When a TYPO3 exception is handled through registered exception
handlers, log writers may log sensitive information to logs,
since the full stacktrace is logged.

With this change, exception handlers that extend
AbstractExceptionHandler except DebugExceptionHandler will
by default not include the exception object any more and
thereby not log the full stacktrace.

Resolves: #96866
Releases: main, 11.5, 10.4
Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0
Security-Bulletin: TYPO3-CORE-SA-2022-002
Security-References: CVE-2022-31047
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74893


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The import functionality of the import/export module is already
restricted to admin users or users, who explicitly have access through
the user TSConfig setting "options.impexp.enableImportForNonAdminUser".

The export functionality has the following security drawbacks:

* Export for editors is not limited on field level
* The "Save to filename" functionality saves to a shared folder, which
  other editors with different access rights may have access to.

Both issues are not easy to resolve and also the target audience for
the Import/Export functionality are mainly TYPO3 admins.

Therefore, now also the export functionality is restricted to TYPO3
admin users and to users, who explicitly have access through the new
user TSConfig setting "options.impexp.enableExportForNonAdminUser".

Additionally, the contents of the temporary "importexport" folder in
file storages is now only visible to users who have access to the
export functionality.

In general, it is recommended to only install the Import/Export
extension when the functionality is required.

Resolves: #94951
Releases: main, 11.5, 10.4
Change-Id: Iae020baf051aeec0613366687aa8ebcbf9b3d8b2
Security-Bulletin: TYPO3-CORE-SA-2022-001
Security-References: CVE-2022-31046
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74892


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Some default fields (e.g. tt_content.bodytext) can contain null values.
TYPO3 first fetches the data in the default language and then overlays
the rows data with the translation values. The overlay method inspects
each array item with the php isset() function. This validates not only
the existence of the array key, but also the values. null and
false values evaluated as false. Empty strings evaluate as true.
This leads to inconsistent output in the frontend.

The overlay now valides only the array key existence and applies also
empty values.

Resolves: #97616
Releases: main, 11.5, 10.4
Change-Id: I4b01c52e9ac7adde786b3395bce870bc0a354b58
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74837


Tested-by: André Buchmann <andy.schliesser@gmail.com>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: André Buchmann <andy.schliesser@gmail.com>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>

The package guzzlehttp/guzzle has been updated to version 7.4.4
and 6.5.7 which both fix the security issues [1] and [2]. Since
TYPO3 is not affected by the issues by default, this is handled
as a public bugfix.

3rd party extensions may however be affected by the vulnerabilities
if `Authorization` or `Cookie` headers are used.

Executed commands:

    composer require \
        guzzlehttp/guzzle:^6.5.7 \
        -W
    composer require \
        -d typo3/sysext/core \
        guzzlehttp/guzzle:^6.5.7 \
        --no-update

[1] https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
[2] https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9

Resolves: #97759
Releases: main, 11.5, 10.4
Change-Id: I6ed48f2b03e5e0ca82a9aa493499a5eaf65b184c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74879


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

This change adds the ability to clean rendered documentation
folder and files in all system extension folders in one go.
Mentioned folders are `typo3/sysext/*/Documentation-GENERATED-temp`.

Added command/testsuite:

* `Build/Scripts/runTests.sh -s cleanRenderedDocumentation`

Additionally the already combined cleaning command `-s clean`
is extended to delete rendered documentation in the same run.

Resolves: #97673
Releases: main, 11.5, 10.4
Change-Id: I344f897769cd5f475d43db67dd1b27693f49a658
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74842


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

A dialog trying to prevent overriding existing files in the filelist
module shows an incorrect modification date of files that are existing
on the server-side. When using regular unix timestamps (instead of
micro-timestamps), dedicated `moment.unix` function has to be used.

Resolves: #97724
Releases: main, 11.5, 10.4
Change-Id: Ieb5a00aaf87410e9721e39d91b9e0da13a109bc6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74816


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

The "page" and "pages" translation keys are backwards.
This patch makes them forwards.

Resolves: #96795
Releases: main, 11.5
Change-Id: I3dde22d5a6f9ae7c62fe8c60156d6131f676a11c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74833


Tested-by: core-ci <typo3@b13.com>
Tested-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

This is now covered by the annotations using generics in the testing
framework base class, and hence not needed anymore.

(Removing it also helps get consistent behavior from PhpStorm's
static type analysis.)

Resolves: #97736
Releases: main, 11.5, 10.4
Change-Id: Ia7d7e790bb92eaf1c9b7ffa4f9d97b2b0a50dee3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74769


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Stefan Bürk <stefan@buerk.tech>

+ npm package moment up to v2.29.2 contained a vulnerability
  (https://github.com/advisories/GHSA-8hfj-j24r-96c4) which only
  affected npm server users - in order to avoid confusion concerning
  security aspects, the package version is raised
+ npm package moment-timezone was upgraded to recent timezone data
  "IANA TZDB 2021"

Executed commands:

cd Build; \
  nvm use; \
  yarn upgrade moment moment-timezone; \
  yarn exec grunt clear-build; \
  yarn exec grunt build

Resolves: #97723
Releases: main, 11.5, 10.4
Change-Id: I84ea9ca6b696d74aab70cfa45e6d41a95ae0159d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74804


Tested-by: core-ci <typo3@b13.com>
Tested-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Update copyright year to 2022

Resolves: #97704
Releases: main, 11.5, 10.4
Change-Id: I15e6c0674ac293eecad88f95379ec33679dda8d4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74759


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

The package guzzlehttp/guzzle has been updated to 7.4.3 and 6.5.6
respectively, both fixing a security vulnerability related to
cross-domain cookie leakage [1]. Since TYPO3 is not affected by
this issue by default, this is handled as a public bugfix.

However, 3rd party code (e.g. thru extensions) may be affected by this
issue, as long `'cookies' => true` is used in requests done by Guzzle.

Executed commands:

    composer require \
        guzzlehttp/guzzle:^6.5.6 \
        -W
    composer require \
        -d typo3/sysext/core \
        guzzlehttp/guzzle:^6.5.6 \
        --no-update

[1] https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3

Resolves: #97694
Releases: main, 11.5, 10.4
Change-Id: I39071c917c7ed26392f66b0ea2f774ecbceead9f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74772


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

The note about jumping to a previous version of the
page is obsolete, because you can switch no further
than version 8.7 with the version selector and the
older version is in v7.6.

In any case, if someone needs the information for
version 7.6 and below they must use other means
anyway (e.g. use Git repository and render locally)
since these older versions are no longer rendered
on docs.typo3.og.

Resolves: #97632
Releases: main, 11.5, 10.4
Change-Id: Iedbb482c4086ed4740410acc3c6e82f47607ec52
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74686


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Use the correct middleware name 'typo3/cms-frontend/authentication' in
the changelog instead of referring to a non-existing name.

Releases: main, 11.5, 10.4
Resolves: #97660
Change-Id: I5ebb586689f3173e1cc2a06049fd4b4d40430972
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74694


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Brings a multibyte fix when dealing with word-based
diffs, which is our default usage.

composer req lolli42/finediff:^1.0.1

Resolves: #97611
Releases: main, 11.5, 10.4
Change-Id: I601842ed75917f9a6d438191273e602238d3edda
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74607


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Change-Id: I308c3851b4aeb0422acb4bf03c3285928cdd5e99
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74595


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Change-Id: I5ebedca1cf34181ad228aa833aaa651a46aebec7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74594


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Avoid a postgresql error when previewing a page from the backend which
has an access protection by a fe_group due to PreviewSimulator faking
a fe_user with uid PHP_INT_MAX and sql failure to update the is_online
status of this fake user in PostgreSQL as column fe_users.uid is of type
integer and thus has max value of 2147483647 instead of PHP_INT_MAX.

Releases: main, 11.5, 10.4
Resolves: #97564
Change-Id: I16c866c368a9b3f5ac6bdfacf2c6660a7046df5a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74552


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Latest docker:20.10-dind (currently 20.10.15)
triggers an error on CI:

Error response from daemon: failed to create shim task: OCI
runtime create failed: runc create failed: unable to start
container process: unable to apply cgroup configuration:
mkdir /sys/fs/cgroup/rdma/docker: permission denied: unknown

The image is the 'sub-container' in CI on runner hosts,
that runs all the test images like the php and database
images.

This error *may* have to do with sysbox, which is a security
layer on runner hosts to separate CI jobs from each other.
We however currently don't know exactly what is going on.

For the time being, we pin the dind image to its previous
verion docker:20.10.14-dind

Change-Id: Ie59be69680e1f444c115f2249ca8709bbfdd1e3e
Releases: main, 11.5, 10.4
Resolves: #97570
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74543


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Scrolling the list module with 100 entries causes framerate
to drop below 15fps on low DPI devices in Google Chrome
with subpixel font rendering enabled, which is the default
for low DPI (=non HiDPI/retina) devices on Linux and MacOS.

Without this fix Google Chrome rerenders the entire module
contents on every scroll step in order to perform full
subpixel rendering (for a possibly changing/changed
background), as Chrome only promots scrolling layers to
composited (fast!) layers when the background is opaque [1].
Large tables amplify this issue as the entire table –
not just the visible content – needs to be (re)drawn in
order to calculate the expensive table layout.

An explicit background color preserves subpixel
font rendering capabilities while allowing the browser
to avoid expensive redraws as the scrolling layer is
promoted to a separate, opaque composition layer.
Other possible workarounds like `transform: translateZ(0)`
or `will-change: transform` would degrade font quality [2],
as Chrome would disable subpixel rendering in that case.

This issue has been already been implicitly fixed in TYPO3 v11
as #93489 moved the scroll layer from .module-body to .module,
where an explicit background color is present.

[1] https://bugs.chromium.org/p/chromium/issues/detail?id=381840#c51
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=597678#c3

Releases: 10.4
Resolves: #97144
Related: #93489
Change-Id: I63ce557169a3b8683430e3cdca746abb4c5ce60a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74528


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

Currently acceptance tests do not work on arm64 (Apple M1)
due to the lack of support in the selenium docker image.

This has been fixed by detecting arm64 and switch to
arm64 compatible image (seleniarm/standalone-chromium).

Resolves: #97541
Releases: main, 11.5, 10.4
Change-Id: I531e7e1d7f0f11a1c6d850699eee3b4a9aa3e5d0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74513


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Switchable controller actions are removed with TYPO3 12.0. The deprecation
note is adjusted to reflect it.

Resolves: #97523
Related: #89463
Related: #96282
Releases: main, 11.5, 10.4
Change-Id: Iad04bbb573f2b87ce87a8faabe25c97a8812f937
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74464


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Calling a site using http://example.org/index.php/invalid/ leads to
~/index.php/whatever/ being used as internal script path, which causes
errors or internal side-effects.

This behavior seems to occur only on web-servers using Apache with
PHP-CGI or PHP-FPM, using PHP setting `cgi.fix_pathinfo = 1`.

In case `cgi.fix_pathinfo` is enabled, the current script name is
retrieved from `$_SERVER['SCRIPT_FILENAME']` instead.

Resolves: #97543
Releases: main, 11.5, 10.4
Change-Id: Ia5f6b705253d42d4fc409b90b21d0363c4b97974
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74505


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

composer v2 is no longer an experimental feature of
Docker Desktop for MacOS/Windows. Broken composer v2
error message should be updated to give proper actual
information how to disable it correctly.

Resolves: #97489
Releases: main, 11.5, 10.4
Change-Id: I7c4199e5d3d3c47bbadba8210cc96b0385ab6fcc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74456


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>

When uploading new assets to the filelist,
the metadata (e.g. width and height) are
automatically extracted from the corresponding
files. This does not work for online media files,
e.g. a YouTube video. Therefore, the corresponding
services' oembed API is used to retrieve the
related metadata.

YouTube however changed their oembed API recently
to always set a width of "200" and a height of "113"
by default. This is obviously far too small for any
use case.

Since YouTube is following the oembed specification
(https://oembed.com/#section2.2), it's possible to
provide the "maxwidth" and "maxheight" parameters
to the oembed URL. This way YouTube returns
meaningful values for width and height.

