- Mar 26, 2022
-
-
Oliver Hader authored
Recent CKEditor4 v4.18.0 addressed several vulnerabilities: * CVE-2022-24728 (XSS via attributes & comments) * CVE-2022-24729 (reDoS via Dialog Plugin API) * see https://ckeditor.com/cke4/release/CKEditor-4.18.0 for details Mentioned known vulnerabilities are not considered relevant for the TYPO3 backend user interface. By-passing CKEditor's XSS protection allows to persist malicious markup in database fields, which is mitigated during frontend rendering by typo3/html-sanitizer. That's why this issue is handled as regular bugfix. Executed commands: cd Build/ nvm use yarn add ckeditor4@^4.18.0 rm -r ../typo3/sysext/rte_ckeditor/Resources/Public/JavaScript/Contrib/ yarn exec grunt build Resolves: #97239 Releases: main, 11.5, 10.4 Change-Id: I3be12120c316b334e7efd237d0300e6d3cd165a8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74056 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Stefan Bürk <stefan@buerk.tech> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
Torben Hansen authored
In the process of using dedicated TCA types, the new TCA type "password" is introduced and replaces "eval=password" and "eval=saltedpassword" of TCA type "input". Notable changes to the previous behaviour: - "trim" is always done in DataHandler and FormEngine - Password field is rendered as input type=password - The input field has by default "autocomplete=off" The TCA type "password" introduces the new configuration "hashed", which can be set to "false", if the field value should be saved as plaintext to the database. This configuration has no effect for the tables "fe_users" and "be_users". Resolves: #97104 Releases: main Change-Id: Ia48296291a61df6802ef21105b38b4f508b7a11c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73832 Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
-
- Mar 25, 2022
-
-
Oliver Hader authored
Recent guzzlehttp/psr7 versions address vulnerability CVE-2022-24775. Mentioned known vulnerability is not considered relevant for the TYPO3 core. That's why this issue is handled as regular bugfix. Commands executed: composer req guzzlehttp/psr7:"^1.8.5 || ^2.1.2" composer req guzzlehttp/psr7:"^1.8.5 || ^2.1.2" \ -d typo3/sysext/core --no-update Resolves: #97240 Releases: main, 11.5, 10.4 Change-Id: I915b5620140912ecf1e0dc5bc887f4cc25ffb85a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74059 Tested-by:Simon Schaufelberger <simonschaufi+typo3@gmail.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Oliver Bartsch authored
This introduces a new PSR-14 event, enabling extension authors to modify the preview url within the image manipulation element, used e.g. for the `crop` field of `sys_file_reference`. This replaces the previously available hook $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['Backend/Form/Element/ImageManipulationElement']['previewUrl'] which is therefore now removed. Resolves: #97230 Releases: main Change-Id: I56bb2111d85994c13acfc8ae074cac3d61933145 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74025 Tested-by:
Jochen <rothjochen@gmail.com> Tested-by:
-
Oliver Bartsch authored
Using the hook ['Backend/Form/Element/ImageManipulationElement']['previewUrl'], one can define a preview url for the image manipulation wizard. If defined, a button is displayed, opening the defined url in a new window, while adding the crop variants as an additional query parameter. However, the query parameter was previously always added using "&" which failed, in case the defined preview url does not already define query parameters. This is now fixed by properly checking whether the url already contains further parameters when adding the crop variants. Resolves: #97236 Releases: main, 11.5 Change-Id: Iedfdfa10db036490a4a801b1614ad99016f0bdc3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74029 Tested-by:
-
Andreas Fernandez authored
TYPO3 allows to install incompatible extensions for a very long time, but distributions were missed when this feature was introduced. This patch now offers the same "Dependencies could not be resolved" dialog for distributions that miss dependencies. As this dialog is now used in different contexts, the "Go back" action has been made configurable. Resolves: #80219 Releases: main Change-Id: If429164e539d9c3c984477cfdcb2568a59891117 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74024 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
-
- Mar 24, 2022
-
-
Oliver Bartsch authored
This introduces two new PSR-14 events, enabling extension authors to modify the enabled controls as well as the corresponding controls' markup for FormEngine inline elements. This replaces the previously available hook $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tceforms_inline.php']['tceformsInlineHook'] which is therefore now removed. The hook required implementations to implement the InlineElementHookInterface, which is now deprecated as it's unused due to the hook removal. Resolves: #97231 Releases: main Change-Id: I669d759c554d4a2d3ed24f65013c74d54038a0af Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74026 Tested-by:
Nikita Hovratov <nikita.h@live.de> Tested-by:
