- Apr 18, 2016
-
-
Albrecht Köhnlein authored
When cURL is enabled with a proxy, the proxy’s HTTP header (sent as a response to the client CONNECT request) was not removed correctly for https requests. See also RFC 2817. Resolves: #73567 Releases: master, 7.6, 6.2 Change-Id: I0f11933f523b099dd23a5bef631699904ffcefc8 (cherry picked from commit 09f1f563) Reviewed-on: https://review.typo3.org/47308 Reviewed-by:
Jonas Götze <jonnsn@gmail.com> Tested-by:
Andreas Wolf <andreas.wolf@typo3.org> Tested-by:
Dmitry Dulepov <dmitry.dulepov@gmail.com> Reviewed-by:
Stefan Neufeind <typo3.neufeind@speedpartner.de> Reviewed-by:
Daniel Goerz <ervaude@gmail.com>
-
- Apr 12, 2016
-
-
TYPO3 Release Team authored
Change-Id: I1a3230b02001e02c7b0638a92af78ec7008a4a45 Reviewed-on: https://review.typo3.org/47624 Reviewed-by:
TYPO3 Release Team <typo3cms@typo3.org> Tested-by:
-
TYPO3 Release Team authored
Change-Id: I9b4d40bcfd4f204de75f873a695aef36825c31d0 Reviewed-on: https://review.typo3.org/47623 Reviewed-by:
-
Andreas Fernandez authored
Resolves: #75541 Releases: 6.2 Change-Id: I2377695852fe6a307d0a4736f0f2e5eb4d79b608 Reviewed-on: https://review.typo3.org/47622 Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Frank Naegler <frank.naegler@typo3.org> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
-
TYPO3 Release Team authored
Change-Id: Iba4804fc2b8e8280d5caef651f84d4e4332db3ca Reviewed-on: https://review.typo3.org/47613 Reviewed-by:
-
TYPO3 Release Team authored
Change-Id: I9e9ddd6b53aee8e9425dbc4ff864c1e8b36c8d04 Reviewed-on: https://review.typo3.org/47612 Reviewed-by:
-
Nicole Cordes authored
In case a backend or frontend user is stored in the database with an empty string as password (not possible through backend UI), it is possible to authenticate this user using an empty password with the standard TYPO3 username/password authentication services. By definition this should be prohibited. Resolves: #75055 Releases: master, 7.6, 6.2 Security-Commit: 1899bfa7166baae8d774fa7bd027f9c448e89686 Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012 Change-Id: I7b5ce35a6e5d817c2480cb81e616bfac25fbe2fb Reviewed-on: https://review.typo3.org/47599 Reviewed-by:
-
Nicole Cordes authored
To view a preview of a workspace page a backend user is simulated. Currently the user who created the preview link is taken into account. This patch creates a limited backend user to be able to process the web request. Resolves: #28175 Releases: master, 7.6, 6.2 Security-Commit: 4d89b8acd5af116444402b0fc2527fd8217e0fca Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012 Change-Id: I4ae4b46fa3345d179cd2748ae0caa48ed3a8e4d9 Reviewed-on: https://review.typo3.org/47598 Reviewed-by:
-
Markus Klein authored
Resolves: #51908 Releases: 6.2 Security-Commit: 716f84105ecba3202280a9c35893818c4dd078a0 Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012 Change-Id: I5a13860aca41b4401325d3a3f6f025e051f63010 Reviewed-on: https://review.typo3.org/47597 Reviewed-by:
-
Nicole Cordes authored
In Javascript context the title attribute of a selected option is passed as unescapd HTML argument to the function. Creating a new option tag without title validation results in a XSS possibility. This patch removes hardcoded attribute setting and uses jQuery function which take care of proper escaping. Resolves: #75164 Releases: master, 7.6, 6.2 Security-Commit: 1f0d09bfe5899fa189ee6bde102665956dc0f9b1 Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012 Change-Id: I6445259a8608fa7a592b4574cb01c672ae1a4b93 Reviewed-on: https://review.typo3.org/47596 Reviewed-by:
-
Steffen Müller authored
Resolves: #73459 Releases: 6.2 Security-Commit: ab36da69dbdf20e9940faf4ff7ead88657b9ed14 Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012 Change-Id: Ie9e38ee56c8df984653d4bab161087dd20cd065c Reviewed-on: https://review.typo3.org/47595 Reviewed-by:
-
Andreas Fernandez authored
Since the XEE security fix (I26701fc2ffb5aed7ccbd96c168aef571d012091e), the XML files in the Extension Manager may are not loaded anymore, depending on the machine. Change the way how the files are loaded to fix the issue. Change-Id: I2a3dffd089ed427b965bcbae8aa596c26a81770b Resolves: #75022 Releases: master, 7.6, 6.2 Reviewed-on: https://review.typo3.org/47590 Reviewed-by:
-
- Apr 07, 2016
-
-
Alexander Opitz authored
Detect WinCache 2.0 and newer not as opcode cache system. Resolves: #74131 Releases: 7.6, 6.2 Change-Id: If7ce68b884d84638484f7b8225d175f5875fb683 Reviewed-on: https://review.typo3.org/47530 Reviewed-by:
Wouter Wolters <typo3@wouterwolters.nl> Tested-by:
-
- Apr 06, 2016
-
-
Helmut Hummel authored
The newer version of composer installers has extendend features, but is fully backwards compatible and proven to work nicely with TYPO3 6.2. Resolves: #75423 Releases: 6.2 Change-Id: Iaa25df38a55cb0276931123b549f60b86d0c5088 Reviewed-on: https://review.typo3.org/47515 Reviewed-by:
Mathias Brodala <mbrodala@pagemachine.de> Tested-by:
Helmut Hummel <helmut.hummel@typo3.org> Tested-by:
-
- Apr 04, 2016
-
-
Bernhard Kraft authored
When using the "clearAllCache" button a warning message gets shown (or eventually just logged) when the APC file cache is used. Reason is that the method "OpcodeCacheUtility::clearAllActive()" will not allow to clear whole directories. Per definition the used method "apc_delete_file()" allows only to delete single file-cache entries from the APC cache when called with a string argument. So for this to work the method "apc_delete_file()" got changed to use the "ApcIterator" class using a regular expression matching the given directory. Change-Id: I7148fb3c176e05518901b032eccddfa2dd448c4a Resolves: #69773 Releases: 6.2 Reviewed-on: https://review.typo3.org/43289 Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
-
- Mar 31, 2016
-
-
Christian Opitz authored
The current version constraint doesn't allow composer to install bug fix versions of the 1.1 version branch of the composer installers which is unhandy when there are bug fixes such as for #75273. The new constraint matches all 1.1.* versions greater 1.1.4 Resolves: #75273 Releases: 6.2 Change-Id: I81ce319ea812d44bcf3dd23602e876eb0f0675d8 Reviewed-on: https://review.typo3.org/47414 Reviewed-by:
Morton Jonuschat <m.jonuschat@mojocode.de> Tested-by:
-
Daniel Neugebauer authored
When using sections for search, indexed_search now only trims the first character from the section path name if it is a slash. Resolves: #73631 Releases: 6.2 Change-Id: Ia67b411aeeb29af6d23b392a22dbcf381eb0b9f5 Reviewed-on: https://review.typo3.org/46846 Reviewed-by:
Tymoteusz Motylewski <t.motylewski@gmail.com> Tested-by:
-
- Mar 30, 2016
-
-
Gianluigi Martino authored
If you delete a file or folder by using the clickmenu, a confirmation message without reference count is shown. To streamline the confirmation message with the one from FileList, the reference count is added with this patch. Resolves: #75156 Releases: master, 7.6, 6.2 Change-Id: I84fe8c853199cdb4e0ff422cdb5fc327e4bdc683 Reviewed-on: https://review.typo3.org/47387 Reviewed-by:
Andreas Fernandez <typo3@scripting-base.de> Tested-by:
Nicole Cordes <typo3@cordes.co> Tested-by:
Michael Oehlhof <typo3@oehlhof.de> Tested-by:
-
- Mar 29, 2016
-
-
Andreas Fernandez authored
The patch fixes the quotation in the description of the parameters ``$serviceType`` and ``$serviceKey``. This ensures a correct rendering by Doxygen. Resolves: #75283 Releases: master, 7.6, 6.2 Change-Id: Ic7d91c1c108465b50f7637667ff6f3a8b451eb26 Reviewed-on: https://review.typo3.org/47401 Reviewed-by:
-
Sascha Egerer authored
Change-Id: I792f5534780675278cbd7d540c96b60568b2647e Resolves: #75287 Releases: 7.6, 6.2 Reviewed-on: https://review.typo3.org/47399 Reviewed-by:
-
- Mar 23, 2016
-
-
Andreas Fernandez authored
