- Feb 14, 2023
-
-
Benni Mack authored
Change-Id: Ieaf638de14ebccbe4b2fb18e722224cba03c1351 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77847 Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
- Feb 13, 2023
-
-
sypets@gmx.de authored
Handle missing image dimensions (width, height) without throwing an exception. In same cases, image dimension may not be able to be set properly. Resolves: #99406 Releases: main, 11.5 Change-Id: I81124dcaf29932448a87b69ab5bf6445eeb7469c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77757 Reviewed-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
core-ci <typo3@b13.com>
-
Thomas Hohn authored
Added Null coalescing operator, when value of $this->mconf['sectionIndex.']['type'] is used. Resolves: #99866 Releases: main, 11.5 Change-Id: I0b6969b353bf7a55b640f71ced64c06c7539cf27 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77840 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
Elias Häußler authored
The `GU::revExplode` and `GU::trimExplode` methods return lists of elements. Thus, we can safely annotate them as `list` instead of `array` to allow better static code analysis. The annotation for `GU::intExplode` is not changed at the moment since this method behaves differently. Resolves: #99881 Releases: main, 11.5 Change-Id: I111bb5d9482c165f6cee81ab542d2048f3634c13 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77835 Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
Markus Klein authored
switchablecontrolleractions Resolves: #99935 Releases: 11.5 Change-Id: If1a58d078ef92a2789ae7ada3c50f44c86f9e400 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77834 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by: Thomas Hohn Reviewed-by:
-
- Feb 12, 2023
-
-
Georg Ringer authored
Added Null coalescing operator, when accessing $this->register['SYS_LASTCHANGED']. Resolves: #99876 Releases: main, 11.5 Change-Id: I56a94d20195fdb82000259fdbe3e2eb723695383 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77819 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
-
- Feb 10, 2023
-
-
Benni Mack authored
When showing the available locales in the SiteLanguage configuration, the selection is now sorted and also filtered, by only showing "de_DE" and skipping locales with modifiers, such as "de_DE.UTF-8" or "de_DE.ISO8859-1" in order to make life easier for integrators. Resolves: #99923 Related: #93651 Releases: main, 11.5 Change-Id: I03b38bb19207615e82a7f7917037aad0ac26b997 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77756 Tested-by:
-
Sybille Peters authored
Resolves: #99846 Releases: main, 11.5 Change-Id: Ie635412ce817f537c34143aac493e4038e3b9afc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77755 Tested-by:
-
- Feb 09, 2023
-
-
Thomas Hohn authored
Handle faulty HTML tags that can cause a PHP warning. This is done by adding a isset() guard. Resolves: #99896 Releases: main, 11.5 Change-Id: I69c03fa55d7ad3d3f355bf76c43b3fff6e0a1f85 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77812 Tested-by:
-
Christian Kuhn authored
A couple of streamlinings with latest tag, so we raise it. > composer req --dev typo3/testing-framework:^6.16.7 Resolves: #99907 Releases: 11.5, 10.4 Change-Id: I4009e3a5b045ad990746d3da1237911ad944b391 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77809 Reviewed-by:
-
Thomas Hohn authored
Handle faulty HTML tags missing an ending ' or ". This is done by adding a missing Null coalescing operator. Resolves: #99892 Releases: main, 11.5 Change-Id: I8a514f365699ab15fc0004141597e7e32d7ccb8c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77811 Tested-by:
-
Jochen Roth authored
Hidden task groups are not shown in the dropdown when editing a task. When a task was saved the selected (hidden) group is lost. This has been fixed by extending the query to include hidden groups. Resolves: #99855 Releases: main, 11.5 Change-Id: I8bd94fd3dfad4d0c19e08e8f91904ec2c2f32367 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77803 Tested-by:
-
Franz Holzinger authored
use TYPO3\CMS\Core\Http\ApplicationType; Releases: main, 11.5 Resolves: #99888 Change-Id: Ifd2e9bcb46fb08efba5579e2b2ed45605f31157d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77800 Tested-by:
-
- Feb 08, 2023
-
-
Lukas Köhler authored
