- Sep 13, 2022
-
-
Oliver Hader authored
see https://github.com/TYPO3/html-sanitizer/releases/tag/v2.0.16 composer req masterminds/html5:^2.7.6 typo3/html-sanitizer:^2.0.16 composer req masterminds/html5:^2.7.6 typo3/html-sanitizer:^2.0.16 \ -d typo3/sysext/core --no-update Resolves: #98340 Releases: main, 11.5, 10.4 Change-Id: I254ea25410e01f7610b0c4ef8b83441ab216f1ca Security-Bulletin: TYPO3-CORE-SA-2022-011 Security-References: CVE-2022-36020 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75714 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
Oliver Hader authored
Variables in child nodes like `<f:asset.css>{value}</f:asset.css>` were not encoded and allow cross-site scripting. In case values shall be taken as is, corresponding `f:format.raw` instruction has to be used. Resolves: #97900 Releases: main, 11.5, 10.4 Change-Id: Id843a41c42bbe1f74cdc4efbc117b24d20026b97 Security-Bulletin: TYPO3-CORE-SA-2022-010 Security-References: CVE-2022-36108 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75713 Tested-by: -
Oliver Hader authored
FileDumpController is used to expose stored files from the backend user interface through a corresponding service-side process. Since content-security-policy settings for files served directly by the web server won't be applied, FileDumpController has to take care. Resolves: #98221 Releases: main, 11.5, 10.4 Change-Id: I4fde10e48e33fa08452eddf876172f56b4f38e28 Security-Bulletin: TYPO3-CORE-SA-2022-009 Security-References: CVE-2022-36107 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75712 Tested-by:
-
Torben Hansen authored
When a TYPO3 backend user performs a password reset request, a password reset link including an expiration time is sent to the user. The expiration time is included in HMAC calculation of the saved password reset hash, but it is never evaluated if the expiration time is exceeded. This change adds the missing validity check for the expiration time included in the password reset link. Resolves: #97998 Releases: main, 11.5, 10.4 Change-Id: I8a1730faf6489e5c5eebb44ff4f82606785bd637 Security-Bulletin: TYPO3-CORE-SA-2022-008 Security-References: CVE-2022-36106 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75711 Tested-by:
-
Oliver Hader authored
Observing response time during user authentication can be used to distinguish between existing and non-existing user accounts. This change introduces `MimicServiceInterface::mimicAuthUser` - to be implemented by 3rd party authentication services - which simulates corresponding times regular processing would usually take. Resolves: #98217 Releases: main, 11.5, 10.4 Change-Id: I143ae0d3877dffe6f2decbb3f0cf8c9d9cb6ca0b Security-Bulletin: TYPO3-CORE-SA-2022-007 Security-References: CVE-2022-36105 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75710 Tested-by:
-
Oliver Hader authored
This fixes TYPO3-CORE-SA-2021-005 again, which accidentally had been removed during TYPO3 v11 development. An inaccessible error page amplified potential denial-of-service scenarios. Resolves: #97818 Releases: main, 11.5 Change-Id: Ia9c666731f70db5e0a60572cd008f1d0c541af37 Security-Bulletin: TYPO3-CORE-SA-2022-006 Security-References: CVE-2022-36104 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75709 Tested-by:
-
Oliver Hader authored
This change addresses several "undefined array key" issues that have been identified by PsalmPHP (see issue #98321). Resolves: #98325 Releases: main, 11.5 Change-Id: I340f49059677c05348a3d4fedc2aa4ed0aca843b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75703 Tested-by:
core-ci <typo3@b13.com> Tested-by:
Oliver Bartsch <bo@cedev.de> Reviewed-by:
-
Oliver Hader authored
The changes applied for issue #93887 introduced a bunch of regressions, which were partially addressed. However, there are still much more issues related to cache handling that have been introduced by mentioned change. #97977: This reverts commit f8fa1be3 #98023: This reverts commit 8129d55e #93887: This reverts commit 9f933f2c Resolves: #98336 Reverts: #97977 Reverts: #98023 Reverts: #93887 Releases: main, 11.5 Change-Id: I731069b7d2485bf1bd94e78ebe3e9500d2a752ea Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75695 Tested-by:
Elias Häußler <e.haeussler@familie-redlich.de> Tested-by:
-
Stefan Bürk authored
With #98331 friendsofphp/php-cs-fixer has been raised in v11. However, pre-merge ci only scans for cgl in changed php files. Thus no scan has been run on all php files and cgl violations were not detected. Nightly revealed them. This change runs cgl fix on all files to align them to the current rules and style. Used commands: > Build/Scripts/runTests.sh -s cgl Resolves: #98338 Related: #98331 Releases: 11.5 Change-Id: I98863b7bc28ea4e751a0b69f65eb4589db97b844 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75698 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
Stefan Bürk <stefan@buerk.tech> Reviewed-by:
-
- Sep 12, 2022
-
-
Oliver Hader authored
To avoid divergent code-style results among other Git branches, package friendsofphp/php-cs-fixer is upgraded to version 3.9.5. Resolves: #98331 Releases: 11.5 Change-Id: I9cac87b225b816dc5c4a943ef4a90827a164496c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75691 Tested-by:
Christian Kuhn <lolli@schwarzbu.ch> Tested-by:
-
- Sep 09, 2022
-
-
Andreas Fernandez authored
Resolves: #98306 Releases: 11.5 Change-Id: I7a5ec64e330a6a779abb5ed95eb6c70acb221785 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75670 Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
linawolf authored
Fixed the display of pseudocode to simple rest as these get displayed in TYPO3 Explained. This resolves rendering warnings and incorrect code display Releases: main, 11.5 Resolves: #98305 Change-Id: Iafe32a55722ee0ad475f0f4b562aef548e47a7be Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75639 Tested-by:
Lina Wolf <112@linawolf.de> Reviewed-by:
-
- Sep 08, 2022
-
-
Georg Ringer authored
Avoid mistakes, especially by copy & paste, and trim the given data before closing the modal and delegating the data. Resolves: #98220 Releases: main, 11.5 Change-Id: Ie1a5670653fc28e16c54e1b7b1d1452a1e4f1917 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75666 Tested-by:
-
Andreas Fernandez authored
If a backend user switches pages in the list module right after the clipboard is being loaded, the error message "An error occurred while fetching clipboard data" may arise as a "global" notification which is technically correct but confuses users. To relax the situation, the error message is now rendered as a regular alert box where the clipboard is expected to be and only if there is a real error. Resolves: #98242 Releases: main, 11.5 Change-Id: Ia1fddba64ac459601789aa7f68151840ddeadb3c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75665 Tested-by:
-
- Sep 07, 2022
-
-
Stephan Großberndt authored
README.md and CONTRIBUTING.md use the current repository links with this change. The change also includes several minor edits. Resolves: #98260 Releases: main, 11.5, 10.4 Change-Id: I77d4741df4134ae0babec2415cd8f5345592e29e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75633 Tested-by:
Stephan Großberndt <stephan.grossberndt@typo3.org> Reviewed-by:
-
Oliver Bartsch authored
When changing the doktype of a page in the "create multiple pages" wizard, the corresponding icon does now correctly update by using the correct data attribute name again. Resolves: #98279 Releases: main, 11.5 Change-Id: Iaba7517e0486c42ce61aeadfe3ce478a27208114 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75637 Tested-by:
-
Andreas Fernandez authored
Resolves: #98273 Releases: main, 11.5 Change-Id: I521d855fb4dc8fbafb302de16f8d446abfb4d9e1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75636 Tested-by:
-
- Sep 06, 2022
-
-
Stefan Bürk authored
With PHP8.2 setting dynamic properties has been deprecated. This is also valid if it is set through unserialization and emits a deprecation warning. Thus this fails hard in tests. Thus one test fails, which is expclicitly testing unserialization with invalid dynamic class properties. This change moves the test to unitDeprecated tests, which will not fail on deprecation warnings. This acts pre-patch to update PHP8.2 testing to `PHP8.2.0 RC1`. Resolves: #98266 Releases: main, 11.5 Change-Id: I7bf87b0ade906727f6222d31a1b735f452717138 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75632 Tested-by:
-
Andreas Fernandez authored
The FormEngine review module broke with the introduction of Bootstrap 5 due to changed API of its Popover module. Our internal Popover wrapper is now used to render the list of failed fields again. This also introduces another bugfix in the Popover wrapper which updates the Popover's content once it was rendered already. Additionally, a nasty workaround is added: previously, the field id was stored as a data attribute to the list item in the validation list. Somewhere in the Popover > Bootstrap > PopperJS handling, those custom data attributes are removed before rendering the HTML. To circumvent this issue, the field is now added as last element in the `classList` DOMTokenList for later use. Resolves: #94774 Releases: main, 11.5 Change-Id: I00d8196102f08548c8ec3433c1d0f0c8c7f05d04 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75612 Tested-by:
-
- Sep 05, 2022
-
-
Andreas Fernandez authored
The check for `inData.action` didn't work anymore for a long time as `action` is not set in the controllers anymore. To check if we're in the export view, the existing check for `import.mode` is re-used instead. Resolves: #98258 Releases: main, 11.5 Change-Id: I7ce3e572d2fe90ded1f6d100461c616b0b768e5f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75604 Tested-by:
-
Josef Glatz authored
All values are default values except the redirectTTL value. Releases: main, 11.5, 10.4 Resolves: #98238 Change-Id: Ifef0b35445828aa4b82084b5a4216174b9ad3e89 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75576 Tested-by:
-
- Sep 02, 2022
-
-
Stefan Bürk authored
PHPStan fails with composer max installation due changes in the detection. Raising the version to corresponding version leads to abnormal performance decrease. Thus not an option we can use. This change pins phpstan to a fixed version to avoid failing nightlies until the performance issue in the PHPStan tool has been fixed. See: https://github.com/phpstan/phpstan/issues/7903 Used commands: > composer req --dev "phpstan/phpstan":"1.8.2" Resolves: #98253 Releases: main, 11.5 Change-Id: I38a31b87c36b9ae4c5915422dd3f09a6fca38b57 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75601 Tested-by:
-
Stefan Bürk authored
PHP8.1 introduced native return types to native methods and interfaces, which crashes if they are not compatible. As a workaround the introduced `#[\ReturnTypeWillChange]` attribute can be used to mitigate this, which has been used to mitigate quite some issues with it. PHPStan has released a new version which fixes a bunch of bugs, which detects more issues in core. These will be addressed with the dedicated PHPStan raise patch #98246. However, one issue cannot be solved or added to the baseline and must be fixed beforehand. The reason is, that phpstan also evaluates the PHPDoc return type. This change uses the `#[\ReturnTypeWillChange]` attribute to silence this as a backportable intermediate solution. Resolves: #98251 Related: #98246 Releases: main, 11.5 Change-Id: I24e7d24e735d2dffbca0eca21de602c40f7e7d2a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75575 Tested-by:
-
Nikita Hovratov authored
With patch #97786 a bug was fixed, to only toggle inline controls in their own scope. For this a new helper class was introduced and added for vanilla inline controls. However, there are two other special inline control types for record selectors. Most commonly known from the FileSelector for FAL. The helper class is now added there as well. Resolves: #98233 Related: #97786 Releases: main, 11.5 Change-Id: Ifb2eb4205ecec50540a70943163c639f04de5ea1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75574 Tested-by:
-
- Aug 30, 2022
-
-
Lina Wolf authored
Releases: main, 11.5 Resolves: #98219 Change-Id: Ib60a14ff4a80eb4333187d3eff4ebf2a0262383d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75573 Tested-by:
-
linawolf authored
Replace the todo with information. Thanks at Florian Weiss for pointing this out and providing me with the screenshot Releases: main, 11.5 Resolves: #98215 Change-Id: Ia14e18ecd260ee9dfa98dae88aa68e8e7b4f1612 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75572 Tested-by:
-
- Aug 28, 2022
-
-
Stefan Bürk authored
Symfony recently released new version v5.4.12 and v6.1.4 of the framework which contains a change in `symfony/mailer` throwing a TransportException and passing null as 2nd ($code) argument. This is deprecated since PHP8.1 and emits now a corresponding depcreaction warning in some circumenstances and breaking one mailer unit test. See: https://github.com/symfony/symfony/issues/47402 This change temporarly skips the test for PHP8.1 until the fix has been merged and released a new version by symfony. Resolves: #98216 Releases: main, 11.5 Change-Id: I12a18f425bd573e1943dddad909c7c3256c1fd87 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75501 Tested-by:
-
- Aug 25, 2022
-
-
Oliver Hader authored
Change-Id: Ic0df4413b78775ca2c9fc17e0180c4f1ba3db6c5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75548 Tested-by:
-
Oliver Hader authored
Change-Id: I16a29c9ce3ae6d3d430b2d09b0cc952533e67cfe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75547 Tested-by:
-
- Aug 24, 2022
-
-
Daniel Hettler authored
Properly guard array key access for "sheetTitle" in `\TYPO3\CMS\Backend\Form\Container\FlexFormTabsContainer->render()`. Resolves: #98201 Releases: main, 11.5 Change-Id: Iafa5fd4623d53501e655739d7aabc543d26ed216 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75500 Tested-by:
-
Oliver Bartsch authored
InlineControlContainer allows to add custom controls via a userFunc (hook). However, since the resultArray was not passed to the userFunc, e.g. no JS module could be added for the custom control. This is now fixed by passing the resultArray by reference to the userFunc. Resolves: #98199 Releases: main, 11.5 Change-Id: I404d2673a65bb40cf7f389fb5c0f7bec7dcd7c4c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75499 Tested-by:
-
Tobias Jungmann authored
If a preview page is already open, clicking on the "view" button in the content editor window would not reload the page. That means, that the preview page would not show changes if the preview page url and the target url are similar (e.g. only differentiate in hash/query or are exactly the same). This patch looks if a window with the given windowName is already open (looking in `this.windows` did not work well because the existing windows aren't saved in a global context, yet) and compares the URL of an open window (if there's one) with the given URL. If the URLs are similiar (i.e. the origin and the path name are the same) the page will be reloaded. Resolves: #93706 Releases: main, 11.5 Change-Id: Ib3d9e49f56e6ef45df1cd7d82fa58dffb74a3750 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75492 Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
-
Stefan Bürk authored
With #95819 the detection of Domain Object properties was changed to use ClassSchema in order to support uninitialized properties is models. This was not possible with `DomainObjectInterface::_getProperties()` which used `get_object_vars()` under the hood. However, with mentioned change, other properties which had been ignored by `get_object_vars()` were now propagated to persistence, even if those properties were not configured in TCA. The change in behavior is considered a regression and is now addressed: The retrieval of the property value is delayed until after it is ensured that the property is a persistable property (which asserts that we are not reading from private properties). Resolves: #98148 Related: #95819 Releases: main, 11.5 Change-Id: I94d41715a49953045d32361a00bc274c15112a1e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75541 Tested-by:
-
- Aug 22, 2022
-
-
Kevin Appelt authored
The check if the image has to be processed has been moved to dedicated methods to enhance readability and testability The condition still checks if the image is wider than the defined maximum width. The check if the entire image is used should now be easier to understand. No offset and 100% of the width and height of the image correspond to the full image and negated in its entirety. Resolves: #98118 Releases: main, 11.5 Change-Id: I8283e2f74310654455fb247e84c9e4204f3e1dd4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75531 Tested-by:
-
Oliver Hader authored
Avoid undefined array key warning in case 'config' is not given in TypoScript settings. Resolves: #98145 Releases: main, 11.5 Change-Id: I20df94bd34f9f7197eee7905f5aa1c2af35d0601 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75530 Tested-by:
-
- Aug 21, 2022
-
-
Peter Kraume authored
Resolves: #98183 Releases: main, 11.5 Change-Id: Ib4d123e86a9b158b86e20322fc53ca94ff5b9be7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75528 Tested-by:
Nikita Hovratov <nikita.h@live.de> Reviewed-by:
-
- Aug 19, 2022
-
-
Chris Müller authored
If either labels or base are not given, the default values kick in: labels = iec and base = 1024 With the new fallback values in place test ContentObjectRendererTest notAllStdWrapProcessorsAreCallableWithEmptyConfiguration() needs a minor adaption. Resolves: #98154 Releases: main, 11.5 Change-Id: Ib2a242454197be94a75fb3d5bffbb8d0be8a1523 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75519 Tested-by:
-
Torben Hansen authored
This patch fixes a warning on PHP 8.1, when a FlexForm has a sheet with no fields in it. Resolves: #98166 Releases: main, 11.5 Change-Id: Iec814a10bb755fb78a8de95b432d8cb6042a07d3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75518 Tested-by:
-
Andreas Fernandez authored
The configuration definition of `content` in the Modal API is extended to accept objects of types `Element` and `DocumentFragment` as well, which allows passing arbitrary DOM nodes to the API, if TypeScript is used. Since jQuery is still the main actor in the Modal API, no further adjustments are required for now as jQuery can consume the added types. In the same run, the API definition got stricter as `Modal.advanced()` allowed to pass any arbitrary configuration not covered by the internal `Configuration` interface. Resolves: #98164 Releases: main, 11.5 Change-Id: Ibf7cc836fcffa870a1eb4c5d4615c44e046cf192 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75515 Tested-by:
-
- Aug 17, 2022
-
-
Torben Hansen authored
Since ext:felogin already uses strict type declarations for function arguments and return types, various parameter- and return-type declarations in PHPDoc comments can safely be removed. With this patch the following changes are applied: * removed superfluous @param type declarations * removed superfluous @return declarations * removed non-thrown @throws annotations * added missing function type declarations in tests Used command: > Build/Scripts/runTests.sh -s phpstanGenerateBaseline Resolves: #98139 Releases: main, 11.5 Change-Id: I47749a748e808f6801928951397ed0bff8d6a115 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75446 Tested-by:
-
