Missing size property on group-type fields causes various
problems, like missing controls (move to top and move to
bottom) or misbehaving JS. Adding a default size ensures
that a forgotten size property does not break everything.

Additionally the size property is added to the sys_collection
table, since all Core tables should be cleanly defined.

Resolves: #23552
Documentation: #56627
Releases: 6.1, 6.2
Change-Id: Idafb1912f9702fddf85b7c2c222f408419e50ecf
Reviewed-on: https://review.typo3.org/28116
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Cache calls to getSpriteIcon() that only use the first parameter.

Change-Id: I63e7dbaf81473b733a73f4a964e419dae0650f5f
Resolves: #56110
Releases: 6.2
Reviewed-on: https://review.typo3.org/27713
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

This patch enables the @ character to be usable now
also for non-utf8 file systems.

Resolves: #50538
Releases: 6.2, 6.1
Change-Id: I72ce24393003af8733af6fc650e69781df4a272c
Reviewed-on: https://review.typo3.org/23439
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Stefan Neufeind
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Keeping the old wizard script would not solve
the CSRF attack vector as they could still
be referenced in this kind of attack.

Because of that, we remove it now.

This change provides a backwards compatibility layer.

It will however break code which link to the
old scripts directly in other places.

Resolves: #56625
Releases: 6.2
Change-Id: I07577dca0e16cf095e114799ace4a6e344ad5aa3
Reviewed-on: https://review.typo3.org/28121
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

This fixes an issue within method func_delete trying to catch a file
access exception instead of expected folder access exception during
delete of an folder.

Change-Id: Iaf76100cd668ef4b1a36a5d9052a6f185ffa6b7b
Resolves: #56511
Releases: 6.2
Reviewed-on: https://review.typo3.org/28019
Reviewed-by: Frans Saris
Reviewed-by: Christian Weiske
Tested-by: Christian Weiske
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Changed parent class of folder permission exceptions to
InsufficientFolderAccessPermissionsException so excecption
could be catched properly.

Change-Id: I1c85e4c0e4652f1e3394fd58f98d95ea6ca8cc34
Resolves: #56494
Releases: 6.2
Reviewed-on: https://review.typo3.org/27994
Reviewed-by: Christian Weiske
Tested-by: Christian Weiske
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

AbstractUserAuthenticationTest is actually supposed to test
processLoginData from AuthenticationService from ext:sv.
However it fails to properly setup all auth parameters, therefore auth
services that depend on further settings fail.

This moves the test to the actually tested code (extension sv).
The test is adopted accordingly.

Additionally both tests are cleaned up from unneeded setUp/tearDown
functions.

Resolves: #56586
Releases: 6.2
Change-Id: I7406a56e5274ea54d400c1c116a8ea81c5cf4cea
Reviewed-on: https://review.typo3.org/28090
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

There is a check in getModuleUrl that checks
access rights to modules and returns false
if this is not the case.

However access rights are checked in each
module independently anyway.

So we remove this check here.

Resolves: #56611
Releases: 6.2
Change-Id: I63901cba3e882aab23de17929a461f08bd899cf1
Reviewed-on: https://review.typo3.org/28118
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

While moving the element browser to a module
quoting was added in several places.

However quoting DocumentTemplate::issueCommand
calls does not work, as the returned string
contains JavaScript.

Remove the quoting in these places.

Resolves: #56622
Releases: 6.2
Change-Id: I1b9ec8b4a5900940a5c5dfd81ed712f2994ecef3
Reviewed-on: https://review.typo3.org/28119
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Alexander Schnitzler
Tested-by: Alexander Schnitzler
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

css-files with statements like @import might become corrupted. This is due
a wrong regex in case no quotes (single or double) are provided.

Adjust regex and add testcases.

Resolves: #50491
Releases: 6.2, 6.1
Change-Id: I8c35be97147da51e3cfc4be6de114f3c19c1abca
Reviewed-on: https://review.typo3.org/22623
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

For the users to select a distribution, the installation should
redirect directly to the extension manager, after the first
login of the admin, who set up the site.

