- Dec 10, 2013
Helmut Hummel authored
It has been possible for authenticated editors to show content of arbitrary tables and fields that are defined in TCA by manipulating GET parameters of the forms and table wizard. This change adds a check whether the editor has access to the given record. Change-Id: I8e27e5ffbccf148d951b50b21d9e15cc8e317442 Fixes: #41714 Releases: 4.5, 4.7, 6.0, 6.1, 6.2 Security-Commit: 52d4e3eced81639820db6d75f3d65d14c5234072 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26221 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
The eID script of the openid extension does not validate the given redirect URL, leading to an open redirection vulnerability. Add and verify an HMAC of the redirect URL. Change-Id: I0d65390b61dd5cf92151d36e490a194624b98b8f Fixes: #54099 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 5c6a45c0f843a93ab048a3df4bb352b8e02099b2 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26220 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Anja Leichsenring authored
Usage of unverified input parameters in the wizard URL leads to a possible XSS vulnerability in the backend_layout wizard. The solution is the introduction of an HMAC validation of the parameters used in JavaScript. Change-Id: I48f89309fc062d132e283d4fd9179ccbfdcfda4c Fixes: #36768 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: a3ac48f5d66c566d241295d87cc8d7eb4d10c274 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26219 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Anja Leichsenring authored
The tree Display/* ViewHelpers introduce an XSS vulnerability by using unescaped parameters in HTML. Change-Id: I0dadb03105d3eaa520f10f0375a46c83fa56c269 Fixes: #47086 Releases: 6.2, 6.1, 6.0 Security-Commit: 1e0f51f204efd9efacec8aef8ea08e2a8122177b Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26218 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Anja Leichsenring authored
As parameters passed to an ErrorObject can be user input, the output of those parameters in the ActionController::errorAction() method could lead to a cross-site scripting possibility. The offending output has been removed without substitution. Change-Id: I01385c54bb384a86fc6428f67171e7010b821cc2 Fixes: #54074 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: ec947ba22bd673827899c5e82857b293dff8b4b0 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26217 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Steffen Ritter authored
If the TCEforms wizard "add" is used, the originally opened document is closed and a new one is created, in which you then add a new element to be related. In order to "store" the originating document which has been edited, the Wizard/AddController and EditDocumentController exchange state data in a URL parameter. This state array is serialized in the EditDocumentController and unserialized again in the Wizard/AddController from that GET parameter. Without any checks, any code can be injected to be unserialized here, even though we just need an array with some data. This patch changes serialize/unserialize to json_encode and json_decode. Since the GET parameter is only used in conjunction with these two classes, it is safe to change the format in which the URL parameters are serialized. Change-Id: I3b41bd0a688f067af2ea4a345ce0264f61bdecf7 Fixes: #54073 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 7148349140f9c8ccb6d847ef58cf1e032711315b Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26216 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- Dec 08, 2013
Anja Leichsenring authored
This reverts commit 8e022bcb. Merging a feature after feature freeze is not acceptable. Sorry. The patch is pushed again but will not be available in 6.2. Change-Id: I39baa58c70b0e942d01c1c37bbf793b873db385d Reviewed-on: https://review.typo3.org/26055 Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring
-
Jan Kiesewetter authored
In order to provide the full functionality known from the switch/case PHP function, a default case possibility is introduced. Use it like: <f:switch expression="{person.gender}"> <f:case value="female">Mrs.</f:case> <f:case value="male">Mr.</f:case> <f:case default="TRUE">Mrs. or Mr.</f:case> </f:switch> Resolves: #49371 Documentation: #54283 Change-Id: I6b71ec39173ab957aa392bd595a65ceddadc81c9 Releases: 6.2 Reviewed-on: https://review.typo3.org/23739 Reviewed-by: Cedric Ziel Tested-by: Cedric Ziel Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring
-
Xavier Perseguers authored
The filemetadata extension adds additional fields to the sys_file_metadata table. The field creator_tool is defined in SQL and TCA, but not added to any palette or tab. This patch adds the field to the palette with related authoring information. Releases: 6.2 Fixes: #54259 Change-Id: I9e3c3af618b04ddde1c96b3dcb1e4cdf209f6eec Reviewed-on: https://review.typo3.org/25993 Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
