- May 15, 2020
-
-
Andreas Fernandez authored
When a null placeholder checkbox is changed, the linked form field is now marked as "changed", which triggers the confirmation when leaving the form while being unsaved. Resolves: #91351 Releases: master, 9.5 Change-Id: I1b3ac08223a4a4c588a980abe70f22ff9814b13f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64444 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Josef Glatz <josefglatz@gmail.com> Tested-by:
Xavier Perseguers <xavier@typo3.org> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
-
Oliver Hader authored
HTML element with identifier `t3js-login-url` is used to check whether referrer handling is activated and suported. In case the `Login.html` template has been overridden, mentioned element might not be given at all - which leads to a corresponding JavaScript error. Resolves: #91385 Releases: master, 9.5 Change-Id: Ie986a94209809c32cdfb217aa00b42f4369c525a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64484 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
-
- May 14, 2020
-
-
Benjamin Franzke authored
The SMTP SSL/TLS migration introduced in #91070 does not take the case into account when no SMTP encryption was used at all (that means insecure plaintext authentication). This could be configured by specifying an empty string for `transport_smtp_encrypt` in TYPO3 v9. We do now check for this third option and adapt the migration to set the value to false, which means symfony/mailer will allow connection without encryption. Note: symfony/mailer will still try to start a STARTTLS connection if the server supports that capability. (That is now default in symfony/mailer and can't be deactivated) We also fix the default configuration of transport_smtp_encrypt to be a boolean value. The setting was switched to boolean in #90295 but was forgotten to be adapted here. Releases: master Resolves: #91391 Related: #91070 Related: #90295 Change-Id: I16f0f19cf91b92b3a252d2a52c7226dd0eb23296 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64490 Reviewed-by:
Torben Hansen <derhansen@gmail.com> Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
-
Oliver Hader authored
Using `<div />` as template to be used in jQuery worked previously, but is not supported with jQuery 3.5.x anymore. Occurences are now using correct expanded tags like `<div></div>`. Resolves: #91367 Releases: master, 9.5 Change-Id: I088481e607b4621e28550f79f065496c89b409d1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64479 Tested-by:
Sebastien Convers <sebastien.convers@agrosupdijon.fr> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Helmut Hummel <typo3@helhum.io> Reviewed-by:
-
Xavier Perseguers authored
The current record constraint was forgotten in the implementation of uniqueInTable and is now added. Resolves: #91378 Related: #91235 Releases: master, 9.5 Change-Id: Ie7862b22a06996a9d7ca484a01d7a1859c8f7276 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64482 Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
Oliver Hader authored
With security advisory TYPO3-CORE-SA-2020-004 new `BlockSerializationTrait` has been introduced blocking serialization and deserialization for a couple of classes (see advisory for details). Since this caused a couple of side-effects for valid use-cases, the restriction on serialize() is removed - which is fine from a security point of view. Resolves: #91387 Releases: master, 9.5 Change-Id: I9a9d415deab80badc3c1517f2e0c0c3336d3d936 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64486 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
-
Daniel Siepmann authored
A context can be provided, when opening the CSH (Context Sensitive Help). E.g. when opening the CSH for a backend module or specific table field, the help entry for that module or field will be opened. This patch restores the described functionality by adding the action to the link opened via JavaScript. The "see also" links, used for cross referencing different CSH entries are fixed as well. Cross referencing links are now build using the proper ViewHelper to use backend module routing, instead of extbase routing. This ensures arguments are not moved into an arbitrary extbase plugin namespace. Resolves: #91370 Releases: master Change-Id: Ib6361e5a5f4ef441e098a595fa344f484a07ddc0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64477 Reviewed-by:
Sebastian Klein <laitnin@gmx.net> Reviewed-by:
-
- May 13, 2020
-
-
Markus Klein authored
Some methods have been added for this matcher, which are actually not deprecated/removed as a whole. Only the usage of those methods has been adjusted. The extension scanner is not capable of detecting such usages only, hence there is no sense in reporting every usage of those functions, albeit these usages might be valid. The matcher entries are removed therefore. Resolves: #91355 Releases: master Change-Id: I9da87ecb320f65d4fe5df168d788bb2ba8547f84 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64451 Tested-by:
Alexander Schnitzler <git@alexanderschnitzler.de> Tested-by:
-
Benjamin Franzke authored
As GeneralUtility::getContainer is marked internal, we do now avoid to use this method in core tests in order to demonstrate best practices for third party extensions that may use core tests as inspiration. This change requires an update for typo3/testing-framework which now provides a getContainer() method as API in functional tests: composer require --dev typo3/testing-framework:^6.2.5 Releases: master Resolves: #91363 Change-Id: I844973ddd3355d15c72307ac9533429333a396da Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64456 Tested-by:
-
- May 12, 2020
-
-
Oliver Hader authored
Change-Id: I6e8b59634266786e07a0d80a6271914a26a7d7e4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64475 Tested-by:
-
Oliver Hader authored
Change-Id: I22d5494ecd9cf12efbd6a7acec0b23b000340905 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64474 Tested-by:
-
Markus Klein authored
Prevent XSS by escaping the shortened placeholder text for various Backend form elements properly. Resolves: #90817 Releases: master, 9.5 Change-Id: I58f61b2d3d902dd3cb07e97acf974156f100a8aa Security-Bulletin: TYPO3-CORE-SA-2020-002 Security-References: CVE-2020-11064 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64471 Tested-by:
-
Oliver Hader authored
Cross-site scripting in same-site/same-origin context most probably allows bypassing tokens that usually protects against cross-site request forgery - basically that is obvious when focusing on "cross-site" and "same-site" terminology. To mitigate these scenarios, same-site requests from outside`/typo3/` URI path - which is used to access the backend user interface - now have to provide an HTTP `Referer` header which is enforced for global routes potentially containing CSRF tokens. In general all routes that switch their state internally from `public` to `restricted` are relevant in this scenario. If really necessary, the behavior can be disabled using corresponding feature switch `security.backend.enforceReferrer` in TYPO3_CONF_VARS. Resolves: #90681 Releases: master, 9.5 Change-Id: Id410fa73f1029cb131356e44b64637a5f12381e5 Security-Bulletin: TYPO3-CORE-SA-2020-006 Security-References: CVE-2020-11069 Reviewed-on: https://review.typo3.org/c/Packages/TYPO...
-
Oliver Hader authored
General and unscoped collection of user settings in $BE_USER->uc is vulnerable to insecure deserialization, triggered by lots of different consumers invoking `unserialize()`. Class deserialization is denied by using option `['allowed_classes' => false]`. Resolves: #90313 Releases: master, 9.5 Change-Id: Ic969441bcd4e85fcdbbde23f539bfbcb629ffbb4 Security-Bulletin: TYPO3-CORE-SA-2020-005 Security-References: CVE-2020-11067 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64469 Tested-by:
-
Oliver Hader authored
Deserialization of objects could lead to arbitrary removal of resources as well as sending out message via mail. Resolves: #88573 Resolves: #90316 Releases: master, 9.5 Change-Id: I3f77928203f4929bc715f548fb9bfdc0cd749e93 Security-Bulletin: TYPO3-CORE-SA-2020-004 Security-References: CVE-2020-11066 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64468 Tested-by:
-
Oliver Hader authored
HTML entities being used in link tags created with `typolink` have to be encoded correctly again after entities have been decoded for internal processing. Resolves: #91161 Releases: master, 9.5 Change-Id: Ifc4d2da669aab01f2b3041bb32c0a24a727634b4 Security-Bulletin: TYPO3-CORE-SA-2020-003 Security-References: CVE-2020-11065 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64467 Tested-by:
-
Frank Naegler authored
To prevent a time based information disclosure in backend password reset, this patch adds a random delay between 200 milliseconds and 3 seconds before sending the response to the client. Resolves: #91243 Releases: master Change-Id: I0362db283145e0bed414ecdb06fff81b2cff0d4b Security-Bulletin: TYPO3-CORE-SA-2020-001 Security-References: CVE-2020-11063 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64466 Tested-by:
