Fix superfluous comparison against boolean in
RelationHandler::readForeignField

Change-Id: I77f17dee6a14da7779dfe8e37bc73f33a3d02cb5
Resolves: #54048
Releases: 6.2
Reviewed-on: https://review.typo3.org/25735
Reviewed-by: Jo Hasenau
Reviewed-by: Michiel Roos
Tested-by: Michiel Roos
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Fix superfluous comparison against boolean in
Laguage::getLanguages

Change-Id: Idbf4c1f234eb1c60c01ea130095759ef49ce71c0
Resolves: #54054
Releases: 6.2
Reviewed-on: https://review.typo3.org/25741
Reviewed-by: Xavier Perseguers
Reviewed-by: Michiel Roos
Tested-by: Michiel Roos
Reviewed-by: Markus Klein
Tested-by: Markus Klein

With commit 6eb7a548 performance optimized class
instantiation code has been committed. This code
removed the side effect of a reflection exception
being thrown when a not existing class is instantiated.

Code in ContentObjectRenderer relied on this side
effect, so we have to fix that and properly test
if the class exists instead.

Additionally this change adds some more comments
to the new instantiation code that has been forgotten
in the last commit.

Resolves: #54425
Releases: 6.2
Change-Id: I8962434d60f80daf77ccdce7a8148e26f8fee267
Reviewed-on: https://review.typo3.org/26440
Reviewed-by: Marcin S?gol
Tested-by: Marcin S?gol
Reviewed-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Anja Leichsenring
Reviewed-by: Anja Leichsenring
Tested-by: Tobias Liegl
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Dmitry Dulepov
Tested-by: Dmitry Dulepov
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

PHP reflection has quite an overhead in performance.
Use a switch construct like in Flow instead to
instantiate classes with up to 8 arguments without
reflection.

Resolves: #53682
Releases: 6.2, 6.1, 6.0
Change-Id: I82ecf0b1ea9a412a39b4429d7689f2bb6489f3df
Reviewed-on: https://review.typo3.org/26363
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind

This patch prevents the creation of sys_refindex entries that point to no
table and no record.

Additionally it fixes the array structure for the creation of
sys_refindex records for sys_file relations.

For deleted file references no reference will be created between
sys_file and the referenced table.

The configuration for the uid_foreign field was changed from a select
field for tt_content records to a normal input field to prevent the
creation of invalid refindex data. To which table uid_foreign is
pointing depends on the tablenames field.

To make sure both sides of the relation of a sys_file_reference appear
in the refindex table the exclusion of sys_file_reference as
foreign_table is removed.

Resolves: #53712
Releases: 6.2, 6.1, 6.0
Change-Id: Ic864ade10e4e97fbd9017b9c779be68d911dd626
Reviewed-on: https://review.typo3.org/25476
Reviewed-by: Fabien Udriot
Tested-by: Fabien Udriot
Reviewed-by: Frans Saris
Tested-by: Frans Saris
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter

In the previously merged patch are some glitches and a regression:
- The usage (and test for existence) of deprecated functions has been
  removed.
- The value passed by the old behaviour is now considered last place
  in the array providing the lookup paths
- The typo preventing usage setLayoutPaths() has been removed.

Intended usage:
plugin.tx_a.view.templateRootPaths {
	default = <some default path>
	extendedA = <some additional path>
}
The array gets reversed and the first hit will be used as template.
In case only numeric indizes are used, the entries get ordered.
See unit tests for a more specific description.

Change-Id: If4fa75347614cf9b352c6016430a928833cc62cd
Resolves: #52971
Documentation: #52761
Releases: 6.2
Reviewed-on: https://review.typo3.org/24903
Reviewed-by: Alexander Stehlik
Tested-by: Alexander Stehlik
Reviewed-by: Marc Bastian Heinrichs
Tested-by: Marc Bastian Heinrichs

Since the labels and values of select items are run through
htmlspecialchars by the FormEngine there is no need to use
htmlspecialchars in the renderTceformsSelectDropdown() method which
generates the select items for the filemount Backend form.

The current code will htmlencode the select value twice which results
in a htmlencoded value in the database which causes problems with
directory names that contain special characters.

Resolves: #54027
Releases: 6.2, 6.1, 6.0
Change-Id: I7ec8262f6c3d20879cde0679636a6a8e5c1d19cd
Reviewed-on: https://review.typo3.org/25770
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Oliver Klee
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Due some regressions on side of travis
(https://github.com/travis-ci/travis-ci/issues/1710) an older git version
is used which doesn't support things like "--single-branch".