-
Simon Schaufelberger authored
Resolves: #97211 Releases: main, 11.5 Change-Id: Ic0165c1c88bae6ef5206d79691aa5918762dc14c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73995 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
- Mar 23, 2022
-
-
Oliver Bartsch authored
Element browsers are now automatically tagged and registered, based on the implemented `ElementBrowserInterface`, using the autoconfiguration feature from the DI container. The previous registration via `$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['ElementBrowsers']` has been removed. Additionally, to be able to use autoconfiguration, the identifier of a element browser has to be provided by the service directly using the now required :php:`getIdentifier()` method. Resolves: #97188 Releases: main Change-Id: I8fa782331b3226e651c239dfc5d131f3a0a46893 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73973 Tested-by:
-
Oliver Bartsch authored
The Scheduler module provides the option to execute symfony commands. Since those commands are usually built for CLI execution they might also contain interactive components like questions, which however can not be used when execution is scheduled. Therefore, the console input is now set to be non-interactive in the ExecuteSchedulableCommandTask "wrapper" class. Resolves: #97225 Releases: main, 11.5 Change-Id: I217c339ea0ef44ff91bcd8396d384227e8691184 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74018 Tested-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
-
Oliver Bartsch authored
This introduces a new PSR-14 event, enabling extension authors to modify the link explanation, used for TCA `link` fields in a flexible way. This replaces the previously available hook $GLOBALS['TYPO3_CONF_VARS']['SYS']['formEngine']['linkHandler'] which is therefore now removed. Resolves: #97187 Releases: main Change-Id: I8937a9870657085bd520d8b813d8d5b4c93f7bc1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73972 Tested-by:
-
Georg Ringer authored
Resolves: #97229 Releases: main, 11.5 Change-Id: I908102d0f4b5b3f3fe686f0ccdc60604669a8173 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74022 Tested-by:
-
Simon Schaufelberger authored
Used command: composer req friendsofphp/php-cs-fixer:^3.8.0 --dev Resolves: #97227 Releases: main, 11.5 Change-Id: Iad07abbef89a4b69c9d0ab2ea76cc3645bdb5476 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74020 Tested-by:
-
- Mar 22, 2022
-
-
Oliver Bartsch authored
A couple of JS modules requires some module information, such as the navigationComponent. Those information were previously added as data attributes to the main module menu items and then retrieved by the JS components. This however did no longer work for third-level modules, introduced in #97135, since they are not present in the main module menu. This is now resolved by adding the full module information, including all modules, as a single data attribute to the "scaffold-modulemenu" element. Note: On installing new extensions, which add backend modules, a complete backend refresh is necessary for the new modules to be accessible. An automatic refresh will be added in another patch, since this will also be required to update the JavaScript import maps. Resolves: #97184 Related: #97135 Releases: main Change-Id: I753ef87f09ef111222945703ae3aa7cb2cb0d802 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73914 Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
-
Oliver Hader authored
Custom element typo3-backend-table-wizard offers a wizard for modifying serialized table syntax of tt_content CType table. Whenever data is changed in the wizard, a corresponding client change event has to be forwarded to the actual tt_content field handled by FormEngine, to reflect the record has changes. Resolves: #96656 Releases: main, 11.5 Change-Id: Ib63088052ac3d2150e3f3db6b624bc7cac61db99 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74015 Tested-by:
-
Torben Hansen authored
To support future password hashing algorithms, it is recommended by PHP to use a DB size of 255 chars for fields storing password hashes. Resolves: #97221 Releases: main Change-Id: I490c7848f8ca7a0fc61aeb8272f6982c3b420a6a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74014 Tested-by:
-
Oliver Bartsch authored
This removes the import of OnFieldChangeTrait from all FormEngine elements, extending AbstractFormElement, since the abstract class already imports the trait. Resolves: #97219 Releases: main Change-Id: I685b3cd771a826edab2cc34f1d54bb8aa48e3e72 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74003 Tested-by:
-
Stefan Bürk authored
This patch updates typo3/cms-styleguide, which contains replacement of 'QueryBuilder->execute()' calls, which has been missed on first replacement round. This avoids deprecation messages in acceptance tests. Used commands: > composer u typo3/cms-styleguide Resolves: #97223 Releases: main Change-Id: I5ad1f2f0dfb2dce9248ee4a1b927eafe8f8d021b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74012 Tested-by:
-
Oliver Bartsch authored
EXT:core unfortunately has a couple of dependencies to EXT:frontend. One of them are TypoLinkCodecService. Since this service does not have any context, only related to EXT:frontend, it is now moved to EXT:core, resolving this cross dependency. This also allows to use the service in the DataHandler instead of duplicating parts of the code, which was previously done to prevent any EXT:frontend dependency in the DataHandler. Resolves: #97217 Releases: main Change-Id: Ib24bfb530fd0ac486ac30b09f43717c95c98c292 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73993 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
-
- Mar 21, 2022
-
-
Oliver Bartsch authored
Resolves: #97215 Related: #97174 Releases: main Change-Id: I099c21da402176e8d31ea9a5d3f9d394b3567119 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74000 Tested-by:
-
Oliver Bartsch authored
Resolves: #97199 Releases: main, 11.5 Change-Id: Ibb65dbccbf26b0522ce1c8ccf8c78a1cea29e9c6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73992 Tested-by:
-
Oliver Bartsch authored
Since bitwise operators requires the operands to be integers, a possible raw database value for a checkbox element is now properly casted, before used as operand, preventing a TypeError. Note: PHP < 8, this only triggered a warning. Resolves: #97194 Releases: main, 11.5 Change-Id: I40b53ba4eb11341792649516de2f3c6b86ae5a61 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73978 Tested-by:
-
Oliver Bartsch authored
With #97013 and #97159, two dedicated TCA types were added, which both only allow a few eval options. To prevent invalid options being passed as attributes to the HTML element, the list is now filtered for the allowed options. Additionally, the "trim" option is always added. Resolves: #97192 Related: #97013 Related: #97159 Releases: main Change-Id: Icc2fd3a0501567da19df3320e4bb2571a70f00b9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73977 Tested-by:
-
Oliver Bartsch authored
Resolves: #97218 Related: #97159 Releases: main Change-Id: I953768642c41cd0293394d3795edc56dc570d71d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74001 Tested-by:
-
Simon Schaufelberger authored
Annotations are not needed since .phpstorm.meta.php takes care of it. Resolves: #97213 Releases: main, 11.5 Change-Id: I00687c4ea2c938e5b531016faf80f2a84ea1cdd9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73996 Tested-by:
-
Susanne Moog authored
The TemplateService - if no TSFE is available - uses the rootline to find a matching site. Previously it only considered the top most element of the root line for finding a site, now it also considers all pages in the rootline with is_siteroot set. Resolves: #97172 Releases: main, 11.5 Change-Id: I39d2e980b91addbbce40666cada5ee63cb88d6a8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73902 Reviewed-by:
Jörg Bösche <typo3@joergboesche.de> Reviewed-by:
-
Oliver Bartsch authored
This introduces a new PSR-14 event, enabling extension authors to modify the items of the new content element wizard component. This replaces the previously available hook $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['cms']['db_new_content_el']['wizardItemsHook'] which is therefore now removed. Additionally, the NewContentElementController receives some code cleanup, e.g. removing the "params" parameter from the wizard items' configuration, which previously just duplicated the "tt_content_defValues" property. Also, four public methods have been removed from the class as they were only used for the now removed hook and are now available in the PSR-14 Event directly. Resolves: #97201 Releases: main Change-Id: I6472ccd2bf81e97f81fe4b2e529ea519c9bdaaf0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73982 Tested-by:
-
Larry Garfield authored
The new release allows versions 1, 2, or 3 of psr/log, so unblocks core using psr/log 3. Commands run: > composer req typo3/html-sanitizer ^2.0.14 > composer req typo3/html-sanitizer ^2.0.14 \ -d typo3/sysext/core --no-update Resolves: #97183 Releases: main, 11.5 Change-Id: I9c306e48daa577dcaf64d57ca8b63142d31a8124 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73913 Reviewed-by:
crell <larry@garfieldtech.com> Reviewed-by:
-
- Mar 18, 2022
-
-
Oliver Bartsch authored
This fixes issues in a couple of 12.0 changelog files, which were quite obvious, looking at the rendered versions. Additionally fix all rendering warnings. Resolves: #97191 Releases: main Change-Id: I3ce582d4d8654e560ecf0e0e89835dcb7cf4f79e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73976 Tested-by:
Björn Jacob <bjoern.jacob@tritum.de> Tested-by:
Lina Wolf <112@linawolf.de> Reviewed-by:
-
- Mar 17, 2022
-
-
Markus Klein authored
The FileHandlingUtility may be used from a context where there is no BE_USER. Avoid a warning in PHP 8 Resolves: #97204 Releases: main, 11.5 Change-Id: Iae4d2d77cc69f46811933b6b081044256a1c7ce2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73985 Reviewed-by:
-
dev-rke authored
Releases: main, 11.5 Resolves: #97196 Change-Id: I75ac3c5ced9214ff4b5ed0d52772a42dddec1ec1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73980 Tested-by:
-
- Mar 16, 2022
-
-
dev-rke authored
