  1. Jun 20, 2014
  2. Jun 19, 2014
    • [BUGFIX] Pass field name variable to flexform DS utility · 7f4cc74e
      Claus Due authored
      A field name parameter is not being passed from within
      DataHandler when copying a record which has a FlexForm
      DF associated with it. This causes dynamic FlexForm DS
      definitions to not be able to depend on the field name,
      in turn causing the problem that an incorrect DS may be
      returned from the DS utility which makes TYPO3 process
      the data value incorrectly (for example, not detecting
      file fields and processing the values accordingly).
      
      To solve this the $field parameter is passed.
      
      Resolves: #59423
      Releases: 6.3, 6.2, 6.1
      Change-Id: Icfafd553f76e17ad5db651bb3f5dea52b140dcf7
      Reviewed-on: https://review.typo3.org/30891
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  3. Jun 13, 2014
    • [BUGFIX] Extensionmanager does not show error messages on update failure · 5dba6de7
      Philipp Gampe authored
      The extension manager fails to show any error message if an extension
      update fails.
      
      Convert exceptions (e.g. dependency fails, TER download fails) into a
      nice flashmessage.
      Convert any server errors (uncatchable PHP errors) into a flashmessage.
      
      Resolves: #56823
      Releases: 6.2, 6.1
      Change-Id: Ife3c6d3dcd23177ba22192dd6ae720352931b538
      Reviewed-on: https://review.typo3.org/29735
      Reviewed-by: Stefan Neufeind
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] Erroneous date sorting in File List · 15ffdb20
      Francois Suter authored
      The sorting by date fails in the Filelist module when more
      than 9 files with the same date are found since the numerical
      suffix used to avoid overwriting existing entries in the
      sorting array is not properly padded.
      
      Fixes: #59458
      Releases: 6.2, 6.1
      Change-Id: I2c80a00dd1692b0987da3d461cc5a21fcea4c97d
      Reviewed-on: https://review.typo3.org/30711
      Reviewed-by: Francois Suter
      Tested-by: Francois Suter
  4. Jun 12, 2014
  5. Jun 06, 2014
    • [BUGFIX] Fix command description · ce838380
      Mathias Brodala authored
      Due to using array_pop instead of array_shift the last line
      of the command description is dropped instead of the first.
      
      Use array_shift instead to get the full description
      annotated for the command method.
      
      Resolves: #59324
      Releases: 6.2, 6.1, 4.7
      Change-Id: I4d7c320b0ef334adbd15997d15d8e7a56d5739c1
      Reviewed-on: https://review.typo3.org/30613
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [BUGFIX] getIndpEnv('TYPO3_SSL') fails to detect reverseProxyIp · 0f9bd665
      Jan-Erik Revsbech authored
      When running TYPO3 behind a reverse proxy, which also handles SSL,
      the setting reverseProxySSL should check if the site is requested
      from one of the reverse proxies in order to determine whether
      the site is using SSL.
      
      It incorrectly does this check via getIndpEnv('REMOTE_ADDR') which has
      already translated the proxy IP to the end-user's IP, thus always
      returning FALSE.
      
      Resolves: #37467
      Releases: 6.2, 6.1
      Change-Id: I95615b0fea94e0ef0222e958e4e0bba5e6e9f60a
      Reviewed-on: https://review.typo3.org/30604
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  6. Jun 05, 2014
  7. Jun 04, 2014
    • [BUGFIX] Fix frontend unit tests if executed standalone · 2c8a4285
      Helmut Hummel authored
      * Unit tests are allowed for CLI anyway
      * Remove allow all in data provider
      
      The latter implicitly caused a global allow, as PHPUnit parses
      all data providers before any test is run, thus setting globals there
      will cause them to be preserved (and restored when backup globals is true).
      
      Releases: 6.2, 6.1, 6.0
      Resolves: #59343
      Change-Id: I646294bb472027e22d6edc0622068698fe9a88fc
      Reviewed-on: https://review.typo3.org/30563
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
  8. Jun 03, 2014
    • [BUGFIX] DataHandler::log() must not return NULL · cd81ccb5
      Markus Klein authored
      Ensure the DataHandler::log() function does return integers
      in all cases as denoted in the doc header.
      
      Resolves: #59185
      Releases: 6.2, 6.1, 6.0
      Change-Id: I2a6aa0415b7cc19f10b4a290e43bd20065e6c9e1
      Reviewed-on: https://review.typo3.org/30549
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Fix wrong JS function name in RTE · 9576c32c
      Markus Klein authored
      RTE feature "userlinks" generates a wrong JS function
      name due to the automatic replacement during the
      namespace conversion.
      
