Frontend, backend and install tool application classes are the
main entry points to create a response from a request object.

From within a HTTP index.php, run() is called, which creates the
request object from globals and feeds that to handle().

But, to retrieve a TYPO3 response from within a different PHP
application, or from within TYPO3 itself (eg. a backend calls a
frontend), the leading application would want to hand over a
given or specially crafted PSR-7 ServerRequest directly.

This is exactly what PSR-15 RequestHandlerInterface is for.

By implementing this inteface in the application classes, the
core increases interoperability significantly and allows to
be easily called by a third party PHP application.

Resolves: #92884
Releases: master
Change-Id: I3047c92de06668db4dd5ef224bafde23f4b8ebd5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66710


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>

Handing over '/' as $uri to InternalRequest() in functional
tests triggers an ugly fallback mechanism that changes this to
'http://localhost/' within the FE call.
Not handing over any $uri string at all defaults to
'http://localhost/' too, but at an much earlier and more
transparent point.
The patch streamlines two places that used the above method.

Resolves: #92877
Releases: master, 10.4
Change-Id: Ic8e8e58315efeaf49298737f549bb5955520f7f8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66700


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Test related fixture extension 'test_datahandler' still has calls
in ext_tables.php that changes $GLOBALS['TCA']. This is forbidden
for a while. Move those calls to Configuration/TCA/Overrides.

Resolves: #92879
Releases: master, 10.4
Change-Id: I4cc66ca41caf52d872b0ff1a06a90d180a739ddb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66705


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Test related fixture extension 'irre_tutorial' still has calls
in ext_tables.php that changes $GLOBALS['TCA']. This is forbidden
for a while. Move those calls to Configuration/TCA/Overrides.

Resolves: #92878
Releases: master, 10.4
Change-Id: I56c652e5073ef26c46335e05213363007d4450e5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66703


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

The backend module for backend users needs to use the hashed sessionId
to check the online status if the session backend allows hashed ids.

Resolves: #92871
Releases: master, 10.4, 9.5
Change-Id: Ifb5c2f48c751a52233888b293347425afd3092ae
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66697


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>

Extracting SVG processing to its own processor did not
respect that previously SVG files without dimensions were
handled as a side effect of undefined behaviour without
causing hard errors. The new processor however throws
an exception instead of accepting undefined behaviour, which
causes old installations with such SVG files to break.

As a mitigation (as long as no other correct behaviour is defined),
some default image dimensions are assumed for SVG files where
none can be properly determined.

This does not make SVG files without defined dimensions properly work,
but at least restores the previous behaviour of not throwing
an exception.

Additionally extracting SVG processing uncovered another bug
that existed, but never fully surfaced before.

Processed files that were updated, but in fact were using the
original file (like SVGs typically do) accessed the wrong storage
to fetch file infos, when the processed files were configured to
remain of a different storage. This is now properly checked as well.

Resolves: #92444
Resolves: #92449
Related: #92014
Releases: master, 10.4
Change-Id: Ide10af8105c5fb6a5257aa7a16e48a02a925a8fe
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65963


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Timo Poppinga <timo.poppinga@zdrei.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Timo Poppinga <timo.poppinga@zdrei.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

If the TSconfig setting is turned on, translations of content elements
are bound to the default record in the display. This means that within
each column with content elements any translation found for exactly
the shown default content element will be shown in the language
column next to the translation.

This feature has been forgotten during the rewrite and is now readded.

Resolves: #92482
Releases: master, 10.4
Change-Id: I408343d3b9a33b3239d1f341f3df36b65d2cd9c8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66412


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

To avoid loss of quality and spawning unnecessary imagemagick
processes, cropping and scaling of images is now done
with a single imagemagick process.

By doing so, the code for SVG processing is streamlined.
SVG processing code can further be improved later,
by putting it into a dedicated file processing task processor.

Releases: master, 10.4
Resolves: #91855
Change-Id: I3bf735e74dd46dec73431405f37616506747ccdf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65187


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Processing XML external entities is explicitly disallowed when retrieving
RSS/XML data from a remote service. Code-wise it is handled as security
issue - however it was not possible to actually exploit the code with
current system distributions. Default processing of external entities
has been disabled in libxml2 since verion 2.9 - thus, most systems are
not affected by this issue.

Resolves: #92329
Releases: master, 10.4
Change-Id: Ia00e98ea8e54472ad09fbf4beaf1481eaa5fd7a2
Security-Bulletin: TYPO3-CORE-SA-2020-012
Security-References: CVE-2020-26229
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66665


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Instead of storing session IDs with their corresponding storage
backends in plain text, their HMAC-SHA256 (Redis) or HMAC-MD5 (DB)
is being used. HMAC-MD5 had to be chosen to avoid breaking changes
for limited field size in database fields (32 characters currently).