Then, the list of TER extensions is loaded initially and all
distributions are shown.

For this to happen, the install tool needs to add another option
that sets a UC flag in the just created admin user.
This UC flag is evaluated when the start module is to be shown.

Also, it adds some more logic when redirecting to the start module
to allow to directly jump to a modfunc/action.

Additionally, the distribution action should initially load all
extensions from TER on first hit.

Releases: 6.2
Resolves: #56321
Change-Id: I1e86b5804011e84f7936514e4b88c4a257905e56
Reviewed-on: https://review.typo3.org/27866
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Patch df239a6d renamed bootstrap method setCoreCacheToNullBackend
to disableCoreAndClassesCache but missed a usage in installer.

Change-Id: Ie4939384a7c476c489d8734ecd7badf5f0dcebdc
Resolves: #56605
Related: #56583
Releases: 6.2
Reviewed-on: https://review.typo3.org/28102
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Switching to transientMemoryBackend for some caches raises the
memory footprint of unit test. Change the bootstrap a bit to not
use this cache backend in unit tests.

Change-Id: I3bc4774c4c9c6a24314681491bfdf23a9eab570d
Resolves: #56585
Related: #56583
Releases: 6.2
Reviewed-on: https://review.typo3.org/28089
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

With patch 6711c14b the function setFormValueManipulate was corrected but
if called it returns an array instead of the first form element. This
patch makes sure that the first object is always returned.

Resolves: #56221
Releases: 6.2
Change-Id: I03445afcb15d9323cd899974ac1cf378945e4ecb
Reviewed-on: https://review.typo3.org/28010
Reviewed-by: Stefan Neufeind
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Remove the click function on the whole item.
This prevents selecting the text.
The input fields are be enough to select them easily.

Resolves: #56350
Releases: 6.2
Change-Id: I929ef24383460964288696d268959b32fae3b705
Reviewed-on: https://review.typo3.org/27882
Reviewed-by: Jost Baron
Tested-by: Jost Baron
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

This patch adds functional tests for exporting and
importing all irre_tutorial relation types.

Resolves: #56287
Releases: 6.2
Change-Id: I9fe650151cca11e1f7fcb0d4b1d3ebdbbc0b75ad
Reviewed-on: https://review.typo3.org/27993
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Install Tool and tests are intended to work
without caches being active.

Currently this functionality is broken in bootstrap
because it is applied too late and does not
respect classes cache.

Resolves: #56583
Releases: 6.2
Change-Id: I45bb11d3b7951b189c1f12c3da6969285575d72b
Reviewed-on: https://review.typo3.org/28088
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Extends the functional tests with the possibility to create additional
folders inside the TYPO3 CMS test instance created within typo3temp.

Resolves: #56194
Releases: 6.2
Change-Id: I3271b3877fc953a2d876e56fc18af823d2e2a609
Reviewed-on: https://review.typo3.org/27779
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Bernhard Kraft
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

Add functional tests for persisting 1:M and M:M relations
in Extbase.
This patch adds blog_example as an fixture extension.

Resolves: #55786
Releases: 6.2
Change-Id: If90c854c9cb86fd45dcdbc14319a0a416e9447a0
Reviewed-on: https://review.typo3.org/27492
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Stefan Neufeind
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Change-Id: I1ac785adf3b0573a50954855befdda838fd01c33
Resolves: #55671
Releases: 6.2
Reviewed-on: https://review.typo3.org/28063
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Properly implement MySQLi for DBAL native mode.

Resolves: #50752
Releases: 6.2
Change-Id: I0c36e7d2828c94cc7c726757f3adc086ffd68015
Reviewed-on: https://review.typo3.org/27875
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Anja Leichsenring
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Resolves: #56470
Releases: 6.2
Change-Id: I7bf8c20ab7e084efca352840f88007a574f7e270
Reviewed-on: https://review.typo3.org/27981
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

This commit fixed the backend user/groups TCA to set the right option
to allow recursive deletion of folders.