      Revert this line to use the correct JS function name.
      
      Resolves: #59302
      Releases: 6.2, 6.1, 6.0
      Change-Id: Ia6b51e7e1b1dfa0e618106f4f039bd0774464a97
      Reviewed-on: https://review.typo3.org/30540
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] Fix double ? in eID url for encryption key · d7919b04
      Markus Klein authored
      The AJAX url for retrieving a new encryption key contains
      two question marks. This causes the request to fail.
      
      Fix this by removing the superfluous ? from the parameters.
      
      Resolves: #59034
      Releases: 6.1, 4.7, 4.5
      Change-Id: Iab3833f50a48b71b25cf0205f7eb8d6b57dd859a
      Reviewed-on: https://review.typo3.org/30385
      Reviewed-by: Alexander Opitz
      Reviewed-by: Michael Schams
      Tested-by: Michael Schams
      Reviewed-by: Wouter Wolters
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  9. May 29, 2014
    • [BUGFIX] Flexform element title is cropped to hardcoded length · 34f254ba
      Sebastian Michaelsen authored
      The title of a flexform element is cropped to maximum length of 30
      characters. Instead it should obey the maximum title length in the user
      settings.
      
      Resolves: #58910
      Releases: 6.2, 6.1
      Change-Id: I28c6fc94b2d492217479bf014ff8f67463b4e98f
      Reviewed-on: https://review.typo3.org/30488
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Fix redirect to install tool in new installations · 91640252
      Markus Klein authored
      When setting up a new TYPO3 installation, TYPO3 should redirect
      to the install tool, when accessing the frontend or backend.
      
      This redirect fails since introduction of the trustedHostsPattern
      since no configuration is available at this point, while the
      request itself is a BE or FE request, which will be denied in this
      case.
      Solution is to set the REQUEST_TYPE to INSTALL before doing the redirect
      to install tool so that creating the redirect is allowed.
      
      Resolves: #59087
      Releases: 6.2, 6.1
      Change-Id: I31bcbc20fa1c9bca0d6bf2b940bf26b9affe893b
      Reviewed-on: https://review.typo3.org/30487
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
  10. May 28, 2014
    • [BUGFIX] Parent language is not applied to new child records · 3e6e8ec8
      David Greiner authored
      If localizing a parent-child structure, usually the language
      of the parent element shall be applied to related child records
      as well as new child records.
      
      Due to a missing array segment, the accordant section in
      the InlineElement source code never was processed.
      
      Resolves: #57063
      Releases: 6.2, 6.1
      Change-Id: I7e563044f9889538f9b8171f71f7685722db8266
      Reviewed-on: https://review.typo3.org/30472
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  11. May 26, 2014
  12. May 23, 2014
    • [BUGFIX] Alternative implementations for view helpers do not work · 003c6628
      Marc Bastian Heinrichs authored
      Extbase allows to register alternative implementations for
      objects. However that does not work for view helpers using
      a closing tag. The resolved (alternative) object is compared
      to the name of the original view helper and throws an
      exception like:
      
        #1224485398: Templating tags not properly nested. Expected:
        "AlternativeViewHelper"; Actual: "OriginalViewHelper"
      
      A simple solution is to save the class name of the object returned
      from the object manager in a runtime cache and check this when
      resolving a view helper name. A nice side effect is, that a same
      view helper name must not be calculated over and over again.
      
      Fixes: #52272
      Releases: 6.0, 6.1, 6.2
      Change-Id: Ie49e5e83c779b4748dc2059f8fbc85552ce4b406
      Reviewed-on: https://review.typo3.org/30349
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  13. May 22, 2014
    • [BUGFIX] Wrong HTML in locallang_csh_pages.xlf · 94f1e325
      Markus Klein authored
      lang/4.5/locallang_csh_pages.xlf contains invalid
      HTML structure: a <p> tag should actually be a <b> tag.
      
      Resolves: #58936
      Releases: 6.2, 6.1, 4.5
      Change-Id: Id37d424296628202d8d434e0cf9cafd8529da2c3
      Reviewed-on: https://review.typo3.org/30330
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] TCA tree fail to load with IRRE · f954a795
      Xavier Perseguers authored
      The TCA tree element fails to load inside IRRE in some conditions
      (when the record is not loaded/opened).
      
