- Mar 18, 2021
-
-
Torben Hansen authored
Update copyright year to 2021 Resolves: #93769 Releases: master, 10.4, 9.5 Change-Id: Iec3214352aca9df579a3a1574eaf61222a6d2689 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68500 Tested-by:
Oliver Bartsch <bo@cedev.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
core-ci <typo3@b13.com> Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
Benni Mack authored
The SVG Tree class is now a lit element, allowing for further reduction of d3 usage in favor of native HTML5 APIs. Resolves: #93773 Releases: master Signed-off-by:
Benni Mack <benni@typo3.org> Signed-off-by:
Benjamin Franzke <bfr@qbus.de> Change-Id: I12fef793726f83e872a353901528516a589e48ab Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68309 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
-
Benjamin Franzke authored
Whenever a topbar refresh is triggered, e.g. by activating/deactivating of an extension in the extension manager, or when changing the backend users language, the topbar link events (such as "user settings") need to be re-added. Resolves: #93757 Related: #92704 Releases: master Change-Id: I3580ea1ad890ba9a8dc79903f1f2d43bb212de72 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68495 Tested-by:
Michael Telgkamp <michael.telgkamp@mindscreen.de> Tested-by:
-
- Mar 17, 2021
-
-
Markus Klein authored
The DatabaseCachePreset now sets options/compression to `true` instead of 1. This is necessary because the option is of type boolean in the backend code. This fails hard if the backend is validating the option, like the Redis backend does. Resolves: #93767 Releases: master, 10.4 Change-Id: I8db3bebfa73b80e0d2e9d0a062183cd3f7cc36d1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68493 Tested-by:
-
Oliver Bartsch authored
Since bootstrap 5 an active tab is highlighted by setting the `.active` class on the tab item link (`.nav-link`) instead of the tab item (`.nav-item`) itself. Therefore, this must also be done in templates defining the initially active tab item, which is usually just the first one. See: https://getbootstrap.com/docs/5.0/components/navs-tabs/#fill-and-justify Resolves: #93763 Releases: master Change-Id: I56f7024a3b4d7f62e01e8dc9e25d508203359366 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68471 Tested-by:
Richard Haeser <richard@richardhaeser.com> Reviewed-by:
-
Benni Mack authored
The element browser now shows the active state again of the tab (Page, File, Folder etc), because the active class needs to reside on the link and not on the <li> element. Resolves: #93761 Releases: master Change-Id: Ie7db46b1b6b321546d5a976fea35e747d8848806 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68470 Tested-by:
-
Benni Mack authored
Since the upgrade of bootstrap, the radio button inside the upgrade wizards' buttons are shown. The change utilizes btn-check functionality from Bootstrap 5 Resolves: #93653 Releases: master Change-Id: I718ff5390c039ba5c14881ecdbca7d29817ce8d1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68187 Tested-by:
-
Markus Klein authored
Set the current content element record as data for the cObj used to generate the click-enlarge code for images. This ensures that the default dataWrap used in TypoScript actually gets the uid of the content element and not the current page. Resolves: #93700 Releases: master, 10.4 Change-Id: I066c8fcb568b752b57439fffaf969ec002032d3a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68310 Tested-by:
-
- Mar 16, 2021
-
-
Oliver Bartsch authored
Since #93663 the setup module uses the be_users.lang field for the UI language. Therefore, when switching languages, the corresponding value is not longer found on the root level of the form data array, but in the `be_users` subarray. Resolves: #93756 Releases: master Change-Id: Ib593f969a61ddfc72030c21a85ba3b3ab401d181 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68467 Tested-by:
Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by:
-
Benni Mack authored
A new TCA type "language" is added, in order to make life easier to set up new TCA. The main issue (as can be seen in core already) is that each TCA adds different implementations on how to deal with "-1". Now "-1" is added for any record except "pages", where the "-1 / All Languages" concept is not implemented. In addition, this decouples the select type from sys_language, effectively reducing the logic where a direct access is necessary to the "sys_language" table. This effectively also removes the now mis-use of `foreign_table` from the TCA "languageField" field by properly handling languages internally. This furthermore makes any relation handling superfluous, reducing quite an amount of code and complexity in the DataHandler. Instead, all columns, defined as "[ctrl][languageField]", are now automatically migrated to the new "type=language", with no specific configuration, as TYPO3 is managing this field, taking care of the user specific configuration. Furthermore, are all columns, using the “special=languages” option, migrated to the new TCA type. This allows to get rid of this special case as well, reducing complexity in FormEngine and DataHandler. The new TCA type also properly handles the field for records on root level, or on a page outside of a site context. The only exception is the `allowed_languages` field in be_users and be_groups, where a new itemsProcFunc is used. Resolves: #57082 Releases: master Change-Id: Ic4878326c0cdc6ce1f233fa29f07419bf6b572a4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60293 Tested-by:
-
Oliver Bartsch authored
Some TCA configurations were still using strings for class references in the itemsProcFunc option. Since this is error-prone and also prevents proper IDE support, all remaining places are changed to use the automatic PHP class name resolution with ::class. Resolves: #93753 Releases: master Change-Id: I853492ae7f590171d7a3e8e422f40728f7e879b1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68466 Tested-by:
-
Markus Klein authored
If port 465 is used for SMTP the `transport_smtp_encrypt` feature is automatically enabled by the underlying symfony component. Resolves: #93749 Releases: master, 10.4 Change-Id: Id4a1822da7e744fb02fc7b0e9db6784e966c2403 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68462 Tested-by:
-
Christian Kuhn authored
The recent extbase related class schema revert introduced a warning within functional PHP 8 tests leading to test fails. Run the mariadb functionals with PHP 7.4 instead of PHP 8 for the moment again. Additionally a minor type hint from one of the recent security patches is added in ext:form area to make phpstan happy again. Related: #93745 Resolves: #93751 Releases: master Change-Id: Idac9c953d7029c3f67d6d1060354edfa5fa972dc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68463 Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
-
Oliver Bartsch authored
The content element preview for menus displays the menu type label along with the record title of the defined pages and categories. Since the output was not properly encoded, this led to a XSS vulnerability in the page module. The issue is addressed by properly encoding user input. Note: Because of a bug in `PreviewRenderer`, the vulnerable code was most likely not executed in any TYPO3 installation after v8.6.0. Resolves: #93664 Releases: master, 11.1, 10.4, 9.5 Change-Id: I56ec17f5f07ff4d7c28f2241e0c9eeee9affd71f Security-Bulletin: TYPO3-CORE-SA-2021-008 Security-References: CVE-2021-21370 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68453 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Andreas Fernandez authored
The PreviewRenderer pattern introduced with #78450 makes use of the TCA feature `descriptionColumn` to render the content of this column in a content element's preview in the page module. The content of the column however was not properly escaped allowing a persistent XSS abuse. This patch adds a `htmlspecialchars()` to the output to escape the content properly Resolves: #93562 Related: #78450 Releases: master, 11.1, 10.4 Change-Id: I144c6c2d7f4f61f4479fac3c2d400a21f5d72405 Security-Bulletin: TYPO3-CORE-SA-2021-007 Security-References: CVE-2021-21340 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68452 Tested-by:
-
Oliver Hader authored
`AbstractUserAuthentication::$uc['moduleSessionID']` still stored plain session identifier, which has been replaced by corresponding HMAC. Resolves: #93359 Releases: master, 11.1, 10.4, 9.5 Change-Id: I920b8d3b364c249d2ec3a6deb42e141e5a1b8ff7 Security-Bulletin: TYPO3-CORE-SA-2021-006 Security-References: CVE-2021-21339 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68439 Tested-by:
-
Frank Naegler authored
To prevent DoS attacks by using page-based error handling, the content of the error page is now cached, this prevents fetching the content of the error pages again and again. Resolves: #88824 Releases: master, 11.1, 10.4, 9.5 Change-Id: I6dea5200dc710a182b66deedfbeb2110ea829117 Security-Bulletin: TYPO3-CORE-SA-2021-005 Security-References: CVE-2021-21359 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68438 Tested-by:
-
Andreas Fernandez authored
The form name is rendered multiple times in the form wizard when either creating or cloning a form. Any input is now sanitized to avoid XSS in the summary step of the form wizard. Resolves: #93560 Releases: master, 11.1, 10.4 Change-Id: I3ddce48e38e32456318c695774bbcd035115b5ae Security-Bulletin: TYPO3-CORE-SA-2021-004 Security-References: CVE-2021-21358 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68437 Tested-by:
-
Ralf Zimmermann authored
Form editors which provide only a limited set of allowed values (like single-select or multi-select form editors) now validate the submitted values against the set of allowed values (configured within the form setup). Resolves: #93581 Releases: master, 11.1, 10.4, 9.5 Change-Id: Iae0a34c20cacdbcfc4eff9c4b1add966c1657010 Security-Bulletin: TYPO3-CORE-SA-2021-003 Security-References: CVE-2021-21357 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68436 Tested-by:
-
Oliver Hader authored
File handling implementation in `UploadedFileReferenceConverter` of `ext:form` creates files in `/fileadmin/user_uploads/` whenever some Extbase controller is (implicitly) dealing with `FileReference` models, unless particular implementations assign specific type converters or register type converters having a higher processing priority. As a side-effect this could lead to by-passing mime-type validators, allowing to plant cross-site scripting and other malicious binaries to public accessible `/fileadmin/` storage. PHP files and similar are blocked since `fileDenyPattern` rule is active in any case. This change makes the usage of `UploadedFileReferenceConverter` more specific in the scope of processing contact forms with `ext:form` * use random folder names for files, `.../form_abcde12345/image.png` * removes `UploadedFileReferenceConverter` from being used implicitly by other Extbase implementations dealing with `FileReference` models `PseudoFileReference` has been introduced to limit properties being serialized to `uid` (in case it's a real file reference) or `uidLocal` (in case it's a transient reference, pointing to a file). Direct URLs to uploaded files are substituted by `fileDump` eID script now, enforcing corresponding FAL mime-type and denying the web server from guessing/interpreting a different mime-type based on file suffix. A unique form `__session` value has been introduce, serving as seed to derive for instance mentioned folder names for uploaded files. In addition to that, form `__state` is only parsed when having been submitted via expected `FormFrontendController::performAction`. Resolves: #92136 Releases: master, 11.1, 10.4, 9.5 Change-Id: I7c33803443a68d6b3c895ec74da802a70bd390c1 Security-Bulletin: TYPO3-CORE-SA-2021-002 Security-References: CVE-2021-21355 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68435 Tested-by:
-
Torben Hansen authored
A missing check in GeneralUtility::sanitizeLocalUrl() resulted in an url starting with `//` to be considered as a local url. This change ensures, that urls starting with `//` are not considered local. Corresponding unit tests are fixed and extended, since they need a full environment to process correctly. Resolves: #92891 Releases: master, 11.1, 10.4, 9.5 Change-Id: I41eb16776742b3e0d2cffd064dd0408e4faa7c78 Security-Bulletin: TYPO3-CORE-SA-2021-001 Security-References: CVE-2021-21338 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68434 Tested-by:
-
- Mar 15, 2021
-
-
Benni Mack authored
The change makes "e712dc9e" existing Extbase installations broken, so this is reverted. Change-Id: I141e100a1dcbfe6c2d9b41af090c1c120052a8f4 Resolves: #93745 Reverts: #92946 Releases: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68329 Tested-by:
-
Markus Klein authored
The login dialog may show a cookie warning. This has only to be shown if the authentication was successful, but the cookie has not been accepted by the browser. Resolves: #93492 Releases: master, 10.4 Change-Id: I5d8409357e9db1ed73f38862d8a1586580dab6ca Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68334 Tested-by:
-
Benni Mack authored
The SVG tree is now building the SVG elements and needed containers ("<g>") via lit-helper. In addition, the update() method is renamed to this.updateVisibleNodes() to easier integrate this as Lit element, as update() is a reserved protected method in lit. The initialize() method is much cleaner, as the event listener registration is now separated in a custom method. Resolves: #93724 Releases: master Change-Id: I945cd620f9900c6ea535dfe5f0d44ee5ced46f89 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68367 Tested-by:Daniel Gorges <daniel.gorges@b13.com> Tested-by:
-
- Mar 14, 2021
-
-
Christian Kuhn authored
The 'heavy lifting' parts like db init and first frontend call can be quite slow in the 'installer' tests. We raise timeouts to stabilize them. This patch mostly targets v10 since the bootstrap package related tests are currently off in master. Change-Id: I82425ab2cabfea9746aed7a7a49134f9e2ad497e Resolves: #93737 Releases: master, 10.4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68391 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
-
Tina Westner authored
With this commit the method getSearchWords is called after initializing $this->searchData, which is used there (only when searchType is 20 - search for "sentence") Resolves: #75845 Releases: master, 10.4 Change-Id: Ic344f05fb6f4ac1ef496907edfc4fa0e49010401 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68369 Tested-by:
-
Christian Kuhn authored
Brings an error/exception handler improvement for acceptance tests. composer req --dev typo3/testing-framework:^6.8.0 Resolves: #93735 Releases: master, 10.4 Change-Id: I9d6aff03cd811c36d73959191b946d493ece7572 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68384 Tested-by:
-
Nikita Hovratov authored
Releases: master Resolves: #93729 Change-Id: I9dea4a153138e29ae77c9f3e5ae5e202851a09ab Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68374 Tested-by:
Martin Kutschker <mkutschker-typo3@yahoo.com> Reviewed-by:
Jonas Eberle <flightvision@googlemail.com> Reviewed-by:
-
Christian Kuhn authored
Record history tends to show changes of content elements that have been done in a workspace in live. This is misleading. The patch changes the queries a bit to fetch correct records only and adapts the workspace view a bit to be more meaningful. Change-Id: Ie13ec0529b0943110b6d1096f37ac4a9f6b1e5e5 Resolves: #93725 Releases: master Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65494 Tested-by:
Guido Schmechel <guido.schmechel@brandung.de> Tested-by:
-
Anja Leichsenring authored
The test became quite unstable lately, and with a little bit of breathing room after a page reload has been executed, it should be more stable again. Resolves: #93736 Releases: master, 10.4 Change-Id: I4f803d4b5c03a76e66464acf5bdcd35b2121206a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68386 Tested-by:
-
Christian Kuhn authored
Update some simple cases in DataHandler where method arguments are provided, but not used. Change-Id: I4658fadd8b031a428fcb21b616172729ece6daa8 Resolves: #93678 Releases: master Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68253 Tested-by:
-
Christian Kuhn authored
Honor -x option for acceptance tests: Both 'Tester' and 'System under test' allow break points with -s acceptance and -s install. Resolves: #93734 Releases: master Change-Id: Ia3f5a518089be675e33ddc673ebd4c99b2dbfaf6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68380 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
-
Christian Kuhn authored
codeception seeFileFound() and dontSeeFileFound() apply some path magic if relative files are given. It leads to wrong paths. This is however not (yet) shown due to error suppression in the suite. To work on ac test error handling for increased PHP 8 compatibility, this needs to be sorted out first. Resolves: #93732 Releases: master, 10.4 Change-Id: I0f69ec066069261e7b47afa44e934c0b5ee02b51 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68378 Tested-by:
-
Christian Kuhn authored
The backend template analyzer module has a 'breakpoint' handling that works as follows: When a template is shown and line numbers are enabled and one line number is clicked, a link parameter jumps to the template object browser and instructs it to parse TypoScript only up to this line to show the state of constants or setup array up until this parsed point. This hidden and not documented feature has been around since 'ever', with only a few persons knowing, understanding or even actively using it. Last patch in this area was for TYPO3 4.4. The implementation is quite messy and goes through various classes, a bunch of properties and some inline javascript. The patch drops the feature: It is not well known and of limited use - the frontend does not reflect it and TypoScript in general tends to become less complex nowadays. Resolves: #93726 Related: #23265 Related: #23246 Related: #55761 Releases: master Change-Id: I4f0c7f507a5a6e212f166206b5d3e606071b46c4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68371 Tested-by:
-
Torben Hansen authored
Corrects some wrong language identifiers introduced in #91008 Resolves: #93731 Releases: master, 10.4 Change-Id: I2e33e922a248634f9a6ce10274ca53df1ca447d8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68377 Tested-by:
-
Andreas Fernandez authored
The field be_groups.pagetypes_select is of type TEXT, which can contain data of a maximum of 64 kilobytes. This patch removes the maxitems constraint pinned to 20 items as a page type identifier usually is a few bytes long. Resolves: #93728 Releases: master, 10.4 Change-Id: I88ea4bb84eb054b22ed00e30f0a95dd4cd1e7375 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68373 Tested-by:
-
- Mar 12, 2021
-
-
Alexander Nitsche authored
The wiki.typo3.org is marked as deprecated and gets replaced soon by docs.typo3.org permanently. Replace all wiki links by actual documentation links. Resolves: #93677 Releases: master, 10.4, 9.5 Change-Id: Ib1bc42a6f2192580581499a9a0c1deb8d21ae2e0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68252 Tested-by:
Lina Wolf <112@linawolf.de> Reviewed-by:
-
Christian Kuhn authored
* Drop a TimeTracker test that does a sleep(1) to safe this second. The subject is pretty trivial anyways. * The recently introduced MFA related unit tests receive some password hashing options to reduce calculation costs. This reduces suite execution time from ~60 seconds to ~40 locally - totally worth it. Resolves: #93723 Releases: master Change-Id: I510f8b8f71f7c787e30a92e14a7876464f0655a6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68368 Tested-by:
-
Daniel Goerz authored
Remove entries from phpstan.neon for ignored errors that have been fixed meanwhile. Parameter reportUnmatchedIgnoredErrors finds those, but it is false by default. We may drop that parameter with a dedicated patch, but are currently not sure why it is commented as 'needed for bamboo' at the moment. Resolves: #93711 Releases: master Change-Id: I9439b2144f60f0a4021b307ef5bacaa23801880e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68358 Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
Martin Kutschker authored
In the backend and frontend the array of user group ids of the current backend user is now available as backend.user.userGroupIds. In the frontend the the array of user group ids of the current frontend user is available as frontend.user.userGroupIds. Resolves: #93591 Releases: master Change-Id: Ifb10d025ad944ce17753c450ee2d7086bbb668c8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68111 Tested-by:
-
