligned correspondingly to
respect this separated workflow.

The #96480 is now only applied for regex redirects which do
not respect query-arguments at all. It should be considered
if we should remove that safety fallback and enforce correct
regex redirects in a dedicated future change.

Furthermore, a deterministic sorting criteria chain has been
added to the `RedirectCacheService` to ensure a deterministic
loading and caching order of redirects.

The changes play together, which is the reason why they are
included in one change and to avoid a inbetween incorrect
test chain.

Regression tests have been added to cover the cases.

Resolves: #101191
Related: #96480
Releases: main, 12.4, 11.5
Change-Id: I9638835c33809e92ba883efb65d86bb1e9f5031b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80079


Tested-by: Stefan B�rk <stefan@buerk.tech>
Reviewed-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>

The identifier for the icon cache used in the client's localStorage is
now version-aware to get a chance of updated icons after a release. It
now uses the same identifier as the backend cache.

Previously, only the registry state itself was taken into account which
may not change if icons assets get updated.

Resolves: #101348
Releases: main, 12.4, 11.5
Change-Id: I15dfc9d4bf1288f9787f88f579beccf3b13a3fc6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80073


Tested-by: Benjamin Franzke <ben@bnf.dev>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>

Add the pid to the list of fields which should always be
retrieved when selecting a record. This especially avoid
a PHP warning in FormEngine when workspace records are
overlaid.

Resolves: #98181
Releases: main, 12.4, 11.5
Change-Id: Iaf5479e329693486c992495228fca1b711ba6161
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80043


Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

The method str_contains requires the 1st argument to be a string.
So we need to ensure that it is a string.

(It can be `null` if the command ran into an error.)

Resolves: #101349
Related: #70869
Releases: main, 12.4, 11.5
Change-Id: Ic4267f1fd8290d340b5fc43acd47797b592d466e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80032


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Avoid exceptions due to wrong type in the link validator module.

Resolves: #101352
Releases: main, 12.4, 11.5
Change-Id: Ic54b38e2fad6c203526fe27fa1b2ea6815f0578f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80028


Reviewed-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan B�rk <stefan@buerk.tech>

In very rare cases it may happen that a backend session is not valid
anymore when an icon is loaded within the TYPO3 backend. If the icon
is not in the user's localStorage, the TYPO3 backend login is stored
in localStorage instead.

To catch this issue in the future, additional checks were implemented:

* the response shall not come from a redirected request, which could be
  an indicator for unwanted markup
* the received markup must start with "<span"

Resolves: #101339
Releases: main, 12.4, 11.5
Change-Id: Ic30672b770b7d12aa078e423cb595966247d5506
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80016


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: core-ci <typo3@b13.com>

Fix some failures that occur if the internal classes in EXT:backend
use strict typing.

Resolves: #101325
Releases: main, 12.4, 11.5
Change-Id: I964b802762991b6409e599d7a746bdbe22740dfb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80015


Tested-by: Stefan B�rk <stefan@buerk.tech>
Reviewed-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>

egrep is deprecated since 2.5.3 (2007) and is
marked as obsolete in grep 3.8, see
https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00001.html

Also remove a stray \ before the # symbol,
which doesn't need escaping in grep.

Prevents the following warnings during the
commit-msg hook:

  egrep: warning: egrep is obsolescent; using grep -E
  egrep: warning: egrep is obsolescent; using grep -E
  egrep: warning: egrep is obsolescent; using grep -E
  grep: warning: stray \ before #
  egrep: warning: egrep is obsolescent; using grep -E

Resolves: #101329
Releases: main, 12.4, 11.5
Change-Id: I2777d8ffd640598d7c92bed166b793b285e5fa06
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79979


Tested-by: Benjamin Franzke <ben@bnf.dev>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>

Change-Id: I1608d379e6becff4a45b9afb972b02cc91645947
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79966


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>

Change-Id: I0c4b5c42c6254d4d63f2f125b58862bcc119613c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79965


Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

`GeneralUtility::sanitizeLocalUrl` expects a string. So
the fallback value when calling this method also needs
to be a string, not null. This patch adjusts two of
such calls.

Resolves: #101310
Related: #101305
Releases: main, 12.4, 11.5
Change-Id: I737eea4910e95f653982cbe5b268c782cdf8a502
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79977


Tested-by: Stefan B�rk <stefan@buerk.tech>
Reviewed-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>

With the upgrade to Bootstrap 5, modals unintentionally don't support
the `data-content` attribute anymore as this was automatically migrated
to the namespaced variant `data-bs-content`. While this is technically
correct for Bootstrap 5, Core still needs to support the old variant as
documented.