-
- Dec 07, 2013
Steffen Ritter authored
The context menu of files is missing the editing pen that allows directly editing the metadata of the file. Currently it only shows the edit-content possibility in case it is a text file. This patch adds the missing option. Resolves: #52835 Releases: 6.2 Change-Id: I869d8a57d2cacc04455df5189b5cc7af02c2e9cf Reviewed-on: https://review.typo3.org/25811 Reviewed-by: Steffen Müller Tested-by: Steffen Müller Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
-
- Dec 06, 2013
Steffen Ritter authored
When the file list was reworked to use FAL instead of plain PHP file functions, the feature to go one level up was removed accidentally. This patch reintroduces the original behaviour known from TYPO3 CMS 4.x. Releases: 6.2 Resolves: #51866 Change-Id: Iad334c90d575f2b2f3b47af71e23c721edd76e1e Reviewed-on: https://review.typo3.org/25812 Reviewed-by: Xavier Perseguers Tested-by: Xavier Perseguers Reviewed-by: Steffen Müller Tested-by: Steffen Müller
-
Wouter Wolters authored
Fix superfluous comparison against boolean in CronCommand::dayMatchesCronCommand Change-Id: Ia1d852ffbbc772dd89587d304b1234e11e372d2d Resolves: #54050 Releases: 6.2 Reviewed-on: https://review.typo3.org/25737 Reviewed-by: Xavier Perseguers Tested-by: Xavier Perseguers Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Dec 04, 2013
Claus Due authored
When using aliased ViewHelper class names and the old Tx_ namespace in a template, and the ViewHelper uses a closing tag (not self-closing), an error is thrown saying the closing tag ViewHelper is not the same as the opening tag ViewHelper (the closing tag uses the old class name, the opening tag uses the new one). To solve this, TemplateParser now checks if resolved ViewHelper class names are aliases of other classes and, if so, uses the real class name instead of the alias. Steps to reproduce the error: * template namespace: {namespace myext=Tx_Myext_ViewHelpers} * template code: <myext:vh>test</myext:vh> * namespaced VH class: \Myext\ViewHelpers\VhViewHelper * ClassAliasMap: Tx_Myext_ViewHelpers_VhViewHelper -> \Mext\ViewHelpers\VhViewHelper * framework: render template using any View. Error 1224485398 "closing tag does not match opening tag" is thrown. Steps taken to fix the error: * run the constructed class name through the alias resolve method. Fixes: #54115 Releases: 6.2, 6.1, 6.0 Change-Id: I070b6199095ec84c7213cfc0c3775f5f08340840 Reviewed-on: https://review.typo3.org/25814 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
- Dec 02, 2013
Stefan Neufeind authored
Since the release of Microsoft IE 11 there is no "MSIE" hint in its user agent header anymore. Therefore the existing patterns fail and the browser is detected as an unknown browser. TYPO3 deactivates several features for unknown browsers. As a result, e.g. the RTE does not load. This change adds special treatment for IE11+ by introducing an additional regular expression matching the new user agent format and looking for the Trident engine to be present. In addition, unit tests for common IE 9-11 user agents are added. Change-Id: I389f344a498ac77f3e6445656dd125fd5d236a98 Resolves: #54124 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Reviewed-on: https://review.typo3.org/25848 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Stefan Neufeind authored
Needed to work around a login problem with IE11. ExtJS tries to clear a cookie with different settings than when setting the cookie. In IE11 this leads to problems with the cookie being set twice on the next call to set(). The get() however would return the first (empty) cookie. Using set() with a date in the past also clears the cookie but will correctly use the same path settings. Change-Id: Ieff22129895cd89ca2e1429703daf1636596ecb6 Resolves: #53818 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Reviewed-on: https://review.typo3.org/25852 Reviewed-by: Henrik Ziegenhain Tested-by: Henrik Ziegenhain Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Steffen Ritter Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Dec 01, 2013
Markus Klein authored
The defaultTypoScript_setup has a different configuration than defaultTypoScript_constants. Make them equal. Resolves: #53852 Releases: 6.2 Change-Id: Ide8be9b4653ed17e3a0ee7a0222bd384a986b3ce Reviewed-on: https://review.typo3.org/25634 Reviewed-by: Wouter Wolters Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Oliver Hader authored
There is faulty and superfluous code in the import/export module: * ModuleFunctionController does not work at all; this points back to issue #22921 during TYPO3 4.4 development * ImportExportTask fetches thumbnail files from a (faulty) storage that are not used at all. Since the required class "mod_user_task" was removed in TYPO3 4.4, the module function component has been broken since then. Thus, it will be removed completely with this change. Fixes: #53555 Releases: 6.2, 6.1, 6.0 Change-Id: I1cbdd967dc47ac2fcd256e7eefc756278822ad84 Reviewed-on: https://review.typo3.org/25302 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Oliver Klee Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Markus Klein authored
The LegacyClassesForIde.php contains some class definitions which extend non-existing or wrong classes. Also fix some issues in the ClassAliasMaps of ext:frontend. Resolves: #54059 Releases: 6.2 Change-Id: Id0918cfc3b187ea1110ad5e745a2b904ea50502c Reviewed-on: https://review.typo3.org/25750 Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
- Nov 30, 2013
Marcus Krause authored
Remove second (no longer evaluated) _GP() function call parameter. Resolves: #54106 Releases: 6.2 Change-Id: I5b8f6401a07a7291c893a7e82f224c89f0e6404e Reviewed-on: https://review.typo3.org/25803 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Tomita Militaru authored
Adds phpinfo() information in System Environment section from the Install Tool, after warning / error messages. Fixes: #53271 Releases: 6.2 Change-Id: I8582a65247de998f373d3143f013fa91cb47bff9 Reviewed-on: https://review.typo3.org/25263 Reviewed-by: Oliver Hader Tested-by: Oliver Hader Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe
-
- Nov 29, 2013
Michiel Roos authored
writeLocalConfiguration() and writeAdditionalConfiguration() have return statements like: return $result === FALSE ? FALSE : TRUE; This can be reduced to: return $result; Moreover the return value of canWriteConfiguration() can be optimized as well. Change-Id: I8e571459179e4bfeca3bba0a4969fb76d18058e2 Resolves: #54019 Releases: 6.2 Reviewed-on: https://review.typo3.org/25715 Reviewed-by: Markus Klein Reviewed-by: Michiel Roos Tested-by: Michiel Roos Tested-by: Markus Klein Reviewed-by: Oliver Klee Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe
-
Christian Kuhn authored
Extension adodb can be used together with the TER extension "datasource". ext:adodb delivers a wizard and flexform code to connect to this third-party extension. The last release of ext:datasource was in 2005; the extension is unmaintained and always had an experimental character. Since core extension functionality should not depend on third-party code, the datasource-related code of ext:adodb is fully removed with this patch in 6.2. Change-Id: Ib7de137599d9bb55d6b9dd98667cbbe3dd70c986 Resolves: #42651 Releases: 6.2 Reviewed-on: https://review.typo3.org/25759 Reviewed-by: Oliver Klee Tested-by: Oliver Klee Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe Reviewed-by: Franz G. Jahn Tested-by: Franz G. Jahn Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Christian Kuhn authored
Remove some ancient and obsolete patch files from ext:adodb/doc. Change-Id: Ib2183abb3358de8b4d7e1dad71731b1df96a9a80 Fixes: #54078 Releases: 6.2 Reviewed-on: https://review.typo3.org/25758 Reviewed-by: Oliver Klee Tested-by: Oliver Klee Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter Reviewed-by: Franz G. Jahn Tested-by: Franz G. Jahn Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
Bernhard Kraft authored
Instead of making a slow array traversal, simply check if there is a hook object for the cObject being rendered by using an array access, and check if the object exists beforehand. Change-Id: I6b16703b1194eca4d1ed5c3d5543076e2cae495d Resolves: #51283 Releases: 6.2 Reviewed-on: https://review.typo3.org/23267 Reviewed-by: Oliver Klee Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe Reviewed-by: Helmut Hummel Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Stefan Neufeind authored
From 3.4.0, released June 9, 2011 To 3.4.1.1, released March 29, 2013 Change-Id: I009c472975262f1813711b8b204518c9f1c8f463 Resolves: #52933 Releases: 6.2 Reviewed-on: https://review.typo3.org/24883 Reviewed-by: Tomita Militaru Tested-by: Tomita Militaru Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Nov 28, 2013
Michiel Roos authored
Fix superfluous comparison against boolean in InlineElement::renderForeignRecord(). Change-Id: I75bb1625ad7ead08e8e38fe46daa03071bc76113 Resolves: #54018 Releases: 6.2 Reviewed-on: https://review.typo3.org/25714 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Michiel Roos authored
GeneralUtility::inList() does a comparison resulting in a boolean value. Then based on this value it will return TRUE or FALSE. It suffices to return the result of the comparison. Change-Id: I12f9dd699a643a187f871940175e32ab2bcca7de Resolves: #54017 Releases: 6.2 Reviewed-on: https://review.typo3.org/25713 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Steffen Gebert authored
The old issue tracker on http://bugs.typo3.org will be shut down by the end of 2013. Therefore replace *all* occurrences of such URLs with the new location on http://forge.typo3.org. Change-Id: Ia44742efeab22837dd5be7076f21eb286aaf5a82 Resolves: #54020 Releases: 6.2 Reviewed-on: https://review.typo3.org/25716 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