Since PHP 8.1, passing null to non-nullable internal function parameters is deprecated. Therefore the str_replace() call in ResourceFactory:retrieveFileOrFolderObject() might trigger a PHP deprecation. This is now fixed by adding a typecast to the input value. Resolves: #97195 Releases: main, 11.5 Change-Id: I0ca2fc3524b77b9d6b257b4797219046aa7beb15 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73979 Tested-by:
-
- Mar 15, 2022
-
-
Benni Mack authored
When logging, the "DELETE" action is used when trying to read a record which should be copied. This change uses the INSERT action, so the log is proper. Resolves: #97182 Releases: main, 11.5 Change-Id: I294ee08e24327e67b6de2812163a00e6ca35f043 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73911 Tested-by:
-
Oliver Bartsch authored
In case an internal link targets a content element, defined by an anchor, this element is checked for e.g. being moved, hidden or deleted. In case the element is moved the "title" attribute was not filled, leading to a PHP warning. This is now fixed by always adding the correct record title. Resolves: #97147 Releases: main, 11.5 Change-Id: Ia78c34465bdc056a5714fc4e1bb7d7981be1e409 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73897 Tested-by:
-
Oliver Bartsch authored
The reports module links to extension manager in case an extension with an invalid composer manifest exists. This link however did no longer work, since the target module was removed in #97096. It's now added again. Resolves: #97167 Related: #97096 Releases: main Change-Id: I7f8112c9182cb6c289967164f62f496843b6ce1e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73895 Tested-by:
-
Oliver Bartsch authored
$disabled is initialized as empty string and never updated, before being added to the markup, thus has no effect. $placeholder is initialized with "0" and never updated, thus the value can be set in the markup directly. Additionally, this replaces a strlen() check with an empty string comparison. Resolves: #97166 Releases: main Change-Id: I265514f32d66f48348f18860c36e2d5bd064d742 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73894 Tested-by:
-
- Mar 14, 2022
-
-
Benni Mack authored
This change moves the check if a page can be accessed by a BE_USER and if a page is rendered in preview, while executing a Frontend Request, to the PSR-15 "TypoScriptFrontendInitialization" middleware. This way, TSFE itself does not need to know / set any preview mechanism itself, since this is now handled already during the Frontend Request flow. For this reason, the "determineId()" method can now include the logic of "fetch_the_id()", allowing "fetch_the_id()" (protected) to be completely removed. It's now much easier to grasp that "determineId()" actually just determines the final ID / Page / Rootline incl. translations based on the given request. This is a precursor patch to introduce new PSR-14 events that are better suited in the request workflow than existing hooks. Resolves: #97176 Releases: main Change-Id: I3bc1a8709288f01fe6978982572acba6f53f77b3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73905 Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
-
Oliver Bartsch authored
In our process of using dedicated TCA types, the new TCA type "link" is introduced and replaces "renderType=link" of TCA type "input". Notable changes to the previous "inputLink" behaviour: - "linkPopup" fieldControl is now always used by the FormEngine element - Corresponding fieldControl options are migrated to columns config - The type now makes use of include lists instead of exclude lists - The allowed link types are now evaluated in DataHandler - "trim" is always done in DataHandler and FormEngine - "max" is no longer evaluated - "softref=typolink" is automatically set As mentioned, the TCA type "link" uses include lists. This also required to adjust the LinkPopup fieldControl, as well as the Link Browser classes. The previously used "blinkLink[Fields|Options]" options are still supported in case the "LinkPopup" fieldControl is used for another TCA type. However, they might be deprecated soon. Finally, the TSconfig key for the MailLinkHandler is renamed from "mail" to "email", to unify the naming in the codebase. Resolves: #97159 Releases: main Change-Id: Ied9e957b973ed8904736e5d4353a989ea76065d8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73866 Tested-by:
-
Susanne Moog authored
Since #96906 the JavaScript files of the adminpanel have been lowercased, however, their inclusion was not changed to reflect that - which made the loading of these files fail. The loading has been adjusted to use the lowercased names, too. Resolves: #97181 Related: #96906 Releases: main Change-Id: I5203b0a2fcdce1973f681e29ddec228b93105831 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73909 Reviewed-by:
-
Francois Suter authored
In class \TYPO3\CMS\Workspaces\Preview\PreviewUriBuilder the value for TSconfig option "options.workspaces.previewPageId" is tested for a syntax like field:value but if the actual value does not use a colon, it will result in an undefined array key warning. Resolves: #97169 Releases: main, 11.5 Change-Id: I08fc2865a7163e7770bf6ee56a24369b15ff0240 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73899 Tested-by:
-
