- Jun 28, 2019
-
-
Benni Mack authored
Resolves: #88287 Releases: master Change-Id: I4e6efbd00caca8c1ed01252f1dde30f36330640e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61151 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Jonas Eberle <flightvision@googlemail.com> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
-
mstaatz authored
Releases: master, 9.5 Resolves: #88591 Change-Id: I45588bfd8f1dd26debec6e06d6a3466a7458496a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61092 Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
-
Jonas Eberle authored
Wrap potentially long version strings to prevent a horizontal scrollbar in the modal content. Introduces CSS class "text-wrap-allowed". Resolves: #88522 Releases: master, 9.5 Change-Id: I848ecc111ec4879caf12b77f5308f5eadd403ffa Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61041 Tested-by:
Riccardo De Contardi <erredeco@gmail.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
-
Benni Mack authored
The special handling "nextLevel" in TypoScript templates to only load a specific sys_template on the next level (subpages and further down the rootline) but not on the current level, is removed. It is recommended to use proper inclusions and TypoScript conditions instead. This reduces complexity within the TemplateService parser, and for newcomers a very confusing option after gathering some feedback on this topic. The database field "sys_template.nextLevel" is therefore removed. Resolves: #88640 Releases: master Change-Id: I06e14d6dfbde82eb36f2ffc30b61bd9870906246 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61158 Tested-by:
Benjamin Kott <benjamin.kott@outlook.com> Reviewed-by:
-
Alexander Schnitzler authored
When the patch https://forge.typo3.org/issues/87550 changed the controller configuration of plugins and modules to use fully qualified controller class names instead of just controller aliases, the override mechanism called switchable controller actions, that can be used via typoscript and flexforms broke. This is due to the fact that switchable controller actions are usually still used with controller aliases rather than fully qualified controller class names. To fix this, method overrideSwitchableControllerActions of class \TYPO3\CMS\Extbase\Configuration\AbstractConfigurationManager has been adjusted to convert controller aliases to FQCN's before overriding the controller configuration. Releases: master Resolves: #88513 Relates: #87550 Change-Id: Ie2d1eb4b64d03d4e17d08a85aa7f8e548bff92bb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60906 Tested-by:
Benni Mack <benni@typo3.org> Tested-by:
-
Andreas Fernandez authored
Since FormEngine doesn't use split buttons anymore with TYPO3 v9, the JavaScript module `TYPO3/CMS/Backend/SplitButtons` has been replaced with `TYPO3/CMS/Backend/DocumentSaveActions`. The old module is still in place, but usage will trigger a deprecation warning in the browser's console. Resolves: #88651 Releases: master Change-Id: If180f080b956804d49ca928afe4d86d07d1939bb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61164 Tested-by:
Frank Naegler <frank.naegler@typo3.org> Tested-by:
-
Andreas Fernandez authored
Resolves: #88523 Releases: master Change-Id: I26404c120702bac669b3ad3aaf9280a76eb8f0e2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60899 Tested-by:
-
Alexander Schnitzler authored
With the introduction of symfony/property-info, the class \Symfony\Component\PropertyInfo\Extractor\PhpDocExtractor has been used to extract property types from the php doc. Unfortunately said extractor class doesn't cache the so called context object, which is created repeatedly for each property of each class. The context object is used to determine non FQCN's and its creation comes at very high costs. To fix this issue, a custom PhpDocExtractor class has been created which acts just like the original one, but which caches the context objects. Releases: master Fixes: #88033 Change-Id: I54bec5b8adadeb6bde107547cbd115fa8be97526 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61076 Tested-by:
-
Richard Haeser authored
This option will make it possible to select a type of Twitter Card that should be used when your page is shared on Twitter. Resolves: #88648 Releases: master Change-Id: I9b487cf51ae6380fe771e1bcbbfd196d8b952f0f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61163 Tested-by:
Riny van Tiggelen <info@online-gamer.nl> Tested-by:
Richard Haeser <richard@maxserv.com> Reviewed-by:
Björn Jacob <bjoern.jacob@tritum.de> Reviewed-by:
-
Benni Mack authored
The current Authentication Service API looks like this: AbstractService -> AbstractAuthenticationService -> AuthenticationService Most of the functionality of AbstractService is not used and leads to a confusing PHP inheritance structure, where most functionality is not needed actually. Since there are no proper contracts APIs for neither makeInstanceService / Service API nor Authentication, the first step is to decouple the logic of both areas and allow Authentication to continue without a strong dependency on AbstractService. This is a pre-patch to decouple Authentication logic from Service logic. Resolves: #88646 Releases: master Change-Id: I525f7510d06747fcb1e204c63cf7cbc3296a54a2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61125 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