- Nov 27, 2013
Wouter Wolters authored
The option disableDocModuleInAB has already been removed from the documentation since TYPO3 4.2 according to http://wiki.typo3.org/Documentation_changes_in_4.2. The current documentation also lacks information about this option. Change-Id: I0ae2ddd88956c8936ae24091f64d95f4195ebf12 Resolves: #53991 Releases: 6.2 Reviewed-on: https://review.typo3.org/25703 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Georg Ringer Tested-by: Georg Ringer
-
- Nov 26, 2013
Michiel Roos authored
The t3skin extension adds icon sprites for each language. And that's great, but not so great that it calls addIconSprite for each language. Instead the iconArray can be built up and submitted once to addIconSprite. This saves 248 calls to addIconSprite which calls array_merge etc. This saves ~ 22 ms for each request. Change-Id: I0fdc09de46899e4160f907aefd8b3b3b596a2df3 Resolves: #53918 Releases: 6.0, 6.1, 6.2 Reviewed-on: https://review.typo3.org/25670 Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe
-
- Nov 24, 2013
Lars Peipmann authored
Replaces the test with empty() by isset() and strlen() > 0, so other strings which are treated by PHP as empty can be used for padding. Resolves: #51650 Releases: 6.2, 6.1 Change-Id: Iee62f19f97b958ab2d02c6ca73052810a3c91117 Reviewed-on: https://review.typo3.org/23536 Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
Bart Dubelaar authored
If multiple stages exist and a user is member of only a few stages, then in many cases the ordering of the stages is mixed up. Change-Id: Ifab7e0afd412f63de574ef262ad4b982cfe1e5e4 Fixes: #36469 Releases: 6.2, 6.1, 6.0 Reviewed-on: https://review.typo3.org/21107 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
Alexander Stehlik authored
* add missing class properties, that are used in the code * fix invalid PHPDoc variable types * remove unused variables * fix or remove invalid return values * fix invalid variable types * make sure unused variables are initialized Resolves: #53718 Releases: 6.2 Change-Id: I90c1b73d0a4a7bb4666679e772805460786c805d Reviewed-on: https://review.typo3.org/25479 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Wouter Wolters Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
Bernhard Kraft authored
For quite a long time it has not been possible to paste a content element into an empty column of the page module. This patch introduces an icon in the top right corner of each column if a tt_content element is on the clipboard (Default pad). When the icon gets clicked, the content elements from the clipboard get moved/copied into the selected column/language. Resolves: #15080 Releases: 6.2, 6.1 Change-Id: If52905446eb11c268d0fee83f150efae0945fa29 Reviewed-on: https://review.typo3.org/25532 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
Markus Klein authored
The hardcoded username "admin" is removed from the HTML template since the username can now be freely chosen. Resolves: #53905 Releases: 6.2 Change-Id: I1c2846e60ee57f5e220405a9217fc1023d4d8bee Reviewed-on: https://review.typo3.org/25668 Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
- Nov 22, 2013
Thomas Maroschik authored
The class loader can now use all available cache backends for retrieval of class loading information. Using it with APC for example brings a good performance boost. Resolves: #53744 Releases: 6.2 Change-Id: I55db9686fa2d5b6462b4cb56c452ad2e99e1d2e7 Reviewed-on: https://review.typo3.org/25489 Reviewed-by: Wouter Wolters Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Alexander Opitz Tested-by: Alexander Opitz Reviewed-by: Thorsten Kahler Tested-by: Thorsten Kahler
-
Markus Klein authored
Resolves: #53811 Releases: 6.2 Change-Id: I14574f3725bc77b130255d8f70cedabd78d74947 Reviewed-on: https://review.typo3.org/25548 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Georg Ringer Tested-by: Georg Ringer
-
- Nov 21, 2013
TYPO3 Release Team authored
Change-Id: I2e11bc29d40124ffb5d026633c182b542a9e3dd2 Reviewed-on: https://review.typo3.org/25624 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
TYPO3 Release Team authored
Change-Id: Ie872f8aa920c00feb82784957e6ea02b826c6e7c Reviewed-on: https://review.typo3.org/25623 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
Frans Saris authored
When a file or folder is moved between 2 storages, the target storage is asked for the file permissions of the source file/folder. This breaks because the current storage + driver cannot access/find the source. This patch makes sure that in places where a source can be from another storage, the source storage is used for the permission check. Releases: 6.0, 6.1, 6.2 Resolves: #53802 Change-Id: Ib2c1443fad295a3b7eeeb01ab38359fcdf6849ab Reviewed-on: https://review.typo3.org/25553 Reviewed-by: Fabien Udriot Reviewed-by: Alexander Opitz Tested-by: Alexander Opitz Reviewed-by: Markus Klein Tested-by: Markus Klein
-