  2. May 23, 2014
    • [BUGFIX] Alternative implementations for view helpers do not work · 003c6628
      Marc Bastian Heinrichs authored
      Extbase allows registering alternative implementations for
      objects. However, that does not work for view helpers using
      a closing tag. The resolved (alternative) object is compared
      to the name of the original view helper and throws an
      exception like:
      
        #1224485398: Templating tags not properly nested. Expected:
        "AlternativeViewHelper"; Actual: "OriginalViewHelper"
      
      A simple solution is to save the class name of the object returned
      from the object manager in a runtime cache and check this when
      resolving a view helper name. A nice side effect is that the same
      view helper name need not be calculated over and over again.
      
      Fixes: #52272
      Releases: 6.0, 6.1, 6.2
      Change-Id: Ie49e5e83c779b4748dc2059f8fbc85552ce4b406
      Reviewed-on: https://review.typo3.org/30349
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  3. May 22, 2014
    • [BUGFIX] Wrong HTML in locallang_csh_pages.xlf · 94f1e325
      Markus Klein authored
      lang/4.5/locallang_csh_pages.xlf contains an invalid
      HTML structure: a <p> tag should actually be a <b> tag.
      
      Resolves: #58936
      Releases: 6.2, 6.1, 4.5
      Change-Id: Id37d424296628202d8d434e0cf9cafd8529da2c3
      Reviewed-on: https://review.typo3.org/30330
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] TCA tree fails to load with IRRE · f954a795
      Xavier Perseguers authored
      The TCA tree element fails to load inside IRRE under some conditions
      (when the record is not loaded/opened).
      
      Change-Id: Id077a71e2191b0cf91003611e11dc5aefafab0c9
      Resolves: #39035
      Releases: 6.2, 6.1
      Reviewed-on: https://review.typo3.org/29909
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Fix description of userHomePath and groupHomePath · b908b7da
      Marc Bastian Heinrichs authored
      Since making userHomePath and groupHomePath FAL compatible,
      the descriptions in DefaultConfiguration don't fit anymore.
      
      Resolves: #56986
      Releases: 6.2, 6.1
      Change-Id: Ia27193b967137dd3744c2fdcf5b5b0d3366c0080
      Reviewed-on: https://review.typo3.org/29906
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
    • [BUGFIX] Properly check existence of array item · f0ac518f
      Markus Klein authored
      The flexform converter in ContentObjectRenderer tries to access
      an array element on a non-array.
      
      Check existence with isset() first.
      
      Resolves: #57809
      Releases: 6.2, 6.1
      Change-Id: I8e6111afee3a639b3077dc59bc2e32b72fa12f5c
      Reviewed-on: https://review.typo3.org/29892
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] Inaccessible pages on shortcuts/PageNotFound handler · 203c1eb9
      Alexander Opitz authored
      The var pageNotFound is set if the called page has access
      restrictions. Afterwards a search for an accessible page
      upwards in the rootline starts.
      
      If that page is a short link which also isn't accessible, we stop
      instead of searching again in this new rootline. This is limited to a
      maximum of 20 iterations to prevent endless loops.
      
      If an accessible page is found, we do not reset the pageNotFound var.
      The PageNotFound handler reacts to this var and redirects to the 404
      page instead of presenting the accessible page we found later on.
      
      You can reproduce this with the introduction package, for example by
      changing the access to the Example/Tables page to "Customer".
      Afterwards go to http://yourdomain/?id=38 and you will see the 404
      page. If you disable the pageNotFound_handling you will see the
      content of the Example page.
      
      Resolves: #16472
      Releases: 6.2, 6.1
      Change-Id: I1e58ec1f96422c6bf3e5c9c74f1b1c1666b68762
      Reviewed-on: https://review.typo3.org/29897
      Reviewed-by: Alexander Opitz
      Tested-by: Alexander Opitz
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [BUGFIX] Fix failing unit tests for HTTP host check in CLI mode · 420b5c8d
      Helmut Hummel authored
      The unit tests for the recent HTTP host fix are failing
      if executed in CLI mode.
      In CLI mode no server environment and HTTP headers are available,
      which is why the behavior needs to know about the
      test execution process.
      
      We solve this by mocking allowed request types.
      
      Resolves: #59022
      Releases: 6.2, 6.1, 6.0
      Change-Id: I3c93d181dcec5f34064798e7c31240877fde610d
      Reviewed-on: https://review.typo3.org/30325
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [TASK] Set TYPO3 version to 6.1.10-dev · 2b0b9ad6
      TYPO3 Release Team authored
      Change-Id: I4f3b6dc5fe3e7e64365b632d6bd2656cd45d1378
      Reviewed-on: https://review.typo3.org/30315
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
    • [RELEASE] Release of TYPO3 6.1.9 · 211c2332
      TYPO3 Release Team authored
      Change-Id: I68884dbd5ac459c84ad18a14e7c7df30701ad72c
      Reviewed-on: https://review.typo3.org/30314
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
      TYPO3_6-1-9
    • [SECURITY] Add trusted HTTP_HOST configuration · 6fafbf7d
      Helmut Hummel authored
      TYPO3 uses the values of HTTP_HOST in several
      places without validating them. This could
      lead to a situation where links are generated
      using the host part from HTTP_HOST.
      
      Since HTTP_HOST headers are user input and
      can be spoofed by an attacker, this leads
      to several potential and actual security issues.
      
      To address this, a configuration option for
      trusted hosts is added, which is evaluated every
      time getIndpEnv('HTTP_HOST') is called.
      
      The configuration option is
      
      $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']
      
      and can contain either a regular expression or the
      value "SERVER_NAME".
      
      To properly output the exception message in case
      the trustedHostsPattern does not match,
      we need to adapt the exception handlers slightly
      to not log information in this case and to actually
      show the message even in production context, so as not to
      confuse admins about what is currently going wrong.
      
      To not break all existing installations, the default
      pattern is set to 'SERVER_NAME' which allows all
      HTTP_HOST values matching the SERVER_NAME (and
      optionally the SERVER_PORT if a port is specified
      in the HTTP_HOST value).
      
      This will secure all installations which use properly
      configured name-based virtual hosts, but leaves
      installations where the web server is not bound
      to a specific host name in an insecure state.
      
      Change-Id: I38e6a18a3e66e80abda2a4682bd1348198de1f8b
      Fixes: #30377
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30299
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
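To make the two modes of trustedHostsPattern described in the commit concrete, here is an added illustration (not TYPO3's own code) of checking a Host header against either the literal value 'SERVER_NAME' or an admin-supplied regular expression. The function name isTrustedHost, the anchoring of the regular expression and the sample host values are this example's assumptions.

```php
<?php
// Added example, not TYPO3 code: evaluate a Host header against a
// trusted-hosts pattern in the style of the configuration described above.
// Assumed helper name; the 'SERVER_NAME' sentinel is from the commit.
const TRUSTED_HOSTS_PATTERN_SERVER_NAME = 'SERVER_NAME';

/**
 * @param string $httpHost   raw HTTP_HOST value (host name, optionally ":port")
 * @param string $pattern    'SERVER_NAME' or a regular expression without delimiters
 *                           (it must not contain an unescaped '/')
 * @param string $serverName SERVER_NAME the virtual host is bound to
 * @param string $serverPort SERVER_PORT the request arrived on
 */
function isTrustedHost(string $httpHost, string $pattern, string $serverName, string $serverPort): bool
{
    if ($pattern === TRUSTED_HOSTS_PATTERN_SERVER_NAME) {
        // Split off an optional port. The host is compared case-insensitively;
        // the port is only compared when the Host header actually carries one.
        // Caveat: bracketed IPv6 literals ("[::1]:80") are not handled here.
        $parts = explode(':', $httpHost, 2);
        $hostMatches = strcasecmp($parts[0], $serverName) === 0;
        $portMatches = !isset($parts[1]) || $parts[1] === $serverPort;
        return $hostMatches && $portMatches;
    }
    // Anchor the expression so that "example\.org" is not satisfied by a
    // longer name that merely contains example.org (assumption of this example).
    return preg_match('/^' . $pattern . '$/i', $httpHost) === 1;
}

// Constructed sample Host headers for a virtual host bound to www.example.org:443
$samples = [
    'www.example.org',
    'WWW.EXAMPLE.ORG:443',
    'www.example.org:8080',
    'www.example.org.other.example',
    'other.example',
];
foreach ($samples as $host) {
    $verdict = isTrustedHost($host, 'SERVER_NAME', 'www.example.org', '443');
    printf("%-32s SERVER_NAME mode: %s\n", $host, $verdict ? 'trusted' : 'rejected');
}

// Regex mode: trust the apex and exactly one level of subdomains, any port
$regex = '([a-z0-9-]+\.)?example\.org(:\d+)?';
foreach (['shop.example.org', 'a.b.example.org'] as $host) {
    $verdict = isTrustedHost($host, $regex, 'www.example.org', '443');
    printf("%-32s regex mode:       %s\n", $host, $verdict ? 'trusted' : 'rejected');
}
```

In SERVER_NAME mode the first two samples are accepted and the remaining three rejected; in regex mode shop.example.org is accepted while a.b.example.org is rejected because the expression allows only one label before example.org.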
    • [SECURITY] XSS in (old) extension manager information function · 2994a1c5
      Nicole Cordes authored
      This needs to be fixed in 6.x as well, but the affected function is not
      used anymore.
      
      Change-Id: I434689d4065496330a92e7086ec6899ddff1d2d6
      Fixes: #54111
      Fixes: #54113
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 383664ef458c2b978666311d294591d96a2d0eb9
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30298
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in new content element wizard · 12741ad6
      Marcus Krause authored
      Sanitize user-input colPos in new content element wizard.
      
      Change-Id: I68ee05a9113b2a0266c0be612b1a10272cb986a2
      Fixes: #48695
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: eccb66a7ed4cb872f512f611395eae4ed0226e10
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30297
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in template tools on root page · 7595ad45
      Marc Bastian Heinrichs authored
      Change-Id: I2958dcc7cecf8ef980d90dae66c6bd2df432ce4b
      Fixes: #54109
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 788dfadc5c1339e9bc4533d595ce23a524cc5450
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30296
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in Backend Layout Wizard · 69658064
      Helmut Hummel authored
      Change-Id: Ie3f08333e417d8d208b3b36b208056efd4dbcec0
      Fixes: #57576
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: cc840cb0438cfdae76219c3ac5f28a1f341ae9b7
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30295
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Encode URL for use in JavaScript · 54e46912
      Jigal van Hemert authored
      The URL for the Open in New Window button must be quoted for
      use in JavaScript to prevent XSS issues.
      
      Change-Id: I849534cd53d333f6e12846a8065ad7e5373b8e63
      Fixes: #48693
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 06a582c197dee4add0979f956f932ea03e2b3022
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30294
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Fix insecure unserialize in colorpicker · b6826ff0
      Helmut Hummel authored
      Change-Id: Id3a692cdccb2d3a9ae46ae635ee5c316fa36e371
      Fixes: #56458
      Releases: 6.1, 6.0, 4.7, 4.5
      Security-Commit: 3981e7efef710d680a18f8a5537a7085e540aab3
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30293
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Remove charts.swf to get rid of XSS vulnerability · 32efb1b0
      Helmut Hummel authored
      The file charts.swf is vulnerable to XSS; it is delivered
      by ExtJS but not used in TYPO3 CMS at all.
      
      Since the vendor of ExtJS did not fix this vulnerability,
      we decided to remove it from TYPO3 sources.
      
      Change-Id: I4d4f871e9e89250b0b818b50e8342bd902485464
      Fixes: #54526
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 467ea328aaa23230bbe93b4deb18ec73fbd7b1e8
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30292
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  4. May 21, 2014
    • [BUGFIX] Indexer tries to insert NULL into DB · 6a91a909
      Markus Klein authored
      The Indexer of indexed_search tries to insert NULL values
      into NOT NULL columns of the database.
      
      Since #53662 NULL values are passed to the database,
      hence these insert statements now fail.
      
      Resolves: #54917
      Releases: 6.2, 6.1, 6.0
      Change-Id: Ia935abe14b9c3be2062f1b38ec98fb63921a1c2f
      Reviewed-on: https://review.typo3.org/30244
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  7. May 08, 2014
    • [BUGFIX] Solve stack overflow in prototype in IE8 · fb8370d0
      Jigal van Hemert authored
      The reason for this behaviour is the combination of prototype.js
      and ExtJS. The ExtJS defer() method takes precedence. Calling the
      defer() method without any arguments would have resulted in using
      a default value of "0.01" seconds in standalone prototype.js, but
      results in directly calling the submitted function.
      
      The stack overflow is caused by not delaying the function call
      and thus ending in a recursive endless loop.
      
      Resolves: #58187
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Change-Id: I6db191ff67a3e869072877936d949fc733cda74f
      Reviewed-on: https://review.typo3.org/29907
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [BUGFIX] Default image title in RTE contains the file name · 3abc7030
      Stanislas Rolland authored
      When inserting an image in the RTE, the default image title should be
      the image file title, not the image file name.
      
      Resolves: #58373
      Releases: 6.1, 6.2
      Change-Id: I5aa3aae4db83cbd36244b89cc37c78184b290228
      Reviewed-on: https://review.typo3.org/29780
      Reviewed-by: Stanislas Rolland
      Tested-by: Stanislas Rolland
  10. May 02, 2014
    • [BUGFIX] Retrieving extension fails with some PHP versions · a49ddfd3
      Sascha Wilking authored
      XmlParser has an issue with PHP < 5.4.28 leading to
      unexpected empty arrays raising warnings. If development
      preset is activated, warnings are turned into exceptions,
      so the extension list parser stops importing.
      
      Resolves: #58418
      Releases: 6.2, 6.1
      Change-Id: Idc6453bd8dcc46a933a1d6d72361ffff5842e39d
      Reviewed-on: https://review.typo3.org/29784
      Reviewed-by: Anja Leichsenring
      Tested-by: Anja Leichsenring
  12. Apr 25, 2014
    • [BUGFIX] Database query error for non-workspaces tables · 8cf4f78f
      Oliver Hader authored
      In frontend rendering mode PageRepository::versionOL() is called
      frequently to overlay workspace data. A further method call then
      creates a query with required t3ver_* fields. This query fails
      if a table is not considered to support workspaces/versioning at
      all. This behaviour is a regression that was introduced with
      issue #30604 during TYPO3 4.7 development.
      
      Resolves: #58180
      Releases: 6.2, 6.1, 6.0
      Change-Id: I81d24ea16116563f4f0d75fafd06496a9c4e993d
      Reviewed-on: https://review.typo3.org/29658
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader