- Aug 10, 2021
-
-
Nikita Hovratov authored
In patch #93478 (66cd4ab5) the SVG Tree Drag & Drop got a little rework. While removing some magic strings and replacing them with enums, one string got a wrong replacement. This caused some faulty behaviour of the persistence of dropped pages. Changing it back to the previous value "before" restores the old behaviour. Resolves: #93548 Releases: master Change-Id: I65bf14aec5540a3ae3c91dade72fad739743a5e3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70185 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Jochen <rothjochen@gmail.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by:
-
Guido Schmechel authored
Resolves: #94389 Releases: master, 10.4 Change-Id: I6bbc99de19fbfb30f45bc7f7b03b313667daa6e3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69915 Tested-by:
-
Simon Gilli authored
This patch avoids exceptions during the upgrade from pre 11.3 versions where the column sys_log.channel does not exist. Resolves: #94708 Releases: master Change-Id: I4f1a7a2facfd9775126a13cb093347f332b9b6f3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70197 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
-
Oliver Hader authored
Due to missing internal handling of provided RTE configuration, it was possible to directly persist XSS in database fields. Unless full blown backend RTE tag configuration is available, this patch still allows persisting potentially malicious data - which is not reflected in the backend user interface - but to be sanitized during frontend rendering (see below). Corresponding configuration directives (`removeTags`, `allowedAttribs`) are now considered again. Besides that a new, but simplified sequential HTML parser ensures that runaway node-boundaries are detected & denied. To sanitize and purge XSS from markup during frontend rendering, new custom HTML sanitizer has been introduced, based on `masterminds/html5`. Both `DefaultBuilder` and `CommonVisitor` provide common configuration which is in line with expected tags that are allowed in backend RTE. Using a custom builder instance, it is possible to adjust for individual demands - however, configuration possibilities cannot be modified using TypoScript - basically since the existing syntax does not cover all necessary scenarios. Resolves: #94375 Related: #83027 Related: #94484 Releases: master, 11.3, 10.4, 9.5 Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0 Security-Bulletin: TYPO3-CORE-SA-2021-013 Security-References: CVE-2021-32768 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70345 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Oliver Hader authored
Functionality of package t3g/svg-sanitizer has been integrated into the TYPO3 core. Resolves: #94719 Releases: master, 11.3, 10.4, 9.5 Change-Id: I9bef46af0b76275844aa4acb2b54214f37936ecc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70210 Tested-by:
-
Wouter Wolters authored
The constants of the DateTime class are deprecated and moved to DateTimeInterface. Move all usages in the core over to DateTimeInterface. Resolves: #94759 Releases: master Change-Id: If723da5d5439535735d47cbe9d68bf75d7b5a885 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70303 Tested-by:
-
Wouter Wolters authored
Resolves: #94761 Releases: master Change-Id: If8c407d284ab24a489835b3397d340f59ab53045 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70305 Tested-by:
-
Christian Kuhn authored
composer.json fields marked as root-only in https://getcomposer.org/doc/04-schema.md are only used if the composer.json is used as project root. Core extensions and split repositories are never used as project root directly and also won't work as such. Testing is always performed on the monorepo. All root-only fields are thus obsolete in extensions composer.json, namely: require-dev, autoload-dev, minimum-stability, prefer-stable, repositories, config, scripts. sortpackages: true in config field is kept since this is useful when updating packages using componer req something -d typo3/sysext/core_ext Resolves: #94747 Releases: master Change-Id: I9712703c35ef3d00c098bc58218032d1e19306d4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70288 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
-
Wouter Wolters authored
Resolves: #94760 Releases: master Change-Id: Id6ea4c584ea527c25de5050e2897822821435e32 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70304 Tested-by:
-
Oliver Hader authored
Addresses work-around of issues #94565 and #94582 concerning libxml2 segmentation faults. https://github.com/darylldoyle/svg-sanitizer/compare/0.14.0...0.14.1 Resolves: #94768 Releases: master, 11.3, 10.4, 9.5 Change-Id: I10f6386f0986f514a1387fb1153bbfc36f9c9dcc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70333 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
-
Wouter Wolters authored
Resolves: #94754 Releases: master Change-Id: I8a86ca3ef6f92b2f878aa6a8794d925e1a68c32e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70299 Tested-by:
-
- Aug 09, 2021
-
-
Oliver Bartsch authored
Since #82489 the "enabledControls['new']" option did not longer hide the "New record" button of inline containers as this was considered a misuse and led to some misbehaviour. This option should only affect the action buttons of each inline record. However since this can be considered a breaking change, especially because there is currently no option available to only hide the "New record" button, the whole change is reverted now and will only be fixed in a separate patch for v11. This will be done by introducing a dedicated option for the "new record" button and by deprecating the "none" value of the "levelLinksPosition" option. Resolves: #94764 Related: #82489 Related: #92397 Releases: master, 11.3, 10.4 Change-Id: I2d108da41c02dea4958e8d39e47dcee24d2343e3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70308 Tested-by:
-
Benni Mack authored
Various functionality regarding inline jumping to Backend modules / Page Module is now obsolete due to the introduced backend routing with TYPO3 v11.2. Resolves: #94766 Releases: master Change-Id: I176beebaf6c1548e413b407846332ca845526caf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70313 Reviewed-by:
-
Nikita Hovratov authored
Resolves: #94742 Releases: master Change-Id: Ic71c90f3399826745dfb75bf18f8454e8540da5b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70283 Tested-by:
-
Andreas Fernandez authored
Currently, the TYPO3 backend shows incomplete version information regarding updates in the Core Updater and the reports. Both take community-supported releases into account only and ignore the fact that certain versions are covered by the ELTS program and thus render messages about unsupported or invalid versions, which are false statements. We now use the full information from get.typo3.org, and added lengthy tests to avoid any further issues. The internally used CoreVersionService is now able to handle ELTS releases as well and give proper information to admins. Resolves: #94745 Releases: master, 10.4, 9.5 Change-Id: I6485d36ded943acba723d55e23275554484e4f82 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70286 Tested-by:
Frank Nägler <frank.naegler@typo3.com> Tested-by:
-
Wouter Wolters authored
Constructor is removed as well because it is the same as the parent class. Resolves: #94755 Releases: master Change-Id: I918241344f467e84527e295c99b47152bc0f21be Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70300 Tested-by:
-
Wouter Wolters authored
The method only calls it's parent. The comment above the function already suggests to drop this method after Fluid 1.1.0. Resolves: #94756 Releases: master Change-Id: I1d5973bc0b864469231d3751d399b1c1c97376b6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70301 Tested-by:
-
Pierrick Caillon authored
After query filers for file storages have been used, those settings have to be reset. `StorageRepository::$storageInstances` actually applies an implicit singleton pattern to file storage objects. Resolves: #94714 Releases: master, 11.3, 10.4, 9.5 Change-Id: I353b782f8e98c55df6f9cb2e14a0745d83bfdc70 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70211 Tested-by:
-
Lukas Niestroj authored
Resolves: #94355 Releases: master, 10.4 Change-Id: Ibff208cf5e2165664a8e03952d207ece76be31e3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69715 Tested-by:
-
Christian Kuhn authored
Accessing request dependent data in a scheduler task is problematic on CLI. For this reason tasks have no setRequest() method or similar. The task does not loose much information avoiding a GU::getIndpEnv() for the test mail, and the setRequest() on the mail object is unused. Change-Id: I87a74c1d48eaa894c2859b235886ed57300c8a8b Resolves: #94748 Related: #94632 Releases: master Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70289 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
-
Oliver Bartsch authored
In our effort to improve the UX in the record- and filelist, the clipboard component will receive some improvements in upcoming patches. For example the clipboard panel should be a standalone web component, listening on events, so it could be used in any module. However, to be able to do so, the Clipboard class needs to be cleaned up first. Therefore, among other, this patch does the following: * Add strict types, type hints and resolve "mixed" types, e.g some arguments accepted bool|int instead of just bool, while they are just treated as bool. * Improve naming of used variables * Simplify some code parts * Add guard clauses where applicable * Move the DataHandler command array generation into the classes (SimpleDataHandler, FileController), they belong to * Protect methods, only intended for the use in Clipboard * Remove fileMode property since most of the code already explicitly checked for the given table anyways Resolves: #94731 Releases: master Change-Id: Ia72bd1960e2028ee659e5f6db9dac19cf6c04207 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70240 Tested-by:
-
Wouter Wolters authored
Files were merged after initial patch for all UnitTest files. Resolves: #94746 Releases: master Change-Id: Ib9c7ef1d93a331e59884c76606610fb3d5722fde Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70287 Tested-by:
Simon Gilli <typo3@gilbertsoft.org> Tested-by:
-
- Aug 08, 2021
-
-
Benni Mack authored
Some methods which do not have any connection to the current backend user and are only used in DataHandler and DataHandlerHook of workspaces are moved to DataHandler in order to clean up the usages regarding permission handling of backend users within workspaces. Resolves: #94744 Releases: master Change-Id: I0473fe195d267fdb09440ab981ea2550f428d0b0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70199 Tested-by:
-
Wouter Wolters authored
Strip declare declaration from concatenated ext_localconf files. Resolves: #94739 Releases: master Change-Id: I006278888b950a3a4aa105dc6bb822390cd29aef Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70281 Tested-by:
-
Torben Hansen authored
In clearCacheForRecord() record uids are not added to the previously initialized array, but they overwrite the array resulting in an exception when clearCachesOfRegisteredPageIds is called. This change ensures uids are correctly added to the array. Resolves: #94740 Related: #94703 Releases: master Change-Id: Ie784c556201731673ec9c5e3196c93b19211a3e1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70282 Tested-by:
-
Wouter Wolters authored
Resolves: #94738 Releases: master Change-Id: I38544e9ae2f1890c43bd65466a39120729353e97 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70280 Tested-by:
-
- Aug 06, 2021
-
-
Wouter Wolters authored
The file does not exist anymore. Resolves: #94737 Releases: master Change-Id: Iffc65e2980d56d06d92ddcefba1e39e22a85be81 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70279 Tested-by:
-
Wouter Wolters authored
Resolves: #94736 Releases: master Change-Id: I12d1bd3b963ffb77b8b195c4a50e60a254b885b2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70278 Tested-by:
-
Christian Kuhn authored
We have the annotationChecker and the ever growing phpstan ruleset that scan our codebase for code and documentation code block violations. For the additional script docBlockChecker.php it's unclear what it actually does and when it should fail. It never went red to my knowledge. The patch author didn't know what was going on and I've been unable to make the script fail with local tests. The mentioned phpdocumentor/phpdocumentor seems to have never materialized in our world, and tools like api.typo3.org rely on doxygen. The patch drops that integrity test script and removes usages in runTests.sh and gitlab-ci. Resolves: #94735 Related: #89023 Releases: master Change-Id: Id7744780cd50e2009d59bd0f040799f8081924e7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70277 Reviewed-by:
-
Christian Kuhn authored
Some functional tests don't need a fully set up database with all tables and fields to test the subject. Those now leverage a new testing-framework feature to skip database creation. Good examples are the core redis and memcache cache backend tests as well as a lot of fluid view helper functional tests. The speed improvement of around factor ten is significant enough to use it if possible. Resolves: #94734 Related: #94733 Releases: master Change-Id: Ib6d7f9fec52aab8d7271c47443fe24806b15e133 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70241 Tested-by:
-
Christian Kuhn authored
Brings a new feature to speed up functional tests and a series of tasks and bug fixes. composer req --dev typo3/testing-framework:^6.9.0 composer req --dev typo3/testing-framework:^6.9.0 -d typo3/sysext/core/ --no-update Change-Id: Iacfda77682d89468c0158fb467df90120a41a099 Resolves: #94733 Releases: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70272 Tested-by:
-
Oliver Bartsch authored
When using a SelectTree in flexform, the FormSelectTreeAjaxController reduces the data structure array, passed to the tcaSelectTreeAjaxFieldData FormDataGroup, down to the relevant element only. This previously lead to deprecation messages as one of the DataProviders, FlexPrepare, calls the TcaMigration for the passed data structure array. This then failed for the container, since it was falsely treated as an invalid TCA column, due to the missing type property. This is now fixed by adding the missing "type=array" property to the reduced data structure. Resolves: #94720 Releases: master, 10.4 Change-Id: Ib1ee2fe81ea54e17cdd38a39e2359e1cc6cfdfbf Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70206 Tested-by:
-
Oliver Bartsch authored
In #94491 the injection of the ImageService in the ImageViewHelper was replaced by instantiating with GeneralUtility. This was done, since the ImageViewHelper is also used in the install tool, where no DI of this service is possible. However, since ImageService can be extended by third-party ViewHelpers, this then broke when accessing $this->imageService. This is now fixed by instantiating and assigning the ImageService in the constructor to the $imageService class variable. This way the DI is still not used, but backwards compatibility is given. Resolves: #94728 Related: #94491 Releases: master Change-Id: Id029a01f7f4f6dabdb2b148ac7b9efcca0f7b0fc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70245 Tested-by:
David Steeb <david.steeb@b13.com> Tested-by:
Ruben Steeb <ruben.steeb@gmail.com> Tested-by:
-
Oliver Bartsch authored
Resolves: #94730 Releases: master, 10.4 Change-Id: I9e02de91e4c7f4cd3d2bc6f1e6ffe1b105c11ba0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70247 Tested-by:
-
Christian Kuhn authored
typo3/testing-framework ships default .xml and bootstrap files for phpunit unit and functional tests. They are however quite hard to maintain since the testing-framework supports multiple core versions at once, but core occassionally needs version specific settings. The patch copies the files from the testing-framework to Build/phpunit and adapts core usages. The files within testing-framework will be kept, but will receive an additional "these are boilerplates, consider copying them to your extension" hint for extension developers. The local .xml files are now: * Compatible with phpunit 9 * Let tests fail if phpunit marks a test with warning. With this enabled, we would have seen the issues fixed with #94724 and #94723 with initial #94706 already. Good to do that now. Resolves: #94725 Related: #94706 Related: #94723 Related: #94724 Releases: master Change-Id: I9fef75a972759d26d4e0e3286142cacf181c33d2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70239 Tested-by:
-
Christian Kuhn authored
The consuming test case has been dropped a while ago, fixture removal has been forgotten. Resolves: #94727 Releases: master Change-Id: I3ec574a3efd200c2572a5596ae6e97a03a5a0d49 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70242 Tested-by:
-
Oliver Bartsch authored
BackendUtility::getRecordTitle() should return a string (as the return type annotation suggest). Especially because the return value is usually directly passed to htmlspecialchars(), which again requires a string to be given. Since BackendUtility::getRecordTitle() was missing some typecasts, it was possible that e.g. an integer was returned. This then failed in classes, defining strict mode. An example for such scenario: Having a table, which defines the `uid` as `label` field. getRecordTitle is using getProcessedValue(), which has a guard clause to directly return the input value, in case the label field is `uid`. This would then usually (depending on DBMS) return an integer. This is now fixed by applying type casts to the relevant places. Resolves: #94726 Releases: master Change-Id: Ie02837ff5e55f369ff8ddf1f3e5098e636f475bb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70243 Tested-by:
Jörg Bösche <typo3@joergboesche.de> Reviewed-by:
-
- Aug 05, 2021
-
-
Wouter Wolters authored
Rector is used to migrate functional tests to PHPunit v9. Resolves: #94724 Related: #94706 Releases: master Change-Id: I378acd4145aacb5448d461eec48c3a1695876d61 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70238 Tested-by:
-
Wouter Wolters authored
composer req --dev codeception/codeception:^4.1.21 composer req --dev codeception/module-webdriver:^1.2.1 composer req --dev php-webdriver/webdriver:^1.11.1 composer req --dev composer/package-versions-deprecated:^1.11.99.2 composer req --dev codeception/codeception:^4.1.21 -d typo3/sysext/core --no-update composer req --dev codeception/module-webdriver:^1.2.1 -d typo3/sysext/core --no-update composer req --dev php-webdriver/webdriver:^1.11.1 -d typo3/sysext/core --no-update composer req --dev composer/package-versions-deprecated:^1.11.99.2 -d typo3/sysext/core --no-update composer u mikey179/vfsstream behat/gherkin composer/semver codeception/stub Resolves: #94722 Releases: master Change-Id: I2ec0277374a2bf4e1501e79469826b7ea6360557 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70234 Tested-by:
-
Christian Kuhn authored
LocalConfiguration BE/explicitADmode controls wether field permissions for backend user groups are additive (explicitAllow) or subtractive (explicitDeny). By means of best practice in the IT world, user permissions should always be configured additive - which is called the "Principle of Least Privilege" (see https://en.wikipedia.org/wiki/Principle_of_least_privilege). TYPO3's permission system already uses PoLP in all cases of backend groups except for the permission system of "Allowed Content Types" This is not only important from a security point of view in terms of permissions (for instance when an extension adds new CTypes), it's also possible to easily create a hard to understand mess in explicitDeny mode with nested groups. The default / fallback in DefaultConfiguration however has always been explicitDeny since "ever". New instances always got explicitAllow due to it being set in FactoryConfiguration - since TYPO3 v6.2. We can expect the vast majority of instances to run with explicitAllow already, either since the instance is younger than ~7 years, or because an admin already did set the default to explicitAllow for any instance that works with a non-trivial backend user group setup. This change turns the default in DefaultConfiguration around towards explicitAllow. A simple silent upgrade within install tool sets the value to explicitDeny in LocalConfiguration for instances that still use this, so this change is fully transparent and b/w compatible. Resolves: #94721 Releases: master Change-Id: Ifd219edce21a1c044541e6c8129134543e8d95ef Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70233 Tested-by:
-