To avoid this, git is updated to latest version on the build server before
starting cloning

Change-Id: Ic5f698e84f378b9fed6bd64398b8058a20be860e
Resolves: #54369
Releases: 6.2
Reviewed-on: https://review.typo3.org/26366
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

To make sure calls to filesize() etc. return correct values the PHP
method clearstatcache() is called in the LocalDriver after contents
were written to a file.

Resolves: #54302
Releases: 6.2
Change-Id: Ia30e519d17aa3cf37856096f1cdac567b5729aec
Reviewed-on: https://review.typo3.org/26278
Reviewed-by: Markus Klein
Reviewed-by: Frans Saris
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer

The second typolink parameter, that is the target, can be abused to
introduce XSS code into the generated link. Escaping the parameter
with quoteJSvalue solves the problem.

Change-Id: Ie91b022a2ffed039fb365e6b0be2ea39f7096514
Fixes: #31206
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 484cf1aea8d3e66db547325fe4d843d50a668162
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26225
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

Encode user-input in JavaScript context for colorpicker.

Change-Id: I1121d6d20c90e476a2d0ea4f000b180e843a4ce0
Fixes: #42772
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: b6fec0611604ccdce95d4d33cd7dcae0911a5d9a
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26224
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

An hmac of the editor controlled auto respond message was used to verifiy
the correctness of this message on submit. To prevent this, we add an
additional secret.

Change-Id: I1551feebd4dd84abeb3fb098175384f425f605a9
Fixes: #45043
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Security-Commit: 344975268f4b9eb4ce7c664958647b9268ea03a8
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26223
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

Change-Id: I88807af69635d75f1fbefc62b4672e945397fb07
Fixes: #48691
Releases: 6.2, 6.1, 6.0
Security-Commit: 715b2c58c53f0109acce8c52df08d5dffea79f49
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26222
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

It has been possible for authenticated editors
to show content of arbitrary tables and fields
that are defined in TCA by manipulating
GET parameters of the forms and table wizard.

This change adds a check if the editor has access
to the given record.

Change-Id: I8e27e5ffbccf148d951b50b21d9e15cc8e317442
Fixes: #41714
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Security-Commit: 52d4e3eced81639820db6d75f3d65d14c5234072
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26221
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

The eID script of the openid extension does not
validate the given redirect url, leading to
an open redirection vulnerability.

Add and verify hmac of the redirect url.

Change-Id: I0d65390b61dd5cf92151d36e490a194624b98b8f
Fixes: #54099
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 5c6a45c0f843a93ab048a3df4bb352b8e02099b2
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26220
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

Usage of unverified input parameters in wizard URL leads to a possible
XSS vulnerability in backend_layout wizard.
The solution is the introduction of a hmac validation of the parameters
used in JavaScript.

Change-Id: I48f89309fc062d132e283d4fd9179ccbfdcfda4c
Fixes: #36768
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: a3ac48f5d66c566d241295d87cc8d7eb4d10c274
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26219
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

The tree Display/* ViewHelpers introduce a XSS vulnerability by
using unescaped parameters in HTML.

Change-Id: I0dadb03105d3eaa520f10f0375a46c83fa56c269
Fixes: #47086
Releases: 6.2, 6.1, 6.0
Security-Commit: 1e0f51f204efd9efacec8aef8ea08e2a8122177b
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26218
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

As parameters passed to an ErrorObject can be user input, the
output of those parameters in the ActionController::errorAction() method
could lead to a cross side scripting possibility.

The offending output has been removed without substitution.

Change-Id: I01385c54bb384a86fc6428f67171e7010b821cc2
Fixes: #54074
Releases: 6.2, 6.1, 6.0, 4.7. 4,5
Security-Commit: ec947ba22bd673827899c5e82857b293dff8b4b0
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26217
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

If the TCEforms wizard "add" is used, the original opened document
is closed and a new one is created in which you then add a new
element to be related.

In order to "store" the originating document which has been
edited, the Wizard/AddController and EditDocumentController
exchange state data in an URL-parameter.

This state-array is serialized in the EditDocumentController
and again unserialized in the Wizard/AddController from that
GET parameter. Without any checks, every code can be injected
to be unserialized here - even though we just need an array
with some data.

This patch changes serialize/unserialize to json_encode and
json_decode. Since the GET parameter only is used in
conjunction of these two classes it is save to changes the
format how the URL parameters are serialized.

Change-Id: I3b41bd0a688f067af2ea4a345ce0264f61bdecf7
Fixes: #54073
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 7148349140f9c8ccb6d847ef58cf1e032711315b
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26216
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

This reverts commit 8e022bcb

Merged a Feature after Feature Freeze is not acceptable. Sorry. Patch is pushed new but will not be available in 6.2.