Change-Id: I6f763ce820a09aa8b3f555ff6dfc5666fd7f81bf
Resolves: #56527
Releases: 6.2
Reviewed-on: https://review.typo3.org/28030
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Until now files from TCA type group internal_type
file or file_reference were included as binary data in
the export only. Include also the binary data from
sys_file records in a separate array.

Resolves: #55431
Releases: 6.2
Change-Id: I9a1b1f090705f6a42ff34f98ec95b62a3a79c9c1
Reviewed-on: https://review.typo3.org/27364
Reviewed-by: Bernhard Kraft
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

A large number of files were stored with executable permissions. This
may be a (minor) security risk and can be confusing. The patch removes
the executable permissions on all files but:

* typo3/cli_dispatch.phpsh
* typo3/cleaner_check.sh
* typo3/cleaner_fix.sh

Resolves: #56571
Releases: 6.2
Change-Id: Ib6a9fb19fe716d7d5405d5a7120b50269bdbf5f8
Reviewed-on: https://review.typo3.org/28072
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

SQL parser is unable to parse the complex Upgrade Wizard query. As we
know that it is compatible with DBMS we actively support (MySQL,
PostgreSQL, Oracle, MS SQL), a pragmatic solution is implemented to
bypass the parser while keeping compatibility with DBAL and its remapping
feature.

Releases: 6.2
Fixes: #56390
Change-Id: I54c01a3eca73668be579fb45e6fea907664290d6
Reviewed-on: https://review.typo3.org/27996
Reviewed-by: Andreas Fernandez
Tested-by: Andreas Fernandez
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert

The backend search is currently not
working for file collections etc as there
is no searchFields string provided.

The patch adds them, and also
adds it to non-visible records like
sys_file and sys_file_records as they
might be used in a different
visualization when having a filesearch
service.

The patch is easily testable if you
take a file collection and name it
"my collection". Searching in the list
module on that page for "collection"
does not show anything without
the patch.

see
https://review.typo3.org/#/c/16725/9

Releases: 6.2
Resolves: #56410
Change-Id: I0e99b3b291f085b81560e8f823d3e258a8645fc0
Reviewed-on: https://review.typo3.org/27928
Reviewed-by: Tom Ruether
Tested-by: Tom Ruether
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Change-Id: Ie70bf11000e9b70f60bbd6923ab1516904164edd
Reviewed-on: https://review.typo3.org/28062
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team

Change-Id: I034ed6f244869918e9e3b7c189a629825d76df79
Reviewed-on: https://review.typo3.org/28061
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team

We can only clear the opcache in XCache if xcache.admin.enable_auth is not
set, else you get a fatal error.

Resolves: #56554
Related: #55252
Releases: 6.2
Change-Id: Ia33afc4141852c58266f6c7dfedec82f4c35148d
Reviewed-on: https://review.typo3.org/28059
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

Refine the class and interface structure of
Install Tool actions.

Resolves: #52736
Releases: 6.2
Change-Id: Id1b0107670859e140169767233ba9944822e0d8d
Reviewed-on: https://review.typo3.org/24665
Reviewed-by: Alexander Opitz
Tested-by: Alexander Opitz
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

extListArray is obsolete and can be removed. It is already taken
core off in the install tool upgrade process.

Change-Id: Ie9b86f28deebd3aab1031a725d72d852374e5607
Resolves: #56552
Releases: 6.2
Reviewed-on: https://review.typo3.org/28054
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

Cache Identifiers shorten the MD5 hash - This is superfluous substr() work
without any gain - remove it.

Change-Id: I0061337afb74df2f29aae69f868a1a0bbe3ad966
Resolves: #56313
Releases: 6.2
Reviewed-on: https://review.typo3.org/27878
Reviewed-by: Dmitry Dulepov
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

If a driver is readonly, the upload button in the file list disappears,
but the DragUploader is still activated - on the whole page.
Clicking anywhere on the list page causes an upload file selection to
pop up. Additionally the new button is shown but has no functionality.
The patch removes DragUploader and superfluous button.

Change-Id: I3f6c2e932d9f66feb6590f08229ddaaad06e688e
Resolves: #56443
Releases: 6.2
Reviewed-on: https://review.typo3.org/27946
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Christian Weiske
Tested-by: Christian Weiske
Reviewed-by: Rico Sonntag
Tested-by: Rico Sonntag
Reviewed-by: Frans Saris
Tested-by: Frans Saris

When the backend user session expires, currently
a popup window is shown which asks the user to
relogin when salted passwords or rsaauth are used
(which is currently our default).

However when a user works with multiple browser tabs
open, it is easy to overlook this popup. When realizing
that the session is expired and the user logs
into the backend again in one tab, the session
is authenticated in all other open tabs, but a
new CSRF protection token has been generated, which
makes working in this tab impossible, especially
because the tokens are now checked for virtually
any action.

This changes cleans up the AjaxLogin functionality
by making use of the new Ajax API introduced lately
and functionality is added so that AjaxLogin also
works with rsaauth and saltedpasswords enabled.

Additionally the form protection framework is slightly
reworked to better support the re-login and token
restore functionality in the AjaxLogin.

The "showRefreshLoginPopup" functionality is still
kept, because AjaxLogin can still not handle
OpenID logins.

Resolves: #56453
Releases: 6.2
Change-Id: Ic6c3415f292d346293c7d2c775288f4ba62ebc15
Reviewed-on: https://review.typo3.org/27954
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Resolves: #56471
Releases: 6.2
Change-Id: I8bd844326566715201ab3ae82811c945566b5b88
Reviewed-on: https://review.typo3.org/27977
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The upgrade wizard to migrate the fields like e.g.
tt_content->image and pages->media fetches all records
of each table and loops over them. This is basic, and not
very clever, especially when the max_execution_time is
less than the upgrade wizards needs to process all fields
or if the memory_limit is reached because ALL of the
records are fetched.

Thus, the patch modifies the behavior in the following ways:
* As all TCA value are switched from text to integer
 (the value itself, not the DB field yet) the SQL is done to
only fetch records that are not empty, not integer
(and not deleted). This reduces the memory footprint
massively.
* The check for a record is now done for each table and
then for each field of the table (as the SQL has been changed).
* The field is only marked as "done" if no more records were
found in the migration run.
* Also, the redudant myfile_05.jpg are not moved if the
first file with that name (myfile.jpg) was moved already.

The migration wizard can now be run multiple times
(and the counter shows how many records are left).

Furthermore the wizard hides itself now once all migrations
are done.

Resolves: #53845
Resolves: #53891
Releases: 6.2
Change-Id: I835a07158e6869d80b4426d9774754421963ef81
Reviewed-on: https://review.typo3.org/25621
Reviewed-by: Jigal van Hemert
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny

In PHP 5.3 anonymous functions can't be bound to static/self so an extra
call to a public function is needed.

Resolves: #56546
Related: #55252
Releases: 6.2
Change-Id: I56fc8c4ae92e50c35e972413540b43ec1fa714fc
Reviewed-on: https://review.typo3.org/28048
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers

When adding a new file through the ResourceStorage there
is a check to see if the file already exists. But this check
does not sanitize the target filename, so it could happen that
you get a false positive because when the file really is added
to the file system the target filename is sanitized.

This patch sanitizes the file name before the fileExists check.

Releases: 6.2, 6.1
Resolves: #55299
Change-Id: I519220040448b08883146caf463ed58544a18453
Reviewed-on: https://review.typo3.org/27806
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Xavier Perseguers
Reviewed-by: Wouter Wolters
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

The new eval function "maximumRecordsChecked"
silently disables the checkbox again when the
maximum number of records has been reached.

The patch adds a log entry for the user on saving
the record.

You can test this change with #55177.

Resolves: #55590
Releases: 6.2
Change-Id: Ie8489f6b8fe519130689098968ae28fabe7c7b8e
Reviewed-on: https://review.typo3.org/27264
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters