- Dec 18, 2013
-
-
Frans Saris authored
The ResourceStorage does not properly make use of the Indexer. As a result the indexRecord is not properly updated after a file change. This patch cleans up the ResourceStorage so it doesn't update the index properties itself but leaves that to the indexer. Resolves: #53655 Releases: 6.2 Change-Id: I249505a1bc0b93f8b3ffb0e9cb2b7f10a9a9968e Reviewed-on: https://review.typo3.org/25481 Reviewed-by: Stefan Neufeind Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
-
Markus Klein authored
ElementBrowser calls Folder::getFiles() with wrong parameters. Properly implement the file extensions filter. Resolves: #51752 Releases: 6.2, 6.1, 6.0 Change-Id: I56468c79225e2d3baa5e5784571074532e2287ad Reviewed-on: https://review.typo3.org/25359 Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
-
Markus Klein authored
If an editor has got no file mounts, an uncaught exception is shown in the element browser. Fix this by checking if there is a selected folder at all. Resolves: #52969 Releases: 6.2 Change-Id: I5f9e8cc7994edd69f6db6ae1cc647ee31e4930c6 Reviewed-on: https://review.typo3.org/25357 Reviewed-by: Stefan Neufeind Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
-
Wouter Wolters authored
A regular expression in FrontendLoginController contains an unknown modifier. Fix it by replacing the / with # at the beginning and the end of the regular expression. Change-Id: Id4d3439c1cdbec691d977570bf76ba0c7bad493c Resolves: #52059 Releases: 6.2, 6.1, 6.0 Reviewed-on: https://review.typo3.org/23881 Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
Markus Klein authored
This fixes a wrong parsing of \r\n characters for radio button options. Resolves: #53727 Releases: 6.2, 6.1, 6.0 Change-Id: I9a88be010a7dd982776bee4a98ba99d97fcc406b Reviewed-on: https://review.typo3.org/25482 Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
Markus Klein authored
ElementBrowser::isReadOnlyFolder is not required any more because the check if the folder is writable has been moved to the methods that create the file upload and folder creation forms. The method and the parts where it was used were removed. Additionally the check if the user is allowed to create folders by TSConfig was moved to the createFolder method to reduce the amount of duplicate code. Resolves: #47648 Releases: 6.2, 6.1, 6.0 Change-Id: Ic6504c8def80012cbe420fc83539cfa859a53c0d Reviewed-on: https://review.typo3.org/25358 Reviewed-by: DANIEL Rémy Tested-by: DANIEL Rémy Reviewed-by: Fabien Udriot Tested-by: Fabien Udriot Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
-
Stefan Neufeind authored
Icons in the pagetree should show cursor:pointer on hover. This changed with ExtJS-upgrade in #52933 because of x-unselectable. Since in the pagetree we need x-unselectable unfortunately manually bring back the old cursor-behaviour. Change-Id: If6fa45b0e3491d9180855a4d0a462c5fb559d476 Resolves: #54238 Releases: 6.2 Reviewed-on: https://review.typo3.org/26099 Reviewed-by: Alexander Stehlik Tested-by: Alexander Stehlik Reviewed-by: Marcin Sągol Tested-by: Marcin Sągol Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
-
- Dec 17, 2013
-
-
Stefan Neufeind authored
Change-Id: Id2dc49c9a5e5ca3ede14bc82218dd9ccdc7628ca Resolves: #54123 Releases: 6.2 Reviewed-on: https://review.typo3.org/25844 Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Xavier Perseguers Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Eric Chavaillaz authored
In the class "DefaultFactory", "fileadmin" is hardcoded. The function "getDefaultStructureDefinition" must take care of the $GLOBALS['TYPO3_CONF_VARS']['BE']['fileadminDir'] configuration variable. Resolves: #53872 Releases: 6.2 Change-Id: I17c836a58ea70d218170a33e28ca578bb50eef0b Reviewed-on: https://review.typo3.org/25640 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn Reviewed-by: Stefan Neufeind Reviewed-by: Xavier Perseguers Tested-by: Xavier Perseguers Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Wouter Wolters authored
Fix superfluous comparison against boolean in OpendocsController::checkAccess Change-Id: I0682042848f2f25856506d5949fc724853c43948 Resolves: #54052 Releases: 6.2 Reviewed-on: https://review.typo3.org/25739 Reviewed-by: Jo Hasenau Reviewed-by: Michiel Roos Tested-by: Michiel Roos Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Wouter Wolters authored
Fix superfluous comparison against boolean in DataHandler::versionizeRecord Change-Id: I345917b9eb29f3cbb39a137f624926888dec623a Resolves: #54051 Releases: 6.2 Reviewed-on: https://review.typo3.org/25738 Reviewed-by: Jo Hasenau Reviewed-by: Michiel Roos Tested-by: Michiel Roos Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Wouter Wolters authored
Fix superfluous comparison against boolean in RelationHandler::readForeignField Change-Id: I77f17dee6a14da7779dfe8e37bc73f33a3d02cb5 Resolves: #54048 Releases: 6.2 Reviewed-on: https://review.typo3.org/25735 Reviewed-by: Jo Hasenau Reviewed-by: Michiel Roos Tested-by: Michiel Roos Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Wouter Wolters authored
Fix superfluous comparison against boolean in Language::getLanguages Change-Id: Idbf4c1f234eb1c60c01ea130095759ef49ce71c0 Resolves: #54054 Releases: 6.2 Reviewed-on: https://review.typo3.org/25741 Reviewed-by: Xavier Perseguers Reviewed-by: Michiel Roos Tested-by: Michiel Roos Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Dec 16, 2013
-
-
Helmut Hummel authored
With commit 6eb7a548 performance optimized class instantiation code has been committed. This code removed the side effect of a reflection exception being thrown when a non-existing class is instantiated. Code in ContentObjectRenderer relied on this side effect, so we have to fix that and properly test if the class exists instead. Additionally this change adds some more comments to the new instantiation code that have been forgotten in the last commit. Resolves: #54425 Releases: 6.2 Change-Id: I8962434d60f80daf77ccdce7a8148e26f8fee267 Reviewed-on: https://review.typo3.org/26440 Reviewed-by: Marcin Sągol Tested-by: Marcin Sągol Reviewed-by: Markus Klein Reviewed-by: Stefan Neufeind Tested-by: Anja Leichsenring Reviewed-by: Anja Leichsenring Tested-by: Tobias Liegl Reviewed-by: Frans Saris Tested-by: Frans Saris Reviewed-by: Dmitry Dulepov Tested-by: Dmitry Dulepov Reviewed-by: Georg Ringer Tested-by: Georg Ringer
-
- Dec 14, 2013
-
-
Helmut Hummel authored
PHP reflection has quite an overhead in performance. Use a switch construct like in Flow instead to instantiate classes with up to 8 arguments without reflection. Resolves: #53682 Releases: 6.2, 6.1, 6.0 Change-Id: I82ecf0b1ea9a412a39b4429d7689f2bb6489f3df Reviewed-on: https://review.typo3.org/26363 Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe Reviewed-by: Markus Klein Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
-
Alexander Stehlik authored
This patch prevents the creation of sys_refindex entries that point to no table and no record. Additionally it fixes the array structure for the creation of sys_refindex records for sys_file relations. For deleted file references no reference will be created between sys_file and the referenced table. The configuration for the uid_foreign field was changed from a select field for tt_content records to a normal input field to prevent the creation of invalid refindex data. To which table uid_foreign is pointing depends on the tablenames field. To make sure both sides of the relation of a sys_file_reference appear in the refindex table the exclusion of sys_file_reference as foreign_table is removed. Resolves: #53712 Releases: 6.2, 6.1, 6.0 Change-Id: Ic864ade10e4e97fbd9017b9c779be68d911dd626 Reviewed-on: https://review.typo3.org/25476 Reviewed-by: Fabien Udriot Tested-by: Fabien Udriot Reviewed-by: Frans Saris Tested-by: Frans Saris Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
-
- Dec 13, 2013
-
-
Anja Leichsenring authored
In the previously merged patch are some glitches and a regression:

  - The usage (and test for existence) of deprecated functions has been removed.
  - The value passed by the old behaviour is now considered last place in the array providing the lookup paths.
  - The typo preventing usage of setLayoutPaths() has been removed.

Intended usage:

    plugin.tx_a.view.templateRootPaths {
      default = <some default path>
      extendedA = <some additional path>
    }

The array gets reversed and the first hit will be used as template. In case only numeric indices are used, the entries get ordered. See unit tests for a more specific description.

Change-Id: If4fa75347614cf9b352c6016430a928833cc62cd Resolves: #52971 Documentation: #52761 Releases: 6.2 Reviewed-on: https://review.typo3.org/24903 Reviewed-by: Alexander Stehlik Tested-by: Alexander Stehlik Reviewed-by: Marc Bastian Heinrichs Tested-by: Marc Bastian Heinrichs
-
Alexander Stehlik authored
Since the labels and values of select items are run through htmlspecialchars by the FormEngine there is no need to use htmlspecialchars in the renderTceformsSelectDropdown() method which generates the select items for the filemount Backend form. The current code will htmlencode the select value twice which results in a htmlencoded value in the database which causes problems with directory names that contain special characters. Resolves: #54027 Releases: 6.2, 6.1, 6.0 Change-Id: I7ec8262f6c3d20879cde0679636a6a8e5c1d19cd Reviewed-on: https://review.typo3.org/25770 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel Reviewed-by: Oliver Klee Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Georg Ringer authored
Due to some regressions on side of travis (https://github.com/travis-ci/travis-ci/issues/1710) an older git version is used which doesn't support things like "--single-branch". To avoid this, git is updated to latest version on the build server before starting cloning. Change-Id: Ic5f698e84f378b9fed6bd64398b8058a20be860e Resolves: #54369 Releases: 6.2 Reviewed-on: https://review.typo3.org/26366 Reviewed-by: Georg Ringer Tested-by: Georg Ringer
-
- Dec 11, 2013
-
-
Alexander Stehlik authored
To make sure calls to filesize() etc. return correct values the PHP method clearstatcache() is called in the LocalDriver after contents were written to a file. Resolves: #54302 Releases: 6.2 Change-Id: Ia30e519d17aa3cf37856096f1cdac567b5729aec Reviewed-on: https://review.typo3.org/26278 Reviewed-by: Markus Klein Reviewed-by: Frans Saris Reviewed-by: Georg Ringer Tested-by: Georg Ringer
-
- Dec 10, 2013
-
-
Anja Leichsenring authored
The second typolink parameter, that is the target, can be abused to introduce XSS code into the generated link. Escaping the parameter with quoteJSvalue solves the problem. Change-Id: Ie91b022a2ffed039fb365e6b0be2ea39f7096514 Fixes: #31206 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 484cf1aea8d3e66db547325fe4d843d50a668162 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26225 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Marcus Krause authored
Encode user-input in JavaScript context for colorpicker. Change-Id: I1121d6d20c90e476a2d0ea4f000b180e843a4ce0 Fixes: #42772 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: b6fec0611604ccdce95d4d33cd7dcae0911a5d9a Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26224 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Franz G. Jahn authored
An hmac of the editor controlled auto respond message was used to verify the correctness of this message on submit. To prevent this, we add an additional secret. Change-Id: I1551feebd4dd84abeb3fb098175384f425f605a9 Fixes: #45043 Releases: 4.5, 4.7, 6.0, 6.1, 6.2 Security-Commit: 344975268f4b9eb4ce7c664958647b9268ea03a8 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26223 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Marc Bastian Heinrichs authored
Change-Id: I88807af69635d75f1fbefc62b4672e945397fb07 Fixes: #48691 Releases: 6.2, 6.1, 6.0 Security-Commit: 715b2c58c53f0109acce8c52df08d5dffea79f49 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26222 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
It has been possible for authenticated editors to show content of arbitrary tables and fields that are defined in TCA by manipulating GET parameters of the forms and table wizard. This change adds a check if the editor has access to the given record. Change-Id: I8e27e5ffbccf148d951b50b21d9e15cc8e317442 Fixes: #41714 Releases: 4.5, 4.7, 6.0, 6.1, 6.2 Security-Commit: 52d4e3eced81639820db6d75f3d65d14c5234072 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26221 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Helmut Hummel authored
The eID script of the openid extension does not validate the given redirect url, leading to an open redirection vulnerability. Add and verify hmac of the redirect url. Change-Id: I0d65390b61dd5cf92151d36e490a194624b98b8f Fixes: #54099 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 5c6a45c0f843a93ab048a3df4bb352b8e02099b2 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26220 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Anja Leichsenring authored
Usage of unverified input parameters in wizard URL leads to a possible XSS vulnerability in backend_layout wizard. The solution is the introduction of a hmac validation of the parameters used in JavaScript. Change-Id: I48f89309fc062d132e283d4fd9179ccbfdcfda4c Fixes: #36768 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: a3ac48f5d66c566d241295d87cc8d7eb4d10c274 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26219 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Anja Leichsenring authored
The tree Display/* ViewHelpers introduce a XSS vulnerability by using unescaped parameters in HTML. Change-Id: I0dadb03105d3eaa520f10f0375a46c83fa56c269 Fixes: #47086 Releases: 6.2, 6.1, 6.0 Security-Commit: 1e0f51f204efd9efacec8aef8ea08e2a8122177b Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26218 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Anja Leichsenring authored
As parameters passed to an ErrorObject can be user input, the output of those parameters in the ActionController::errorAction() method could lead to a cross-site scripting possibility. The offending output has been removed without substitution. Change-Id: I01385c54bb384a86fc6428f67171e7010b821cc2 Fixes: #54074 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: ec947ba22bd673827899c5e82857b293dff8b4b0 Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26217 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
Steffen Ritter authored
If the TCEforms wizard "add" is used, the original opened document is closed and a new one is created in which you then add a new element to be related. In order to "store" the originating document which has been edited, the Wizard/AddController and EditDocumentController exchange state data in a URL parameter. This state-array is serialized in the EditDocumentController and again unserialized in the Wizard/AddController from that GET parameter. Without any checks, every code can be injected to be unserialized here - even though we just need an array with some data. This patch changes serialize/unserialize to json_encode and json_decode. Since the GET parameter only is used in conjunction of these two classes it is safe to change the format how the URL parameters are serialized. Change-Id: I3b41bd0a688f067af2ea4a345ce0264f61bdecf7 Fixes: #54073 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 7148349140f9c8ccb6d847ef58cf1e032711315b Security-Bulletin: TYPO3-CORE-SA-2013-004 Reviewed-on: https://review.typo3.org/26216 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- Dec 08, 2013
-
-
Anja Leichsenring authored
This reverts commit 8e022bcb. Merged a Feature after Feature Freeze is not acceptable. Sorry. Patch is pushed new but will not be available in 6.2. Change-Id: I39baa58c70b0e942d01c1c37bbf793b873db385d Reviewed-on: https://review.typo3.org/26055 Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring
-
Jan Kiesewetter authored
In order to provide the full functionality known from the switch/case PHP function, a default case possibility is introduced. Use it like:

    <f:switch expression="{person.gender}">
      <f:case value="female">Mrs.</f:case>
      <f:case value="male">Mr.</f:case>
      <f:case default="TRUE">Mrs. or Mr.</f:case>
    </f:switch>

Resolves: #49371 Documentation: #54283 Change-Id: I6b71ec39173ab957aa392bd595a65ceddadc81c9 Releases: 6.2 Reviewed-on: https://review.typo3.org/23739 Reviewed-by: Cedric Ziel Tested-by: Cedric Ziel Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring
-
Xavier Perseguers authored
The filemetadata extension adds additional fields to the sys_file_metadata table. The field creator_tool is defined in SQL and TCA, but not added to any palette or tab. This patch adds the field to the palette with related authoring information. Releases: 6.2 Fixes: #54259 Change-Id: I9e3c3af618b04ddde1c96b3dcb1e4cdf209f6eec Reviewed-on: https://review.typo3.org/25993 Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
-
- Dec 07, 2013
-
-
Steffen Ritter authored
The Context-Menu of files misses the editing pen allowing to directly edit the metadata of the file. Currently it only shows the edit-content possibility in case it is a text file. This patch adds the missing option. Resolves: #52835 Releases: 6.2 Change-Id: I869d8a57d2cacc04455df5189b5cc7af02c2e9cf Reviewed-on: https://review.typo3.org/25811 Reviewed-by: Steffen Müller Tested-by: Steffen Müller Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
-
- Dec 06, 2013
-
-
Steffen Ritter authored
When the file list has been reworked to use FAL instead of plain PHP file functions the feature to go one level up has been removed accidentally. This patch reintroduces the original behaviour known from TYPO3 CMS 4.x. Releases: 6.2 Resolves: #51866 Change-Id: Iad334c90d575f2b2f3b47af71e23c721edd76e1e Reviewed-on: https://review.typo3.org/25812 Reviewed-by: Xavier Perseguers Tested-by: Xavier Perseguers Reviewed-by: Steffen Müller Tested-by: Steffen Müller
-
Wouter Wolters authored
Fix superfluous comparison against boolean in CronCommand::dayMatchesCronCommand Change-Id: Ia1d852ffbbc772dd89587d304b1234e11e372d2d Resolves: #54050 Releases: 6.2 Reviewed-on: https://review.typo3.org/25737 Reviewed-by: Xavier Perseguers Tested-by: Xavier Perseguers Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Dec 04, 2013
-
-
Claus Due authored
When using aliased ViewHelper class names and old Tx_ namespace in template and ViewHelper uses closing tag (not self-closing) an error is thrown, saying closing tag ViewHelper is not the same as opening tag ViewHelper (closing tag uses old class name, opening tag uses new). To solve, TemplateParser now checks if resolved ViewHelper class names are aliases of other classes and if so, uses the real class name instead of the alias.

Steps to reproduce error:

  * template namespace: {namespace myext=Tx_Myext_ViewHelpers}
  * template code: <myext:vh>test</myext:vh>
  * namespaced VH class: \Myext\ViewHelpers\VhViewHelper
  * ClassAliasMap: Tx_Myext_ViewHelpers_VhViewHelper -> \Mext\ViewHelpers\VhViewHelper
  * framework: render template using any View

Error 1224485398 "closing tag does not match opening tag" thrown.

Steps taken to fix error:

  * run constructed class name through alias resolve method.

Fixes: #54115 Releases: 6.2, 6.1, 6.0 Change-Id: I070b6199095ec84c7213cfc0c3775f5f08340840 Reviewed-on: https://review.typo3.org/25814 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
- Dec 02, 2013
-
-
Stefan Neufeind authored
Since the Release of Microsoft IE 11 there is no "MSIE" hint in its user agent header anymore. Therefore the existing patterns fail and the browser is detected as unknown browser. TYPO3 deactivates several features for unknown browser. As a result f.e. the RTE does not load. This change adds special treatment for IE11+ by introducing an additional regular expression matching the new user agent format and looking for the Trident engine to be present. In addition unit tests for common IE 9-11 user agents are added. Change-Id: I389f344a498ac77f3e6445656dd125fd5d236a98 Resolves: #54124 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Reviewed-on: https://review.typo3.org/25848 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel Reviewed-by: Markus Klein Tested-by: Markus Klein
-
Stefan Neufeind authored
Needed to work around a login-problem with IE11. ExtJS tries to clear a cookie with different settings than when setting the cookie. In IE11 this leads to problems with the cookie being set twice on the next call to set(). The get() however would return the first (empty) cookie. Using set() with a date in the past also clears the cookie but will correctly use the same path-settings. Change-Id: Ieff22129895cd89ca2e1429703daf1636596ecb6 Resolves: #53818 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Reviewed-on: https://review.typo3.org/25852 Reviewed-by: Henrik Ziegenhain Tested-by: Henrik Ziegenhain Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Steffen Ritter Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- Dec 01, 2013
-
-
Markus Klein authored
The defaultTypoScript_setup has a different configuration than defaultTypoScript_constants. Make them equal. Resolves: #53852 Releases: 6.2 Change-Id: Ide8be9b4653ed17e3a0ee7a0222bd384a986b3ce Reviewed-on: https://review.typo3.org/25634 Reviewed-by: Wouter Wolters Reviewed-by: Philipp Gampe Tested-by: Philipp Gampe Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-