- May 28, 2016
-
-
Valentin Despa authored
Remove the second parameter of sL and replace it with htmlspecialchars directly in the code.
Resolves: #76325
Related: #71917
Releases: master
Change-Id: I6668eea01d80446a6b6f2ec95435c6e3d93cb0c3
Reviewed-on: https://review.typo3.org/48346
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
-
- May 27, 2016
-
-
Valentin Despa authored
Remove the second parameter of sL and replace it with htmlspecialchars directly in the code.
Resolves: #76325
Related: #71917
Releases: master
Change-Id: Ibaae459cb81a4fb9616e953d772603acf85e4d11
Reviewed-on: https://review.typo3.org/48344
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
-
Valentin Despa authored
Remove the second parameter of sL and replace it with htmlspecialchars directly in the code.
Resolves: #76325
Related: #71917
Releases: master
Change-Id: I6267c45daeddf9a652ad63acb014c824721df25f
Reviewed-on: https://review.typo3.org/48338
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Michael Oehlhof <typo3@oehlhof.de>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Wouter Wolters authored
Resolves: #76329
Releases: master,7.6
Change-Id: Ie5320e71aa8ded5b744997b6f1ca71c3542aa2f0
Reviewed-on: https://review.typo3.org/48334
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
-
Christian Kuhn authored
Change-Id: I09d769584dc4389d0d6e0d2ffa3e8e1b0fa571ad
Resolves: #76327
Releases: master
Reviewed-on: https://review.typo3.org/48333
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Wouter Wolters authored
Remove the second parameter of getLL and replace it with htmlspecialchars directly in the code.
Resolves: #76321
Related: #71917
Releases: master
Change-Id: I513c5915c9273c906b6b828d65425ac8ee485e12
Reviewed-on: https://review.typo3.org/48332
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
-
Wouter Wolters authored
Remove the second parameter of getLL and replace it with htmlspecialchars directly in the code.
Resolves: #76321
Related: #71917
Releases: master
Change-Id: Ieabcf550883ebcf85fe13232caab249b0f37e4b1
Reviewed-on: https://review.typo3.org/48330
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
-
Christian Kuhn authored
There is a funny comment for this call within TypoScriptParser. Reading the code, there seems to be no part that works with references on this variable in setVal(). The patch now removes this odd construct. In the unlikely case some issue still pops up later, we would at least have a clear way to reproduce then ...
Change-Id: I70f5f8915386a7a4b5038d66611b4ec359f5c1fa
Resolves: #76323
Releases: master
Reviewed-on: https://review.typo3.org/48327
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
-
Benni Mack authored
This change allows the IconViewHelper in the reports module to be used not just from typo3/ (e.g. if a person puts typo3/index.php in a different place or wants to show the reports in the install tool).
Resolves: #76322
Releases: master
Change-Id: I7067654b3fff5ac75fb9883b708ddb28a9ddc7d1
Reviewed-on: https://review.typo3.org/48321
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
-
Morton Jonuschat authored
Use the charset name 'utf8' instead of 'utf-8' for MySQL connections as some MySQL server versions silently ignore the connection charset name 'utf-8' and work with the global default connection charset instead. Using 'utf8' as charset name doesn't exhibit this behavior.
Also changes the silent upgrade wizard to only set the default driver and connection charset if no value has been configured; this avoids silently changing non-default values for these options.
Change-Id: I94e1e7c557aff890cec357ef9ee069ae9aa052c6
Resolves: #76265
Releases: master
Reviewed-on: https://review.typo3.org/48310
Tested-by: Riccardo De Contardi <erredeco@gmail.com>
Tested-by: Gianluigi Martino <gmartino27@gmail.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
-
Elmar Hinz authored
Releases: master
Resolves: #76316
Change-Id: I40c05c0d6a342b3d3c19dc164ae7716076aa3df2
Reviewed-on: https://review.typo3.org/48307
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Elmar Hinz authored
Resolves: #76307
Releases: master
Change-Id: Ie75ab139102cedb6e5bc01ffb59bbf51c900dded
Reviewed-on: https://review.typo3.org/48293
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Elmar Hinz authored
Resolves: #76294
Releases: master
Change-Id: Ifca415dd965473cde9cec29ca21a476491540845
Reviewed-on: https://review.typo3.org/48284
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Frank Naegler authored
Resolves: #75397
Releases: master, 7.6
Change-Id: I7cb4f04e38e3d9f755aaf92012eb56d71a1ad6f7
Reviewed-on: https://review.typo3.org/48110
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Torben Hansen authored
When an admin user tries to upload a file which has a file extension that is included in the fileDenyPattern, the upload is denied.
With the security fix in #51326 admin users are now able to change the extension of a file to any value, since the fileDenyPattern is not checked for admin users.
This leads to the situation that admin users can create/rename files in the filelist with a file extension of their choice.
To keep the behavior consistent, this patch re-enables the check of the fileDenyPattern for admin users in the filelist.
Resolves: #60173
Releases: master, 7.6, 6.2
Change-Id: I3b819e70cf2218a4580203ac7b7a6b0c3c5087ab
Reviewed-on: https://review.typo3.org/32610
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
-
Christian Kuhn authored
To mitigate potential "unsecure unserialize()" issues, the new PHP7 feature to allow only specific classes or to totally deny object creation is rolled out throughout the core in v8. Since a lot of places use unserialize() and some are critical or hard to understand, this is done with a series of patches for single areas.
This patch denies object creation at all places where $GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['anExtension'] is unserialized() - the extension manager and ext_conf_template.txt handling never handles objects at this place, so it should be safe to deny objects at all places.
Change-Id: Ie96e6fb6837418fd765f883b216b7a9c5af5795d
Resolves: #76320
Releases: master
Reviewed-on: https://review.typo3.org/48314
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
-
Elmar Hinz authored
Double slash one-line comments are standard in many languages. Make them standard in TypoScript, too.
Deprecated: / Line comment headed by single slash
Resolves: #76104
Releases: master
Change-Id: Id78391f973cdf8147bf91b269996f31d475de717
Reviewed-on: https://review.typo3.org/48051
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Wouter Wolters authored
Remove the second parameter of getLL and replace it with htmlspecialchars directly in the code.
Resolves: #76321
Related: #71917
Releases: master
Change-Id: Iaccd3e31b235632fac9022e9120a35426bd5d99b
Reviewed-on: https://review.typo3.org/48320
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Frank Naegler authored
The MenuViewHelperTrait has been marked as deprecated. All methods of the Trait have been implemented in a new AbstractMenuViewHelper class.
Resolves: #75209
Releases: master
Change-Id: Ie8cad645c80c3cb7814dd2b69f22feb729334779
Reviewed-on: https://review.typo3.org/48111
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Elmar Hinz authored
Explain the creation and name of the variable in concise words.
Resolves: #76195
Related: #76194
Releases: master
Change-Id: Ifff61c38dbb4ea07f79cb42cfe7f6aca41e5fbe1
Reviewed-on: https://review.typo3.org/48132
Reviewed-by: Olaf Schmidt-Wischhöfer <osw@eadi.org>
Tested-by: Olaf Schmidt-Wischhöfer <osw@eadi.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
-
Andreas Fernandez authored
Use `$table` for logging instead of the hardcoded `pages` table.
Resolves: #74125
Releases: master, 7.6
Change-Id: I13b4306bdc54cf461d23c401d54c04983059df46
Reviewed-on: https://review.typo3.org/48318
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
-
Andreas Fernandez authored
In case `$rows` in the method `DataHandler::copySpecificPage()` is null, the foreach loop will throw an error. `$rows` may become null if an extension brings TCA but the table does not have a `uid` field, for example.
It's now checked whether the result being iterated is an array, otherwise an error is logged.
Resolves: #74125
Releases: master, 7.6
Change-Id: I20cb101155632309b9e08600fcd33e655c1c9d2f
Reviewed-on: https://review.typo3.org/48311
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
-
Frank Naegler authored
Mark stdWrap_removeBadHTML as deprecated in doc comment.
Resolves: #15415
Releases: master
Change-Id: I4534a8b93b731f8e736752e712c0c13293b0b05d
Reviewed-on: https://review.typo3.org/48313
Reviewed-by: Elmar Hinz <t3elmar@gmail.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
-
Wouter Wolters authored
Resolves: #15415
Releases: master
Change-Id: Iac92d6d36e2a84b069fa7c4a17d2dc567d952309
Reviewed-on: https://review.typo3.org/48301
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
-
Elmar Hinz authored
The PHP char() function only works reliably with ASCII codes independent of the actual char set. See http://php.net/manual/en/function.chr.php
Releases: master
Resolves: #76315
Change-Id: Ia87b95239fc4678f297571704f031003f84a5759
Reviewed-on: https://review.typo3.org/48306
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
-
Morton Jonuschat authored
Instead of passing the simple value "1" to QueryGenerator->getTreeList() use a page permission clause created using $BE_USER->getPagePermsClause() when determining the recursive storage pids.
Passing the unprocessed value "1" causes invalid SQL statements and does not perform any access checks.
Releases: master, 7.6
Resolves: #75912
Change-Id: I6edadd627c0a9c01a78c3cb55805455fed710d14
Reviewed-on: https://review.typo3.org/48220
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Andreas Fernandez authored
It's possible to open some backend modules (e.g. RTE or EditDocumentController) in a new tab. However, the configuration for popups is missing in such a case, so that e.g. opening the "Insert image" wizard of RTE is not possible anymore.
Place configuration inline in TYPO3.settings to not have this problem of missing configuration.
Resolves: #76285
Releases: master
Change-Id: I1405dd90e4e00fc709d504af2ed0a936a6374fce
Reviewed-on: https://review.typo3.org/48276
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
-
- May 26, 2016
-
-
Georg Ringer authored
Due to the wrong approach of RemoveXSS it is not 100% safe and does not keep its promise.
Resolves: #76164
Releases: master
Change-Id: I8aa0a05f7866041f392441fa852bae5a7c202142
Reviewed-on: https://review.typo3.org/48102
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
-
Markus Klein authored
Resolves: #76303
Releases: master, 7.6
Change-Id: Ia03f62ccc1c7c989a4284de36ac814758c63d288
Reviewed-on: https://review.typo3.org/48290
Tested-by: Riccardo De Contardi <erredeco@gmail.com>
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Gianluigi Martino <gmartino27@gmail.com>
Tested-by: Gianluigi Martino <gmartino27@gmail.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
-
Helmut Hummel authored
Fluid variables must never be used in JavaScript context. Instead they should be put into data attributes, which can be accessed from JavaScript easily.
Resolves: #76304
Releases: master
Change-Id: I16c0d6b265ad446d73cbe285be7653d1a8ebcfd2
Reviewed-on: https://review.typo3.org/48291
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
-
Helmut Hummel authored
When adding visibility information in DebuggerUtility it was not respected that this utility can also be used to output in cli. Add the missing condition and output HTML only if requested.
Additionally when the property has nested objects, the visibility info must be right after the property not after every nested object.
Also prettify object type output on command line on the go.
Resolves: #76301
Related: #76008
Releases: master
Change-Id: If82192bf9d1fb0ca1dc843242167d01b1a915f6e
Reviewed-on: https://review.typo3.org/48287
Reviewed-by: Elmar Hinz <t3elmar@gmail.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Elmar Hinz <t3elmar@gmail.com>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
-
- May 25, 2016
-
-
Georg Ringer authored
By using the <code>-tag, the output of paths is improved:
- XCLASS usage
- Path to ENABLE_INSTALL_TOOL
- Path to deprecation log
Resolves: #76288
Releases: master, 7.6
Change-Id: I591009cd52ba1dec6d25ff135e76b7b536b84193
Reviewed-on: https://review.typo3.org/48282
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
Tested-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
-
Jigal van Hemert authored
The URI is HSC'd by default. Using the output unformatted produces a correct URI for use inside JS.
Resolves: #76289
Releases: master
Change-Id: Iec7b9aaa0a26ec9acfe6ba49924373965a989a2f
Reviewed-on: https://review.typo3.org/48283
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
-
Markus Klein authored
Resolves: #76296
Releases: master
Change-Id: I039e031ff6f46c94d474c35c43de372cfc5b0fc2
Reviewed-on: https://review.typo3.org/48286
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Elmar Hinz <t3elmar@gmail.com>
Reviewed-by: Gianluigi Martino <gmartino27@gmail.com>
Tested-by: Gianluigi Martino <gmartino27@gmail.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
-
- May 24, 2016
-
-
Markus Klein authored
The patch for #70463 introduced a regression which caused added elements to include HTML markup.
Resolves: #76286
Releases: master, 7.6
Change-Id: I596602b03fd65f2e8d95171c2f2f79ff57006f14
Reviewed-on: https://review.typo3.org/48277
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Johannes Kasberger <johannes.kasberger@reelworx.at>
Tested-by: Johannes Kasberger <johannes.kasberger@reelworx.at>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
-
Helmut Hummel authored
Resolves: #76150
Releases: master
Change-Id: Ia51ec33ba4aacabc884292d4a9508ce0d2c4cd9d
Reviewed-on: https://review.typo3.org/48078
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
-
Wouter Wolters authored
With the introduction of Doctrine DBAL the obsolete settings of all upgrade wizards related to TYPO3 CMS 7 are added again. Remove them now again.
Resolves: #76258
Related: #75454
Releases: master
Change-Id: Ib86591525724b2fd189038a04dfa645815f4fe55
Reviewed-on: https://review.typo3.org/48238
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
-
Marvin Dettinger authored
Resolves: #76098
Releases: master, 7.6
Change-Id: I4ceb644328671cd3355340d6b6991d60e88b265a
Reviewed-on: https://review.typo3.org/48046
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Christoph Kratz <ckr@rtp.ch>
Tested-by: Christoph Kratz <ckr@rtp.ch>
Reviewed-by: Marvin Dettinger <mde@rtp.ch>
Tested-by: Marvin Dettinger <mde@rtp.ch>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
-
Helmut Hummel authored
Resolves: #76278
Releases: master, 8.1, 7.6, 6.2
Change-Id: Iedb71737ab3b69f2873292ea1cab165e0ec21cec
Reviewed-on: https://review.typo3.org/48265
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Frans Saris <franssaris@gmail.com>
Tested-by: Frans Saris <franssaris@gmail.com>
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Tested-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Reviewed-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
Tested-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Jan Helke <typo3@helke.de>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
-
Helmut Hummel authored
Instead of only checking for valid request arguments by using a hmac, we now check the complete request including action, controller and vendor to avoid spoofing these arguments and bypassing other security checks during forwarding to the referring action.
Additionally, ReferringRequest is now separate from regular Request. The meaning of properties starting with "@" is only valid for processing a referring request. To avoid mixed concerns in using the same Request implementation for regular requests and referring requests, they are separated now.
Resolves: #76231
Resolves: #76256
Releases: master, 7.6, 6.2
Security-Commit: 3562e177f1720e62cab84232dcc67c580a3cc3db
Security-Bulletin: TYPO3-CORE-SA-2016-013
Change-Id: Ic94e11341df98c1326dc73c92a5c9e061a64cc9e
Reviewed-on: https://review.typo3.org/48258
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
-