Update the finisher documentation to accomodate changes made within the deprecation notices: - remove mixins from finisher backend configuration - add note to explain "mixins" have been removed in TYPO3 v11 - add a header as well as a removeButton in Backend UI config to restore functionality - add a reminder to clear all caches to help newbies to see their changes while testing Releases: main Resolves: #99691 Change-Id: Icad673f1e23f595b6ffbae9afef8d01425bd1ea2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77556 Reviewed-by:
Björn Jacob <bjoern.jacob@tritum.de> Tested-by:
-
Stefan Bürk authored
Use null coalescing operator to guard against undefined array key "templateName" accesss in `\TYPO3\CMS\Form\Controller\FormEditorController`. Resolves: #99870 Releases: main, 11.5 Change-Id: I3ebc40e6caab8c2f5bb32563848e836171c44f7b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77785 Tested-by:
-
- Feb 07, 2023
-
-
Oliver Hader authored
Change-Id: I33718967eea20678d806cf20361e3405dbaf41f2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77745 Reviewed-by:
-
Oliver Hader authored
Change-Id: I6c297a32fcce55040489f13cd121a7d8ea4ab91e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77744 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
-
Benjamin Franzke authored
As already started in #88304 (but only for NormalizedParams) and later reverted in #89312 (because of cgi-bin problems), PATH_INFO is no longer considered as a preferable SCRIPT_NAME alternative. All known server configurations set SCRIPT_NAME these days to a proper value when cgi.fix_pathinfo is set. The fallback to PATH_INFO has been introduced with the initial revision of TYPO3 and isn't needed at all nowadays, it's actually wrong, as a REQUEST_URI like /index.php/foo/bar would incorrectly be interpreted as $scriptName == "/foo/bar", which let's all calculations on $scriptName fail and even leads to XSS where values derived from $scriptName are printed without being escaped. Also any ORIG_SCRIPT_NAME evaluation is dropped, as this variable contains the SCRIPT_NAME that was set by the webserver configuration before PHP applied cgi.fix_pathinfo. Using ORIG_SCRIPT_NAME effectively meant bypassing PHP's pathinfo fix. It usually contains the cgi-wrapper paths, which is why PATH_INFO was used to overrule wrong ORIG_SCRIPT_NAME values. GeneralUtility::getIndpEnv('PATH_INFO') is adapted to trust the servers PATH_INFO information, now that we no longer allow servers to send SCRIPT_NAME as PATH_INFO (we enforce cgi.fix_pathinfo=1 for CGI installations). The normalized SCRIPT_NAME is now adapted to be encoded as a URL path by default, as all TYPO3 usages expect this to be an URL path. Note that $_SERVER['SCRIPT_NAME'] refers to the servers file system path, not the URL encoded value. This SCRIPT_NAME sanitization actually enables: a) TYPO3 to be run in a subfolder that contains characters that need URL encoding e.g. `/test:site/` – url encoded that'd be `/test3Asite/`. b) prevention of XSS in case third party extensions missed to escape any URL that is derived from SCRIPT_NAME (while making sure that properly escaped output is not double escaped) Resolves: #99651 Related: #88304 Related: #89312 Releases: main, 11.5, 10.4 Change-Id: Ief95253d764665db5182a15ce8ffd02ea02ee61e Security-Bulletin: TYPO3-CORE-SA-2023-001 Security-References: CVE-2023-24814 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77738 Reviewed-by: -
Benjamin Franzke authored
Make clear that the early-bail out for empty pageArguments is done to prevent setting `disableCaches` to `true`. Also makes that that the $pageNotFoundOnCacheHashError condition is really tied to pageArguments being non-empty. Prevents us from refactoring that code and missing this bit. Resolves: #99860 Related: #99859 Releases: main, 11.5, 10.4 Change-Id: I98ffa3dffe76a37970784979a2c4f2a9a64aa5bf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77752 Tested-by:
Nikita Hovratov <nikita.h@live.de> Tested-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
-
Oliver Hader authored
If $GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation'] is enabled and the HTTP request only contains the `?id` query parameter, caching for the page is disabled - which should be avoided. Resolves: #99859 Releases: main, 11.5, 10.4 Change-Id: I14a81f5a2ec3ecabedd1abf0756a3ee32e7af4e4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77734 Tested-by:
-
- Feb 06, 2023
-
-
Benni Mack authored