Actually a similar change was already done to
the Vimeo integration in #85176. Vimeo however
supports the custom "width" parameter, which is
not mentioned in the specification and also not
supported by YouTube.

Resolves: #97481
Related: #85176
Releases: main, 11.5, 10.4
Change-Id: If902cf17b12fc510592a48828d8304fad42e2bfa
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74454


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Add script to 'Build/Scripts/runTests.sh' to clean build and
test related files and folders to get fast a clean state.
Local instance related files are untouched and kept intact.

Added commands:

> Build/Scripts/runTests.sh -s clean
> Build/Scripts/runTests.sh -s cleanBuild
> Build/Scripts/runTests.sh -s cleanCache
> Build/Scripts/runTests.sh -s cleanTests

Resolves: #97355
Releases: main, 11.5, 10.4
Change-Id: I05c9dd966f4703315474e369dad52b1a40881c60
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74400


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>

Over time dangling local anonymous docker volumes
pollutes local docker environments and consuming
space on core contributors discs.

This patch additionally removes dangling, unused
anonymous local docker volumes when updating core
testing images are requested with:

> Build/Scripts/runTests.sh -u

Resolves: #97361
Releases: main, 11.5, 10.4
Change-Id: I6b25a88a9ff119035eea7d5efd6c415bd490a3eb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74306


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Having a CODE_OF_CONDUCT.md document that links to the TYPO3 code
of conduct provides users who view the project source on GitHub
easy, direct access to the full text.

Releases: main, 11.5, 10.4
Resolves: #97376
Change-Id: I6509b402a5229cbd926ce42b4fd6a1c0e60e0fc2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74300


Tested-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Lina Wolf <112@linawolf.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Lina Wolf <112@linawolf.de>

- align README.rst, Index.rst, Includes.txt, Includes.rst.txt,
  Settings.cfg
- add genindex.rst, Sitemap.rst
- remove outdated Targets.rst
- reference manual's start page with :doc:`<manual>:Index`

Adding the custom label `start` to the beginning of the manual's
Index.rst is redundant. Use :doc:`<manual>:Index` instead of
:ref:`<manual:start>` to refer to it.

- replace :ts: with :typoscript: text role

The ambiguous :ts: text role has been removed to
not confuse the writer with typescript and typoscript.

- rename Includes.txt to Includes.rst.txt
- align reST validator at Build/Scripts/validateRstFiles.php
- remove outdated encoding note

- fix rendering warnings of EXT:core
- fix rendering warnings of EXT:fluid_styled_content
- fix rendering warnings of EXT:form
- fix rendering warnings of EXT:linkvalidator
- fix rendering warnings of EXT:lowlevel
- fix rendering warnings of EXT:rte_ckeditor

See https://docs.typo3.org/m/typo3/docs-how-to-document/main/en-us/GeneralConventions/FileStructure.html for further details.

Resolves: #97258
Releases: main, 11.5, 10.4
Change-Id: I791c905d294a1eb71bd30ff2260f68be2b22f41e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74233


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Lina Wolf <112@linawolf.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Lina Wolf <112@linawolf.de>

The CropViewHelper does not have a "length" argument, but the
"maxCharacters" argument is mandatory. From the context it is clear that
the wrong argument was accidentally used here and that this needs to be
renamed.

Releases: main, 11.5, 10.4
Resolves: #97362
Change-Id: I4e8b443f48006024a5949a143f50ed309cdd3d9c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74294


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Change-Id: I947cde3378f0d3ca02ef59c35cc7b0e18b85e751
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74273


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Change-Id: Ib8848fca36837bde9b0f0dc528e44e4ee2fde0af
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74272


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The check for doing the functional test splitting
script and running the selected chunk used similar
but different minimum chunk value to check against.
Thus the splitting script has not been executed in
all chunk execution contexts.

This patch uses now exactly the same check in the
'Build/Scripts/runTests.sh' like it is defined in
the corresponding docker-compose service config.

Furthermore all previous created functional split
files are now removed to avoid leftovers, which
occured if re-run has lower chunksize defined.