Resolves: #98067
Releases: main, 12.4, 11.5
Change-Id: I544cbd779c808727c472575654adca3dc4c91197
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79961


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

There already was a data provider for the negative case of this
method, but no tests using this data provider.

Resolves: #101308
Releases: main, 12.4, 11.5
Change-Id: If32b5f2943240f224031e20d9849f849275358a5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79973


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Stage-change notification mails have only been delivered to the last
recipient off the list of possible recipients, because
Utility.convertFormToObject failed to detect checkbox elements
from (other) frames.
In this case the to-be-converted form elements are created on the top
frame (modal contents are placed outside list frame on the top frame).

Due to JavaScript being prototype based, instanceof checks do
only operate per-frame. Prototypes are bound to the current window.
`foo instanceof HTMLInputElement` is basically a shortcut
and equivalent to `foo instanceof window.HTMLInputElement`
while `window != top.window`.

Instead of `instanceof` checks, we switch to a `tagName` comparision
which is usable for cross-frame HTMLElement type detection.

Resolves: #99784
Releases: main, 12.4, 11.5
Change-Id: If9bfd7be1e46d8c04619be3563d3bdba9d9de549
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79924


Reviewed-by: Benjamin Franzke <ben@bnf.dev>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <ben@bnf.dev>

Map backend URLs like
/typo3/install.php?install%5Bcontroller%5D=settings
to /typo3/module/tools/settings for display in the
browsers URL bar.

Resolves: #101287
Releases: main, 12.4, 11.5
Change-Id: I5177146e28b01011f946c578804a8141fe9a371f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79925


Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>
Tested-by: core-ci <typo3@b13.com>

The GlobalEventHandler changes the location of the current (target)
window. The location is set to a given destination without any ability
to interrupt. The existing ConsumerScope API isn't used even if the
current window is the ContentContainer. This patch extends the handling
of a navigation action by checking its target window and using proper
ContentContainer API to set the location. Therefore registered listener
can deny a location change and trigger own functions.

Resolves: #95474
Resolves: #100114
Releases: main, 12.4, 11.5
Change-Id: If6a3b1cc546e1f2ff0b8e9fed3f83055f3f55e49
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77720


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <ben@bnf.dev>
Reviewed-by: Benjamin Franzke <ben@bnf.dev>

When using GA4, Google's scripts add "_gl" param to track cross domain links.

See https://support.google.com/analytics/answer/10071811?hl=en

Resolves: #101302
Related: #101180
Releases: main, 12.4, 11.5
Change-Id: I6c32db355a7a1306710cff9768187f687ce4b5a9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79935


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Stefan B�rk <stefan@buerk.tech>
Tested-by: Stefan B�rk <stefan@buerk.tech>

Replace link to the documentation of the "crawler"
community extension.

Releases: main, 12.4, 11.5
Resolves: #101300
Change-Id: Ie284fcb1850f655fb3541653326f7c6c0ed79c9d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79933


Reviewed-by: Lina Wolf <112@linawolf.de>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Bj�rn Jacob <bjoern.jacob@tritum.de>
Tested-by: Bj�rn Jacob <bjoern.jacob@tritum.de>
Tested-by: Lina Wolf <112@linawolf.de>

Resolves: #98178
Releases: main, 12.4, 11.5
Change-Id: I6ebcbb67b9cc51d7d56b1da945fdd8b05d5081dc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79869


Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>

With #99920 the HTTP referrer evaluation has been extended to not
overwrite the evaluated HTTP referrer on failed logins. The fix however
broke the HTTP referrer evaluation, when the login plugin is placed on
a page which is configured as 403 error page. In this case, the page
is called via sub-request and a possible available HTTP referrer from
the initiating request is used as redirect url.

This patch extends the HTTP referrer evaluation, so the URL of the
initiating request is used as HTTP referrer variable, if the plugin
is called via sub-request. This ensures, that the user is redirected
to the URL which the 403 error handler intercepted.

In order to do so, the `PageContentErrorHandler` is extended to pass
the original request as request attribute `originalRequest`
to the sub-request. Additionally, the evaluation of the referrer
URL has been moved to `RedirectHandler` and all scenarios have been
covered with tests.

It has to be noted, that in TYPO3 11.5 the fix will only work, if the "Subrequest page errors" feature toggle is enabled.

Resolves: #100715
Releases: main, 12.4, 11.5
Signed-off-by: Torben Hansen <derhansen@gmail.com>
Change-Id: Ibcfdf5093eac72f1796d15f40ef9426d0597d7f3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79704


Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Thomas Hohn <tho@gyldendal.dk>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79786


Tested-by: Oliver Klee <typo3-coding@oliverklee.de>