This change also allows a fallback to non-hashed-session values,
meaning that
* set() and update() will create new session records with the hashed
  identifier
* get() contains a fallback to the non-hashed-version when no session
  with a hashed identifier is found

Resolves: #91854
Releases: master, 10.4, 9.5
Change-Id: Ia57acc5e0d0cf71088af1aaff1ab894bd1d4e3dd
Security-Bulletin: TYPO3-CORE-SA-2020-011
Security-References: CVE-2020-26228
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66664


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

* XSS in `f:be.labels.csh` in argument `label`
* XSS in `f:be.menus.actionMenu` in argument `label`
* XSS in `f:form` in argument `fieldNamePrefix`

Resolves: #92602
Releases: master, 10.4, 9.5
Change-Id: I7574bfb60eb2e11ecfb98d187f2edd580f43cd93
Security-Bulletin: TYPO3-CORE-SA-2020-010
Security-References: CVE-2020-26227
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66663


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Change-Id: Ie2adfafff4ab57cac9426d9a5784b794f459ea7c
Resolves: #92829
Releases: master
Security-Bulletin: TYPO3-CORE-SA-2020-009
Security-References: CVE-2020-26216
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66662


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The access settings is an exclude field and hence
the value is synchronized to the translation.
Fetching the translation overlay therefore does
not need to evaluate the fe_groups again.

Resolves: #91725
Releases: master, 10.4, 9.5
Change-Id: Ie6ec2208d15f67eafb6a48627c5f1b76ffdc5725
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66330


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

Since there is no dedicated AbstractController any more and
ActionController cannot be dispatched without being extended
the class is finally marked abstract.

Releases: master
Resolves: #92850
Change-Id: I910765ded482a59789dc3830701e497b4b8b45b8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66642


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>

Introduces Content-Security-Policy HTTP header check on
fileadmin/ resources.

This can be seen as follow-up up to TYPO3-CORE-SA-2020-006
and TYPO3-PSA-2019-010 now actively analyzing this HTTP
header and letting users know in reports module and
system environment check of the Install Tool.

Resolves: #92835
Releases: master, 10.4, 9.5
Change-Id: I53028ae36c9195082993ee89d630efa7b555c547
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66627


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The session expiration time for the install tool is reduced from
60 to 15 minutes. When accessing the install tool via backend user
interface, currently logged in backend users have to confirm their
user password again in order to get access to the install tool.
This process is known as "sudo mode".

Standalone install tool is not affected by sudo mode confirmation.
This change enforces mitigation as mentioned in TYPO3-CORE-SA-2020-006,
see https://typo3.org/security/advisory/typo3-core-sa-2020-006.

Resolves: #92836
Releases: master, 10.4, 9.5
Change-Id: Ib4f0e92346610879347a48587ffd575429b98650
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66630


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Instead of instantiating PageRenderer early in
ext_localconf, the additional require js for
t3editor and rte_ckeditor is now injected by a
PageRenderer hook when needed.

Releases: master
Resolves: #92848
Change-Id: I070d75482deb0b4c7a301719440ae18d28f0a57a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66641


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Resolves: #92854
Related: #92062
Releases: master
Change-Id: I416d747877aa3d7f56e8ddbd3438db27576c0ce4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66645


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Resolves: #92851
Releases: master
Change-Id: If7249e411165e1050b55d1d7aa9da6896fe3d9ba
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66643


Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

With this change an undefined symbol is included when not having
AdminPanel loaded: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66218

This change aims to change the logic for checking if the preview
flag is enabled.

Resolves: #92746
Reverts: #92242
Releases: master, 10.4, 9.5
Change-Id: I1005424a86f1ced595b23938bd6dcc70ff2f00c9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66372


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Functional test case methods getFrontendResponse() and
getFrontendResult() have been deprecated a while ago
but their core usages have not been adapted. Do this
now by switching to their younger counterparts.

Change-Id: Ica1a6625a29b9d35189f2c9fce29da52f121d280
Resolves: #92845
Releases: master, 10.4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66635


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

In order to build the group resolving more flexible, the major method
"fetchGroupData()" is now separated into a smaller chunk
as a pre-patch.

Resolves: #92814
Releases: master
Change-Id: Id688355a869948e1b4eb57f06ed23cee0e2d513c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66598


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

If the loading text of the login box is too large, the text exceeds the size
of the login button.

This patch allow the button to grow vertically.