Change-Id: I39baa58c70b0e942d01c1c37bbf793b873db385d
Reviewed-on: https://review.typo3.org/26055
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

In order to provide the full functionality known from the
switch/case PHP function, a default case possibility is
introduced. Use it like:
<f:switch expression="{person.gender}">
  <f:case value="female">Mrs.</f:case>
  <f:case value="male">Mr.</f:case>
  <f:case default="TRUE">Mrs. or Mr.</f:case>
</f:switch>

Resolves: #49371
Documentation: #54283
Change-Id: I6b71ec39173ab957aa392bd595a65ceddadc81c9
Releases: 6.2
Reviewed-on: https://review.typo3.org/23739
Reviewed-by: Cedric Ziel
Tested-by: Cedric Ziel
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring

The filemetadata extension adds additional fields to the sys_file_metadata
table. The field creator_tool is defined in SQL and TCA, but not added to
any palette or tab. This patch adds the field to the palette with
related authoring information.

Releases: 6.2
Fixes: #54259
Change-Id: I9e3c3af618b04ddde1c96b3dcb1e4cdf209f6eec
Reviewed-on: https://review.typo3.org/25993
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter

The Context-Menu of files misses the editing pen allowing
to directly edit the metadata of the file. Currently it
only shows the edit-content possibility in case it is a
text file.

This patch adds the missing option.

Resolves: #52835
Releases: 6.2
Change-Id: I869d8a57d2cacc04455df5189b5cc7af02c2e9cf
Reviewed-on: https://review.typo3.org/25811
Reviewed-by: Steffen Müller
Tested-by: Steffen Müller
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter

When the file list has been reworked to use FAL instead of
plain PHP file functions the feature to go one level up has
been removed accidentilly. This patch reintroduces the
original behaviour known from TYPO3 CMS 4.x.

Releases: 6.2
Resolves: #51866
Change-Id: Iad334c90d575f2b2f3b47af71e23c721edd76e1e
Reviewed-on: https://review.typo3.org/25812
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Steffen Müller
Tested-by: Steffen Müller

Fix superfluous comparison against boolean in
CronCommand::dayMatchesCronCommand

Change-Id: Ia1d852ffbbc772dd89587d304b1234e11e372d2d
Resolves: #54050
Releases: 6.2
Reviewed-on: https://review.typo3.org/25737
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Markus Klein
Tested-by: Markus Klein

When using aliased ViewHelper class names and old Tx_ namespace in
template and ViewHelper uses closing tag (not self-closing) an
error is thrown, saying closing tag ViewHelper is not the same
as openening tag ViewHelper (closing tag uses old class name,
opening tag uses new). To solve, TemplateParser now checks if
resolved ViewHelper class names are aliases of other classes and
if so, uses the real class name instead of the alias.

Steps to reproduce error:

* template namespace: {namespace myext=Tx_Myext_ViewHelpers}
* template code: <myext:vh>test</myext:vh>
* namespaced VH class: \Myext\ViewHelpers\VhViewHelper
* ClassAliasMap: Tx_Myext_ViewHelpers_VhViewHelper ->
  \Mext\ViewHelpers\VhViewHelper
* framework: render template using any View

Error 1224485398 "closing tag does not match opening tag" thrown.

Steps taken to fix error:

* run constructed class name through alias resolve method.

Fixes: #54115
Releases: 6.2, 6.1, 6.0
Change-Id: I070b6199095ec84c7213cfc0c3775f5f08340840
Reviewed-on: https://review.typo3.org/25814
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Since the Release of Microsoft IE 11 there is no "MSIE" hint in
its user agent header anymore. Therefore the existing patterns
fail and the browser is detected as unknown browser.

TYPO3 deactivates several features for unknown browser. As a
result f.e. the RTE does not load.

This change adds special treatment for IE11+ by introducing an
additional regular expression matching the new user agent format
and looking for the Trident engine to be present.

In addition unit tests for common IE 9-11 user agents are added.

Change-Id: I389f344a498ac77f3e6445656dd125fd5d236a98
Resolves: #54124
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/25848
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Needed to workaround a login-problem with IE11.

ExtJS tries to clear a cookie with different settings than when
setting the cookie. In IE11 this leads to problems with the cookie
being set twice on the next call to set(). The get() however
would return the first (empty) cookie.

Using set() with a date in the past also clears the cookie but
will correctly use the same path-settings.

Change-Id: Ieff22129895cd89ca2e1429703daf1636596ecb6
Resolves: #53818
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/25852
Reviewed-by: Henrik Ziegenhain
Tested-by: Henrik Ziegenhain
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Steffen Ritter
Reviewed-by: Markus Klein
Tested-by: Markus Klein

The defaultTypoScript_setup has a different configuration than
defaultTypoScript_constants.
Make them equal.