      Change-Id: Id077a71e2191b0cf91003611e11dc5aefafab0c9
      Resolves: #39035
      Releases: 6.2, 6.1
      Reviewed-on: https://review.typo3.org/29909
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Fix description of userHomePath and groupHomePath · b908b7da
      Marc Bastian Heinrichs authored
      Since making userHomePath and groupHomePath FAL compatible
      the descriptions in DefaultConfiguration don't fit anymore.
      
      Resolves: #56986
      Releases: 6.2, 6.1
      Change-Id: Ia27193b967137dd3744c2fdcf5b5b0d3366c0080
      Reviewed-on: https://review.typo3.org/29906
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Properly check existence of array item · f0ac518f
      Markus Klein authored
      The flexform converter in ContentObjectRenderer tries to access
      an array element on a non-array.
      
      Check existence with isset() first.
      
      Resolves: #57809
      Releases: 6.2, 6.1
      Change-Id: I8e6111afee3a639b3077dc59bc2e32b72fa12f5c
      Reviewed-on: https://review.typo3.org/29892
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] Inaccessible pages on shortcuts/PageNotFound handler · 203c1eb9
      Alexander Opitz authored
      The var pageNotFound is set if the called page has access
      restrictions. Afterwards, a search starts for an accessible page
      in the rootline upwards.
      
      If that page is a short link which also isn't accessible we stop
      instead of searching again in this new rootline. Limiting this to a
      maximum of 20 iterations to prevent endless loops.
      
      If an accessible page is found we do not reset the pageNotFound var.
      The PageNotFound handler reacts on this var and redirects to the 404
      page instead of presenting the accessible page we found later on.
      
      You can reproduce this with the introduction package, for example
      change the access to the Example/Tables page to "Customer".
      Afterwards go to http://yourdomain/?id=38 and you will see the 404
      page. If you disable the pageNotFound_handling you will see the
      content of the Example page.
      
      Resolves: #16472
      Releases: 6.2, 6.1
      Change-Id: I1e58ec1f96422c6bf3e5c9c74f1b1c1666b68762
      Reviewed-on: https://review.typo3.org/29897
      Reviewed-by: Alexander Opitz
      Tested-by: Alexander Opitz
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] Fix failing unit tests for HTTP host check in CLI mode · 420b5c8d
      Helmut Hummel authored
      The unit tests for the recent HTTP host fix are failing
      if executed in CLI mode.
      In CLI mode no server environments and HTTP headers are available,
      that's why the behavior needs to know about the
      test execution process.
      
      We solve this by mocking allowed request types.
      
      Resolves: #59022
      Releases: 6.2, 6.1, 6.0
      Change-Id: I3c93d181dcec5f34064798e7c31240877fde610d
      Reviewed-on: https://review.typo3.org/30325
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [TASK] Set TYPO3 version to 6.1.10-dev · 2b0b9ad6
      TYPO3 Release Team authored
      Change-Id: I4f3b6dc5fe3e7e64365b632d6bd2656cd45d1378
      Reviewed-on: https://review.typo3.org/30315
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
    • [RELEASE] Release of TYPO3 6.1.9 · 211c2332
      TYPO3 Release Team authored
      Change-Id: I68884dbd5ac459c84ad18a14e7c7df30701ad72c
      Reviewed-on: https://review.typo3.org/30314
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
      TYPO3_6-1-9
    • [SECURITY] Add trusted HTTP_HOST configuration · 6fafbf7d
      Helmut Hummel authored
      TYPO3 uses the values of HTTP_HOST in several
      places without validating them. This could
      lead to a situation where links are generated
      using the host part from HTTP_HOST.
      
      Since HTTP_HOST headers are user input and
      can be spoofed by an attacker, it leads
      into several potential and actual security issues.
      
      To address this, a configuration option for
      trusted hosts is added, which is evaluated every
      time getIndpEnv('HTTP_HOST') is called.
      
      The configuration option is
      
      $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']
      
      and can contain either a regular expression or the
      value "SERVER_NAME"
      
      To properly output the exception message in case
      the trustedHostPattern does not match,
      we need to adapt the exception handlers slightly
      to not log information in this case and to actually
      show the message even in production context to not
      confuse admins on what is currently going wrong.
      
      To not break all existing installations, the default
      pattern is set to 'SERVER_NAME' which allows all
      HTTP_HOST values matching the SERVER_NAME (and
      optionally the SERVER_PORT if a port is specified
      in the HTTP_HOST value).
      
      This will secure all installations which use properly
      configured name based virtual hosts, but leaves
      installations where the web server is not bound
      to a specific host name still in an insecure state.
      
      Change-Id: I38e6a18a3e66e80abda2a4682bd1348198de1f8b
      Fixes: #30377
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30299
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in (old) extension manager information function · 2994a1c5
      Nicole Cordes authored
      Needs to be fixed also in 6.x, but the affected function is not
      used anymore.
      
      Change-Id: I434689d4065496330a92e7086ec6899ddff1d2d6
      Fixes: #54111
      Fixes: #54113
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 383664ef458c2b978666311d294591d96a2d0eb9
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30298
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in new content element wizard · 12741ad6
      Marcus Krause authored
      Sanitize user-input colPos in new content element wizard.
      
      Change-Id: I68ee05a9113b2a0266c0be612b1a10272cb986a2
      Fixes: #48695
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: eccb66a7ed4cb872f512f611395eae4ed0226e10
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30297
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in template tools on root page · 7595ad45
      Marc Bastian Heinrichs authored
      Change-Id: I2958dcc7cecf8ef980d90dae66c6bd2df432ce4b
      Fixes: #54109
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 788dfadc5c1339e9bc4533d595ce23a524cc5450
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30296
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in Backend Layout Wizard · 69658064
      Helmut Hummel authored
      Change-Id: Ie3f08333e417d8d208b3b36b208056efd4dbcec0
      Fixes: #57576
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: cc840cb0438cfdae76219c3ac5f28a1f341ae9b7
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30295
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Encode URL for use in JavaScript · 54e46912
      Jigal van Hemert authored
      The url for the Open in New Window button must be quoted for
      use in JavaScript to prevent XSS issues.
      
      Change-Id: I849534cd53d333f6e12846a8065ad7e5373b8e63
      Fixes: #48693
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 06a582c197dee4add0979f956f932ea03e2b3022
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30294
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Fix insecure unserialize in colorpicker · b6826ff0
      Helmut Hummel authored
      Change-Id: Id3a692cdccb2d3a9ae46ae635ee5c316fa36e371
      Fixes: #56458
      Releases: 6.1, 6.0, 4.7, 4.5
      Security-Commit: 3981e7efef710d680a18f8a5537a7085e540aab3
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30293
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Remove charts.swf to get rid of XSS vulnerability · 32efb1b0
      Helmut Hummel authored
      The file charts.swf is vulnerable to XSS, is delivered
      by ExtJS but not used in TYPO3 CMS at all.
      
      Since the vendor of ExtJS did not fix this vulnerability,
      we decided to remove it from TYPO3 sources.
      
      Change-Id: I4d4f871e9e89250b0b818b50e8342bd902485464
      Fixes: #54526
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 467ea328aaa23230bbe93b4deb18ec73fbd7b1e8
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30292
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  14. May 21, 2014
    • [BUGFIX] Indexer tries to insert NULL into DB · 6a91a909
      Markus Klein authored
      The Indexer of indexed_search tries to insert NULL values
      into NOT NULL columns of the database.
      
      Since #53662 NULL values are passed to the database,
      hence these insert statements now fail.
      
      Resolves: #54917
      Releases: 6.2, 6.1, 6.0
      Change-Id: Ia935abe14b9c3be2062f1b38ec98fb63921a1c2f
      Reviewed-on: https://review.typo3.org/30244
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  15. May 15, 2014
  16. May 14, 2014
  17. May 08, 2014
    • [BUGFIX] Solve stackoverflow in prototype in IE8 · fb8370d0
      Jigal van Hemert authored
      The reason for this behaviour is the combination of prototype.js
      and ExtJS. The ExtJS defer() method takes precedence. Calling the
      defer() method without any arguments would have resulted in using
      a default value of "0.01" seconds in standalone prototype.js, but
      results in directly calling the submitted function.
      
      The stack overflow is caused by not delaying the function call
      and thus ending in a recursive endless loop.
      
      Resolves: #58187
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Change-Id: I6db191ff67a3e869072877936d949fc733cda74f
      Reviewed-on: https://review.typo3.org/29907
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [BUGFIX] Default image title in RTE contains the file name · 3abc7030
      Stanislas Rolland authored
      When inserting an image in the RTE, the default image title should be
      the image file title, not the image file name.
      
      Resolves: #58373
      Releases: 6.1, 6.2
      Change-Id: I5aa3aae4db83cbd36244b89cc37c78184b290228
      Reviewed-on: https://review.typo3.org/29780
      Reviewed-by: Stanislas Rolland
      Tested-by: Stanislas Rolland
  18. May 05, 2014