Resolves: #92622
Releases: master, 10.4
Change-Id: I9aa7858fd23c5f5848657c6c029769e9fa8de179
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66554


Tested-by: Martin Kutschker <mkutschker-typo3@yahoo.com>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Mathias Brodala <mbrodala@pagemachine.de>
Tested-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Martin Kutschker <mkutschker-typo3@yahoo.com>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Change the implementation of backend deferred image processing
to use a file processor, which is only but always used in the backend.

By doing so all limitations of the current implementation are resolved,
which means, width and height of the image can be set in HTML, to avoid
layout shifts and once the images are processed, they will simply
be delivered by the web server.

Inconsistencies with thumbnail ratio (depending on crop being defined
or not) are also tackled on the go.

While this changes processing configuration for some files,
which triggers a re-generation, it should not matter, as image
processing will be done in parallel on request, making such changes
viable in a bugfix release.

The introduced database field is neither used nor required for the
current implementation, but is introduced to provide a possibility for
third party processors to replace the current implementation with simple
(and persisted) URLs to third party SaaS image processing services.

Resolves: #92188
Releases: master, 10.4
Change-Id: I8d1e14324085c5b6ba646475206c8cb10a1fc10d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65237


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Back in 6.2 at ExtJS times, a feature has been introduced
to the workspace module to extend the shown 'data grid'
with custom columns. This implementation has been done for
one specific customer who nowadays does not use the feature
anymore.
The feature broke when the transition to a native JavaScript
implementation has been done in v8. There is not a single bug
report this feature broke in forge, and it is hard to resurrect
it with the new client side implementation.
The patch drops related code from the extension. This gives
core development more freedom to improve the workspace module
with other patches.

Change-Id: Ie66b172484cdd08de06e019aa004055975948e85
Resolves: #92838
Releases: master
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66632


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Haupt <mail@danielhaupt.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Daniel Haupt <mail@danielhaupt.de>
Reviewed-by: Benni Mack <benni@typo3.org>

The TSconfig setting `mod.web_layout.disableAdvanced` has been used to disable
the "clear cache"-button in the page module.

Since this behaviour can be triggered through various other ways, like the
context menu or by just saving the page record, this feature is removed completely.

Resolves: #92837
Releases: master
Change-Id: Ie4c563d89280bc494265611924e2b02727aed644
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66631


Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

SqlServer can not handle a transaction for a table, if the
same table is queried currently. The install tool database
row updater does this. Solution is to skip the transaction
on this platform. Additionally, an update query is fixed
to hint for proper field types.

Resolves: #92832
Releases: master, 10.4
Change-Id: I5fc76705088a727dc1ff41410d6e2cd02b3d9655
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66622


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Benni Mack <benni@typo3.org>

* replace string states with specific StatusMessage models
* combine file path and base URL in new FileLocation model
* streamline responsibilities of classes

Resolves: #92834
Releases: master, 10.4, 9.5
Change-Id: Ib1a24fb00d4362062e88f93f236b3fd385015c3c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66624


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The package @typo3/icons can be updated to version 2.0.4 which adds some
new icons and reverts the icons "actions-edit-hide" and
"actions-edit-unhide" to their v1 variants.

Executed commands:

  cd Build
  yarn add "@typo3/icons@^2.0.4"
  yarn build

Resolves: #92833
Releases: master, 10.4
Change-Id: I78933010cb2d36b0d412b20c5e0d63976cc77035
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66623


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Simon Gilli <typo3@gilbertsoft.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Simon Gilli <typo3@gilbertsoft.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

This change adds the methods
* setRequest()
* getRequest()
* getUriBuilder()

to the RenderingContext of EXT:Fluid.

The main goal is to reduce the usages of
the ControllerContext as much as possible to
decouple Extbase from Fluid.

When the "setRequest" method is used in the renderingContext,
the controllerContext is filled as well, in order to be
backwards-compatible.

Resolves: #92826
Releases: master
Change-Id: I41b8741e947c78895317ef2235959ceb251e103c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66323


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Resolves: #92821
Releases: master, 10.4, 9.5
Change-Id: Ife0999560d3da75051b663b55d46e0f6a5e03dfb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66617


Tested-by: Peter Kraume <peter.kraume@gmx.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Peter Kraume <peter.kraume@gmx.de>
Reviewed-by: Chris Müller <typo3@krue.ml>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Creating a new record in a workspace adds two database rows.

One that is the "placeholder", which - since v10.4 - contains
the same metadata as the other record:

* t3ver_wsid = workspaceID
* t3ver_oid = 0 (simulating behavior of an "online pendant record")
* t3ver_state = 1

And the "versionized" record, identified by:

* t3ver_wsid = workspaceID
* t3ver_oid = uid of the new placeholder record
* t3ver_state = -1

As of TYPO3 v10, the first record is not needed anymore,
the versioned record can be queried directly, however, since
the relations (except MM) point to the placeholder record,
this one is kept.