When no cHash is given but GET parameters are handed in which _would_ require cHash parameters, these are now properly evaluated during the frontend request. As this has a security impact, a new option called $GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation'] is introduced, which then skips the "requireCacheHashPresenceParameters" option. The latter is an include list, but cache Hash calculation should rather be based on the exclude list such as "excludedParameters" and "cachedParametersWhiteList". If the new option is set, but some properties such as tx_solr[q] should be allowed, then this needs to be added to the excludedList ("excludedParameters") by extension authors. A new test "SlugSiteWithoutRequiredCHashRequestTest" is added which works with a disabled feature flag compared to "SlugSiteRequestTest" which has the feature flag enabled. Resolves: #95297 Releases: main, 11.5, 10.4 Change-Id: Ib72c6a34602e77d8c2044ad2e826c0474ebd2326 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77712 Tested-by:
-
- Feb 04, 2023
-
-
Benni Mack authored
This change updates the main TYPO3 code base vendor/ directory to lock to latest packages from our main dependencies, ready for the next v12.x release, so the "non-composer mode" has various updated dependencies shipped. Used commands: composer update "symfony/*" "doctrine/*" "psr/*" "firebase/php-jwt" "bacon/bacon-qr-code" -W Resolves: #99831 Releases: main, 11.5 Change-Id: If208b89062dab7dac98b140fe6e16a545bf9226f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77703 Reviewed-by:
-
Nikita Hovratov authored
Since the recent release of PHPUnit 9.6 some new deprecations were added which signal breaking changes for version 10. As deprecations are causing our tests to fail, they need to be addressed immediately. Method `expectErrorMessage` replaced with `expectExceptionMessage`. Method `getMockClass` replaced with `createMock` and a subsequent get_class call. Move test with deprecations to UnitDeprecated and remove expectation. Also update phpunit/phpunit and dependencies to latest version: > composer req --dev phpunit/phpunit:^9.6.1 -W Resolves: #99817 Releases: main, 11.5 Change-Id: I6d01ccca398a8ff5db735a35b19061b711c843cc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77693 Tested-by:
-
- Feb 03, 2023
-
-
Thomas Hohn authored
The method getTemplateQueryBuilder has a reference to $GLOBALS['BE_USER']->workspace. This value should be fetched via the WorkspaceAspect. Resolves: #99795 Releases: 11.5 Change-Id: Ia5444b582da7436ab653923bbd8f91d87710a7b8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77670 Reviewed-by:
-
- Feb 02, 2023
-
-
Andreas Fernandez authored
When using drag&drop in the page tree, many style changes happen: * a shadow node is rendered that is moved around * the content within the shadow node changes depending on whether dropping is allowed * CSS classes are changed The previous implementation was not optimal in several ways: * the nodes wrapper (aka the "tree") was updated twice which each `dragover` event, being expensive on huge trees * adding and removing CSS classes may have become redundant in some cases, triggering a re-paint every time All these cases are handled in this patch by executing tasks only when absolutely necessary. Resolves: #99786 Releases: main, 11.5 Change-Id: Ibc8cbce2785e2de646e254590b4eddbdc42839c1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77669 Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
-
- Feb 01, 2023
-
-
Thomas Hohn authored
Sanitize the mountPointParameter in class constructor. Resolves: #99731 Releases: main, 11.5 Change-Id: Ic6fec228c462c7ec4a75a7efc934d7d17fc5c1e0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77657 Tested-by:
-
Thomas Hohn authored
Added a guard around the calculation of $sameBeginEnd. Resolves: #99752 Releases: main, 11.5 Change-Id: I754b4e67b2b04db20dc9adb8ee26bbd2ab2651ad Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77581 Tested-by:
-
Thomas Hohn authored
The variable sameBeginEnd should have the type bool, since the comparison calculation yields a bool. Resolves: #99776 Releases: main, 11.5 Change-Id: Iddbd04197b1b2f99bc96d365c0c4dde1615568da Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77580 Tested-by:
-
- Jan 31, 2023
-
-
Česlav Przywara authored
Releases: main, 11.5 Resolves: #99773 Change-Id: Ife6196a387db61ab7d81506cd32d7adc14bf609d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77579 Reviewed-by:
-
- Jan 30, 2023
-
-
Oliver Bartsch authored
