- Jun 20, 2014
-
-
Jigal van Hemert authored
If paths or filenames of external documents contain utf-8 characters the system locale must be used. Functions like escapeshellarg and basename are locale aware. Change-Id: I50a73a42d60de569c63e5ba27ad6a6a3a66fd6c8 Fixes: #30244 Releases: 4.5, 6.0, 6.1, 6.2 Reviewed-on: https://review.typo3.org/26918 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Jun 19, 2014
-
-
Claus Due authored
A field name parameter is not being passed from within DataHandler when copying a record which has a FlexForm DF associated with it. This causes dynamic FlexForm DS definitions to not be able to depend on the field name, in turn causing the problem that an incorrect DS may be returned from the DS utility which makes TYPO3 process the data value incorrectly (for example, not detecting file fields and processing the values accordingly). To solve this the $field parameter is passed. Resolves: #59423 Releases: 6.3, 6.2, 6.1 Change-Id: Icfafd553f76e17ad5db651bb3f5dea52b140dcf7 Reviewed-on: https://review.typo3.org/30891 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Jun 13, 2014
-
-
Philipp Gampe authored
The extension manager fails to show any error message if an extension update fails. Convert exceptions (e.g. dependency fails, TER download fails) into a nice flashmessage. Convert any server errors (uncatchable PHP errors) into a flashmessage. Resolves: #56823 Releases: 6.2, 6.1 Change-Id: Ife3c6d3dcd23177ba22192dd6ae720352931b538 Reviewed-on: https://review.typo3.org/29735 Reviewed-by: Stefan Neufeind Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Francois Suter authored
The sorting by date fails in the Filelist module when more than 9 files with the same date are found since the numerical suffix used to avoid overwriting existing entries in the sorting array is not properly padded. Fixes: #59458 Releases: 6.2, 6.1 Change-Id: I2c80a00dd1692b0987da3d461cc5a21fcea4c97d Reviewed-on: https://review.typo3.org/30711 Reviewed-by: Francois Suter Tested-by: Francois Suter
-
- Jun 12, 2014
-
-
Alexander Opitz authored
Set RteHtmlParser in dontHSC_rte modus to fix garbled output. Resolves: #25188 Releases: 6.2, 6.1 Change-Id: Ib01c3f6dcf1729b1979003c207aa622cc5c9b5c3 Reviewed-on: https://review.typo3.org/30690 Reviewed-by: Xavier Perseguers Tested-by: Xavier Perseguers
-
- Jun 06, 2014
-
-
Mathias Brodala authored
Due to using array_pop instead of array_shift the last line of the command description is dropped instead of the first. Use array_shift instead to get the full description annotated for the command method. Resolves: #59324 Releases: 6.2, 6.1, 4.7 Change-Id: I4d7c320b0ef334adbd15997d15d8e7a56d5739c1 Reviewed-on: https://review.typo3.org/30613 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
Jan-Erik Revsbech authored
When running TYPO3 behind a reverse proxy, which also handles SSL, the setting reverseProxySSL should check if the site is requested from one of the reverse proxies in order to determine whether the site is using SSL. It incorrectly does this check via getIndpEnv('REMOTE_ADDR') which has already translated the proxy IP to the end user's IP, thus always returning FALSE. Resolves: #37467 Releases: 6.2, 6.1 Change-Id: I95615b0fea94e0ef0222e958e4e0bba5e6e9f60a Reviewed-on: https://review.typo3.org/30604 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Jun 05, 2014
-
-
Robert Vock authored
Logoff sets user property to an empty string instead of NULL. This leads to a PHP Warning in PHP 5.4. Change-Id: Ib0e1a31dbf2fd3fcbcf1e7afd972b53d60c3ab5d Resolves: #59364 Releases: 6.2, 6.1 Reviewed-on: https://review.typo3.org/30595 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Christian Zenker authored
$this->sWArr is not defined in SearchController. Fix this to use the correct $this->searchWords variable. Change-Id: Iba888f1a47dcc0952ffbbb1e3bb4413435c2a95e Resolves: #59277 Releases: 6.2, 6.1 Reviewed-on: https://review.typo3.org/30587 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Jun 04, 2014
-
-
Helmut Hummel authored
* Unit tests are allowed for CLI anyway
* Remove allow all in data provider

The latter implicitly caused a global allow, as PHPUnit parses all data providers before any test is run, thus setting globals there will cause them to be preserved (and restored when backup globals is true). Releases: 6.2, 6.1, 6.0 Resolves: #59343 Change-Id: I646294bb472027e22d6edc0622068698fe9a88fc Reviewed-on: https://review.typo3.org/30563 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
- Jun 03, 2014
-
-
Markus Klein authored
Ensure the DataHandler::log() function does return integers in all cases as denoted in the doc header. Resolves: #59185 Releases: 6.2, 6.1, 6.0 Change-Id: I2a6aa0415b7cc19f10b4a290e43bd20065e6c9e1 Reviewed-on: https://review.typo3.org/30549 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Markus Klein authored
RTE feature "userlinks" generates a wrong JS function name due to the automatic replacement during the namespace conversion. Revert this line to use the correct JS function name. Resolves: #59302 Releases: 6.2, 6.1, 6.0 Change-Id: Ia6b51e7e1b1dfa0e618106f4f039bd0774464a97 Reviewed-on: https://review.typo3.org/30540 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Markus Klein authored
The AJAX url for retrieving a new encryption key contains two question marks. This causes the request to fail. Fix this by removing the superfluous ? from the parameters. Resolves: #59034 Releases: 6.1, 4.7, 4.5 Change-Id: Iab3833f50a48b71b25cf0205f7eb8d6b57dd859a Reviewed-on: https://review.typo3.org/30385 Reviewed-by: Alexander Opitz Reviewed-by: Michael Schams Tested-by: Michael Schams Reviewed-by: Wouter Wolters Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- May 29, 2014
-
-
Sebastian Michaelsen authored
The title of a flexform element is cropped to maximum length of 30 characters. Instead it should obey the maximum title length in the user settings. Resolves: #58910 Releases: 6.2, 6.1 Change-Id: I28c6fc94b2d492217479bf014ff8f67463b4e98f Reviewed-on: https://review.typo3.org/30488 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Markus Klein authored
When setting up a new TYPO3 installation, TYPO3 should redirect to the install tool, when accessing the frontend or backend. This redirect fails since introduction of the trustedHostsPattern since no configuration is available at this point, while the request itself is a BE or FE request, which will be denied in this case. Solution is to set the REQUEST_TYPE to INSTALL before doing the redirect to install tool so that creating the redirect is allowed. Resolves: #59087 Releases: 6.2, 6.1 Change-Id: I31bcbc20fa1c9bca0d6bf2b940bf26b9affe893b Reviewed-on: https://review.typo3.org/30487 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
- May 28, 2014
-
-
David Greiner authored
If localizing a parent-child structure, usually the language of the parent element shall be applied to related child records as well as new child records. Due to a missing array segment, the accordant section in the InlineElement source code never was processed. Resolves: #57063 Releases: 6.2, 6.1 Change-Id: I7e563044f9889538f9b8171f71f7685722db8266 Reviewed-on: https://review.typo3.org/30472 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- May 26, 2014
-
-
Nicole Cordes authored
Due to patch https://review.typo3.org/#/c/30305/ the string comparison on colPos fails and new content elements are always stored on pid 0. This patch corrects the check for an integer colPos type by setting the unused variable to NULL. Resolves: #59059 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: Iecd7f0cacf5c9315d882eebeb3893bcfa63ae7eb Reviewed-on: https://review.typo3.org/30416 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- May 23, 2014
-
-
Marc Bastian Heinrichs authored
Extbase allows to register alternative implementations for objects. However that does not work for view helpers using a closing tag. The resolved (alternative) object is compared to the name of the original view helper and throws an exception like: #1224485398: Templating tags not properly nested. Expected: "AlternativeViewHelper"; Actual: "OriginalViewHelper". A simple solution is to save the class name of the object returned from the object manager in a runtime cache and check this when resolving a view helper name. A nice side effect is that the same view helper name must not be calculated over and over again. Fixes: #52272 Releases: 6.0, 6.1, 6.2 Change-Id: Ie49e5e83c779b4748dc2059f8fbc85552ce4b406 Reviewed-on: https://review.typo3.org/30349 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- May 22, 2014
-
-
Markus Klein authored
lang/4.5/locallang_csh_pages.xlf contains invalid HTML structure: a <p> tag should actually be a <b> tag. Resolves: #58936 Releases: 6.2, 6.1, 4.5 Change-Id: Id37d424296628202d8d434e0cf9cafd8529da2c3 Reviewed-on: https://review.typo3.org/30330 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Xavier Perseguers authored
The TCA tree element fails to load inside IRRE in some conditions (when the record is not loaded/opened). Change-Id: Id077a71e2191b0cf91003611e11dc5aefafab0c9 Resolves: #39035 Releases: 6.2, 6.1 Reviewed-on: https://review.typo3.org/29909 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Marc Bastian Heinrichs authored
Since making userHomePath and groupHomePath FAL compatible the descriptions in DefaultConfiguration don't fit anymore. Resolves: #56986 Releases: 6.2, 6.1 Change-Id: Ia27193b967137dd3744c2fdcf5b5b0d3366c0080 Reviewed-on: https://review.typo3.org/29906 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Markus Klein authored
The flexform converter in ContentObjectRenderer tries to access an array element on a non-array. Check existence with isset() first. Resolves: #57809 Releases: 6.2, 6.1 Change-Id: I8e6111afee3a639b3077dc59bc2e32b72fa12f5c Reviewed-on: https://review.typo3.org/29892 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Alexander Opitz authored
The var pageNotFound is set if the called page has access restrictions. Afterwards, a search for an accessible page starts in the rootline upwards. If that page is a short link which also isn't accessible we stop instead of searching again in this new rootline. Limiting this to a maximum of 20 iterations to prevent endless loops. If an accessible page is found we do not reset the pageNotFound var. The PageNotFound handler reacts on this var and redirects to the 404 page instead of presenting the accessible page we found later on. You can reproduce this with the introduction package, for example change the access to the Example/Tables page to "Customer". Afterwards go to http://yourdomain/?id=38 and you will see the 404 page. If you disable the pageNotFound_handling you will see the content of the Example page. Resolves: #16472 Releases: 6.2, 6.1 Change-Id: I1e58ec1f96422c6bf3e5c9c74f1b1c1666b68762 Reviewed-on: https://review.typo3.org/29897 Reviewed-by: Alexander Opitz Tested-by: Alexander Opitz Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Helmut Hummel authored
The unit tests for the recent HTTP host fix are failing if executed in CLI mode. In CLI mode no server environments and HTTP headers are available, that's why the behavior needs to know about the test execution process. We solve this by mocking allowed request types. Resolves: #59022 Releases: 6.2, 6.1, 6.0 Change-Id: I3c93d181dcec5f34064798e7c31240877fde610d Reviewed-on: https://review.typo3.org/30325 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
TYPO3 Release Team authored
Change-Id: I4f3b6dc5fe3e7e64365b632d6bd2656cd45d1378 Reviewed-on: https://review.typo3.org/30315 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
TYPO3 Release Team authored
Change-Id: I68884dbd5ac459c84ad18a14e7c7df30701ad72c Reviewed-on: https://review.typo3.org/30314 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
Helmut Hummel authored
TYPO3 uses the values of HTTP_HOST in several places without validating them. This could lead to a situation where links are generated using the host part from HTTP_HOST. Since HTTP_HOST headers are user input and can be spoofed by an attacker, it leads to several potential and actual security issues. To address this, a configuration option for trusted hosts is added, which is evaluated every time getIndpEnv('HTTP_HOST') is called. The configuration option is $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] and can contain either a regular expression or the value "SERVER_NAME". To properly output the exception message in case the trustedHostsPattern does not match, we need to adapt the exception handlers slightly to not log information in this case and to actually show the message even in production context to not confuse admins on what is currently going wrong. To not break all existing installations, the default pattern is set to 'SERVER_NAME' which allows all HTTP_HOST values matching the SERVER_NAME (and optionally the SERVER_PORT if a port is specified in the HTTP_HOST value). This will secure all installations which use properly configured name based virtual hosts, but leaves installations where the web server is not bound to a specific host name still in an insecure state. Change-Id: I38e6a18a3e66e80abda2a4682bd1348198de1f8b Fixes: #30377 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30299 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
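The host check described in the commit message above, sketched as a stand-alone PHP function. This is an added example, not the code of the TYPO3 patch; `isTrustedHost()`, its parameters, the regex pattern and the sample host names are assumptions made for illustration.

```php
<?php
// Added illustration, not TYPO3 core code. isTrustedHost() is a hypothetical helper.

/**
 * Decide whether a client-supplied Host header may be used to build links.
 *
 * $pattern is either the literal "SERVER_NAME" or the body of a regular
 * expression (assumed to be written without delimiters and without "/").
 */
function isTrustedHost(string $hostHeader, string $pattern, string $serverName, string $serverPort): bool
{
    if ($pattern === 'SERVER_NAME') {
        // Accept only "host" or "host:port"; anything else (userinfo, path,
        // whitespace) is rejected before any comparison is made.
        if (!preg_match('/^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/Di', $hostHeader, $m)) {
            return false;
        }
        if (strcasecmp($m[1], $serverName) !== 0) {
            return false;
        }
        // The port is compared only when the header carries one.
        return !isset($m[2]) || $m[2] === $serverPort;
    }

    // Regex mode: wrap the pattern in a group and anchor both ends, so an
    // alternation such as "a\.example|b\.example" cannot match a substring.
    // The D modifier stops "$" from matching before a trailing newline.
    return preg_match('/^(?:' . $pattern . ')$/Di', $hostHeader) === 1;
}

// Constructed sample values; the web server is assumed to report these.
$serverName = 'www.example.org';
$serverPort = '443';
$regex = '(www\.)?example\.org(:443)?';

$samples = [
    'www.example.org',
    'www.example.org:443',
    'www.example.org:8443',
    'example.org',
    'attacker.example',
    'www.example.org.attacker.example',
    'www.example.org@attacker.example',
];

foreach ($samples as $host) {
    printf(
        "%-36s SERVER_NAME=%-5s regex=%s\n",
        $host,
        var_export(isTrustedHost($host, 'SERVER_NAME', $serverName, $serverPort), true),
        var_export(isTrustedHost($host, $regex, $serverName, $serverPort), true)
    );
}
```

The SERVER_NAME mode is only as trustworthy as the web server's virtual host configuration: if the server fills SERVER_NAME from the request's Host header, the comparison is against the client's own input.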
-
Nicole Cordes authored
Needs to be fixed also in 6.x, but the affected function is not used anymore. Change-Id: I434689d4065496330a92e7086ec6899ddff1d2d6 Fixes: #54111 Fixes: #54113 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 383664ef458c2b978666311d294591d96a2d0eb9 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30298 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Marcus Krause authored
Sanitize user-input colPos in new content element wizard. Change-Id: I68ee05a9113b2a0266c0be612b1a10272cb986a2 Fixes: #48695 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: eccb66a7ed4cb872f512f611395eae4ed0226e10 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30297 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Marc Bastian Heinrichs authored
Change-Id: I2958dcc7cecf8ef980d90dae66c6bd2df432ce4b Fixes: #54109 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 788dfadc5c1339e9bc4533d595ce23a524cc5450 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30296 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
Change-Id: Ie3f08333e417d8d208b3b36b208056efd4dbcec0 Fixes: #57576 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: cc840cb0438cfdae76219c3ac5f28a1f341ae9b7 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30295 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Jigal van Hemert authored
The url for the Open in New Window button must be quoted for use in JavaScript to prevent XSS issues. Change-Id: I849534cd53d333f6e12846a8065ad7e5373b8e63 Fixes: #48693 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 06a582c197dee4add0979f956f932ea03e2b3022 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30294 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
Change-Id: Id3a692cdccb2d3a9ae46ae635ee5c316fa36e371 Fixes: #56458 Releases: 6.1, 6.0, 4.7, 4.5 Security-Commit: 3981e7efef710d680a18f8a5537a7085e540aab3 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30293 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
The file charts.swf is vulnerable to XSS, is delivered by ExtJS but not used in TYPO3 CMS at all. Since the vendor of ExtJS did not fix this vulnerability, we decided to remove it from TYPO3 sources. Change-Id: I4d4f871e9e89250b0b818b50e8342bd902485464 Fixes: #54526 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 467ea328aaa23230bbe93b4deb18ec73fbd7b1e8 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30292 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- May 21, 2014
-
-
Markus Klein authored
The Indexer of indexed_search tries to insert NULL values into NOT NULL columns of the database. Since #53662 NULL values are passed to the database, hence these insert statements now fail. Resolves: #54917 Releases: 6.2, 6.1, 6.0 Change-Id: Ia935abe14b9c3be2062f1b38ec98fb63921a1c2f Reviewed-on: https://review.typo3.org/30244 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- May 15, 2014
-
-
Markus Klein authored
Resolves: #58842 Releases: 6.2, 6.1 Change-Id: Ibaf87d32778349d5a87009bcd2b365447e6488fa Reviewed-on: https://review.typo3.org/30151 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- May 14, 2014
-
-
Markus Klein authored
Remove the superfluous count() call. Resolves: #58529 Releases: 6.2, 6.1, 6.0 Change-Id: I0933650b52063009de52268034480f6e06af56ac Reviewed-on: https://review.typo3.org/29883 Tested-by: Stefan Neufeind Reviewed-by: Markus Klein Reviewed-by: Nicole Cordes Tested-by: Nicole Cordes Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
- May 08, 2014
-
-
Jigal van Hemert authored
The reason for this behaviour is the combination of prototype.js and ExtJS. The ExtJS defer() method takes precedence. Calling the defer() method without any arguments would have resulted in using a default value of "0.01" seconds in standalone prototype.js, but results in directly calling the submitted function. The stack overflow is caused by not delaying the function call and thus ending in a recursive endless loop. Resolves: #58187 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: I6db191ff67a3e869072877936d949fc733cda74f Reviewed-on: https://review.typo3.org/29907 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Stanislas Rolland authored
When inserting an image in the RTE, the default image title should be the image file title, not the image file name. Resolves: #58373 Releases: 6.1, 6.2 Change-Id: I5aa3aae4db83cbd36244b89cc37c78184b290228 Reviewed-on: https://review.typo3.org/29780 Reviewed-by: Stanislas Rolland Tested-by: Stanislas Rolland
-
- May 05, 2014
-
-
Marc Bastian Heinrichs authored
A TypoScript condition like "[globalString = GP:anEmptyGetPostVarKey = ]" returns a false value instead of the expected true value. Fixes: #45183 Releases: 4.5, 6.0, 6.1, 6.2 Change-Id: I114b702f4b5ae5f68236874325e82974a8ba6107 Reviewed-on: https://review.typo3.org/27249 Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-