As result, only one record is created from now on:

* t3ver_wsid = workspaceID
* t3ver_oid = 0 (no online counterpart)
* t3ver_state = 1

On reading, the record is queried directly (no overlay needed anymore!)
with the existing Database Doctrine Restrictions. On publishing, the
record just gets the state/stage/wsid set and is "live".

This brings fundamental benefits:

* No overlays needed when querying
* Fewer database records (placeholders are not helpful)
* Conceptual problems with placeholder and shadowed fields are removed

Resolves: #92791
Releases: master
Change-Id: I0288cc63fe72d8442d586f309bd4054ac44e829b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65587


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

In #92659 the tt_content fields `imagewidth` and `imageheight` have
been adjusted to not limit user input per default.

This improves the corresponding rst to properly describe the changes made.

Resolves: #92825
Relates: #92659
Releases: master
Change-Id: I61b1ee1fed95251d1a3be4dc9e3c996fb033aa04
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66611


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Use the current W3C recommended mime types for
fonts in htaccess base file, see

https://www.iana.org/assignments/media-types/media-types.xhtml#font

Releases: master, 10.4
Resolves: #92743
Change-Id: I8abc5abe703ef02ed678e8f7b7b28a3544ce239e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66513


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

No need to use a fully qualified namespace for
3rd party modules that are placed in TYPO3/CMS/Core/Contrib.
There are usually aliases configured in the requirejs configuration,
and if they are missing, we add them now.

This change additionally drops an unneded module declaration
for "TYPO3/CMS/Core/Contrib/imagesloaded.pkgd.min" which is
not needed when simply using "imagesloaded" as module name.

Commands used:

  grunt build

Releases: master, 10.4
Resolves: #92725
Change-Id: I6e7c02104050202d5c1a8bd0d7546a1496f5636c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65693


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Only tables with TCA configurations are available for the export of a
TYPO3 instance. The stored export configurations - so called presets -
were missing the TCA configuration and thus had to be exported and
imported separately in a database client.

This patch adds a TCA configuration for the export configurations and
thus makes them exportable and importable along with the main dump.
The presets are saved on PID=0 and hidden from record lists to
force the user to continue managing them with the export module.

Resolves: #92346
Releases: master, 10.4
Change-Id: Ic5a9babc91a93f8bf1561b697c4fca0ad548f734
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65770


Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Rémy DANIEL <dogawaf@no-log.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Due to a refactoring and "unrolling" of buttons in TYPO3 v9, the TSconfig
options.saveDocNew has been forgotten when adding a button to create a
new record right while editing another one.

Even if the new button nowadays is physically not a "Save and create new"
action in the label, the behaviour is strictly the same as any unchanged
edit will trigger a modal asking whether the changes should be persisted.

Releases: master, 10.4, 9.5
Resolves: #87321
Resolves: #92788
Change-Id: Ic79f7ff06afef0cf9423780eef2d5324e5613664
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66559


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Eric Chavaillaz <eric@hemmer.ch>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Eric Chavaillaz <eric@hemmer.ch>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Two new options for the famous Build/Scripts/runTests.sh script
have been added, that allow to quickly set up local environment
for composer min and max testing.

There is now

- Build/Scripts/runTests.sh -s composerInstallMax for no platform.php
setting and `composer update` preset and
- Build/Scripts/runTests.sh -s composerInstallMin for platform.php set
to current PHP version bugfix version 0 (like 7.2.0 or 8.0.0) and
`composer update --prefer-lowest` preset

Resolves: #92795
Releases: master, 10.4, 9.5
Change-Id: I13f782f2e73bb89404fcd2e18d507e2c39e4eba3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66570


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Simon Gilli <typo3@gilbertsoft.org>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Simon Gilli <typo3@gilbertsoft.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Contains a change for an upcoming workspace related
core patch.

composer require --dev typo3/testing-framework ^6.4.7

Change-Id: I11980b635e3a2b00de481a8d73b69368554c08d3
Releases: master, 10.4
Resolves: #92818
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66604


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

The Developer page explained how link handling is done
in the RTE. This is not specific to linkvalidator and
may change in the future.

Understanding how the existing events work can be
better done by looking in the core.

Resolves: #92720
Releases: master
Change-Id: I88bdf27c2045c29c0f93bcc3f394cb21471e0b73
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66274


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Björn Jacob <bjoern.jacob@tritum.de>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Björn Jacob <bjoern.jacob@tritum.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>