The method `getContentObject()` might return null. This is now properly handled in the MenuProcessor and LanguageMenuProcessor. Resolves: #99722 Releases: main, 11.5 Change-Id: Iebaa2324c59032bd10610c2a63156168777070db Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77614 Tested-by:
-
- Jan 27, 2023
-
-
Andreas Fernandez authored
The class `PageLayoutController` has some custom methods to fetch data of localized pages: * `getLocalizedPageRecord()` * `getLocalizedPageTitle()` The same data can be retrieved using the standardized method `PageRepository->getPageOverlay()`, which replaces the aforementioned methods. Resolves: #99613 Releases: main, 11.5 Change-Id: I06a374411b34211ed45d57f30d142ead7c7e6fba Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77620 Reviewed-by:
-
Oliver Bartsch authored
The "titleLen" setting is now respected in the page modules' "language mode" to prevent overlapping of long page titles. Note: Overlapping might still happen, depending on the configured "titleLen" value, the current display resolution and the number of languages being displayed (when "All languages" is selected). Resolves: #99729 Releases: main, 11.5 Change-Id: I02458e5b7b0d136303499a83fb6c2fcb5bbc0ef8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77618 Tested-by:
-
Thomas Hohn authored
If fe_groups are deleted building the labels for the fe_groups in titleAttribForPages will throw a PHP warning. Resolves: #99712 Releases: main, 11.5 Change-Id: I61a340b74096c0da6eccc2eb0cd425c9fe02b71c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77578 Tested-by:
-
- Jan 26, 2023
-
-
Oliver Bartsch authored
When calculating the number of hidden elements for the currently displayed language columns in the page module, the corresponding language constraint is now properly set. Considering more then one language is now only done, in case language mode with a language > 0 is selected. Additionally, L=-1 is now properly taken into account. Some further cleanup of the method is done. The actually defined field names of corresponding enable columns are now used instead of the static ones. Resolves: #99720 Releases: main, 11.5 Change-Id: I751ea0d2f2de88d5eb208215bb81543fc01ca32b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77617 Tested-by:
Fabien Udriot <fudriot@omic.ch> Tested-by:
-
Andreas Fernandez authored
The method `sendChangeCommand()` now builds a proper payload by pushing data into `params.data.copy` prior to the non-exisiting `data.copy` array. Resolves: #99726 Releases: main, 11.5 Change-Id: I96f279cb2f5eedc4a6658f89f0975c8a14bd42c1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77612 Tested-by:
-
- Jan 25, 2023
-
-
Achim Fritz authored
EXT:frontend's Preview simulation already sets the userGroup values properly, which allows to simulate a usergroup. However, this change also needs to be set in EXT:adminpanel in order to allow usergroups. This change adds the same change (see #96381) as in PreviewSimulator in EXT:adminpanel. This is required as otherwise, the Frontend user would re-set the userGroup in FrontendUserAuthentication->createUserAspect() Resolves: #99718 Related: #96381 Releases: main, 11.5 Change-Id: I346f14e2c7bd655efe3883c3a1543bddff8364e8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77577 Tested-by:
-
Benni Mack authored
Resolves: #98630 Releases: main, 11.5 Change-Id: Iae48bf68a9f18a33e86d79cf7826617e2b3d48c6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77570 Reviewed-by:
-
Oliver Bartsch authored
Prior to the introduction of the column selector in #84184, did a boolean flag "$addDateFields" define whether record date fields (tstamp and crdate) should be added to the available field list. Actually, those fields were always added, because all usages of the corresponding method set either "$addDateFields" or "$dontCheckUser" to TRUE. This fact is now restored by always adding the mentioned fields. Resolves: #98574 Related: #84184 Releases: main, 11.5 Change-Id: I4f212aaf62d9dec26530f6f7a39f1135d684d015 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77601 Tested-by:
-
- Jan 24, 2023
-
-
Thomas Hohn authored
Since $conf['externalBlocks.'][$tagName . '.'] can be null, added a null coalescing check to ensure that $cfg contains a valid value. Resolves: #99706 Releases: main, 11.5 Change-Id: Ia80bc50504e27eb0155232e1f1eb956f9b88ac79 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77576 Reviewed-by:
-
Benni Mack authored
Resolves: #98681 Releases: main, 11.5 Change-Id: I4d7bc72efe4256c5e5d9009afd9327428f2661d4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77567 Tested-by:
-
