- Jan 23, 2023

Helmut Hummel authored
Accessing a configuration that is not available via TypoScript can be intentional (e.g. by using it in an if check). Therefore the log entry severity should rather be downgraded to a notice.

Releases: 10.4, 11.5, main
Resolves: #99465
Change-Id: I26ed4e96290ce6839c32cc60a7cbcf7fa24d0f2b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77289
Tested-by: Helmut Hummel <typo3@helhum.io>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Helmut Hummel <typo3@helhum.io>

- Jan 18, 2023

Benni Mack authored
TYPO3's log is mostly covered with "Locale fr_FR.UTF-8 not found", which can be simplified, if setlocale() is not working properly. The POSIX Platform suffix "UTF-8" is then removed, and setlocale() is called again with "fr_FR" instead of "fr_FR.UTF-8" thus avoiding log flooding in some systems.

Resolves: #99591
Releases: main, 11.5, 10.4
Change-Id: I4609d453c29a306d448bcdc3277b51a344af28ae
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77435
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

- Jan 17, 2023

Oliver Hader authored
Using CSP directive `style-src 'unsafe-inline'` seems to be fine for directly requested SVG files, since corresponding definitions are bound to the corresponding resource. Loading styles from any other external resource is still denied.

Resolves: #93884
Releases: main, 11.5, 10.4
Change-Id: Ifddf8782ecaa81bf26026ae8850d8c53b7977bd7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77457
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

- Jan 06, 2023

Helmut Hummel authored
When this task is executed on CLI (scheduler), the global request variable is not available, thus a null check must be added before checking the instance of the value.

Releases: 10.4, 11.5, main
Resolves: #99464
Change-Id: Ie9c1b8e4fbc187d6ade569b1b152ce799a09a1f0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77222
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Tested-by: Helmut Hummel <typo3@helhum.io>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Torben Hansen authored
Update copyright year to 2023

Resolves: #99473
Releases: main, 11.5, 10.4
Signed-off-by: Torben Hansen <derhansen@gmail.com>
Change-Id: I9fc04e75b812622c5aec89138dd7daa8ccfcd90a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77224
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Dec 22, 2022

Georg Ringer authored
An unnecessary quote has been added with #91016 and should be removed again.

Resolves: #99402
Releases: main, 11.5, 10.4
Change-Id: I42fdda31a1110efc540cc72fd0398db5bc03675f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77201
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

- Dec 15, 2022

Oliver Hader authored
Change-Id: I577c481866735d86d66c2c4247097687c07ef567
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77165
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Change-Id: Id505113baa28f559ad94a479fea62151648f3789
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77164
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Benjamin Franzke authored
$normalizedParams->getRequestDir() returns '/' for frontend requests and `/typo3/` for backend requests. This results in problems when the backend UriBuilder relies on getRequestDir() to provide the `/typo3/` suffix for backend URL generation. UriBuilder is now changed to base absolute URLs on getSiteUrl(), which is defined to return equal values for backend and frontend requests; the typo3 suffix is added manually.

Note that v12 introduced similar behavior with #99234, where UriBuilder was adapted to use BackendEntryPointResolver, which rebases the backend URL calculation on the site path as well.

Also note that the ABSOLUTE_URL mode in backend UriBuilder isn't actually used by the TYPO3 frontend, but some extensions started to execute system reports in frontend context, which exposed this bug with the introduction of #99347.

Releases: 11.5, 10.4
Resolves: #99368
Related: #99347
Related: #99234
Change-Id: Ifaaeb4725c0243d34603dc86b2c89d12d9c06bdd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77160
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: André Buchmann <andy.schliesser@gmail.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: André Buchmann <andy.schliesser@gmail.com>

Oliver Hader authored
ServerResponseCheck triggers a HTTP host header check which is expected to fail. The more generic TransferException is used to catch any other failed request, not only those with 4xx or 5xx HTTP status codes. Besides that, TLS certificates shall not be verified, and HTTP location redirects not be followed.

Resolves: #99368
Releases: main, 12.1, 11.5, 10.4
Change-Id: Id40457d4408c74d9229d4e6dcdedc0b69ffe9667
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77154
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>

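An added example, not TYPO3 core code, of how a ServerResponseCheck-style probe can be written with the three Guzzle settings the change above describes (no TLS verification, no redirect following, TransferException as the catch-all) and how its answer is read. It assumes guzzlehttp/guzzle is installed via Composer; the target URL, the random host name and the `serverRejectsUnknownHost()` function are constructed for this example. Disabling `http_errors` is a design choice of this example so that 4xx/5xx answers can be inspected instead of thrown.

```php
<?php
// Added example, not TYPO3 core code. Assumes guzzlehttp/guzzle via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\TransferException;
use GuzzleHttp\RequestOptions;

/**
 * Sends a request whose Host header does not belong to the server and returns
 * true when the server refuses to serve content for it (the safe outcome).
 */
function serverRejectsUnknownHost(string $baseUrl, ?Client $client = null): bool
{
    $client = $client ?? new Client([
        RequestOptions::TIMEOUT => 5,
        // The bogus host is not in the certificate, so verification would
        // always fail and tell us nothing about host handling.
        RequestOptions::VERIFY => false,
        // A redirect to the canonical host is itself part of the answer.
        RequestOptions::ALLOW_REDIRECTS => false,
        // Return 4xx/5xx as responses instead of throwing (example choice).
        RequestOptions::HTTP_ERRORS => false,
    ]);

    // Constructed: a random name under a domain we do not control.
    $bogusHost = bin2hex(random_bytes(5)) . '.random.example.org';

    try {
        $response = $client->request('GET', $baseUrl, [
            RequestOptions::HEADERS => ['Host' => $bogusHost],
        ]);
    } catch (TransferException $e) {
        // Connection refused, TLS failure, timeout: nothing was served
        // under the bogus name, which is what we want.
        return true;
    }

    $status = $response->getStatusCode();
    if ($status >= 400) {
        return true; // explicit rejection, e.g. 400/403/421
    }
    if ($status >= 300) {
        // Redirecting to the canonical host is fine; redirecting to a URL
        // built from the bogus host means the header was trusted.
        $location = $response->getHeaderLine('Location');
        return strpos($location, $bogusHost) === false;
    }
    // 2xx: the application rendered a page for a host it does not own.
    return false;
}

var_dump(serverRejectsUnknownHost('https://www.example.org/'));
```

A 2xx answer is the finding; a body that echoes the bogus host name (in canonical links, password-reset URLs and the like) is the confirmation that host-header injection reaches generated content.
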
- Dec 14, 2022

Oliver Hader authored
The security fix for TYPO3-CORE-SA-2022-013 enforced the `pid` HTTP parameter to be signed via HMAC during the frontend user authentication process. To provide better backward compatibility for those individual scenarios, the new `security.frontend.enforceLoginSigning` feature flag has been introduced, which is enabled per default, but can be disabled individually.

Resolves: #99366
Releases: 11.5, 10.4
Change-Id: Ib633d7d3166a2f58caebc0a258699549b5cf2fa4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77130
Tested-by: core-ci <typo3@b13.com>
Tested-by: Helmut Hummel <typo3@helhum.io>
Reviewed-by: Frank Nägler <frank.naegler@typo3.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Robert van Kammen <rvkammen@hotmail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Robert van Kammen <rvkammen@hotmail.com>

Oliver Hader authored
Resolves: #99358
Releases: 10.4
Change-Id: I028b0016a005acdcb79725600b29b2c8dbbc939d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77119
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Marco Huber <mail@marco-huber.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Marco Huber <mail@marco-huber.de>
Tested-by: Jonas Eberle <flightvision@googlemail.com>
Tested-by: Axel Böswetter <evilbmp@gmail.com>

- Dec 13, 2022

Oliver Hader authored
Change-Id: I0549fe21ad21b7e61ec747a936b49968fce0642d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77106
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>

Oliver Hader authored
Change-Id: I0fb42b9563e80b9e5d4b6d303edb6d6bfe7f1c25
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77105
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.1

    composer req typo3/html-sanitizer:^2.1.1
    composer req typo3/html-sanitizer:^2.1.1 \
      -d typo3/sysext/core --no-update

Resolves: #99351
Releases: main, 11.5, 10.4
Change-Id: I25a17ce13a8f90cdd07a7cc51e515dff3b6bb03b
Security-Bulletin: TYPO3-CORE-SA-2022-017
Security-References: CVE-2022-23499
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77088
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Introducing Yaml placeholders in backend user interface can lead to information disclosure and denial-of-service scenarios. This change disallows adding new placeholders and throws an exception - existing placeholders are kept.

Resolves: #89401
Releases: main, 11.5, 10.4
Change-Id: I69e24de07b5327507e1bf8de990f84402078f7d4
Security-Bulletin: TYPO3-CORE-SA-2022-016
Security-References: CVE-2022-23504
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77087
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

waldhacker authored
Only evaluate TypoScript-like instructions like

```
submitButtonLabel = TEXT
submitButtonLabel.value = Bar
```

defined within `plugin.tx_form.settings.formDefinitionOverrides` and `plugin.tx_form.settings.yamlSettingsOverrides` and **not** within form definition yaml files or the form setup yaml files. This is achieved by not searching the entire form definition or form setup for TypoScript instructions, but only the actual TypoScript.

Resolves: #98403
Releases: main, 11.5, 10.4
Change-Id: I7b066f109d6061715c2240b01ed15185c58fa9f5
Security-Bulletin: TYPO3-CORE-SA-2022-015
Security-References: CVE-2022-23503
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77086
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Torben Hansen authored
The password reset process for TYPO3 backend and frontend users does not destroy possible existing user sessions after the password has been changed. With this patch, all existing user sessions are destroyed when the password is changed in the password reset process.

Resolves: #98462
Releases: main, 11.5, 10.4
Change-Id: I6744bfcf7cae56b4e525f2e0f9a44d06cf14396c
Security-Bulletin: TYPO3-CORE-SA-2022-014
Security-References: CVE-2022-23502
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77085
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

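An added example, not TYPO3 code, of the behaviour the change above describes: completing a password reset destroys every session of that user, so a session an attacker obtained before the reset does not outlive it. The `SessionStore` and `PasswordResetService` classes and their method names are hypothetical stand-ins for the user-session and password-reset components; the scenario at the bottom is constructed. Assumes PHP 7.4 or later.

```php
<?php
// Added example, not TYPO3 code. SessionStore and PasswordResetService are
// hypothetical stand-ins for the real components.
declare(strict_types=1);

final class SessionStore
{
    /** @var array<string, int> session id => user id */
    private array $sessions = [];

    public function create(int $userId): string
    {
        $id = bin2hex(random_bytes(32));
        $this->sessions[$id] = $userId;
        return $id;
    }

    public function isValid(string $id): bool
    {
        return isset($this->sessions[$id]);
    }

    /** Destroys every session of the user and returns how many were removed. */
    public function revokeAllForUser(int $userId): int
    {
        $removed = 0;
        foreach ($this->sessions as $id => $owner) {
            if ($owner === $userId) {
                unset($this->sessions[$id]);
                $removed++;
            }
        }
        return $removed;
    }
}

final class PasswordResetService
{
    private SessionStore $sessions;
    /** @var array<int, string> user id => password hash */
    private array $hashes = [];

    public function __construct(SessionStore $sessions)
    {
        $this->sessions = $sessions;
    }

    /** Stores the new hash, then kills all sessions; returns the number revoked. */
    public function completeReset(int $userId, string $newPassword): int
    {
        $this->hashes[$userId] = password_hash($newPassword, PASSWORD_DEFAULT);
        // A reset is usually triggered because the old credential is suspected
        // compromised; a session created with it must not stay usable.
        return $this->sessions->revokeAllForUser($userId);
    }

    public function verify(int $userId, string $password): bool
    {
        return isset($this->hashes[$userId]) && password_verify($password, $this->hashes[$userId]);
    }
}

// Constructed scenario: user 42 has two sessions, one of them possibly hijacked.
$store = new SessionStore();
$ownSession = $store->create(42);
$hijacked = $store->create(42);
$someoneElse = $store->create(7);

$service = new PasswordResetService($store);
$revoked = $service->completeReset(42, 'correct horse battery staple');

assert($revoked === 2);
assert(!$store->isValid($ownSession) && !$store->isValid($hijacked));
assert($store->isValid($someoneElse)); // other users are untouched
assert($service->verify(42, 'correct horse battery staple'));
```

Because the current session is revoked as well, the reset flow has to authenticate the user afresh afterwards; that is the simplest safe default and matches what the change does for both backend and frontend users.
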
Oliver Hader authored
This change ensures that individual storage page ids are valid by signing corresponding values with an HMAC.

Resolves: #98010
Releases: main, 11.5, 10.4
Change-Id: I34d474ab23adca6bbcf20c108bb60acf6998bc6f
Security-Bulletin: TYPO3-CORE-SA-2022-013
Security-References: CVE-2022-23501
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77084
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

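An added example, not TYPO3 core code, covering this change and the `security.frontend.enforceLoginSigning` flag from the Dec 14 change above: the storage page id embedded in the login form is signed with an HMAC, and a submitted value is only used when the signature verifies (or when enforcement is switched off for backward compatibility). The HMAC-SHA256 construction, the `login-pid:` purpose prefix, the `@` separator and the key handling are assumptions for this example; TYPO3's own helper differs in detail.

```php
<?php
// Added example, not TYPO3 core code. Construction details are assumptions.
declare(strict_types=1);

const HMAC_SEPARATOR = '@';

function signPid(int $pid, string $encryptionKey): string
{
    // A purpose prefix binds the MAC to this use, so a MAC computed over the
    // same number for another form field cannot be replayed here.
    $mac = hash_hmac('sha256', 'login-pid:' . $pid, $encryptionKey);
    return $pid . HMAC_SEPARATOR . $mac;
}

/**
 * Returns the verified pid, or null when the value is missing, malformed or
 * carries a wrong signature. With $enforceSigning === false an unsigned
 * numeric pid is accepted (the backward-compatible mode behind the flag).
 */
function verifyPid(?string $value, string $encryptionKey, bool $enforceSigning = true): ?int
{
    if ($value === null || $value === '') {
        return null;
    }
    $parts = explode(HMAC_SEPARATOR, $value, 2);
    if (count($parts) !== 2) {
        if (!$enforceSigning && ctype_digit($parts[0])) {
            return (int)$parts[0];
        }
        return null;
    }
    [$pid, $mac] = $parts;
    if (!ctype_digit($pid)) {
        return null;
    }
    $expected = hash_hmac('sha256', 'login-pid:' . $pid, $encryptionKey);
    // Constant-time comparison: a byte-wise early exit would leak the MAC.
    return hash_equals($expected, $mac) ? (int)$pid : null;
}

// Constructed key; in TYPO3 the site-wide encryptionKey would play this role.
$key = bin2hex(random_bytes(32));

$signed = signPid(123, $key);
assert(verifyPid($signed, $key) === 123);

// Attacker swaps the page id to point authentication at another user folder:
$tampered = '999' . HMAC_SEPARATOR . explode(HMAC_SEPARATOR, $signed)[1];
assert(verifyPid($tampered, $key) === null);

// Unsigned value: rejected by default, accepted only when signing is not enforced.
assert(verifyPid('123', $key) === null);
assert(verifyPid('123', $key, false) === 123);
```

The point of the signature is that the client may still carry the pid through the form, but can no longer choose it: only values the server itself produced verify, which is what closes the "pick another storage folder" path the advisory addresses.
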
Benni Mack authored
TYPO3 now uses a lock strategy to avoid having too many requests waiting for the generation of the error page (which cannot be generated via the external HTTP request, as there might be not enough workers / PHP processes available during a DoS attack). If a lock is in place, it directly returns a generic error response instead of waiting for the lock or for the error page to be retrieved/rendered.

Additionally, if the external error page could not be retrieved (HTTP status code other than 200), it will also create a generic response and cache that instead. This avoids repeatedly requesting the erroneous external HTTP page. This could happen when using external HTTP requests (Guzzle) to resolve an error page (via PageContentErrorHandler) for 404 sites.

Resolves: #98384
Releases: 11.5, 10.4
Change-Id: Iae1cae882707a519b2cef85112525ea213a72eef
Security-Bulletin: TYPO3-CORE-SA-2022-012
Security-References: CVE-2022-23500
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77083
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

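An added example, not TYPO3 code, of the lock strategy the change above describes: a non-blocking lock around the sub-request that renders the error page, a generic response for every request that finds the lock taken, and caching of the generic response when the upstream error page answers with anything but 200. The `ErrorPageHandler` class, the file-based lock and the injected `$fetcher` callable are constructed so the example runs offline; TYPO3's own handler uses its locking and caching framework. Assumes PHP 7.4 or later.

```php
<?php
// Added example, not TYPO3 code. Class, lock file and fetcher are constructed.
declare(strict_types=1);

final class ErrorPageHandler
{
    public const GENERIC_BODY = '<h1>Page not found</h1>';

    private string $lockFile;
    private string $cacheFile;
    /** @var callable(): array{int, string} returns [upstream status, body] */
    private $fetcher;

    public function __construct(string $dir, callable $fetcher)
    {
        $this->lockFile = $dir . '/errorpage.lock';
        $this->cacheFile = $dir . '/errorpage.cache';
        $this->fetcher = $fetcher;
    }

    /** Returns [status, body, source]; source records which branch answered. */
    public function handle(): array
    {
        if (is_file($this->cacheFile)) {
            return [404, (string)file_get_contents($this->cacheFile), 'cache'];
        }
        $lock = fopen($this->lockFile, 'c');
        // LOCK_NB: never wait. If another request is already rendering the
        // error page, answer generically instead of tying up this worker too.
        if (!flock($lock, LOCK_EX | LOCK_NB)) {
            fclose($lock);
            return [404, self::GENERIC_BODY, 'lock-held'];
        }
        try {
            // The request we raced against may have filled the cache meanwhile.
            if (is_file($this->cacheFile)) {
                return [404, (string)file_get_contents($this->cacheFile), 'cache'];
            }
            [$status, $body] = ($this->fetcher)();
            // Anything but 200 from the error-page URL is replaced by the
            // generic body and cached as such, so a broken error page is not
            // re-requested on every following 404.
            $toCache = $status === 200 ? $body : self::GENERIC_BODY;
            file_put_contents($this->cacheFile, $toCache, LOCK_EX);
            return [404, $toCache, $status === 200 ? 'fetched' : 'fetched-fallback'];
        } finally {
            flock($lock, LOCK_UN);
            fclose($lock);
        }
    }
}

// Scenario 1 (constructed): the upstream error page answers 503. The first
// request falls back and caches; the second is served from cache, no fetch.
$dir = sys_get_temp_dir() . '/errorpage-' . bin2hex(random_bytes(4));
mkdir($dir);
$fetches = 0;
$handler = new ErrorPageHandler($dir, function () use (&$fetches): array {
    $fetches++;
    return [503, 'upstream down'];
});
[, $body, $source] = $handler->handle();
assert($source === 'fetched-fallback' && $body === ErrorPageHandler::GENERIC_BODY);
[, , $source] = $handler->handle();
assert($source === 'cache' && $fetches === 1);

// Scenario 2 (constructed): another process holds the lock, simulated with a
// second handle (flock(2) locks are per open file description on Linux).
$dir2 = sys_get_temp_dir() . '/errorpage-' . bin2hex(random_bytes(4));
mkdir($dir2);
$holder = fopen($dir2 . '/errorpage.lock', 'c');
flock($holder, LOCK_EX);
$waiting = new ErrorPageHandler($dir2, fn (): array => [200, 'never fetched']);
[, , $source] = $waiting->handle();
assert($source === 'lock-held');
flock($holder, LOCK_UN);
```

This example writes the fallback to a file with no expiry; in production the cached generic response needs a lifetime, otherwise a transient failure of the error-page URL stays pinned until someone clears the cache.
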
Oliver Hader authored
In case the web server scenario is not properly configured to deny HTTP host header injection, and the trustedHostsPattern is not explicit enough, a corresponding check in the reports module will issue an error message like

* HTTP_HOST contained unexpected "a0a3aa2f59.random.example.org"
* SERVER_NAME contained unexpected "a0a3aa2f59.random.example.org"

Using the configuration directive `UseCanonicalName On` for Apache web server environments mitigates the risk.

Resolves: #99347
Releases: main, 11.5, 10.4
Change-Id: Iaafd136fd817a0722f482d1d0e6b198382e40e3d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77038
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>

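An added example, not TYPO3 core code: a simplified validator for the HTTP Host header driven by a trustedHostsPattern-style setting, exercised with the kind of random host name the report in the change above uses. The `$server` array, the patterns and the `isAllowedHostHeaderValue()` function are constructed; it follows the documented semantics of the setting (`SERVER_NAME` mode, `.*` to disable the check, any other value used as a regular expression) but is not the core implementation.

```php
<?php
// Added example, not TYPO3 core code. Simplified model of the trusted-hosts check.
declare(strict_types=1);

function isAllowedHostHeaderValue(string $hostHeader, string $trustedHostsPattern, array $server): bool
{
    if ($trustedHostsPattern === '.*') {
        // Opt-out: only safe when the web server already refuses unknown hosts.
        return true;
    }
    if ($trustedHostsPattern === 'SERVER_NAME') {
        // Accept the name the web server reports, with or without a
        // non-default port. Only meaningful if SERVER_NAME does not itself
        // come from the client's Host header (see UseCanonicalName below).
        $name = strtolower((string)($server['SERVER_NAME'] ?? ''));
        $port = (string)($server['SERVER_PORT'] ?? '');
        $allowed = [$name];
        if ($port !== '' && $port !== '80' && $port !== '443') {
            $allowed[] = $name . ':' . $port;
        }
        return $name !== '' && in_array(strtolower($hostHeader), $allowed, true);
    }
    // Anything else is a regular expression anchored to the whole host value.
    return preg_match('/^(?:' . $trustedHostsPattern . ')$/i', $hostHeader) === 1;
}

// Constructed server environment and the random name the report uses.
$server = ['SERVER_NAME' => 'www.example.org', 'SERVER_PORT' => '443'];
$random = 'a0a3aa2f59.random.example.org';

assert(isAllowedHostHeaderValue('www.example.org', 'SERVER_NAME', $server));
assert(!isAllowedHostHeaderValue($random, 'SERVER_NAME', $server));

// Explicit pattern listing only the real host names: the recommended setting.
$explicit = '(www\.)?example\.org';
assert(isAllowedHostHeaderValue('example.org', $explicit, $server));
assert(!isAllowedHostHeaderValue($random, $explicit, $server));

// Not explicit enough: a wildcard subdomain pattern lets the random name through.
$loose = '.*\.example\.org';
assert(isAllowedHostHeaderValue($random, $loose, $server));

// If the web server copied the client's Host header into SERVER_NAME, the
// SERVER_NAME mode compares the value with itself and passes everything.
$leaky = ['SERVER_NAME' => $random, 'SERVER_PORT' => '443'];
assert(isAllowedHostHeaderValue($random, 'SERVER_NAME', $leaky));
```

The last case is the failure mode the Apache hint addresses: with the default `UseCanonicalName Off`, SERVER_NAME is derived from the client-supplied Host header, so the comparison becomes tautological; `UseCanonicalName On` makes it come from the `ServerName` directive. An explicit pattern listing the real host names avoids depending on the web server at all.
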
Benjamin Franzke authored
There are different versions of pdfinfo available and used by different providers/distributions.

a) Debian/Fedora use pdfinfo (>v20) from the poppler-utils package. Also hosters like Hetzner use this version. This variant defaults to UTF-8 output for metadata: https://linux.die.net/man/1/pdfinfo

> -enc encoding-name
> Sets the encoding to use for text output. This defaults to "UTF-8".

    pdfinfo -v
    pdfinfo version 21.08.0
    Copyright 2005-2021 The Poppler Developers - http://poppler.freedesktop.org
    Copyright 1996-2011 Glyph & Cog, LLC

b) Older servers and hosters with legacy software (Mittwald, Domainfactory) use pdfinfo v3. This one defaults to Latin1 output: https://www.xpdfreader.com/pdfinfo-man.html

> −enc encoding-name
> Sets the encoding to use for text output. […]
> This defaults to "Latin1"

    pdfinfo -v
    pdfinfo version 3.02
    Copyright 1996-2007 Glyph & Cog, LLC

Both versions support an -enc UTF-8 option, which is now used to circumvent the differences between these tools, instead of implying Latin1 output (as done in #80085) which breaks variant a) by interpreting valid UTF-8 as ISO-8859-1 and thus applying a double encoding.

Resolves: #99352
Related: #80085
Releases: main, 11.5, 10.4
Change-Id: Ib8f7ae742c5edc73036afcb7d2608cd01f4176fd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77082
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Stephan Großberndt authored
Releases: main, 11.5, 10.4
Resolves: #99348
Change-Id: I43d305b0f02bd6049f32e65c95184a2d5bfa4fe5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77053
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

- Dec 07, 2022

Oliver Hader authored
When working with variable interpolation and similar scenarios, in most cases variables, constants, expressions, ... are embedded in a solid string and can only be identified and extracted by the corresponding "reader" or "parser". This string fragment splitter aims to introduce a simpler way for extracting and working with these embedded fragments.

Example:

```php
$pattern = new StringFragmentPattern(
    StringFragmentSplitter::TYPE_EXPRESSION,
    '%[^%]+%'
);
$splitter = new StringFragmentSplitter($pattern);
$collection = $splitter->split(
    'Hello %variable% World!',
    StringFragmentSplitter::FLAG_UNMATCHED_AS_NULL
);
// results in having
// + StringFragment(type: 'raw', value: 'Hello ')
// + StringFragment(type: 'expression', value: '%variable%')
// + StringFragment(type: 'raw', value: ' World!')
```

Resolves: #97553
Releases: main, 11.5, 10.4
Change-Id: Ie2b02a247ca884fa44ab7b3ba21214c8ee9bc457
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76947
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

- Dec 06, 2022

Benjamin Kott authored
Resolves: #99281
Releases: main, 11.5, 10.4
Change-Id: Ic65f08aa0bb67f97880d0ff5bb4c692fe7e6ffde
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76953
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>

Benni Mack authored
<figure> is allowed in HTML5 outside of paragraphs, thus it should also be configured like that out-of-the-box. See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/figure

Since CKEditor5 is using <figure> around tables, and also might add a <figcaption>, both variants are now enabled by default.

Resolves: #99273
Releases: main, 11.5, 10.4
Change-Id: I9356cc13ccef764f475ba42cc47f43f7ecd624a1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76898
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>

- Dec 05, 2022

Oliver Hader authored
see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.0

    composer req typo3/html-sanitizer:^2.1.0
    composer req typo3/html-sanitizer:^2.1.0 \
      -d typo3/sysext/core --no-update

To use custom output rules, the Behavior object must be known in the Sanitizer, see https://github.com/TYPO3/html-sanitizer/pull/98

Resolves: #99271
Releases: main, 11.5, 10.4
Change-Id: I160f8b49284566afde87d07dde7a4fb69e3174c9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76921
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

- Dec 03, 2022

Tomas Norre Mikkelsen authored
This patch ensures that search terms like Ärmel and Æble also work. Currently, the match did not work if an uppercase special char was used. With the additional modifier, this now works, and there will be matches on both lowercase and uppercase matching words.

Resolves: #97986
Releases: main, 11.5, 10.4
Change-Id: If7ff1669ead57557964ed5372c4af749c316d7bf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76895
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>

- Dec 01, 2022

Tomas Norre Mikkelsen authored
This encodes the PDF metadata to UTF-8 to ensure that special chars like æ ø å ü ö ä are allowed without cutting off the metadata text.

Resolves: #80085
Releases: main, 11.5, 10.4
Change-Id: I02b0730dd659b54c0d8c7186a2089419bd56d2a2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76893
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

- Nov 12, 2022

Andreas Fernandez authored
This patch updates `moment-timezone`, having a fixed vulnerability, along with the related `moment` library.

Executed commands:

    yarn add \
      moment@^2.29.4 \
      moment-timezone@^0.5.35
    grunt build

Resolves: #99061
Releases: main, 11.5, 10.4
Change-Id: I36376bad194aa63dda0146c8bc0f481b932dc89d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76558
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

- Nov 02, 2022

Oliver Hader authored
Invalid file names containing special characters like `<` or `>` are not correctly represented as a text node. Error messages wrapped in an XML node need to be properly encoded.

This was originally reported as a vulnerability; after analyzing the scenario, the TYPO3 Security Team came to the conclusion to handle it in public. It cannot be exploited directly without knowing the backend form protection token of a particular user session.

Resolves: #98382
Releases: 11.5, 10.4
Change-Id: Icd73de28ef3b702b45cbc8f232b5595b6fda127b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76350
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

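An added example, not TYPO3 code, of the defect class in the change above: an untrusted file name interpolated into an XML error message, first by raw string concatenation and then as a DOM text node, which the serializer escapes. The file name and both functions are constructed for this example.

```php
<?php
// Added example, not TYPO3 code. Both functions and the input are constructed.
declare(strict_types=1);

/** Vulnerable pattern: the name becomes part of the markup. */
function naiveErrorXml(string $fileName): string
{
    return '<error>File "' . $fileName . '" is invalid</error>';
}

/** Fixed pattern: the name is a text node, so the serializer escapes < > &. */
function safeErrorXml(string $fileName): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $error = $doc->createElement('error');
    $error->appendChild($doc->createTextNode('File "' . $fileName . '" is invalid'));
    $doc->appendChild($error);
    return $doc->saveXML($error);
}

/** Whether the message still parses as a single <error> element with text only. */
function parsesAsPlainError(string $xml): bool
{
    $doc = new DOMDocument();
    if (!@$doc->loadXML($xml)) {
        return false; // malformed: the "file name" broke the document
    }
    return $doc->documentElement->nodeName === 'error'
        && $doc->documentElement->getElementsByTagName('*')->length === 0;
}

// Constructed hostile file name.
$fileName = 'evil<img src=x onerror=alert(1)>.png';

$naive = naiveErrorXml($fileName);
$safe = safeErrorXml($fileName);

assert(strpos($naive, '<img') !== false);          // markup reaches the output
assert(strpos($safe, '<img') === false);
assert(strpos($safe, '&lt;img') !== false);        // escaped instead
assert(parsesAsPlainError($safe));
assert(!parsesAsPlainError($naive));                // extra element or parse error
```

The same rule applies to any serialization that has its own syntax (HTML, JSON, CSV): build it through an API that knows the escaping rules, rather than pasting strings into a template.
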
- Oct 19, 2022

Oliver Hader authored
With #85044, HMAC validation for form definitions in the backend form editor was introduced. However, nested multi-valued options have not been signed with corresponding HMAC values, which led to error messages when persisting the form again in the backend. The exception for `_value` and `_label` (properties used for those multi-valued items) has been removed when generating HMAC values.

Resolves: #94106
Resolves: #97235
Related: #85044
Releases: main, 11.5, 10.4
Change-Id: Iaf6798e0f5aa43bdaf90b2c1866745abaab25de1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76164
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

- Oct 14, 2022

Stefan Bürk authored
JetBrains created a new product named `Fleet` as a lightweight editor. This tool tends to write its config files to `.fleet/` folders, like all of the IntelliJ-based IDEs such as PHPStorm use the `.idea` folder. This change adds this config folder to .gitignore to avoid adding this folder to a patch if `Fleet` is used to create a patch.

Resolves: #98615
Releases: main, 11.5, 10.4
Change-Id: I4f629a37904c2e9fda57df830377c98a88bec69c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76067
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

- Sep 16, 2022

Torben Hansen authored
The doc comments for some functions in `\TYPO3\CMS\Core\Database\Connection` state that table expressions and columns are not escaped. This is actually not true, and it seems those doc comments have been adopted directly from `doctrine/dbal` back in 2016, when Doctrine DBAL was introduced to TYPO3.

Resolves: #98318
Releases: main, 11.5, 10.4
Change-Id: If23d568b23ef1b3c6f40efd50e907af54c349b3d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75650
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Oliver Klee authored
`GeneralUtility::flushInternalRuntimeCaches` now also flushes the caches used by `makeInstance` to determine the final class name for instantiating classes. This allows unit tests to test that classes can be XCLASSed without the dummy XCLASS configuration spilling over into the next unit test.

Resolves: #98346
Releases: main, 11.5, 10.4
Change-Id: Iea1d85231c5b51bb743f48ab018340997e39c3d3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75647
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

- Sep 13, 2022

Oliver Hader authored
Change-Id: Ib8ba8cc8c720f50691897abc59fda00fef32e905
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75722
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Change-Id: I6dc1c8bd8f1c308ccc283de2d801e0821fb7253e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75721
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.0.16

    composer req masterminds/html5:^2.7.6 typo3/html-sanitizer:^2.0.16
    composer req masterminds/html5:^2.7.6 typo3/html-sanitizer:^2.0.16 \
      -d typo3/sysext/core --no-update

Resolves: #98340
Releases: main, 11.5, 10.4
Change-Id: I254ea25410e01f7610b0c4ef8b83441ab216f1ca
Security-Bulletin: TYPO3-CORE-SA-2022-011
Security-References: CVE-2022-36020
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75708
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
Variables in child nodes like `<f:asset.css>{value}</f:asset.css>` were not encoded and allowed cross-site scripting. In case values shall be taken as is, the corresponding `f:format.raw` instruction has to be used.

Resolves: #97900
Releases: main, 11.5, 10.4
Change-Id: Id843a41c42bbe1f74cdc4efbc117b24d20026b97
Security-Bulletin: TYPO3-CORE-SA-2022-010
Security-References: CVE-2022-36108
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75707
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored
FileDumpController is used to expose stored files from the backend user interface through a corresponding service-side process. Since content-security-policy settings for files served directly by the web server won't be applied, FileDumpController has to take care.

Resolves: #98221
Releases: main, 11.5, 10.4
Change-Id: I4fde10e48e33fa08452eddf876172f56b4f38e28
Security-Bulletin: TYPO3-CORE-SA-2022-009
Security-References: CVE-2022-36107
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75706
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

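An added example, not TYPO3 core code, covering this change and the `style-src 'unsafe-inline'` relaxation for directly requested SVG files from the Jan 17 change above: the response headers for a file that is streamed through PHP, where the web server's static-file CSP is never consulted. The `dumpFileHeaders()` function, the mime type special case and the exact policy strings are assumptions modelled on what the two commit messages describe, not the policy TYPO3 ships.

```php
<?php
// Added example, not TYPO3 core code. Header values are assumptions modelled
// on the described behaviour, not the shipped policy.
declare(strict_types=1);

function dumpFileHeaders(string $mimeType, string $fileName, bool $asAttachment = false): array
{
    // Strip characters that would let a file name break out of the header value.
    $safeName = str_replace(['"', "\r", "\n"], '', $fileName);
    $headers = [
        'Content-Type' => $mimeType,
        // Stop browsers from sniffing a more dangerous type (e.g. text/html).
        'X-Content-Type-Options' => 'nosniff',
        'Content-Disposition' => ($asAttachment ? 'attachment' : 'inline')
            . '; filename="' . $safeName . '"',
    ];

    if ($mimeType === 'image/svg+xml') {
        // A directly requested SVG may use its own <style> element, which only
        // applies to that SVG document. Scripts and external loads stay blocked.
        $headers['Content-Security-Policy'] =
            "default-src 'self'; script-src 'none'; style-src 'unsafe-inline'; object-src 'none'";
    } else {
        // Any other dumped file gets no rights inside the browser at all.
        $headers['Content-Security-Policy'] = "default-src 'none'";
    }
    return $headers;
}

/** Emits the computed headers on a real response. */
function sendDumpHeaders(array $headers): void
{
    foreach ($headers as $name => $value) {
        header($name . ': ' . $value, true);
    }
}

// Constructed checks.
$svg = dumpFileHeaders('image/svg+xml', 'logo.svg');
assert(strpos($svg['Content-Security-Policy'], "style-src 'unsafe-inline'") !== false);
assert(strpos($svg['Content-Security-Policy'], "script-src 'none'") !== false);

$html = dumpFileHeaders('text/html', 'upload".html', true);
assert($html['Content-Security-Policy'] === "default-src 'none'");
assert($html['Content-Disposition'] === 'attachment; filename="upload.html"');
```

The SVG branch permits inline styles because, for a top-level SVG document, they cannot reach any other page; `style-src` without a host source still denies external stylesheets, which is the distinction the Jan 17 change draws. Where inline display is not required, serving user-supplied files as `attachment` removes the question entirely.
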