-
Oliver Hader authored
In order to evaluate potential server misconfigurations and to reduce the potential of security implications in general, a new HTTP response check is integrated to "Environment Status" and the "Security" section in the reports module. It is evaluated whether non-standard file extensions lead to unexpected handling on the server-side, such as `test.php.wrong` being evaluated as PHP or `test.html.wrong` being served with `text/html` content type. Resolves: #91354 Releases: master, 9.5 Change-Id: Ie6584692f39706aad2a25bad27bb201f4c1045e9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450 Tested-by:
-
Andreas Fernandez authored
This commit introduces live-patching of node_modules, which applies patch files to specific modules (similar to composer-patches). Patch files for fixing security issues are provided and applied after installing the modules via `yarn install`. http://blog.jquery.com/2020/05/04/jquery-3-5-1-released-fixing-a-regression/ The patches are based on https://github.com/DanielRuf/snyk-js-jquery-565129. Resolves: #91334 Releases: master, 9.5 Change-Id: I85555e9a21d6121e1a39c057b777a9250d56a781 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64459 Tested-by:
-
Benni Mack authored
In order to allow non-admins to fetch nodes which have no "pid=0" the change to only fetch pages with access, the change to check on a DB query basis is reverted. Additionally a functional tests is extended to cover the problematic case. Resolves: #91348 Related: #90880 Releases: master, 9.5 Change-Id: I3f737c92c8164c572f7e58335d92a82a4a5aa4dc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64431 Tested-by:
Tymoteusz Motylewski <t.motylewski@gmail.com> Tested-by:
-
Benni Mack authored
Internal and external links have been incorrectly processed by the legacy link notation converter which removed the fragment from the URL before checking whether the link is actually a legacy (file) link. The change is now narrowed down to only append the fragment to file links. Resolves: #90916 Resolves: #91357 Related: #75213 Releases: master, 9.5 Change-Id: Ibdbfae4ac2ca0caa6710fb944810336e875e8929 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64411 Reviewed-by:
-
Manuel Selbach authored
With this change it is possible to use a wider set of characters. Please have a look at the official documentation of MySQL / MariaDB. e.g.: https://dev.mysql.com/doc/refman/5.5/en/identifiers.html https://dev.mysql.com/doc/refman/5.6/en/identifiers.html https://dev.mysql.com/doc/refman/5.7/en/identifiers.html https://dev.mysql.com/doc/refman/8.0/en/identifiers.html https://mariadb.com/kb/en/identifier-names/ The mentioned characters in chapter "Quoted" (ASCII and Extended) are supported by now. Furthermore the database name is quoted during the installation process for creating / dropping a database. If, for example a `.` is used in the name, a notification will be shown. e.g.: ``` Unable to create database Database with name "foo.test@bla123" could not be created. Either your database name contains a reserved keyword or your database user does not have sufficient permissions to create it or the database already exists. Please choose an existing (empty) database, choose another name or contact administration. ``` Resolves: #91167 Releases: master Change-Id: I2df93f5c2238c2f0ca5ab8020ca8eebd10fdf58f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64312 Tested-by:
Manuel Selbach <manuel_selbach@yahoo.de> Reviewed-by:
-
The system extension ext:dashboard provides a way to register presets of dashboards. These presets can be configured via User TSconfig, if the user doesn't have a dashboard yet. Resolves: #91341 Releases: master Change-Id: I174d6ee4a931bbe32f0cbed87db1545ee2785946 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64435 Tested-by:
Richard Haeser <richard@maxserv.com> Tested-by:
Koen Wouters <koen.wouters@maxserv.com> Tested-by:
Daniel Siepmann <coding@daniel-siepmann.de> Reviewed-by:
-
- May 11, 2020
-
-
Benni Mack authored
When using e.g. PageTypeDecorator in conjunction with mountpoints and other Enhancers, the MP parameter was not added to the resulting PageArguments object. In addition, when building up a RouteCollection internally, the same page was used multiple times but was overridden with a MountPoint argument, adding to the "last principle wins" concept. The patch adapts the needed changes. Resolves: #90731 Releases: master, 9.5 Change-Id: Ic8c70dd51dc37617ba97cace3b9bec63512ecad6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64403 Tested-by:
Jan Kornblum <jan.kornblum@gmx.de> Tested-by:
-
Benni Mack authored
Since isInWebMount now calls BEgetRootline with workspace overlays, an additional query for ALL requested pages in rootline is made, because getMovePlaceholder() is called every time and does not know the actual record - getMovePlaceholder should only be called on MOVE_POINTER records. An additional check makes the Page tree work again for editors in workspaces. Resolves: #91360 Releases: master, 9.5 Change-Id: I1822a9824a0c9aacf4f3e1a900cbd19bd95ed9b9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64453 Tested-by:
Achim Fritz <af@achimfritz.de> Tested-by:
-
Helmut Hummel authored
SiteConfiguration is available from the DI container (both in failsafe and symfony DI), therefore no constructor arguments MUST be passed to GeneralUtility::makeInstance when fetching the SiteConfiguration singleton instance, or a new instance will be created. There are however multiple places where this object is still created by passing constructor arguments to GeneralUtility::makeInstance (this bypasses proxying to the container). This leads to the situation that two different objects are created and retrieved, depending on how it is fetched. This is now fixed by changing each remaining retrieval via makeInstance to NOT provide constructor arguments, which in turn results in a call to the container to fetch the SiteConfiguration object. Additionally the ServiceProvider introduced in #89892 is changed to allow providing an alternative implementation using XCLASS. Although XCLASSES are generally discouraged in favor of Services.yaml overwrites, there is no other way to provide an alternative for this class, as it is registered in an internal service provider. Resolves: #91260 Releases: master Change-Id: I8af1cafd737feccff9e06eacb23d6991105238d0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64386 Tested-by:
-
David König authored
TYPO3 v9.5.16, fixed functionality for URL resolving for records with slug fields defined as "uniqueInSite". With such setting, it is important to limit URL resolving to the site the slugs are generated for. Because we currently don't support records to be stored within one site, but generating slugs for another one, this change enforced the storage of news records to be in the same site as the detail page. This however led to not working installations, where a record storage folder is available in a site where other sites are fetching this information from, which is a quite common use case. To cover such use case, TCA needs to be adapted to the existing configuration eval=unique, which diables the site check in URL frontend resolving. However the current implementation of DataHandler only checks uniqueness of fields of type "input". This means for slug fields, the functionality of 'unique' is currently not taken into account when generating the slug, which can lead to duplicate slugs. To fix this problem, a check for the unique eval setting is added to DataHandler and FormSlugAjaxController. SlugHelper is adapted to correctly generate slugs for this use case. Resolves: #91235 Releases: master, 9.5 Change-Id: Id6e5c1d27860b09604787132f2cd83976418baa4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64428 Tested-by:
Henrik Ziegenhain <henrik@ziegenhain.me> Reviewed-by:
-
Andreas Fernandez authored
Each link triggering the "New content element" wizard is now initially disabled and gets enabled once the according module has been loaded and initialized. Resolves: #91165 Releases: master Change-Id: Ic4073faa5bd97f9b50bb8c3ada6864539c0ae63f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64307 Tested-by:
Chris Müller <typo3@krue.ml> Tested-by:
-
Benni Mack authored
When setting a site language into free mode for translations, then "$cObj->exec_getQuery()" only returns the pages without overlays. HMENU however always expects sys_language_uid=0 records, as it does a MountPoint + overlay again. Doing an getPageOverlay of a translated page results in an empty result. The change now modifies the HMENU directory resolving to fetch the original record (cached in PageRepository), and do the overlay information as well. This also fixes the same issue in HMENU.special = updated Big Kudos to Jones for great support on tackling this issue! Resolves: #91292 Releases: master, 9.5 Change-Id: Ifc0faddb6562c2b83dc95aa84ed40f37b5a1a0e9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64436 Tested-by:
Jonas Temmen <jonas.temmen@artundweise.de> Tested-by:
Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by:
-
Benni Mack authored
The global object $GLOBALS[TYPO3_REQUEST] holding the current PSR-7 request object was introduced in TYPO3 v9.2. However, it was also marked as deprecated as we thought we were able to remove all usages again by the end of TYPO3 v9.5 development, which shows that we have more problems in various areas like hooks and Extbase where we heavily rely on this object. For this reason, it is kept but the original Feature RST still contains the information that it is considered bad practice. Removing the deprecation will result in better result for the ExtensionScanner. Resolves: #91347 Releases: master, 9.5 Change-Id: I97bb16cf7f4e7149c5c3a3528a015701f60c2628 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64439 Tested-by:
-
Marcin Sągol authored
This commit fixes small typo in CSH text for frontend usergroups where instead of "of" word "or" was used, changing sens of this statement. Resolves: #91356 Releases: master, 9.5 Change-Id: Ic4f9e7544875f5d7a8d1f89e732955769041653e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64452 Tested-by:
Riccardo De Contardi <erredeco@gmail.com> Tested-by:
-
- May 09, 2020
-
-
Anja Leichsenring authored
Resolves: #91349 Releases: master Change-Id: I60ffcb35a82d7e890590f836dcfd9e0739c8db03 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64440 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
-
Andreas Fernandez authored
It's safe to use getElementById() instead of querySelector() in case an element is fetched by its ID. Numbers for nerds: getElementById() is nearly 1.5x faster than querySelector(). To be fair, both functions are really fast with executing multiple million operations per second, thus nobody will notice a performance impact. See https://www.measurethat.net/Benchmarks/ShowResult/106740 Resolves: #91254 Related: #91183 Releases: master Change-Id: I2ed590d20c9af66ce818f012ac73ec45c5c9fa55 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64384 Tested-by:
-
Marcin Sągol authored
This commit improves description text for backend module Form by replacing reference to "Mail Form" content element with just "Form" as this name is used in TYPO3. Resolves: #91352 Releases: master, 9.5 Change-Id: I3348d2766afad6a2c06ce7b323df775a9bf9c33b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64442 Tested-by:
Björn Jacob <bjoern.jacob@tritum.de> Tested-by:
-
Daniel Goerz authored
Resolves: #91343 Releases: master, 9.5 Change-Id: I1d5c48c5ba7a8d6ff977b7e0ca5d3f96d7e1963d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64437 Tested-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
- May 08, 2020
-
-
Mathias Brodala authored
Releases: master Related: #85878 Resolves: #91248 Change-Id: I8eb19a7e7f2ac4527beb9befafc6b16cf79e99cd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64372 Tested-by:
-
Anja Leichsenring authored
The to header is mandatory by now, so we need to supply the recipient in our testcases now. Resolves: #91346 Releases: master Change-Id: Ic1a3197a8412b27eb5cebb00a1443f10021b9326 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64438 Reviewed-by:
-
Sebastian Iffland authored
Releases: master Resolves: #91337 Relates: #90729 Change-Id: I564f488dd653448046599a9bb1099dd05c4211f7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64432 Reviewed-by:
Alexander Grein <alexander.grein@gmail.com> Reviewed-by:
-
Alexander Schnitzler authored
While switching from controller class aliases to fully qualified controller class names (internally), the structure of framework configuration slightly changed. This unfortunately broke the detection of the plugin name by action because the new structure had not been checked for. Also, there was a unit test which hasn't been adjusted to the new structure as well because it was simply overlooked. With this patch the bug is fixed and the fix is also covered again by a unit test. Releases: master Resolves: #91249 Change-Id: I9acdaeb66010563d82c818ddf0a73e2adab780db Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64388 Tested-by:
-
Joschi Kuphal authored
Nested tags starting with the same literals, like `<s><span>...` or `<a ...><abbr>...` are not correctly nested due to a flaw in identifying proper start and end of HTML tags. Resolves: #91194 Releases: master Change-Id: I2029c8e01d66e5286790fd04a259153cd130c753 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64409 Tested-by:
-