Example which is now properly fixed:

> Build/Scripts/runTests.sh -s functional -c 1/1

Example with partial part files from previous run:

> Build/Scripts/runTests.sh -s functional -c 1/10
> Build/Scripts/runTests.sh -s functional -c 1/8

Resolves: #97283
Releases: main, 11.5, 10.4
Change-Id: Id3a0d1c85540b4e7e46aaea69cf2d96839e8e72e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74194


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

This patch applies the new documentation standards to the .editorconfig.

Resolves: #97302
Releases: main, 11.5, 10.4
Change-Id: I798b355f71dfa7ba8ac20ad424105e99a5c870cc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74141


Tested-by: core-ci <typo3@b13.com>
Tested-by: Lina Wolf <112@linawolf.de>
Reviewed-by: Lina Wolf <112@linawolf.de>

When core functional tests started to heavily rely
on CSV based import- and assertion files, we found
that editing such .csv files in Microsoft Excel leads
to warnings if the number of columns is not identical
for each row.

Script checkIntegrityCsvFixtures.php has then been
established to verify all rows of .csv fixture files
have the same amount of fields per file, and has been
enabled as CI job to ensure all existing fixture
files follow this.

Nowadays, this restriction feels archaic: Devs actively
working with these CSV files typically edit them in
an IDE like PhpStorm directly and don't use Excel for
this anymore. The PhpStorm plugin "Rainbox CSV" also
helps by coloring these files and other alternatives
like libreoffice do not have this 'all rows must have
same number of colums' restriction.

The patch drops the script, the runTests.sh usage and
the CI calls. This has the additional advantage that
line breaks for single fields are now possible, which
will further improve handling and readability of field
values in upcoming patches.

Resolves: #97274
Related: #83943
Releases: main, 11.5, 10.4
Change-Id: I2b4c2afc98c8471bccae1afb15e055182b563ee7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74131


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

In accordance with the core code base, "libs" in
"includeJSFooterlibs" must be lowercase.

Releases: main, 11.5, 10.4
Resolves: #97251
Change-Id: I0b1d25d6f22254cf7d3747cf66ab0c7e2e611628
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74133


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Recent CKEditor4 v4.18.0 addressed several vulnerabilities:
* CVE-2022-24728 (XSS via attributes & comments)
* CVE-2022-24729 (reDoS via Dialog Plugin API)
* see https://ckeditor.com/cke4/release/CKEditor-4.18.0 for details

Mentioned known vulnerabilities are not considered relevant for the
TYPO3 backend user interface. By-passing CKEditor's XSS protection
allows to persist malicious markup in database fields, which is
mitigated during frontend rendering by typo3/html-sanitizer.

That's why this issue is handled as regular bugfix.

Executed commands:
  cd Build/
  nvm use
  yarn add ckeditor4@^4.18.0
  rm -r ../typo3/sysext/rte_ckeditor/Resources/Public/JavaScript/Contrib/
  yarn exec grunt build

Resolves: #97239
Releases: main, 11.5, 10.4
Change-Id: I3be12120c316b334e7efd237d0300e6d3cd165a8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74058


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benni Mack <benni@typo3.org>

Recent guzzlehttp/psr7 versions address vulnerability CVE-2022-24775.
Mentioned known vulnerability is not considered relevant for the
TYPO3 core. That's why this issue is handled as regular bugfix.

Commands executed:
  composer req guzzlehttp/psr7:^1.8.5
  composer req guzzlehttp/psr7:^1.8.5 \
    -d typo3/sysext/core --no-update

Resolves: #97240
Releases: main, 11.5, 10.4
Change-Id: I915b5620140912ecf1e0dc5bc887f4cc25ffb85a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74061


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

The confirmation password, required for accessing
the install tool through the backend, now uses the
autocomplete attribute to prevent password managers
from initiating a "change password" workflow.

Resolves: #92969
Releases: master, 10.4
Change-Id: I27bc81e7ebaa9684b4e15c7208841ca5e3a4338d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73998


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Resolves: #91204
Releases: 10.4
Change-Id: I68be95cc7517d505ef555ab321119f539c956603
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73858


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Simon Schaufelberger <simonschaufi+typo3@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

Change-Id: Ie878e940ba6365fd72649a25e23d26e06c0db365
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73853


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>