-
Benni Mack authored
Since Versioning is completely handled via the Context API and set within PageRepository directly since TYPO3 v9, using the fourth parameter would result in an invalid scenario. Instead PageRepository->where_hid_del in a live scenario now always contains (pid!=-1) which filters out all non-versioned records. This is a breaking change to avoid confusion, however in regular scenarios this does not affect the system, as PageRepository->versionOL() filters out these cases in live workspace anyways. Resolves: #88574 Releases: master Change-Id: I538c04997cb67e30c58a4dfa515acd751f868e9c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61073 Tested-by:
-
Benni Mack authored
Since bugfix #87831 it is possible to also add base variants for specific languages, however this was not documented. See https://review.typo3.org/c/Packages/TYPO3.CMS/+/59840 for the related change. Related: #87831 Resolves: #88647 Releases: master, 9.5 Change-Id: I9c170fde6a02f98843eddc3388ced90bb1997849 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61162 Tested-by:
-
mstaatz authored
Releases: master,9.5 Resolves: #88589 Change-Id: If71c06dd3033e7d73abc2baf3cf3b786cd45e331 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61091 Tested-by:
Alexander Schnitzler <review.typo3.org@alexanderschnitzler.de> Tested-by:
-
Benni Mack authored
The database field "static_lang_isocode" in the DB table "sys_language" is configured via static_info_tables, however due to legacy reasons, this was added in TYPO3 Core, as some references were put there. It is now possible to remove any references to this field, and have the third-party extension deal with it. Resolves: #88583 Releases: master Change-Id: I5c366c84d21e0d291ec32d44c0b2c2e1064f669d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60887 Tested-by:
-
Benni Mack authored
Due to the introduction of Site Handling, the public property `$TSFE->sys_language_isocode` is not necessary anymore, as this value is used outside of TSFE fully, and not needed as public property to hold the state. It is marked as deprecated. Resolves: #88559 Releases: master Change-Id: If02eb5b342fec4f83a9585dbc29fc13c8adda88e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61002 Tested-by:
-
Benni Mack authored
The softRefParser logic previously contained its own factory within BackendUtility with a magic singleton logic built into "$GLOBALS['T3_VAR']['softRefParser']". This has changed by building custom Singleton Interfaces instead. Resolves: #88638 Releases: master Change-Id: I43f30c18b27f75672fbc2b5cc2cbdb725eb6f44a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61124 Tested-by:
-
Riccardo De Contardi authored
Add some empty lines to allow correct list formatting, like on https://github.com/TYPO3-Documentation/TYPO3CMS-Reference-CoreApi/edit/mas ter/Documentation/ApiOverview/TypoScriptSyntax/Syntax/Includes.rst Releases: master, 9.5 Resolves: #88641 Change-Id: Ice387d8b97d8b74ea859c92d274bcb535005fdae Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61160 Tested-by:
-
Richard Haeser authored
Removed the mention of altPageTitleProvider that were left on some places after removing this deprecated provider. Resolves: #88644 Releases: master Change-Id: I0626373204706e7b57224ecd74b739d3b36d745b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61161 Tested-by:
Kevin Appelt <kevin.appelt@icloud.com> Tested-by:
Simon Gilli <typo3@gilbertsoft.org> Reviewed-by:
-
- Jun 27, 2019
-
-
Andreas Fernandez authored
Currently, the ElementBrowser is used in three different places in FormEngine, all of them trigger it differently. This patch introduces an event-driven approach and streamlines all usages. Resolves: #88436 Releases: master Change-Id: I13e696f29ade0aede6a2466cbca1e27cebc86c61 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60818 Tested-by:
-
Benni Mack authored
Calling GeneralUtility::makeInstanceService() stores the instance as "persistent object". Since TYPO3 4.x this has been dealt with SingletonInterface, which allows far more flexibility in various places, as throughout the ENTIRE TYPO3 Core already. The special handling of having GeneralUtility::makeInstanceService() stores its own Singleton instances is removed, as the method calls `GeneralUtility::makeInstance()` as well, which does handle the SingletonInterface anyway. For services in general (like Authentication Services), it is useful to not have them as singleton. The current process within "makeInstanceService()" now allows to properly "reset()" the functionality anyway by re-calling "init()", which itself calls "reset()" as well. As there are no contracts (interfaces) for Services currently, this should not interfere with anything existing services. Resolves: #88588 Releases: master Change-Id: Iba54715c04e510003c095578a237524ebe9f374f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61090 Tested-by:
Daniel Sattler <sattler@b13.de> Tested-by:
-
Andreas Fernandez authored
Since #87031 the color picker is tightly coupled to FormEngine, causing issues if not used in FormEngine context, e.g. in Constant Editor. This patch removes the introduced FormEngine handling and uses minicolors' events to fix the original reported bug. Resolves: #88593 Related: #87031 Releases: master, 9.5 Change-Id: Ibb20785785d406bc113035f79bec95d9788866ab Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61094 Tested-by:
Joerg Kummer <typo3@enobe.de> Tested-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
-
Sven Juergens authored
Resolves: #88620 Releases: master, 9.5 Correct global/multiple icon in listview Change-Id: Id613f06d24148851d428c61c1166fabef1ad65af Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61121 Tested-by:
-
Benni Mack authored
This issue was raised that translated pages do not show up in the list of records to be published/staged, as translated pages are in the same table. So, page handling needs to consider l10n_parent fields, and check for the UID/l10n_parent, whereas other records (like pages_language_overlay before) only are checked for the "pid". Resolves: #88446 Releases: master, 9.5 Change-Id: I9fe0b0290d4dd52104e15a08bb55e0aa7ab7473c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60944 Tested-by:
matseriks <mats@pixelant.se> Tested-by:
-
Benni Mack authored
In order to run a subrequest in Frontend, TYPO3_MODE kills most of the functionality. Although it is clear, that TYPO3 Core is not 100% there yet, some very obvious changes can actually be replaced with simple TSFE checks instead of TYPO3_MODE. This is only focused on rendering content (Fluid), and this happens in FE after TSFE is initialized, for eID scripts, this would break already. Resolves: #88581 Releases: master, 9.5 Change-Id: I9c97da60e7df572290e54d53da5eb8dac69e8f7e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61084 Tested-by:
Daniel Gorges <daniel.gorges@b13.de> Tested-by:
-
Daniel Siepmann authored
As `\` is escaping, there has to be an additional `\` in front, in order to display the `\` as expected. Resolves: #88634 Releases: master, 9.5 Change-Id: I790079dd3de6e0a3ceb6ebfb93e1a52ad9bb4249 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61154 Tested-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
-
Benni Mack authored
The Context API can be used now within TemplateService to fetch a version overlay, which now only relies on the PageRepository (which also uses Context API), to avoid certain magic detection of Frontend/Backend mode. TemplateService is only used to fetch sys_template records in this use-case. Resolves: #88626 Releases: master Change-Id: I5f6526868af090915748031d50eeaf245049e655 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61126 Tested-by:
-
Benni Mack authored
The same if() loop is used for checking menu generation item states (ACT/IFSUB etc), this can be very much simplified by using a loop over the available item states which are now defined as a constant. Resolves: #88477 Releases: master Change-Id: If8b7ddbcb2d367954d5757d2957bea6b34f8ed60 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60865 Tested-by:
-
Benni Mack authored
Due to #88498 a bug within the Extension Scanner was introduced where the scanner did not find the expected results due to wrong information. Resolves: #88639 Related: #88498 Releases: master Change-Id: I47f0393fafd4860f058eeba6828b5143b6e1b8c2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61157 Tested-by:
-
Sascha Egerer authored
The return type annotation must be `static` instead of `self` as the method returns an instance of the inheriting class. Do also replace some occurrences of get_calling_class() by static::class Resolves: #88587 Releases: master, 9.5, 8.7 Change-Id: Ib14d016ef733b94ed5a732ed36af8fcfcdee149b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61086 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
- Jun 26, 2019
-
-
Benni Mack authored
There are some leftovers where PseudoSite is mentioned. Since TYPO3 v10.0 is built on Site Handling completely, this logic is removed. Resolves: #88625 Releases: master Change-Id: I9f3b3a6c9a4bf29c2b509246c02d64aa5f536b4e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61123 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
-
Benni Mack authored
Checking if cHash matches any GET parameters can be done without $TSFE->cHash_array and $TSFE->hash as all data is built inside PageArguments already. However, $TSFE->cHash_array is still necessary and filled as before when ->setPageArguments() is called. This is a precursor to re-structure the dependencies within TSFE and PSR-15 middlewares. Resolves: #88460 Releases: master Change-Id: I43c2fdc1049d451b3fc9bc06a57b744703a7a323 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60841 Tested-by:
-
Benni Mack authored
Modules which do not set a proper route path themselves now have a different route path, basically "/module/file/list" for example, whereas there is a proper prefix with "/module/" and no trailing slash anymore. It is still possible to build links to the route paths, and resolve them properly. The "old" route paths will stop working in TYPO3 v11.0. Resolves: #82669 Releases: master Change-Id: If976df458e87b1199933cf1c42c5d3d8ff2407ba Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60433 Tested-by:
-
Benni Mack authored
The introduction of the Session Framework API in v8 introduced generators for fetching authentication service objects within `AbstractUserAuthentication`. Some places were however forgotten, which can safely replaced with the `$this->getAuthServices()` method. Resolves: #88594 Releases: master Change-Id: I987150be574232b549340f4766bb963baa17fd60 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61095 Tested-by:
-
- Jun 25, 2019
-
-
Oliver Hader authored
Serialized values in l18n_diffsource are vulnerable to insecure deserialization when being invoked in FormEngine or DataHandler. Resolves: #88323 Releases: master, 9.5, 8.7 Security-Commit: 215de3e52140dc69ccb0e5802ab4234922b1aa63 Security-Bulletin: TYPO3-CORE-SA-2019-020 Change-Id: I03704b35d94e2575e9231656977f3760e6f04e2b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61146 Tested-by:
-
Oliver Hader authored
Fields `TSconfig` and `tsconfig_includes` of table `pages` can be misused by restricted users to contain malicious instructions and lead to cross-site scripting as well as arbitrary code execution. Since user input cannot be sanitized properly, the field is now available for admin users only. In addition directory traversal in TSconfig static includes has been mitigated. Resolves: #88565 Releases: master, 9.5, 8.7 Security-Commit: b4ab9cd1f0539b3af675b94aa01d26e5c4b3a1d9 Security-Bulletin: TYPO3-CORE-SA-2019-019 Change-Id: I712364fde6a76ad761a0b738756cb151dc5c22e1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61145 Tested-by:
-
Oliver Hader authored
When frontend users logged out their session data (e.g. shopping cart) was transfered into an anonymous session. This session could have been reused by a different user working with the very same browser. In order to enhance security aspects on this topic session data is purged when an according frontend user is logging out. Since this might be breaking for some scenarios a new feature toggle has been introduced which allows to keep the previous behavior: boolean 'security.frontend.keepSessionDataOnLogout' in $GLOBALS['TYPO3_CONF_VARS']['SYS']['features'] Resolves: #88139 Releases: master, 9.5, 8.7 Security-Commit: 89c45f80388f24f08f827c474daa5ab8fda63da2 Security-Bulletin: TYPO3-CORE-SA-2019-018 Change-Id: I869f3bee7c6bf6e2ae51bcd86273b6abc15f09c5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61144 Tested-by:
-
Oliver Hader authored
Due to an incomplete condition it was possible for regular backend users to make use of the import module - which only would be accessible to admin users or to those users have User TSconfig `options.impexp.enableImportForNonAdminUser` enabled. Resolves: #88284 Releases: master, 9.5 Security-Commit: a3ca05df1e9e9269b45daf9dd79517df9d202604 Security-Bulletin: TYPO3-CORE-SA-2019-017 Change-Id: I9ac9a026d5715f9c03eda37f0ef84178640b2f1d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61143 Tested-by:
-
Benni Mack authored
The symfony/cache component is not directly used by the core but is a dependency of symfony/expression-language which is used in the core. The affected symfony/cache packages have been marked as "conflict" in the composer.json. See https://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized Resolves: #88215 Releases: master, 9.5 Security-Commit: d13c36e9e9951030a0787c63674634a52ff0aae3 Security-Bulletin: TYPO3-CORE-SA-2019-016 Change-Id: If98391ceef88561507d0095d26455a8da128f01e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61142 Tested-by:
-
Oliver Hader authored
URLs defined using TYPO3's internal t3://url/?url=... notation are now hardened against using `javascript:` and`data:` URL schemes. Resolves: #88476 Releases: master, 9.5, 8.7 Security-Commit: 1a873c662524a62b192661da45d27e223e517d18 Security-Bulletin: TYPO3-CORE-SA-2019-015 Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141 Tested-by:
-
Andreas Fernandez authored
The ElementInformationController now checks a backend user has sufficient permissions to see each referenced record. Resolves: #88317 Releases: master, 9.5, 8.7 Security-Commit: 4322d6b827c09b98b35ab4ef47753e9c20f7f117 Security-Bulletin: TYPO3-CORE-SA-2019-014 Change-Id: I49d077e5628465111b4460dd3cb673182d09eaa0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61140 Tested-by:
-
