- Jun 26, 2019
-
-
Benni Mack authored
There are some leftovers where PseudoSite is mentioned. Since TYPO3 v10.0 is built on Site Handling completely, this logic is removed. Resolves: #88625 Releases: master Change-Id: I9f3b3a6c9a4bf29c2b509246c02d64aa5f536b4e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61123 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Daniel Gorges <daniel.gorges@b13.de> Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
-
Benni Mack authored
Checking if cHash matches any GET parameters can be done without $TSFE->cHash_array and $TSFE->hash as all data is built inside PageArguments already. However, $TSFE->cHash_array is still necessary and filled as before when ->setPageArguments() is called. This is a precursor to re-structure the dependencies within TSFE and PSR-15 middlewares. Resolves: #88460 Releases: master Change-Id: I43c2fdc1049d451b3fc9bc06a57b744703a7a323 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60841 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
-
Benni Mack authored
Modules which do not set a proper route path themselves now have a different route path, basically "/module/file/list" for example, whereas there is a proper prefix with "/module/" and no trailing slash anymore. It is still possible to build links to the route paths, and resolve them properly. The "old" route paths will stop working in TYPO3 v11.0. Resolves: #82669 Releases: master Change-Id: If976df458e87b1199933cf1c42c5d3d8ff2407ba Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60433 Tested-by:
Susanne Moog <look@susi.dev> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
Benni Mack authored
The introduction of the Session Framework API in v8 introduced generators for fetching authentication service objects within `AbstractUserAuthentication`. Some places were however forgotten, which can safely replaced with the `$this->getAuthServices()` method. Resolves: #88594 Releases: master Change-Id: I987150be574232b549340f4766bb963baa17fd60 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61095 Tested-by:
Alexander Schnitzler <review.typo3.org@alexanderschnitzler.de> Tested-by:
-
- Jun 25, 2019
-
-
Oliver Hader authored
Serialized values in l18n_diffsource are vulnerable to insecure deserialization when being invoked in FormEngine or DataHandler. Resolves: #88323 Releases: master, 9.5, 8.7 Security-Commit: 215de3e52140dc69ccb0e5802ab4234922b1aa63 Security-Bulletin: TYPO3-CORE-SA-2019-020 Change-Id: I03704b35d94e2575e9231656977f3760e6f04e2b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61146 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Oliver Hader authored
Fields `TSconfig` and `tsconfig_includes` of table `pages` can be misused by restricted users to contain malicious instructions and lead to cross-site scripting as well as arbitrary code execution. Since user input cannot be sanitized properly, the field is now available for admin users only. In addition directory traversal in TSconfig static includes has been mitigated. Resolves: #88565 Releases: master, 9.5, 8.7 Security-Commit: b4ab9cd1f0539b3af675b94aa01d26e5c4b3a1d9 Security-Bulletin: TYPO3-CORE-SA-2019-019 Change-Id: I712364fde6a76ad761a0b738756cb151dc5c22e1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61145 Tested-by:
-
Oliver Hader authored
When frontend users logged out their session data (e.g. shopping cart) was transfered into an anonymous session. This session could have been reused by a different user working with the very same browser. In order to enhance security aspects on this topic session data is purged when an according frontend user is logging out. Since this might be breaking for some scenarios a new feature toggle has been introduced which allows to keep the previous behavior: boolean 'security.frontend.keepSessionDataOnLogout' in $GLOBALS['TYPO3_CONF_VARS']['SYS']['features'] Resolves: #88139 Releases: master, 9.5, 8.7 Security-Commit: 89c45f80388f24f08f827c474daa5ab8fda63da2 Security-Bulletin: TYPO3-CORE-SA-2019-018 Change-Id: I869f3bee7c6bf6e2ae51bcd86273b6abc15f09c5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61144 Tested-by:
-
Oliver Hader authored
Due to an incomplete condition it was possible for regular backend users to make use of the import module - which only would be accessible to admin users or to those users have User TSconfig `options.impexp.enableImportForNonAdminUser` enabled. Resolves: #88284 Releases: master, 9.5 Security-Commit: a3ca05df1e9e9269b45daf9dd79517df9d202604 Security-Bulletin: TYPO3-CORE-SA-2019-017 Change-Id: I9ac9a026d5715f9c03eda37f0ef84178640b2f1d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61143 Tested-by:
-
Benni Mack authored
The symfony/cache component is not directly used by the core but is a dependency of symfony/expression-language which is used in the core. The affected symfony/cache packages have been marked as "conflict" in the composer.json. See https://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized Resolves: #88215 Releases: master, 9.5 Security-Commit: d13c36e9e9951030a0787c63674634a52ff0aae3 Security-Bulletin: TYPO3-CORE-SA-2019-016 Change-Id: If98391ceef88561507d0095d26455a8da128f01e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61142 Tested-by:
-
Oliver Hader authored
URLs defined using TYPO3's internal t3://url/?url=... notation are now hardened against using `javascript:` and`data:` URL schemes. Resolves: #88476 Releases: master, 9.5, 8.7 Security-Commit: 1a873c662524a62b192661da45d27e223e517d18 Security-Bulletin: TYPO3-CORE-SA-2019-015 Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141 Tested-by:
-
Andreas Fernandez authored
The ElementInformationController now checks a backend user has sufficient permissions to see each referenced record. Resolves: #88317 Releases: master, 9.5, 8.7 Security-Commit: 4322d6b827c09b98b35ab4ef47753e9c20f7f117 Security-Bulletin: TYPO3-CORE-SA-2019-014 Change-Id: I49d077e5628465111b4460dd3cb673182d09eaa0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61140 Tested-by:
-
Benni Mack authored
The functionality to set a custom TCEMAIN.previewDomain via PageTS is not in use anymore as SiteHandling is using the proper domain anyway already. Conceptually this does not work anymore, as the base (domain + path prefix) determines Language + Site / PageTree entry point. Setting this to something else via TCEMAIN.previewDomain would not work anyways, so this hack is removed, as we now can safely determine the full (speaking) URL with Site Handling. In addition, the method BackendUtility::getViewDomain() is now deprecated. Resolves: #88499 Releases: master Change-Id: Id88c16e2e86ccce8a2e7be02af0e2a39802624c0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60773 Tested-by:
-
- Jun 24, 2019
-
-
Alexander Schnitzler authored
In order to have a meaningful class doc block for the BitSet class, the former doc block has been replaced with an explanation of how to use the BitSet class. The explanation is similar to the one in the rst file which has been introduced along the class. Releases: master Resolves: #88611 Releates: #88596 Change-Id: Ie6c5043a38db612f050438123ab9cd12d8030e9c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61100 Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Björn Jacob <bjoern.jacob@tritum.de> Reviewed-by:
Alexander Schnitzler <typo3@alexanderschnitzler.de> Tested-by:
-
Benni Mack authored
The configuration within `sys_preview` contained the Backend User ID. Previously, until TYPO3 v9, this was used to simulate a backend user with his/her permissions, however this was changed with the introduction of Middlewares and a custom PreviewUserAuthentication object. This information does not need to be stored, as it hasn't been evaluated anymore anyways. Resolves: #88601 Releases: master Change-Id: I2b3c4979f38a3c1343a0f5bff3c2bd762affc0e1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61108 Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Tested-by:
-
Joerg Kummer authored
Correct closing tag in PHP comment example. Resolves: #88619 Releases: master, 9.5 Change-Id: Ic90351399eccc4435231bbd4ccbc74c33727d70c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61120 Tested-by:
Daniel Siepmann <daniel.siepmann@typo3.org> Tested-by:
-
- Jun 21, 2019
-
-
Alexander Schnitzler authored
The BitSet class has been put into a DataStructure namespace although the core puts classes of these kind into a Type namespace. Therefore, the class has been moved. Releases: master Resolves: #88596 Change-Id: I18385a5c761e002f36bc33dcaeeb26ce7f6d187e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61098 Reviewed-by:
Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by:
-
Daniel Siepmann authored
As this is what its called. This also should make searches easier, as there is only one way to write it. Relates: #88600 Releases: master, 9.5 Change-Id: Ib6fcd4402b4a34aeaf0735a40788a18a324587dd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61103 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
Tom Warwick <tom.warwick@typo3.org> Tested-by:
Claus Due <claus@phpmind.net> Reviewed-by:
-
Helmut Hummel authored
By concept for frontend rendering the page title and meta tags are not meant to be stored in page cache in order to allow non cachable plugins to modify those. Currently both page title and meta tags are stored in separate cache entries, which violates the concept above and unnecessarily tightly couples those code parts to the TypoScriptFrontendController and internal logic of it. This patch removes these caches. In order to properly handle the uncached rendering state, we make sure the meta tag registry is properly serialized with all managers. Resolves: #88179 Releases: master, 9.5 Change-Id: If5200398bf9ab9db09ab97403c976d82cb33d01d Signed-off-by:
Frank Naegler <frank.naegler@typo3.org> Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60520 Tested-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
Richard Haeser <richard@maxserv.com> Reviewed-by:
-
Susanne Moog authored
Some tests still use hardcoded 'typo3temp' for creating files and folders. Where possible, this has been changed to use varPath from Environment class instead. Resolves: #88551 Releases: master Change-Id: I2d9a8edfb3fb33cc8f86f8e487603d0c72ef3ff0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60946 Tested-by:
-
Benni Mack authored
In preparation for our next maintenance release, symfony components are updated to their latest versions. Composer Command: composer update symfony/* --with-all-dependencies Resolves: #88595 Releases: master, 9.5 Change-Id: Ib380cbe7fec57488bf0ca10328486bc9c5fcbd5c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61096 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
-
- Jun 19, 2019
-
-
Oliver Hader authored
With #88366 "cache_" prefix has been deprecated. However, when retrieving a deprecated cache like "cache_subject" its identifier gets transformed to just "subject" which is (probably) not available in cache configuration keys. That's why keys of cache configurations have to be transformed as well. Resolves: #88512 Releases: master Change-Id: I224d55e71011a437ed2e990d13b1edbee08770b7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60892 Tested-by:
-
Benni Mack authored
Profiling shows that when linking to 100 pages, SiteFinder (which instantiates SiteConfiguration) is instantiated 100 times. Although SiteFinder information might change during one request, the SiteConfiguration does not (except when updating the Configuration via API). So, a first-level-cache can be used to avoid calls to "cache_core" multiple times during one request, and SiteConfiguration can become a Singleton instance. Resolves: #88577 Releases: master, 9.5 Change-Id: I3d9167da9442d684d32a73d6cf2003c91bdf4d68 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61078 Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
-
Devid Messner authored
Resolves: #87147 Releases: master, 9.5 Change-Id: Ia909104bc663d4191f21cb1bf0e25c0212388e2f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/59133 Tested-by:
-
Benni Mack authored
This change removes the "TCEforms" option when parsing FlexForms data in DataHandler, when dealing with FlexForms that contain sheets. This way, FlexForms RTE configuration is properly set and no double spacings for linebreaks are used. According to the issue, this only happened when fields specifically within sheets are configured, for fields without sheets, this has been working already. In order to ensure both cases are working, tests are applied for both variants. Resolves: #80778 Resolves: #81748 Releases: master, 9.5, 8.7 Change-Id: I38facfa9e1065d4730f895aa178a049c07c443f8 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60902 Tested-by:
Jan Kornblum <jan.kornblum@gmx.de> Tested-by:
-
- Jun 18, 2019
-
-
Andreas Fernandez authored
All modules of the Install Tool used in modal windows now share a common abstract class that contains some boilerplate code required for most modules. Resolves: #88518 Releases: master Change-Id: I0c2f03f098c731e5a0c499ce91400c22a8c1f890 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60897 Tested-by:
Jonas Eberle <flightvision@googlemail.com> Tested-by:
Simon Gilli <typo3@gilbertsoft.org> Reviewed-by:
-
Susanne Moog authored
composer require --dev typo3/testing-framework:~5.0.10 Releases: master Resolves: #88580 Change-Id: I1dcef11cee0caa730463919146b3732d7838e683 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61081 Tested-by:
-
Manuel Selbach authored
doctrine/dbal 2.8.x ran into unmaintained mode: https://www.doctrine-project.org/projects/dbal.html We should upgrade to at least 2.9: composer req doctrine/dbal:^2.9 Resolves: #88579 Releases: master Change-Id: I18962bd313018abec8e52bada6df9aca6aa4143f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61080 Tested-by:
-
Sybille Peters authored
Resolves: #88578 Releases: master, 9.5 Change-Id: I5fc57a9c61d5f02838f3afd3c305ae0b7b037dfc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61079 Tested-by:
Joerg Kummer <typo3@enobe.de> Reviewed-by:
-
Benjamin Franzke authored
As it produced a warning: 1) TYPO3\CMS\Frontend\Tests\Unit\DataProcessing\SiteProcessorTest:: nullIsProvidedIfSiteCouldNotBeRetrieved Trying to configure method "getSiteFinder" which cannot be configured because it does not exist, has not been specified, is final, or is static Resolves: #88576 Related: #88568 Releases: master Change-Id: Icf72100282ce24c87b6bb9f49fc978b6187a817e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61074 Tested-by:
-
- Jun 17, 2019
-
-
Jonas Eberle authored
Rephrases button title and success message for user preference reset. Resolves: #88520 Releases: master, 9.5 Change-Id: Ib2d3180a417366249df8fa9c1faa47c74cca022a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61040 Tested-by:
Tymoteusz Motylewski <t.motylewski@gmail.com> Reviewed-by:
-
Manuel Selbach authored
doctrine/dbal 2.8.x ran into unmaintained mode: https://www.doctrine-project.org/projects/dbal.html We should upgrade to at least 2.9: composer req doctrine/dbal:^2.8.1 which installs 2.9.2 Resolves: #88553 Releases: master, 9.5 Change-Id: Id0c20cbb3102b5086e1c4d9dcef1b32fed67db7d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60994 Tested-by:
Manuel Selbach <manuel_selbach@yahoo.de> Reviewed-by:
-
Benni Mack authored
Locales resolves the user-defined TYPO3-languages and its dependencies via TYPO3_CONF_VARS, which are only finally available when all extensions' ext_localconf.php is included. For this reason, Locales::initialize() can be deprecated and moved into the regular constructor, but then the Bootstrap should not do the initialization anymore, which happens at the point now, when Locales first gets initialized (which happens in Frontend within TSFE and PageRenderer and in Backend within $LANG). For this reason, it is removed from Bootstrap, where it was first placed in TYPO3 4.6 when no proper bootstrap set up was given. Resolves: #88569 Releases: master Change-Id: Ife2e248412c1b206abffcdd21df0d01e44834cea Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61046 Tested-by:
-
Benni Mack authored
SiteMatcher is a container around SiteFinder now as PseudoSite handling was removed, so SiteFinder can be used directly. Resolves: #88568 Releases: master Change-Id: Ib0f5a42351ed5c11c25458b74074b80f5c574bbd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61043 Tested-by:
-
Alexander Schnitzler authored
This patch removes the automatical registration of two types of validators. - model validators - type validators Model validators are those validators that follow a specific namespace and class naming derived from domain models. Given a model \Vendor\Extension\Domain\Model\Foo, extbase searched for a valiator \Vendor\Extension\Domain\Validator\FooValidator. If it existed, it had been registered automatically and could not be disabled at all. Type validators are similiar to model validators. Given a non model action parameter or model property like int, string, float, DateTime and such, extbase searched for validators in the namespace TYPO3\CMS\Extbase\Validation\Validator. There is a TYPO3\CMS\Extbase\Validation\Validator\StringValidator for example which had been registered for string type params and properties. Said validators could not be disabled at all. There are several reasons why the automatic registration has been removed: - First of all, this behaviour led to an unknown amount of actual registered validators. Developers that are new or simply not familiar with the concept of validation magic could easily become frustrated. - Then there is the problem that validation takes place, no matter if it was needed or wanted. A domain validator, which looked quite handy in the first place, had to be reduced to the validation logic that would fit all cases where according objects had been passed into methods. No matter the context. The context however matters a lot. One might want to have different validation rules depending on if objects are created, updated or deleted. This distinction was impossible and therefore model validators could be a burden. - Last but not least, the automatic registration is a problem when introducing validation groups. Validation groups cover the context aspect mentioned earlier. By grouping validations one can create and register different validators and apply them given by contexts like create, update, delete and such. Releases: master Resolves: #87957 Change-Id: If8f590a1bedb428c8884cd61828d8cc671ee92e1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60298 Tested-by:
Stefan Froemken <froemken@gmail.com> Tested-by:
-
Susanne Moog authored
Some unit tests still have problems on Windows. - setlocale will not error even if the locale is not found - file permissions don't work the same as the unix style version - absolute paths do not start with a slash - files from finder may contain mixed slashes - generating different hash values when used as key Tests have either been adjusted to accomodate the differing behaviour or skipped if appropriate. Resolves: #88552 Releases: master Change-Id: I32344c2a0a0797db087a3ccad45d3b626715ab77 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60945 Tested-by:
Benjamin Kott <benjamin.kott@outlook.com> Tested-by:
-
Benni Mack authored
When parsing TypoScript, PageTSconfig and UserTSconfig is taking into account for evaluting if "TSFE.constants" is set in PageTSconfig. If this is used, this acts as a default constant. However, this feature has various drawbacks, and has been superseded by actually having constants globally (FE/BE) and via Conditions available. For frontend calls with empty pagesection caches, this improves performance greatly, especially in pages on a deeper level (recursion). This also reduces the footprint to have the TypoScriptParser (incl. condition matching) being called too often. Resolves: #88564 Releases: master Change-Id: Icbdfa9918a9a79510a87198bf033c4de96d71107 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61034 Tested-by:
Georg Ringer <georg.ringer@gmail.com> Tested-by:
-
- Jun 14, 2019
-
-
Georg Ringer authored
The following methods of `\TYPO3\CMS\Core\Utility\VersionNumberUtility` are unused and can be deprecated: - `splitVersionRange` - `raiseVersionNumber` - `convertIntegerToVersionNumber` Resolves: #88554 Releases: master Change-Id: I28378a39d7cae4d2ae09cfb6a85c5d294565a2f7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60997 Tested-by:
-
Benni Mack authored
There are a lot of places where AbstractUserAuthentication and the dependents (BE/FE user auth) set various settings, both in the constructor and the start() method. All possible settings are now moved to the constructor, or to dependent properties in subclasses. Some changes are now in place: - UserAuth->loginType must be set now (which was previously in start()). This is now checked in the constructor. - Most of the variables (sessionTimeout/sessionDateLifetime) are now set and evaluated inside the constructor, making start() much simpler to understand and read. Resolves: #88527 Releases: master Change-Id: Ie03b8b93f869f5bafae8f660d6c983bec308f2fa Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60875 Reviewed-by:
-
Andreas Fernandez authored
Resolves: #88262 Resolves: #85346 Releases: master, 9.5 Change-Id: Ia72ef1b670841d90ec0251c99b7f4d3dc1e7770a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60900 Tested-by:
Riccardo De Contardi <erredeco@gmail.com> Tested-by:
Sven Juergens <typo3@blue-side.de> Tested-by:
-
Benni Mack authored
Introduced with https://review.typo3.org/c/Packages/TYPO3.CMS/+/60895 cHash's that are used within the URL but not needed anymore, should rather create a redirect instead of silently unsetting the cHash argument. Related: #41033 Resolves: #88531 Releases: master, 9.5 Change-Id: Iaae3e72160c055f8848942d506f7cc3e25d31af4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60905 Tested-by:
Nicole Cordes <typo3@cordes.co> Tested-by:
-