Due to a wrong assignment, modSharedTSconfig is always used to set the default language label in PageLayoutController, even if modTSconfig is set. modTSconfig is now used if possible. Resolves: #75242 Releases: master, 7.6, 6.2 Change-Id: I517c03f02ffc8d05ed74a865517ee775e1542bfe Reviewed-on: https://review.typo3.org/47375 Reviewed-by:
-
- Mar 12, 2016
-
-
Nicole Cordes authored
Within ajax requests currently the ajaxUrls are exported to the TYPO3.settings variable which overwrites the parent state with all other information (e.g. format setting). This patch prevents the output of new TYPO3.settings in the ajax response. Resolves: #72606 Releases: 6.2 Change-Id: I0907be4564b6210b816eb607cd81156f987852d6 Reviewed-on: https://review.typo3.org/46070 Reviewed-by:
Stefan Froemken <froemken@gmail.com> Reviewed-by:
Mathias Schreiber <mathias.schreiber@wmdb.de> Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
-
- Mar 11, 2016
-
-
Tymoteusz Motylewski authored
Add two unit tests for Indexer, covering content extraction from between TYPO3SEARCH_begin and TYPO3SEARCH_end markers. Add note to documentation that it's possible to have multiple TYPO3SEARCH marker pairs. Resolves: #74815 Releases: master, 7.6, 6.2 Change-Id: I37c67dfc055dc30698831eef6d0231d929fef957 Reviewed-on: https://review.typo3.org/47191 Reviewed-by:
-
- Mar 10, 2016
-
-
Andreas Fernandez authored
Since the XEE security fix (I26701fc2ffb5aed7ccbd96c168aef571d012091e), the XML files in the t3editor are not loaded anymore. Change the way how the files are loaded to fix the issue. Change-Id: I26c622e47ee0f791b998886837f4443f5bddf11b Resolves: #74508 Releases: master, 7.6, 6.2 Reviewed-on: https://review.typo3.org/47177 Reviewed-by:
-
- Mar 06, 2016
-
-
Oliver Hader authored
Workspace page previews collide with that configuration that might have been set by using a preview link containing a ADMCMD_prev command. The keyword "IGNORE" is introduced to actually ignore these configurations when viewing a page from the workspace module. Resolves: #72225 Releases: master, 7.6, 6.2 Change-Id: I6a73e860a76308028f0a3b1bcd182e41082adcd6 Reviewed-on: https://review.typo3.org/45254 Reviewed-by:
-
- Mar 05, 2016
-
-
Nicole Cordes authored
This patch fixes an issue with unclean t3d export due to string to array conversion. This is important to be able to import a t3d files which was exported with 7.6 and above even in 6.2. This is needed as we do not have any chance to see which TYPO3 version was used for the export. Resolves: #74127 Releases: master, 7.6, 6.2 Change-Id: I6ba7b825241c2ca439c485aaf597b019b7ac8997 Reviewed-on: https://review.typo3.org/47091 Reviewed-by:
-
- Mar 04, 2016
-
-
Benjamin Kott authored
Resolves: #70373 Releases: master, 7.6, 6.2 Change-Id: I8cb505a051ecfbc0f423d32cbc121545cec35bf4 Reviewed-on: https://review.typo3.org/47073 Reviewed-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
-
Gianluigi Martino authored
Keep the currently selected page active when editing the page properties of another page as non-admin user. Change-Id: I8f69ed0ded1dc5be3e50023c912c759d559cbbee Resolves: #71094 Releases: master,7.6,6.2 Reviewed-on: https://review.typo3.org/46133 Reviewed-by:
Jan Helke <typo3@helke.de> Tested-by:
-
Björn Jacob authored
The documentation of EXT:form is outdated. The whole documentation has been proof read and revised. Furthermore, the document has experienced a huge structural change. The long pages have been split into smaller parts. A lot of content was duplicated. Following the DRY principle, the descriptions of functions/ attributes etc. are now documented at a central place and references are used. Resolves: #69346 Releases: master,7.6,6.2 Change-Id: I45ddcf2f93c94f2982ac5fdecd5a942fad2eef21 Reviewed-on: https://review.typo3.org/47060 Reviewed-by:
-
- Mar 03, 2016
-
-
Eric Chavaillaz authored
Since mod_filter is available since Apache 2.3.7 we need to check for the apache version in the htaccess file. Older versions of apache will work as well, even though they do not need to check for the existence of mod_filter. A comment is added to inform older Apache versions. Resolves: #72886 Releases: master, 7.6, 6.2 Change-Id: Ia4905c992b52b2bd540ece0a1c1866aeacf6de85 Reviewed-on: https://review.typo3.org/47021 Reviewed-by:
-
- Feb 25, 2016
-
-
Oliver Hader authored
The workspace preview in the frontend shows the buttons to the previous and next stage if the user is not responsible for the current stage. Clicking the button does not forward the records to the names stage however - this is caught by DataHandlerHook in EXT:version. Resolves: #73243 Releases: master, 7.6, 6.2 Change-Id: I233629cb393d5786048ab7ead39cd3316780b488 Reviewed-on: https://review.typo3.org/46597 Reviewed-by:
-
- Feb 23, 2016
-
-
TYPO3 Release Team authored
Change-Id: Ic5dbf3cb43af040d761f2cfd1894c0a6b9ea00b8 Reviewed-on: https://review.typo3.org/46838 Reviewed-by:
-
TYPO3 Release Team authored
Change-Id: Iee319320400b384e4af96ca13e0e5c0ea4221a4e Reviewed-on: https://review.typo3.org/46837 Reviewed-by:
-
Benni Mack authored
Indexed Search allows to show up to 100.000 entries per page by configuring the paging entry via a GET/POST variable, leading to a possible DoS attack. The max limit is set to 100 entries per page, as a reasonable limit for the website search results. Resolves: #73458 Releases: master, 7.6, 6.2 Security-Commit: 8dc6e3c41d53788966b1ab220acd49a815ccfe7f Security-Bulletins: TYPO3-CORE-SA-2016-005, 006, 007, 008 Change-Id: I46d825d918d716c6059bb732d3b808dd4bafdc9c Reviewed-on: https://review.typo3.org/46830 Reviewed-by:
-
Georg Ringer authored
Escape the value of the field CType in tt_content.default. Resolves: #73450 Releases: master, 7.6, 6.2 Security-Commit: fa4c55b136648dd01115c346d9fd0c90b303f2d1 Security-Bulletins: TYPO3-CORE-SA-2016-005, 006, 007, 008 Change-Id: Ica19c572bf46b6f2b11333b6759804d3537e7469 Reviewed-on: https://review.typo3.org/46829 Reviewed-by:
-
Wouter Wolters authored
Resolves: #73449 Releases: 6.2 Security-Commit: c4df50a433362c2a3976f40bcbc5be82d4cb3cb6 Security-Bulletins: TYPO3-CORE-SA-2016-005, 006, 007, 008 Change-Id: I7881425226a6a23b9acf6a1870b82c4dcf0fee93 Reviewed-on: https://review.typo3.org/46828 Reviewed-by:
-
Benni Mack authored
Remote XML entites can be loaded in places where TYPO3 expects only local files to be fetched. All places are changed so the option to load entities is disabled. Resolves: #61269 Releases: master, 7.6, 6.2 Security-Commit: ed1cd758fafc81ed44f8f829ad3ed3a86c5db649 Security-Bulletins: TYPO3-CORE-SA-2016-005, 006, 007, 008 Change-Id: Ic5513ce257f0a6aa1a9cce7a617b59ed09341a78 Reviewed-on: https://review.typo3.org/46827 Reviewed-by:
-
- Feb 22, 2016
-
-
Christian Kuhn authored
There is a list of patches we applied to adodb manually in typo3/sysext/adodb/Documentation/Index.rst. This, together with 'git log' should be enough in case adodb is updated. The diff file is pain to maintain and also does not contain all changes that were done to adodb. Change-Id: If0525ce90b637541d659569f697377f011b8ad37 Resolves: #73607 Releases: master, 7.6, 6.2 Reviewed-on: https://review.typo3.org/46817 Reviewed-by:
-
- Feb 20, 2016
-
-
Mathias Brodala authored
TYPO3 6.2 is not compatible with PHP 7.x thus properly declare this for Composer installations. Resolves: #73480 Releases: 6.2 Change-Id: I857a07199109f63b51079094d035b6f1ab9efb52 Reviewed-on: https://review.typo3.org/46707 Reviewed-by:
-
- Feb 18, 2016
-
-
Mathias Brodala authored
This fixes an issue introduced with the backport of the change in #73083 to TYPO3 6.2. Resolves: #73518 Related: #73083 Releases: 6.2 Change-Id: I8fef570b15e8bbf94da124f47a5bd4b3158c1b9f Reviewed-on: https://review.typo3.org/46743 Reviewed-by:
Mario Rimann <typo3-coding@rimann.org> Tested-by:
David Hoeckele <david@hoeckele.net> Reviewed-by:
-