Resolves: #53852
Releases: 6.2
Change-Id: Ide8be9b4653ed17e3a0ee7a0222bd384a986b3ce
Reviewed-on: https://review.typo3.org/25634
Reviewed-by: Wouter Wolters
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

There is faulty and superfluous code in import/export module:
* ModuleFunctionController does not work at all, this points
  back to issue #22921 during TYPO3 4.4 development
* ImportExportTask fetches thumbnail files from a (faulty)
  storage that are not used at all

Since the required class "mod_user_task" has been removed in
TYPO3 4.4, the module function component was broken since then.
Thus, it will be removed completely with this change.

Fixes: #53555
Releases: 6.2, 6.1, 6.0
Change-Id: I1cbdd967dc47ac2fcd256e7eefc756278822ad84
Reviewed-on: https://review.typo3.org/25302
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Oliver Klee
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

The LegacyClassesForIde.php contains some class definition
which extend non-existing or wrong classes.

Also fix some issues in ClassAliasMaps of ext:frontend

Resolves: #54059
Releases: 6.2
Change-Id: Id0918cfc3b187ea1110ad5e745a2b904ea50502c
Reviewed-on: https://review.typo3.org/25750
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Remove second (no longer evaluated) _GP() function call parameter.

Resolves: #54106
Releases: 6.2
Change-Id: I5b8f6401a07a7291c893a7e82f224c89f0e6404e
Reviewed-on: https://review.typo3.org/25803
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Adds phpinfo() information in System Environment section from
the Install Tool, after warning / error messages.

Fixes: #53271
Releases: 6.2
Change-Id: I8582a65247de998f373d3143f013fa91cb47bff9
Reviewed-on: https://review.typo3.org/25263
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe

writeLocalConfiguration() and writeAdditionalConfiguration()
have return statements like:
return $result === FALSE ? FALSE : TRUE;

This can be reduced to:
return $result;

Moreover the return value of canWriteConfiguration()
can be optimized as well.

Change-Id: I8e571459179e4bfeca3bba0a4969fb76d18058e2
Resolves: #54019
Releases: 6.2
Reviewed-on: https://review.typo3.org/25715
Reviewed-by: Markus Klein
Reviewed-by: Michiel Roos
Tested-by: Michiel Roos
Tested-by: Markus Klein
Reviewed-by: Oliver Klee
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe

Extension adodb can be used together with TER extension "datasource".
ext:adodb delivers a wizard and flexform code to connect to this
third party extension. Last release of ext:datasource was in 2005,
the extension in unmaintained and always had an experimental
character. Since core extension functionality should not depend on
third party code, the datasource related code of ext:adodb is fully
removed with this patch in 6.2.

Change-Id: Ib7de137599d9bb55d6b9dd98667cbbe3dd70c986
Resolves: #42651
Releases: 6.2
Reviewed-on: https://review.typo3.org/25759
Reviewed-by: Oliver Klee
Tested-by: Oliver Klee
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Franz G. Jahn
Tested-by: Franz G. Jahn
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn

Remove some ancient and obsolete patch files from ext:adodb/doc.

Change-Id: Ib2183abb3358de8b4d7e1dad71731b1df96a9a80
Fixes: #54078
Releases: 6.2
Reviewed-on: https://review.typo3.org/25758
Reviewed-by: Oliver Klee
Tested-by: Oliver Klee
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
Reviewed-by: Franz G. Jahn
Tested-by: Franz G. Jahn
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel

Instead of making a slow array traversal simply check if there is
a hook object for the cObject being rendered by using an array access.
And check if the object exists before.

Change-Id: I6b16703b1194eca4d1ed5c3d5543076e2cae495d
Resolves: #51283
Releases: 6.2
Reviewed-on: https://review.typo3.org/23267
Reviewed-by: Oliver Klee
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Helmut Hummel
Reviewed-by: Markus Klein
Tested-by: Markus Klein

From 3.4.0, released June 9, 2011
To 3.4.1.1, released March 29, 2013

Change-Id: I009c472975262f1813711b8b204518c9f1c8f463
Resolves: #52933
Releases: 6.2
Reviewed-on: https://review.typo3.org/24883
Reviewed-by: Tomita Militaru
Tested-by: Tomita Militaru
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Fix superfluous comparison against boolean in
InlineElement::renderForeignRecord().

Change-Id: I75bb1625ad7ead08e8e38fe46daa03071bc76113
Resolves: #54018
Releases: 6.2
Reviewed-on: https://review.typo3.org/25714
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

GeneralUtility::inList() does a comparison resulting in a boolean value.
Then based on this value it will return TRUE or FALSE.

It suffices to return the result of the comparison.

Change-Id: I12f9dd699a643a187f871940175e32ab2bcca7de
Resolves: #54017
Releases: 6.2
Reviewed-on: https://review.typo3.org/25713
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters