- May 26, 2014
-
-
Nicole Cordes authored
Due to patch https://review.typo3.org/#/c/30305/ the string comparison on colPos fails and new content elements are always stored on pid 0. This patch corrects the check for an integer colPos type by setting the unused variable to NULL. Resolves: #59059 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: Iecd7f0cacf5c9315d882eebeb3893bcfa63ae7eb Reviewed-on: https://review.typo3.org/30416 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- May 23, 2014
-
-
Marc Bastian Heinrichs authored
Extbase allows registering alternative implementations for objects. However, that does not work for view helpers using a closing tag. The resolved (alternative) object is compared to the name of the original view helper and throws an exception like:

#1224485398: Templating tags not properly nested. Expected: "AlternativeViewHelper"; Actual: "OriginalViewHelper"

A simple solution is to save the class name of the object returned from the object manager in a runtime cache and check this when resolving a view helper name. A nice side effect is that the same view helper name must not be calculated over and over again.

Fixes: #52272 Releases: 6.0, 6.1, 6.2 Change-Id: Ie49e5e83c779b4748dc2059f8fbc85552ce4b406 Reviewed-on: https://review.typo3.org/30349 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- May 22, 2014
-
-
Markus Klein authored
lang/4.5/locallang_csh_pages.xlf contains an invalid HTML structure: a <p> tag should actually be a <b> tag. Resolves: #58936 Releases: 6.2, 6.1, 4.5 Change-Id: Id37d424296628202d8d434e0cf9cafd8529da2c3 Reviewed-on: https://review.typo3.org/30330 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Xavier Perseguers authored
The TCA tree element fails to load inside IRRE in some conditions (when the record is not loaded/opened). Change-Id: Id077a71e2191b0cf91003611e11dc5aefafab0c9 Resolves: #39035 Releases: 6.2, 6.1 Reviewed-on: https://review.typo3.org/29909 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Marc Bastian Heinrichs authored
Since making userHomePath and groupHomePath FAL compatible the descriptions in DefaultConfiguration don't fit anymore. Resolves: #56986 Releases: 6.2, 6.1 Change-Id: Ia27193b967137dd3744c2fdcf5b5b0d3366c0080 Reviewed-on: https://review.typo3.org/29906 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters
-
Markus Klein authored
The flexform converter in ContentObjectRenderer tries to access an array element on a non-array. Check existence with isset() first. Resolves: #57809 Releases: 6.2, 6.1 Change-Id: I8e6111afee3a639b3077dc59bc2e32b72fa12f5c Reviewed-on: https://review.typo3.org/29892 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Alexander Opitz authored
The var pageNotFound is set if the called page has access restrictions. Afterwards a search starts for an accessible page upwards in the rootline. If that page is a short link which also isn't accessible, we stop instead of searching again in this new rootline. Limiting this to a maximum of 20 iterations to prevent endless loops.

If an accessible page is found, we do not reset the pageNotFound var. The PageNotFound handler reacts to this var and redirects to the 404 page instead of presenting the accessible page we found later on.

You can reproduce this with the introduction package: for example, change the access to the Example/Tables page to "Customer". Afterwards go to http://yourdomain/?id=38 and you will see the 404 page. If you disable the pageNotFound_handling you will see the content of the Example page.

Resolves: #16472 Releases: 6.2, 6.1 Change-Id: I1e58ec1f96422c6bf3e5c9c74f1b1c1666b68762 Reviewed-on: https://review.typo3.org/29897 Reviewed-by: Alexander Opitz Tested-by: Alexander Opitz Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Helmut Hummel authored
The unit tests for the recent HTTP host fix are failing if executed in CLI mode. In CLI mode no server environments and HTTP headers are available; that is why the behavior needs to know about the test execution process. We solve this by mocking allowed request types. Resolves: #59022 Releases: 6.2, 6.1, 6.0 Change-Id: I3c93d181dcec5f34064798e7c31240877fde610d Reviewed-on: https://review.typo3.org/30325 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
TYPO3 Release Team authored
Change-Id: I4f3b6dc5fe3e7e64365b632d6bd2656cd45d1378 Reviewed-on: https://review.typo3.org/30315 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
TYPO3 Release Team authored
Change-Id: I68884dbd5ac459c84ad18a14e7c7df30701ad72c Reviewed-on: https://review.typo3.org/30314 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
Helmut Hummel authored
TYPO3 uses the values of HTTP_HOST in several places without validating them. This could lead to a situation where links are generated using the host part from HTTP_HOST. Since HTTP_HOST headers are user input and can be spoofed by an attacker, this leads to several potential and actual security issues.

To address this, a configuration option for trusted hosts is added, which is evaluated every time getIndpEnv('HTTP_HOST') is called. The configuration option is $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] and can contain either a regular expression or the value "SERVER_NAME".

To properly output the exception message in case the trustedHostPattern does not match, we need to adapt the exception handlers slightly to not log information in this case and to actually show the message even in production context, so as not to confuse admins about what is currently going wrong.

To not break all existing installations, the default pattern is set to 'SERVER_NAME', which allows all HTTP_HOST values matching the SERVER_NAME (and optionally the SERVER_PORT if a port is specified in the HTTP_HOST value). This will secure all installations which use properly configured name-based virtual hosts, but leaves installations where the web server is not bound to a specific host name still in an insecure state.

Change-Id: I38e6a18a3e66e80abda2a4682bd1348198de1f8b Fixes: #30377 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30299 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Nicole Cordes authored
Needs to be fixed also in 6.x, but the affected function is not used anymore. Change-Id: I434689d4065496330a92e7086ec6899ddff1d2d6 Fixes: #54111 Fixes: #54113 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 383664ef458c2b978666311d294591d96a2d0eb9 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30298 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Marcus Krause authored
Sanitize user-input colPos in new content element wizard. Change-Id: I68ee05a9113b2a0266c0be612b1a10272cb986a2 Fixes: #48695 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: eccb66a7ed4cb872f512f611395eae4ed0226e10 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30297 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Marc Bastian Heinrichs authored
Change-Id: I2958dcc7cecf8ef980d90dae66c6bd2df432ce4b Fixes: #54109 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 788dfadc5c1339e9bc4533d595ce23a524cc5450 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30296 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
Change-Id: Ie3f08333e417d8d208b3b36b208056efd4dbcec0 Fixes: #57576 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: cc840cb0438cfdae76219c3ac5f28a1f341ae9b7 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30295 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Jigal van Hemert authored
The URL for the Open in New Window button must be quoted for use in JavaScript to prevent XSS issues. Change-Id: I849534cd53d333f6e12846a8065ad7e5373b8e63 Fixes: #48693 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 06a582c197dee4add0979f956f932ea03e2b3022 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30294 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
Change-Id: Id3a692cdccb2d3a9ae46ae635ee5c316fa36e371 Fixes: #56458 Releases: 6.1, 6.0, 4.7, 4.5 Security-Commit: 3981e7efef710d680a18f8a5537a7085e540aab3 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30293 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
The file charts.swf is vulnerable to XSS; it is delivered by ExtJS but not used in TYPO3 CMS at all. Since the vendor of ExtJS did not fix this vulnerability, we decided to remove it from TYPO3 sources. Change-Id: I4d4f871e9e89250b0b818b50e8342bd902485464 Fixes: #54526 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 467ea328aaa23230bbe93b4deb18ec73fbd7b1e8 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30292 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- May 21, 2014
-
-
Markus Klein authored
The Indexer of indexed_search tries to insert NULL values into NOT NULL columns of the database. Since #53662 NULL values are passed to the database, hence these insert statements now fail. Resolves: #54917 Releases: 6.2, 6.1, 6.0 Change-Id: Ia935abe14b9c3be2062f1b38ec98fb63921a1c2f Reviewed-on: https://review.typo3.org/30244 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- May 15, 2014
-
-
Markus Klein authored
Resolves: #58842 Releases: 6.2, 6.1 Change-Id: Ibaf87d32778349d5a87009bcd2b365447e6488fa Reviewed-on: https://review.typo3.org/30151 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- May 14, 2014
-
-
Markus Klein authored
Remove the superfluous count() call. Resolves: #58529 Releases: 6.2, 6.1, 6.0 Change-Id: I0933650b52063009de52268034480f6e06af56ac Reviewed-on: https://review.typo3.org/29883 Tested-by: Stefan Neufeind Reviewed-by: Markus Klein Reviewed-by: Nicole Cordes Tested-by: Nicole Cordes Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
- May 08, 2014
-
-
Jigal van Hemert authored
The reason for this behaviour is the combination of prototype.js and ExtJS. The ExtJS defer() method takes precedence. Calling the defer() method without any arguments would have resulted in using a default value of "0.01" seconds in standalone prototype.js, but results in directly calling the submitted function. The stack overflow is caused by not delaying the function call and thus ending in a recursive endless loop. Resolves: #58187 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: I6db191ff67a3e869072877936d949fc733cda74f Reviewed-on: https://review.typo3.org/29907 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Stanislas Rolland authored
When inserting an image in the RTE, the default image title should be the image file title, not the image file name. Resolves: #58373 Releases: 6.1, 6.2 Change-Id: I5aa3aae4db83cbd36244b89cc37c78184b290228 Reviewed-on: https://review.typo3.org/29780 Reviewed-by: Stanislas Rolland Tested-by: Stanislas Rolland
-
- May 05, 2014
-
-
Marc Bastian Heinrichs authored
A TypoScript condition like "[globalString = GP:anEmptyGetPostVarKey = ]" returns a false value instead of the expected true value. Fixes: #45183 Releases: 4.5, 6.0, 6.1, 6.2 Change-Id: I114b702f4b5ae5f68236874325e82974a8ba6107 Reviewed-on: https://review.typo3.org/27249 Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
- May 04, 2014
-
-
Nicole Cordes authored
This patch adds the loading check of rsaauth before trying to access the BackendFactory of rsaauth. Otherwise the extension manager gets broken on entering extension configuration. Resolves: #58504 Releases: 6.2, 6.1 Change-Id: I197fb5e032b31e6add388269f77e6fc834e45b54 Reviewed-on: https://review.typo3.org/29860 Reviewed-by: Jigal van Hemert Tested-by: Jigal van Hemert
-
Marc Bastian Heinrichs authored
The SoftReferenceIndex parses and rebuilds typolink tags, but the support for more than one value in class attribute is missing, because the values don't get enclosed with quotes on rebuilding. This leads to lost classes in typolinks in exports from impexp. Resolves: #58484 Releases: 6.2, 6.1, 4.5 Change-Id: I12ed3be7f5be36254bcee57fcb24bf2a10f92f46 Reviewed-on: https://review.typo3.org/29852 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- May 02, 2014
-
-
Sascha Wilking authored
XmlParser has an issue with PHP < 5.4.28 leading to unexpected empty arrays raising warnings. If development preset is activated, warnings are turned into exceptions, so the extension list parser stops importing. Resolves: #58418 Releases: 6.2, 6.1 Change-Id: Idc6453bd8dcc46a933a1d6d72361ffff5842e39d Reviewed-on: https://review.typo3.org/29784 Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring
-
- Apr 29, 2014
-
-
Markus Klein authored
ActionMenuViewHelper contains a wrong example for the usage of the viewhelper. It uses a '=' where a ':' would be correct. Resolves: #58166 Releases: 6.2, 6.1 Change-Id: I135310be0ac2e8df59f81dfbf694a0febbcde99a Reviewed-on: https://review.typo3.org/29733 Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
- Apr 25, 2014
-
-
Oliver Hader authored
In frontend rendering mode PageRepository::versionOL() is called frequently to overlay workspace data. A further method call then creates a query with required t3ver_* fields. This query fails if a table is not considered to support workspaces/versioning at all. This behaviour is a regression that has been introduced with issue #30604 during TYPO3 4.7 development. Resolves: #58180 Releases: 6.2, 6.1, 6.0 Change-Id: I81d24ea16116563f4f0d75fafd06496a9c4e993d Reviewed-on: https://review.typo3.org/29658 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- Apr 16, 2014
-
-
TYPO3 Release Team authored
Change-Id: Icb574fdf43e9850c5eceba5be9fb41541305323c Reviewed-on: https://review.typo3.org/29522 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
TYPO3 Release Team authored
Change-Id: Ib8f3b0d555fad430262e8e864dcd40b9e7fa2ee0 Reviewed-on: https://review.typo3.org/29521 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
Jigal van Hemert authored
If the end of a result set is reached some drivers produce NULL. This must be changed into FALSE to be compatible with the non-DBAL version of these functions. Resolves: #57957 Releases: 6.2, 6.1 Change-Id: I664dd10735f88754c74e20ecd5c07fad5ef2b78d Reviewed-on: https://review.typo3.org/29513 Reviewed-by: Jigal van Hemert Tested-by: Jigal van Hemert
-
Stefan Neufeind authored
Followup to: https://review.typo3.org/28625 No use-statement for MathUtility in 6.1 yet. Change-Id: Iffa9c7cd9ab41831e34c40d7b3ada530ba73ac9c Resolves: #24925 Resolves: #24871 Releases: 6.1 Reviewed-on: https://review.typo3.org/29507 Reviewed-by: Ernesto Baschny Tested-by: Ernesto Baschny
-
- Apr 15, 2014
-
-
Benjamin Mack authored
It's not possible to create a backend selectbox that is mandatory with only 1 item selectable. Releases: 6.2, 6.1 Resolves: #24925 Resolves: #24871 Change-Id: Idaef6475f61c70cd8c3f6074ccd0b0195d90c581 Reviewed-on: https://review.typo3.org/28625 Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
Marc Bastian Heinrichs authored
The SoftReferenceIndex parses and rebuilds typolink tags, but the support for the title attributes was missing. This leads to lost title attributes on typolinks in exports from impexp. Resolves: #56580 Releases: 6.2, 6.1, 6.0, 4.5 Change-Id: I9bf5c02b79ae4c9024322f0da99dcca37b678daa Reviewed-on: https://review.typo3.org/28169 Reviewed-by: Marc Bastian Heinrichs Tested-by: Marc Bastian Heinrichs
-
Marc Bastian Heinrichs authored
According to the fixes for the normal TCA fields of type "group" internal_type "file_reference" in #49538 and #56353, this also needs to be fixed for the FlexForm fields: handle the internal_type file_reference as a DB reference to sys_file. Resolves: #56991 Releases: 6.2, 6.1, 6.0 Change-Id: Ie66c86c1bf3f0386d23259d0aee6706564beace3 Reviewed-on: https://review.typo3.org/28797 Reviewed-by: Marc Bastian Heinrichs Tested-by: Marc Bastian Heinrichs
-
Marc Bastian Heinrichs authored
If a record with a field of type "group", internal_type "file" should be indexed in the ReferenceIndex, an SQL error exception gets thrown. So the relation to the file isn't represented in the refindex. Thus those files are also missing in exports created with system extension impexp. This is caused by wrong array keys and incorrectly storing a file relation as DB relation since the merge of FAL. Resolves: #56353 Resolves: #56352 Releases: 6.2, 6.1, 6.0 Change-Id: I78211efcb6bf3032811ef0b0e20ed7f98f9fa8fb Reviewed-on: https://review.typo3.org/28795 Reviewed-by: Marc Bastian Heinrichs Tested-by: Marc Bastian Heinrichs
-
Marc Bastian Heinrichs authored
The field "link" of the table "sys_file_reference" handles links. To make the SoftReferenceIndex, which is used by impexp and linkvalidator, work right, the “softref” key "typolink" should be registered. Resolves: #57010 Releases: 6.2, 6.1, 6.0 Change-Id: I95cb8dbfa0c6d84926cd57d1fe4e4dad93e9c21a Reviewed-on: https://review.typo3.org/28800 Reviewed-by: Marc Bastian Heinrichs Tested-by: Marc Bastian Heinrichs
-
Ernesto Baschny authored
Upgrades prototype from 1.6.0.3 to 1.7.1 and scriptaculous from 1.8.2 to 1.9.0. Solves the problem with sorting IRRE elements in IE9+, for example. Resolves: #51768 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: I5ea11b2e926ae0f23d1c6d85a0ff5ba24995eebb Reviewed-on: https://review.typo3.org/29471 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Apr 12, 2014
-
-
Marc Bastian Heinrichs authored
On detaching related objects the foreign_match_fields needs to be cleared. Resolves: #47694 Relates: #45337 Releases: 6.2, 6.1 Change-Id: I6d74201afc437a2b0e2a73022bc71ed0cd1dd2d4 Reviewed-on: https://review.typo3.org/29430 Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring
-