Packages/TYPO3.CMS.git
3 years ago [RELEASE] Release of TYPO3 6.2.19 37/46837/2 6.2.19 TYPO3_6-2-19
TYPO3 Release Team [Tue, 23 Feb 2016 11:08:11 +0000 (12:08 +0100)]
[RELEASE] Release of TYPO3 6.2.19

Change-Id: Iee319320400b384e4af96ca13e0e5c0ea4221a4e
Reviewed-on: https://review.typo3.org/46837
Reviewed-by: TYPO3 Release Team <typo3cms@typo3.org>
Tested-by: TYPO3 Release Team <typo3cms@typo3.org>
3 years ago [SECURITY] Limit the search results per page 30/46830/2
Benni Mack [Tue, 23 Feb 2016 10:44:49 +0000 (11:44 +0100)]
[SECURITY] Limit the search results per page

Indexed Search allows to show up to 100.000
entries per page by configuring the paging
entry via a GET/POST variable, leading to a
possible DoS attack.

The max limit is set to 100 entries per page,
as a reasonable limit for the website search
results.

Resolves: #73458
Releases: master, 7.6, 6.2
Security-Commit: 8dc6e3c41d53788966b1ab220acd49a815ccfe7f
Security-Bulletins: TYPO3-CORE-SA-2016-005, 006, 007, 008
Change-Id: I46d825d918d716c6059bb732d3b808dd4bafdc9c
Reviewed-on: https://review.typo3.org/46830
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [SECURITY] Escape output of tt_content.default 29/46829/2
Georg Ringer [Tue, 23 Feb 2016 10:44:39 +0000 (11:44 +0100)]
[SECURITY] Escape output of tt_content.default

Escape the value of the field CType in tt_content.default.

Resolves: #73450
Releases: master, 7.6, 6.2
Security-Commit: fa4c55b136648dd01115c346d9fd0c90b303f2d1
Security-Bulletins: TYPO3-CORE-SA-2016-005, 006, 007, 008
Change-Id: Ica19c572bf46b6f2b11333b6759804d3537e7469
Reviewed-on: https://review.typo3.org/46829
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [SECURITY] Stored XSS in shortcut functionality 28/46828/2
Wouter Wolters [Tue, 23 Feb 2016 10:44:29 +0000 (11:44 +0100)]
[SECURITY] Stored XSS in shortcut functionality

Resolves: #73449
Releases: 6.2
Security-Commit: c4df50a433362c2a3976f40bcbc5be82d4cb3cb6
Security-Bulletins: TYPO3-CORE-SA-2016-005, 006, 007, 008
Change-Id: I7881425226a6a23b9acf6a1870b82c4dcf0fee93
Reviewed-on: https://review.typo3.org/46828
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [SECURITY] XML entity expansion 27/46827/2
Benni Mack [Tue, 23 Feb 2016 10:44:20 +0000 (11:44 +0100)]
[SECURITY] XML entity expansion

Remote XML entities can be loaded in places where TYPO3 expects
only local files to be fetched. All places are changed so
the option to load entities is disabled.

Resolves: #61269
Releases: master, 7.6, 6.2
Security-Commit: ed1cd758fafc81ed44f8f829ad3ed3a86c5db649
Security-Bulletins: TYPO3-CORE-SA-2016-005, 006, 007, 008
Change-Id: Ic5513ce257f0a6aa1a9cce7a617b59ed09341a78
Reviewed-on: https://review.typo3.org/46827
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [TASK] Remove adodb diff 17/46817/2
Christian Kuhn [Mon, 22 Feb 2016 19:58:33 +0000 (20:58 +0100)]
[TASK] Remove adodb diff

There is a list of patches we applied to adodb manually in
typo3/sysext/adodb/Documentation/Index.rst. This, together
with 'git log' should be enough in case adodb is updated.
The diff file is a pain to maintain and also does not
contain all changes that were done to adodb.

Change-Id: If0525ce90b637541d659569f697377f011b8ad37
Resolves: #73607
Releases: master, 7.6, 6.2
Reviewed-on: https://review.typo3.org/46817
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
3 years ago [TASK] Disallow Composer installation with PHP 7.x 07/46707/2
Mathias Brodala [Tue, 16 Feb 2016 11:29:59 +0000 (12:29 +0100)]
[TASK] Disallow Composer installation with PHP 7.x

TYPO3 6.2 is not compatible with PHP 7.x thus properly declare this
for Composer installations.

Resolves: #73480
Releases: 6.2
Change-Id: I857a07199109f63b51079094d035b6f1ab9efb52
Reviewed-on: https://review.typo3.org/46707
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
3 years ago [BUGFIX] Fix disabled menu item state for l18n_cfg=1 43/46743/2
Mathias Brodala [Wed, 17 Feb 2016 10:25:07 +0000 (11:25 +0100)]
[BUGFIX] Fix disabled menu item state for l18n_cfg=1

This fixes an issue introduced with the backport of the
change in #73083 to TYPO3 6.2.

Resolves: #73518
Related: #73083
Releases: 6.2
Change-Id: I8fef570b15e8bbf94da124f47a5bd4b3158c1b9f
Reviewed-on: https://review.typo3.org/46743
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Mario Rimann <typo3-coding@rimann.org>
Tested-by: David Hoeckele <david@hoeckele.net>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
3 years ago [BUGFIX] Remove addQueryStringMethod parameter from widget links 50/46350/2
Nicole Cordes [Fri, 29 Jan 2016 13:42:20 +0000 (14:42 +0100)]
[BUGFIX] Remove addQueryStringMethod parameter from widget links

Resolves: #58752
Releases: master, 7.6, 6.2
Change-Id: I1d03d62cf0028089bdd0c5a6e7ef555be36349fb
Reviewed-on: https://review.typo3.org/46350
Reviewed-by: Stefan Froemken <froemken@gmail.com>
Tested-by: Stefan Froemken <froemken@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 years ago [TASK] Set TYPO3 version to 6.2.19-dev 01/46701/2
TYPO3 Release Team [Tue, 16 Feb 2016 11:08:37 +0000 (12:08 +0100)]
[TASK] Set TYPO3 version to 6.2.19-dev

Change-Id: Ic95d24625134cb1dd28046d0b81463f7ff49fcd5
Reviewed-on: https://review.typo3.org/46701
Reviewed-by: TYPO3 Release Team <typo3cms@typo3.org>
Tested-by: TYPO3 Release Team <typo3cms@typo3.org>
3 years ago [RELEASE] Release of TYPO3 6.2.18 00/46700/2 6.2.18 TYPO3_6-2-18
TYPO3 Release Team [Tue, 16 Feb 2016 11:07:46 +0000 (12:07 +0100)]
[RELEASE] Release of TYPO3 6.2.18

Change-Id: Ia39733d7ffe9023f57907b8dc1b130f96daaf3be
Reviewed-on: https://review.typo3.org/46700
Reviewed-by: TYPO3 Release Team <typo3cms@typo3.org>
Tested-by: TYPO3 Release Team <typo3cms@typo3.org>
3 years ago [SECURITY] SQLi in DBAL 96/46696/2
Morton Jonuschat [Tue, 16 Feb 2016 10:43:49 +0000 (11:43 +0100)]
[SECURITY] SQLi in DBAL

When dbal is in native mode but sql_query.passthrough is disabled
in extension configuration, the values of queries are unescaped
and passed that way to MySQL, leading to an SQLi vulnerability.

Resolves: #58896
Releases: 6.2, 4.5
Security-Commit: 3594142daa7e7157aeb21c0ca5db95b5367236d8
Security-Bulletins: TYPO3-CORE-SA-2016-001, 002, 003, 004
Change-Id: Id76c0fb523a1835b0a9d2a1afa4ba1ebdda73303
Reviewed-on: https://review.typo3.org/46696
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [SECURITY] XSS in form extension 95/46695/2
Wouter Wolters [Tue, 16 Feb 2016 10:43:40 +0000 (11:43 +0100)]
[SECURITY] XSS in form extension

Resolves: #54205
Releases: 6.2
Security-Commit: 8d990b6db4deb63241f3d70a78dff0039094c98a
Security-Bulletins: TYPO3-CORE-SA-2016-001, 002, 003, 004
Change-Id: Id50b00b6bfc2fcf8461ac32285ee9d4b6d15ca3f
Reviewed-on: https://review.typo3.org/46695
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [SECURITY] XSS in content element "Form" 94/46694/2
Helmut Hummel [Tue, 16 Feb 2016 10:43:32 +0000 (11:43 +0100)]
[SECURITY] XSS in content element "Form"

Encode field names and options of select and radio elements.

Resolves: #25244
Releases: 6.2
Security-Commit: 7121a0c39e8801e860e29b77c6e33319bc27fd75
Security-Bulletins: TYPO3-CORE-SA-2016-001, 002, 003, 004
Change-Id: I2c2a1a71499ee4757b420df64a3604576d945da4
Reviewed-on: https://review.typo3.org/46694
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [SECURITY] XSS in Link Validator 93/46693/2
Steffen Müller [Tue, 16 Feb 2016 10:43:23 +0000 (11:43 +0100)]
[SECURITY] XSS in Link Validator

Properly escape error message when showing broken links
in EXT:linkvalidator

Resolves: #72240
Releases: master, 7.6, 6.2
Security-Commit: af8f931d4209735c7118b09b0eccadbb116197ab
Security-Bulletins: TYPO3-CORE-SA-2016-001, 002, 003, 004
Change-Id: Ifb1b76a27fbd27260f386a6801e8c9d1c018a95f
Reviewed-on: https://review.typo3.org/46693
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [BUGFIX] Deduplicate "Hide default translation of page" logic 16/46616/2
Morton Jonuschat [Fri, 12 Feb 2016 10:45:22 +0000 (11:45 +0100)]
[BUGFIX] Deduplicate "Hide default translation of page" logic

Resolves: #73083
Releases: master, 7.6, 6.2
Change-Id: I35dfbeb2034990b5746568a733c3e11240a4399d
Reviewed-on: https://review.typo3.org/46450
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Markus Sommer <markussom@posteo.de>
Tested-by: Markus Sommer <markussom@posteo.de>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
(cherry picked from commit e28c56540792cf19fc3782cd894eb5c9e0af6aa4)
Reviewed-on: https://review.typo3.org/46616

3 years ago [FOLLOWUP][BUGFIX] Table wizard: large fields and BR-tags 13/46613/2
Morton Jonuschat [Fri, 12 Feb 2016 09:39:48 +0000 (10:39 +0100)]
[FOLLOWUP][BUGFIX] Table wizard: large fields and BR-tags

Add the missing conversion of LF to <BR> in the frontend output.

Resolves: #72388
Releases: master, 7.6, 6.2
Change-Id: I3ba824904bda6a652c386a8b0fa3e8c1dfbf1859
Reviewed-on: https://review.typo3.org/46040
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
(cherry picked from commit 1d2d368f1bdac991f9191eb81670e0bfc14c960e)
Reviewed-on: https://review.typo3.org/46613
Reviewed-by: Michael Oehlhof <typo3@oehlhof.de>
Tested-by: Michael Oehlhof <typo3@oehlhof.de>
3 years ago [BUGFIX] Failing Unit Tests on Windows systems 03/46603/2
Nicole Cordes [Fri, 29 Jan 2016 11:56:23 +0000 (12:56 +0100)]
[BUGFIX] Failing Unit Tests on Windows systems

Due to realpath usage some Unit Tests are failing on Windows systems.
The tests have to ensure that forward slashes are used for comparison.

Resolves: #73006
Releases: master, 7.6, 6.2
Change-Id: Iee64ab873d519fee07c6b69e63de1f7d645c071b
Reviewed-on: https://review.typo3.org/46603
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
3 years ago [BUGFIX] Re-enable export of multiple records via clipboard 54/46554/2
Bernhard Kraft [Tue, 26 Jan 2016 12:49:41 +0000 (13:49 +0100)]
[BUGFIX] Re-enable export of multiple records via clipboard

The change of #57873 introduced a regression which doesn't allow
the export of multiple records via the clipboard module anymore.

The wrong parameter generation is fixed with this patch.

Resolves: #59180
Releases: master, 6.2
Change-Id: Iffa9e0ec4b816903bd935c65e5f9ba7230695802
Reviewed-on: https://review.typo3.org/46554
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago [BUGFIX] Fallback to version of ext_emconf.php if not found in Composer 71/37971/5
Peter Niederlag [Fri, 20 Mar 2015 12:37:58 +0000 (13:37 +0100)]
[BUGFIX] Fallback to version of ext_emconf.php if not found in Composer

Resolves: #65866
Releases: 6.2
Change-Id: I9e8383de10e2df1b722fda4b55d1379908f13138
Reviewed-on: https://review.typo3.org/37971
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Adrien Crivelli <adrien.crivelli@ecodev.ch>
Tested-by: Adrien Crivelli <adrien.crivelli@ecodev.ch>
Reviewed-by: Fabien Udriot <fabien.udriot@ecodev.ch>
Reviewed-by: Xavier Perseguers <xavier@typo3.org>
Tested-by: Xavier Perseguers <xavier@typo3.org>
3 years ago [BUGFIX] impexp ignore file reference records with missing related files 24/46524/2
Marc Bastian Heinrichs [Mon, 8 Feb 2016 12:37:07 +0000 (13:37 +0100)]
[BUGFIX] impexp ignore file reference records with missing related files

It could happen that an export contains sys_file_reference records
with relations to sys_files records that were missing in the exporting
instance. This causes exceptions on importing the sys_file_reference
records, because the related sys_file record is checked on saving of
the sys_file_reference record.
To prevent this, these sys_file_reference records are ignored on import.

Resolves: #58693
Releases: master, 7.6, 6.2
Change-Id: I68afed93502553b0d55eb858bdb6da5641d1e5f0
Reviewed-on: https://review.typo3.org/46524
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago [BUGFIX] ImpExp: Correct casing for FAL function call 13/46513/2
Benni Mack [Fri, 5 Feb 2016 21:30:55 +0000 (22:30 +0100)]
[BUGFIX] ImpExp: Correct casing for FAL function call

The function call on the folder object must use correct casing of
the function name for PHP 7 compatibility.

Resolves: #73158
Releases: master, 7.6, 6.2
Change-Id: I09e45663707b462914f361de560eba1b3e3bcbf0
Reviewed-on: https://review.typo3.org/46513
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 years ago [BUGFIX] Off-by-one error in FAL's LocalDriver 02/46502/2
Andreas Fernandez [Fri, 5 Feb 2016 15:53:31 +0000 (16:53 +0100)]
[BUGFIX] Off-by-one error in FAL's LocalDriver

Currently, the LocalDriver of FAL has an off-by-one issue. The passed
starting pointer gets decremented by one, causing issues in the file list
while browsing.

The pointer decrement is removed with this change.

The whole core does not call ``ResourceStorage->getFilesInFolder()``
with the parameters ``$start`` and ``$maxNumberOfItems`` having
another value than 0, so this change is assumed to be safe.

Change-Id: I4e24f18b3222f2abdbed83fbbcb18c73d6e52316
Resolves: #73103
Releases: master, 7.6, 6.2
Reviewed-on: https://review.typo3.org/46502
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
3 years ago [BUGFIX] Reallow '0' as valid userFunc argument in TypoScript 28/46428/3
Frank Naegler [Mon, 1 Feb 2016 13:32:06 +0000 (14:32 +0100)]
[BUGFIX] Reallow '0' as valid userFunc argument in TypoScript

With #47301 the parsing of userFunc in TypoScript has changed.
The change prevents '0' as valid argument.

This patch fixes the '0' bug but also adds some new unit tests.
The parser method also includes a bug with quoted values which are not the
last argument. This bug is now fixed too.

Resolves: #72936
Related: #47301
Releases: master, 7.6, 6.2
Change-Id: Ic8df6ea21642e012438dba0a6a299c15939ab119
Reviewed-on: https://review.typo3.org/46428
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
3 years ago [BUGFIX] CategoryRegistry::addTcaColumn() ignores displayCond 81/46381/2
Benni Mack [Fri, 29 Jan 2016 22:16:16 +0000 (23:16 +0100)]
[BUGFIX] CategoryRegistry::addTcaColumn() ignores displayCond

Adds a check for displayCond and includes it if present.

Resolves: #70307
Releases: master, 7.6, 6.2
Change-Id: I94b61bd2f098b279745028731b8392a9bf3389b2
Reviewed-on: https://review.typo3.org/46381
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 years ago [BUGFIX] Clear cache system icon is shown for non admin in dev context 25/46325/2
Benni Mack [Fri, 29 Jan 2016 08:57:49 +0000 (09:57 +0100)]
[BUGFIX] Clear cache system icon is shown for non admin in dev context

If the context is in development mode, the clear cache system icon
is always shown in the toolbar, even if the user is not an admin.

Resolves: #72964
Releases: master, 7.6, 6.2
Change-Id: I674df49fee14ded4b2190cca098ddf146047e5f0
Reviewed-on: https://review.typo3.org/46325
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
3 years ago [TASK] Switch mirror links to https 40/46240/2
Nicole Cordes [Tue, 26 Jan 2016 11:05:08 +0000 (12:05 +0100)]
[TASK] Switch mirror links to https

As the typo3.org (and other mirror) structure switched to ssl protocol
by default, we have to adjust the url generation.

Resolves: #72943
Releases: master, 7.6, 6.2
Change-Id: I2fc79f300584fdb1392c9c1fe920f029703dce25
Reviewed-on: https://review.typo3.org/46240
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
3 years ago [BUGFIX] SimpleFileBackend::setCacheDirectory returns valid path name 58/46158/2
Jan Helke [Fri, 22 Jan 2016 09:58:24 +0000 (10:58 +0100)]
[BUGFIX] SimpleFileBackend::setCacheDirectory returns valid path name

The comment for the method
\TYPO3\CMS\Core\Cache\Backend\SimpleFileBackend::setCacheDirectory()
states clearly, that it is possible to provide an absolute path as
cache directory. However, in the lower part of the function, it is
stated, that if ($cacheDirectory0 == '/') the documentRoot should be
set to '/'. That results in a returned path like '//...'.
This causes problems within
\TYPO3\CMS\Core\Utility\GeneralUtility::validPathStr(), because paths
with '//' in it are always invalid.

Resolves: #72635
Releases: master, 7.6, 6.2
Change-Id: I30e7743ba9835c99382b7c04153f91e688ead5fc
Reviewed-on: https://review.typo3.org/46158
Reviewed-by: Jan Helke <typo3@helke.de>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
3 years ago [BUGFIX] Remove newline from PLACEHOLDER marker in indexed_search 54/46154/2
Wouter Wolters [Fri, 22 Jan 2016 13:35:14 +0000 (14:35 +0100)]
[BUGFIX] Remove newline from PLACEHOLDER marker in indexed_search

Resolves: #72892
Releases: 6.2
Change-Id: Ib6622261ba616e068c2e06499f049295b614ce46
Reviewed-on: https://review.typo3.org/46154
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
3 years ago [TASK] Hide "Save document and create a new one" in filelist 20/46120/2
Gianluigi Martino [Wed, 20 Jan 2016 21:28:29 +0000 (22:28 +0100)]
[TASK] Hide "Save document and create a new one" in filelist

The button "Save document and create a new one" is not needed when editing
files in filelist

Change-Id: If2b74e0eeb23da2a6731f0a925ed3e4c8f3dcfa4
Resolves: #72786
Releases: 6.2
Reviewed-on: https://review.typo3.org/46120
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
3 years ago [BUGFIX] Add missing return type to createVersionNumberedFilename 76/46076/3
Thomas Löffler [Tue, 19 Jan 2016 11:45:33 +0000 (12:45 +0100)]
[BUGFIX] Add missing return type to createVersionNumberedFilename

Change-Id: Id8420d96e4cbfd8809cddc76a763e01141023561
Releases: 6.2
Reviewed-on: https://review.typo3.org/46076
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
3 years ago [BUGFIX] Clarify extension dependency skipping 30/46030/2
Nicole Cordes [Sun, 17 Jan 2016 00:48:54 +0000 (01:48 +0100)]
[BUGFIX] Clarify extension dependency skipping

In Extension Manager the text that explains the skip of dependencies is
missing the information that only system extension dependencies are
skipped.

Resolves: #72762
Releases: 6.2
Change-Id: Icb2a8ebcf1d1dbfc6ae79a95fbd8f2ad075942de
Reviewed-on: https://review.typo3.org/46030
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
3 years ago [BUGFIX] Apply hsc() to exception debug output 91/45991/2
Markus Klein [Sat, 16 Jan 2016 09:31:11 +0000 (10:31 +0100)]
[BUGFIX] Apply hsc() to exception debug output

Resolves: #72755
Releases: master, 7.6, 6.2
Change-Id: If62a72ccc0f8daa47b5cd67b1e2f3fb30f2bf1dc
Reviewed-on: https://review.typo3.org/45991
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 years ago [BUGFIX] Copy DataHandler::enableLogging to sub objects 55/45955/2
Morton Jonuschat [Fri, 15 Jan 2016 16:01:53 +0000 (17:01 +0100)]
[BUGFIX] Copy DataHandler::enableLogging to sub objects

Releases: master, 7.6, 6.2
Fixes: #72357
Change-Id: I33ff172e1c8ad851050d41933eeeeffc1d6c28dd
Reviewed-on: https://review.typo3.org/45389
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
(cherry picked from commit c5bafa6c6fbec9fca73dded0654b7db04e530172)
Reviewed-on: https://review.typo3.org/45955

3 years ago [BUGFIX] Table wizard: large fields and BR-tags 53/45953/2
Anja Leichsenring [Fri, 15 Jan 2016 15:50:46 +0000 (16:50 +0100)]
[BUGFIX] Table wizard: large fields and BR-tags

Large fields output newline as br-tag in frontend

Resolves: #72388
Releases: master, 7.6, 6.2
Change-Id: I8c225548249fc013452641c0316091701fcdca6a
Reviewed-on: https://review.typo3.org/45953
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 years ago [FOLLOWUP] Fix call to not existing function 42/45942/3
Anja Leichsenring [Fri, 15 Jan 2016 13:52:07 +0000 (14:52 +0100)]
[FOLLOWUP] Fix call to not existing function

StringUtility::beginsWith() does not exist in TYPO3 6.2.
Replace the usage with GeneralUtility::isFirstPartOfStr().

Resolves: #72734
Related: #72648
Releases: 6.2
Change-Id: I473dac2c7c9d87eb5774da390cca271e49f9271f
Reviewed-on: https://review.typo3.org/45942
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
3 years ago [BUGFIX] Automatically remove BOM from files before concatenation 38/45938/3
Christian Futterlieb [Fri, 15 Jan 2016 13:01:09 +0000 (14:01 +0100)]
[BUGFIX] Automatically remove BOM from files before concatenation

Resolves: #72648
Releases: master, 7.6, 6.2
Change-Id: I12d97a4bda70879c039d8b05390cc5e37fbeef51
Reviewed-on: https://review.typo3.org/45938
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 years ago [TASK] Allow access to visible content within /.well-known/ directory 27/45927/2
Cedric Ziel [Thu, 14 Jan 2016 18:18:24 +0000 (19:18 +0100)]
[TASK] Allow access to visible content within /.well-known/ directory

Allow access to the visible content from within the `/.well-known/`
hidden directory. The access to all other hidden files and directories
(starting with a dot) is still blocked.

The /.well-known/ directory represents the standard (RFC 5785) path
prefix for "well-known locations", and therefore, access to its visible
content should not be blocked.

Resolves: #72712
Releases: master,7.6,6.2
Change-Id: I533d38a12da5cae59abed4fc00d597814d28fa04
Reviewed-on: https://review.typo3.org/45927
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 years ago [BUGFIX] ImpExp: Do not show error message for recursive relations 98/45898/2
Markus Klein [Thu, 14 Jan 2016 17:29:25 +0000 (18:29 +0100)]
[BUGFIX] ImpExp: Do not show error message for recursive relations

Having recursive relations of records is a valid use case and must
not trigger an error message.

Releases: master, 7.6, 6.2
Resolves: #72709
Change-Id: I22a6216bca69fad33ab99387524965728757c057
Reviewed-on: https://review.typo3.org/45898
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
3 years ago [BUGFIX] Remove debug echo from checkDeniedSuburls 32/45732/2
Morton Jonuschat [Fri, 8 Jan 2016 18:49:50 +0000 (19:49 +0100)]
[BUGFIX] Remove debug echo from checkDeniedSuburls

Resolves: #72598
Releases: master,7.6,6.2
Change-Id: I585f5d24678f63d576a61ff779daee634c8556a8
Reviewed-on: https://review.typo3.org/45705
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
(cherry picked from commit fb036404d28e335def09ebbf2af4d6040665f96f)
Reviewed-on: https://review.typo3.org/45732

3 years ago [TASK] Update copyright year to 2016 46/45546/2
Benni Mack [Fri, 1 Jan 2016 19:30:06 +0000 (20:30 +0100)]
[TASK] Update copyright year to 2016

Resolves: #72501
Releases: master, 7.6, 6.2
Change-Id: I6b2636913da50e6b79ea3990175914add03a6cf3
Reviewed-on: https://review.typo3.org/45546
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 years ago [SECURITY] XSS in belog module 23/45523/2
Morton Jonuschat [Wed, 30 Dec 2015 17:17:06 +0000 (18:17 +0100)]
[SECURITY] XSS in belog module

The username of a backend user and title of a workspace record
miss accordant escaping if being rendered in the belog module.

Since this has only impact on admin users in the backend, the
fix is handled in public instead of a security release.

Resolves: #72475
Releases: master, 7.6, 6.2
Change-Id: Ib165f8ef849a641984fc5fb834b30983f7b63a54
(cherry picked from commit 056323e9141c9028d07c1e12543584e03b5f0c9e)
Reviewed-on: https://review.typo3.org/45523
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
3 years ago [BUGFIX] Computed properties are queried in workspace context 91/45491/2
Oliver Hader [Tue, 29 Dec 2015 15:58:50 +0000 (16:58 +0100)]
[BUGFIX] Computed properties are queried in workspace context

This is a follow-up to issue #68643 to sanitize all places that
reuse the fields (including the computed properties) of a record.

Resolves: #66135
Releases: master, 7.6, 6.2
Change-Id: Ifb57193ff07e3d9ddae50568a0dce741f9aaf12d
Reviewed-on: https://review.typo3.org/45491
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [TASK] Expose identifier and path of functional test instance 87/45487/2
Oliver Hader [Tue, 29 Dec 2015 10:48:06 +0000 (11:48 +0100)]
[TASK] Expose identifier and path of functional test instance

Identifier and path of a functional test instance is created during
bootstrapping the testcase. However, if one needs to define particular
path settings to the initialization phase, this will end up in being
a chicken-or-the-egg problem.

That's why the mentioned two parts are exposed as static functions
and wrapped by the functional test base class.

Resolves: #72450
Releases: master, 7.6, 6.2
Change-Id: I111768133456974010d49b02225e41f9b74dbcff
Reviewed-on: https://review.typo3.org/45487
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [BUGFIX] Fix NumberRangeValidator using startRange and endRange 09/45109/7
Stephan Großberndt [Wed, 9 Dec 2015 19:46:12 +0000 (20:46 +0100)]
[BUGFIX] Fix NumberRangeValidator using startRange and endRange

Re-enable the validation using "startRange" and "endRange" in
NumberRangeValidator instead of using the default values from "minimum"
and "maximum".

Resolves: #72047
Releases: 6.2
Change-Id: I11b7f3699f60964906f2b84a5581491ce255e3ac
Reviewed-on: https://review.typo3.org/45109
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago [TASK] Set TYPO3 version to 6.2.18-dev 86/45386/2
TYPO3 Release Team [Mon, 21 Dec 2015 10:59:19 +0000 (11:59 +0100)]
[TASK] Set TYPO3 version to 6.2.18-dev

Change-Id: I17075af3b1eb891d05f25a96d4920b8ec4589e2d
Reviewed-on: https://review.typo3.org/45386
Reviewed-by: TYPO3 Release Team <typo3cms@typo3.org>
Tested-by: TYPO3 Release Team <typo3cms@typo3.org>
3 years ago [RELEASE] Release of TYPO3 6.2.17 85/45385/2 6.2.17 TYPO3_6-2-17
TYPO3 Release Team [Mon, 21 Dec 2015 10:58:10 +0000 (11:58 +0100)]
[RELEASE] Release of TYPO3 6.2.17

Change-Id: I3e419c4e96dcee01f7d125801c125e43384b9b83
Reviewed-on: https://review.typo3.org/45385
Reviewed-by: TYPO3 Release Team <typo3cms@typo3.org>
Tested-by: TYPO3 Release Team <typo3cms@typo3.org>
3 years ago [BUGFIX] Prevent Javascript error for Flexform sections 56/45356/5
Oliver Hader [Fri, 18 Dec 2015 15:10:34 +0000 (16:10 +0100)]
[BUGFIX] Prevent Javascript error for Flexform sections

This patch resolves a regression which occurs on deleting
Flexform sections with an RTE.

Resolves: #72322
Releases: 6.2
Change-Id: I620d8701eb8fccb277d0ba58d7c8e3551c463db2
Reviewed-on: https://review.typo3.org/45356
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
3 years ago [!!!][BUGFIX] Severe data-loss on workspaces publishing action 20/45320/4
Oliver Hader [Wed, 16 Dec 2015 18:58:39 +0000 (19:58 +0100)]
[!!!][BUGFIX] Severe data-loss on workspaces publishing action

If pages records in a given scenario are published this causes
a severe data-loss for the whole TYPO3 installation since all
records are deleted. Actually they are marked as deleted, but
that's not less problematic.

The scenario for this in a draft workspace is having reordered
sub-pages (move-placeholder) and a parent-page that is marked
for deletion. On publishing the parent-page, the delete process
iterates over all pages on the root-level due to some essential
missing checks and an implicit type-cast from null to integer
zero (0) on the pages.pid value.

The accordant places are validated now. In addition to that the
possibility to delete everything implicitly from the root-page
is disabled to prevent other programmatic flaws like this.

Resolves: #72273
Releases: master, 6.2
Change-Id: I175f220cc0939124e34713fff07685ba902ad385
Reviewed-on: https://review.typo3.org/45320
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago [BUGFIX] DBAL: use correct default value for native connection 40/45340/2
Melanie Kalka [Thu, 17 Dec 2015 16:22:52 +0000 (17:22 +0100)]
[BUGFIX] DBAL: use correct default value for native connection

DBAL uses an empty string for the portnumber parameter
for mysqli real_connect, which results in a PHP warning,
because an integer (or null) is required.

Changing the fallback to null resolves this issue and
results in a working database connection.

Resolves: #72285
Releases: master, 6.2
Change-Id: Ie0e04f3ab04996ab634f99c3d2ab545d4a3b3819
Reviewed-on: https://review.typo3.org/45340
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
3 years ago[TASK] Extend workspace functional tests on placeholder deletion 39/45339/2
Oliver Hader [Thu, 17 Dec 2015 10:47:26 +0000 (11:47 +0100)]
[TASK] Extend workspace functional tests on placeholder deletion

Actions performed in a workspace:
* move existing page below sibling on same level (move-placeholder)
* create new page on parent page (new-placeholder)
* delete the parent page

Attention:
The test assertions reflect the status quo which is faulty and has
to be fixed on a separate bugfix.

Resolves: #72291
Releases: master, 6.2
Change-Id: I85e10569c36a4c669a479434a5ce973d3fb9fe5c
Reviewed-on: https://review.typo3.org/45339
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[BUGFIX] substituteMarkerArrayCached() must accept special chars 36/45336/4
Markus Klein [Thu, 17 Dec 2015 14:44:37 +0000 (15:44 +0100)]
[BUGFIX] substituteMarkerArrayCached() must accept special chars

Add a bunch of unit tests and streamline the code as well
by removing a useless preg_match_all() call.
Rename some variables and add comments.

Resolves: #72252
Releases: master, 6.2
Change-Id: I2a31a1c2ab6d83528428693213b922f0e1bc6fe5
Reviewed-on: https://review.typo3.org/45336
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago[BUGFIX] Missing check before foreach loop 30/45330/2
Oliver Hader [Thu, 17 Dec 2015 10:41:06 +0000 (11:41 +0100)]
[BUGFIX] Missing check before foreach loop

PHP Warning: Invalid argument supplied for foreach()
in typo3/sysext/core/Classes/DataHandling/DataHandler.php line 5285

Resolves: #72289
Releases: master, 6.2
Change-Id: If83dee7261ce3dd6d1fbf3bb81d8f2e53741c4c7
Reviewed-on: https://review.typo3.org/45330
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[BUGFIX] Disclose exceptions on CLI in production context 31/45331/2
Helmut Hummel [Thu, 17 Dec 2015 11:18:09 +0000 (12:18 +0100)]
[BUGFIX] Disclose exceptions on CLI in production context

It is pointless to hide the exception message on CLI
in the production context. On CLI there are privileged
users only anyway and hiding this information from them
leads to wasted hours of debugging.

Output the necessary information also in ProductionExceptionHandler

Resolves: #72265
Releases: master, 6.2
Change-Id: I778b057fc7e170af2a2fcdb1befb2a4400449ce7
Reviewed-on: https://review.typo3.org/45331
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago[TASK] Provide labels for all log types 24/45324/2
Anja Leichsenring [Wed, 16 Dec 2015 19:37:59 +0000 (20:37 +0100)]
[TASK] Provide labels for all log types

Change-Id: Ief05c75376ef8b3b2fc8fa8c3ca52e2efbf24198
Resolves: #72256
Releases: master, 6.2
Reviewed-on: https://review.typo3.org/45324
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 years ago[BUGFIX] Empty row in table content element shows &nbsp; 17/45317/2
Wouter Wolters [Wed, 16 Dec 2015 14:34:44 +0000 (15:34 +0100)]
[BUGFIX] Empty row in table content element shows &nbsp;

When an empty row in a table content element is shown in the
frontend, with htmlSpecialChars set to 1, &nbsp; is shown.
Use a real space instead.

Resolves: #72263
Releases: master, 6.2
Change-Id: I60304607caa4fc90451216426f4ed73f01bf75fc
Reviewed-on: https://review.typo3.org/45317
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago[TASK] Set TYPO3 version to 6.2.17-dev 86/45286/2
TYPO3 Release Team [Tue, 15 Dec 2015 10:58:03 +0000 (11:58 +0100)]
[TASK] Set TYPO3 version to 6.2.17-dev

Change-Id: I8d118edb71a7fa83d71ef30c1d0d61f73b7657f7
Reviewed-on: https://review.typo3.org/45286
Reviewed-by: TYPO3 Release Team <typo3cms@typo3.org>
Tested-by: TYPO3 Release Team <typo3cms@typo3.org>
3 years ago[RELEASE] Release of TYPO3 6.2.16 85/45285/2 6.2.16 TYPO3_6-2-16
TYPO3 Release Team [Tue, 15 Dec 2015 10:56:38 +0000 (11:56 +0100)]
[RELEASE] Release of TYPO3 6.2.16

Change-Id: I924bade8d113a0f23a3b27e94980a399dcd68ce6
Reviewed-on: https://review.typo3.org/45285
Reviewed-by: TYPO3 Release Team <typo3cms@typo3.org>
Tested-by: TYPO3 Release Team <typo3cms@typo3.org>
3 years ago[SECURITY] Open shockwave inclusion in flvplayer.swf 74/45274/2
Oliver Hader [Tue, 15 Dec 2015 10:35:59 +0000 (11:35 +0100)]
[SECURITY] Open shockwave inclusion in flvplayer.swf

File inclusion is now protected by an additional signed hash
from the providing server which is validated further in the
Flash Player. In case of mismatching hash values, no external
shockwave file will be loaded.

This feature has been moved to ext:mediace in TYPO3 7 LTS.

Resolves: #59417
Releases: 6.2, 4.5
Security-Commit: 6c4814ce17122b669e209836e6e361958ba07df0
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I9cff37b97a101b5da2834e046137c025ecbbebcc
Reviewed-on: https://review.typo3.org/45274
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] Escape caption of media using css_styled_content 73/45273/2
Georg Ringer [Tue, 15 Dec 2015 10:35:47 +0000 (11:35 +0100)]
[SECURITY] Escape caption of media using css_styled_content

The caption must be escaped. As this is only a textarea, the parsefunc
is not needed.

Furthermore, the fields "altText" and "titleText" use htmlspecialchars instead of stripHtml.

Resolves: #41690
Releases: master, 6.2
Security-Commit: 8b11cfd8fba0c68effad41f4fdc07f4b593a62cc
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: Ia32b37e93cbe3d5f171a7986fb17539d84e99325
Reviewed-on: https://review.typo3.org/45273
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] XSS in search results 72/45272/2
Wouter Wolters [Tue, 15 Dec 2015 10:35:34 +0000 (11:35 +0100)]
[SECURITY] XSS in search results

Page titles are not escaped in getPathFromPageId

Resolves: #23155
Releases: 6.2
Security-Commit: 9f2f01429e4cfd9f705b345a8b3c53dfd0bac63d
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I65f106e1b504bf9ac45f869ae97582f0cb24f52a
Reviewed-on: https://review.typo3.org/45272
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] Fix XSS in rtehtmlarea 71/45271/2
Georg Ringer [Tue, 15 Dec 2015 10:35:20 +0000 (11:35 +0100)]
[SECURITY] Fix XSS in rtehtmlarea

The SpellCheckingController needs to quote external parameters.

Resolves: #37399
Releases: master, 6.2
Security-Commit: 9a6fe2c031c850eb4cd357bd3a1f13becd18f48b
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I93f43a8ac8ffa28488527fd812c45e64048dfe23
Reviewed-on: https://review.typo3.org/45271
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] Fix XSS in bullet list element 70/45270/2
Georg Ringer [Tue, 15 Dec 2015 10:35:03 +0000 (11:35 +0100)]
[SECURITY] Fix XSS in bullet list element

Replace parsefunc with htmlSpecialChars for the lines of bullet list

Resolves: #71683
Releases: master, 6.2
Security-Commit: 0099f4a51b6d1b994177ab1caa920d6ccf10afe2
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I7415c3cabb6412b6c06dae7c7d88bddf52e1d37c
Reviewed-on: https://review.typo3.org/45270
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] Replace parseFunc with htmlspecialchars in element "table" 69/45269/2
Georg Ringer [Tue, 15 Dec 2015 10:34:48 +0000 (11:34 +0100)]
[SECURITY] Replace parseFunc with htmlspecialchars in element "table"

Instead of using the lib.parseFunc htmlspecialchars is used for
the table cell rendering.

Resolves: #25245
Releases: master, 6.2
Security-Commit: 3d64bcca9bf08bbb472d016145fc1e1befc75daf
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: Ifd285572be52cdceddd72fdac5da01f7c632f2d0
Reviewed-on: https://review.typo3.org/45269
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] XSS in Link Validator 68/45268/2
Georg Ringer [Tue, 15 Dec 2015 10:34:33 +0000 (11:34 +0100)]
[SECURITY] XSS in Link Validator

Properly escape user input when showing broken links
in EXT:linkvalidator

Resolves: #68735
Releases: master, 6.2
Security-Commit: 8c9a2eaa768534d8781073889c07e075e1c3c34e
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: Ic2cf727c4b3c213503254ee79301553eb6739a1a
Reviewed-on: https://review.typo3.org/45268
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] Possible XSS in felogin messages 67/45267/2
Georg Ringer [Tue, 15 Dec 2015 10:34:15 +0000 (11:34 +0100)]
[SECURITY] Possible XSS in felogin messages

Change default TypoScript to encode messages in felogin
with htmlspecialchars.

Fix two occurrences of _LOCAL_LANG messages where htmlspecialchars
was missing.

Resolves: #25243
Releases: master, 6.2
Security-Commit: dd8cdadc5ff64ff415035490646e8cf2578ee396
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I186f8cb344b9b16f38d11926529a52e7ed4c831d
Reviewed-on: https://review.typo3.org/45267
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] XSS through WS comments 66/45266/2
Wouter Wolters [Tue, 15 Dec 2015 10:34:02 +0000 (11:34 +0100)]
[SECURITY] XSS through WS comments

Resolves: #25227
Releases: master, 6.2
Security-Commit: f87f24a062c9443c571563eb443486190da12fb4
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: Ia57f5ed9110f6915118387b6315252001e1e44e6
Reviewed-on: https://review.typo3.org/45266
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] Link fields accept inline javascript code 65/45265/2
Oliver Hader [Tue, 15 Dec 2015 10:33:48 +0000 (11:33 +0100)]
[SECURITY] Link fields accept inline javascript code

JavaScript can be submitted for every link field and will be
rendered in the frontend passed through typolink. To circumvent
that, the URI scheme and prefix "javascript:" will be disallowed.

The extension "javascript_handler" allows however to bring back
that insecure behavior since some installations might rely on it.

Resolves: #71698
Releases: master, 6.2
Security-Commit: c9f5b7ced589c2d58a8c6099e5491923ace2e9a7
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I5a0bcb990686fa1e768974afe561f6b195906552
Reviewed-on: https://review.typo3.org/45265
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] Fix several XSS issues 64/45264/2
Nicole Cordes [Tue, 15 Dec 2015 10:33:35 +0000 (11:33 +0100)]
[SECURITY] Fix several XSS issues

Resolves: #59150
Releases: master, 6.2
Security-Commit: 897e553b01145fe2867f362aa8025a71bc620961
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I16ef6ad6e7146a9963139d2fa419dbc6ed88b774
Reviewed-on: https://review.typo3.org/45264
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[SECURITY] Prevent XSS in TER download dialog 63/45263/2
Nicole Cordes [Tue, 15 Dec 2015 10:33:22 +0000 (11:33 +0100)]
[SECURITY] Prevent XSS in TER download dialog

Due to the json request format during a TER extension installation,
the EM is susceptible to XSS.

Resolves: #71524
Releases: master, 6.2
Security-Commit: f109bf3ef49b88ed8b39e053b285e8f239210136
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: Ib47ec9f715578871d3c1a67aaca2b99d27a07f8e
Reviewed-on: https://review.typo3.org/45263
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[BUGFIX] Handle content with no markers in substituteMarkerArrayCached 56/45256/2
Markus Klein [Mon, 14 Dec 2015 22:12:47 +0000 (23:12 +0100)]
[BUGFIX] Handle content with no markers in substituteMarkerArrayCached

If the content has no markers at all, the full content
needs to be returned.
Additionally, the result does not need to be cached
if no markers are present.

Resolves: #72224
Releases: master, 6.2
Change-Id: I8fd39ab705eaa2217bba4fd5a069d940e677ea47
Reviewed-on: https://review.typo3.org/45256
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
3 years ago[BUGFIX] Make openid usable on IE 11 57/45257/2
Markus Klein [Mon, 14 Dec 2015 22:54:41 +0000 (23:54 +0100)]
[BUGFIX] Make openid usable on IE 11

Make sure there is no password set.
This might be the case, as the custom placeholder JS will set
the placeholder value as value of the field on IE.

Resolves: #64552
Releases: 6.2
Change-Id: Iac4cf14d85292a5be76ef2f739802ad6d710f1ee
Reviewed-on: https://review.typo3.org/45257
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
3 years ago[BUGFIX] Track pids of deleted/moved records to clear cache 13/45213/5
Jan Helke [Fri, 11 Dec 2015 13:08:33 +0000 (14:08 +0100)]
[BUGFIX] Track pids of deleted/moved records to clear cache

Clearing caches is done after all operations. The pid can't be read from
the deleted or from the old location of the moved record so an array
remembers these pids for the clear cache operation.

Resolves: #61017
Releases: master, 6.2
Change-Id: I4552d2b9b2a6ea475563fd62a62f29a57fe9df70
Reviewed-on: https://review.typo3.org/45213
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[BUGFIX] Indexed Search: Fix warning for empty search word 22/45222/4
Tymoteusz Motylewski [Sat, 12 Dec 2015 13:41:52 +0000 (14:41 +0100)]
[BUGFIX] Indexed Search: Fix warning for empty search word

The Extbase plugin throws a warning when the search word is empty.
This was already fixed in a bigger change in v7, which can not be
easily backported. This is a simple fix for v6.

Resolves: #69317
Releases: 6.2
Change-Id: I185bca27f9ee7563deb8ae943563915a6e5f0a62
Reviewed-on: https://review.typo3.org/45222
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago[TASK] travis-ci: PHP 5.6 not allowed_failure anymore 86/45186/2
Christian Kuhn [Tue, 8 Dec 2015 16:30:19 +0000 (17:30 +0100)]
[TASK] travis-ci: PHP 5.6 not allowed_failure anymore

Change-Id: Ide32a6a582ec7dd1671b97b9d11c9b88a56953fd
Resolves: #72112
Related: #66473
Releases: 6.2
Reviewed-on: https://review.typo3.org/45186
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
3 years ago[FOLLOWUP][BUGFIX] ImageViewHelper should catch exceptions 70/45170/3
Andreas Allacher [Mon, 7 Dec 2015 09:57:36 +0000 (10:57 +0100)]
[FOLLOWUP][BUGFIX] ImageViewHelper should catch exceptions

We also need to catch RuntimeException and InvalidArgumentException.
InvalidArgumentException might be thrown if a storage does not exist.
RuntimeException if a file is outside a storage.

Change-Id: I994d8e7ef8b515f23ccc01847cefac0202f14b6f
Releases: master, 6.2
Resolves: #71686
Reviewed-on: https://review.typo3.org/45170
Reviewed-by: Josef Glatz <josef.glatz@typo3.org>
Tested-by: Josef Glatz <josef.glatz@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
3 years ago[BUGFIX] Use strict authMode access check for list_type 67/45167/2
Frank Nägler [Mon, 7 Dec 2015 12:14:34 +0000 (13:14 +0100)]
[BUGFIX] Use strict authMode access check for list_type

Enforcing a strict authMode check is required to make sure
that editors only see those content elements of type CType='list'
which they are allowed to see.

Resolves: #32209
Releases: master, 6.2
Change-Id: I47f92a03a3dacbbf686fd9592ea679a40f3a828b
Reviewed-on: https://review.typo3.org/45167
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
3 years ago[BUGFIX] Live search shows move placeholders in draft workspace 25/44925/2
Alexander Opitz [Tue, 24 Nov 2015 09:28:55 +0000 (10:28 +0100)]
[BUGFIX] Live search shows move placeholders in draft workspace

This patch makes sure that all records that have a t3ver_move_id
other than 0 are ignored.

Resolves: #37896
Releases: master, 6.2
Change-Id: Id0b45ebdc72522f46bc9b51261eeca2e01d48db9
Reviewed-on: https://review.typo3.org/44925
Reviewed-by: Michael Oehlhof <typo3@oehlhof.de>
Tested-by: Michael Oehlhof <typo3@oehlhof.de>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
Tested-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
3 years ago[BUGFIX] Avoid overly large regex in substituteMarkerArrayCached 32/45132/2
Benni Mack [Fri, 4 Dec 2015 22:54:45 +0000 (23:54 +0100)]
[BUGFIX] Avoid overly large regex in substituteMarkerArrayCached

Fetch the actually used markers from the content and only
generate the replace regex for those.
This avoids problems where 1000 markers may be passed in,
but only 10 are actually used.

Resolves: #44270
Releases: master, 6.2
Change-Id: I05f60960949e945249b045a8ae8e8430f7d8f7e6
Reviewed-on: https://review.typo3.org/45132
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 years ago[BUGFIX] Avoid wrong SQL query in fe_login user group redirect 31/45131/2
Frederic Gaus [Mon, 11 May 2015 15:07:11 +0000 (17:07 +0200)]
[BUGFIX] Avoid wrong SQL query in fe_login user group redirect

Ensure that no invalid group data is collected and check
if any group is set at all before running the SQL query.

Change-Id: I5792ff606d60ba5e5a108ed18c2ec91e354f85ff
Resolves: #64966
Releases: master, 6.2
Reviewed-on: https://review.typo3.org/45131
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago[BUGFIX] Ignore placeholders when copying records 71/45071/4
Oliver Hader [Sat, 31 Oct 2015 19:46:46 +0000 (20:46 +0100)]
[BUGFIX] Ignore placeholders when copying records

Copying records would make placeholders for draft elements visible in the
copy. This is due to the fact that t3ver_state information is removed upon
copy and the records themselves are not ignored either. To circumvent that, now
only relevant records are selected for each scope, being live workspace or
any draft workspace. This also means, that new placeholders are copied if
the process has been initiated on a real draft workspace, which does not
happen if the duplication process was triggered in the live workspace.

Resolves: #36946
Resolves: #42075
Releases: master, 6.2
Change-Id: I0952d1a46d1cc02e0ec97f7cbbc9abc700e00c07
Reviewed-on: https://review.typo3.org/45071
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[BUGFIX] Sanity check is missing within MediaContentObject 12/45112/3
Thilo Schumann [Thu, 3 Dec 2015 16:10:29 +0000 (17:10 +0100)]
[BUGFIX] Sanity check is missing within MediaContentObject

Resolves: #67757
Releases: 6.2
Change-Id: I120ce5214ddb46891278adfaaaec19a897e85434
Reviewed-on: https://review.typo3.org/45112
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Xavier Perseguers <xavier@typo3.org>
Tested-by: Xavier Perseguers <xavier@typo3.org>
3 years ago[BUGFIX] ImageViewHelper should catch exceptions 22/45122/4
Benni Mack [Fri, 4 Dec 2015 08:13:39 +0000 (09:13 +0100)]
[BUGFIX] ImageViewHelper should catch exceptions

The ImageViewHelper should catch the following exceptions:
1.) \UnexpectedValueException:
This can happen if a file has been replaced with a folder.

2.) \TYPO3\CMS\Core\Resource\Exception\ResourceDoesNotExistException
If a file was deleted (or renamed directly in the file system).
Such a scenario should still result in a proper page.

Change-Id: I73fa4c279d779a524c0a10021df56529dde052fc
Releases: master, 6.2
Resolves: #71686
Reviewed-on: https://review.typo3.org/45122
Reviewed-by: Andreas Allacher <andreas.allacher@gmx.at>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Allacher <andreas.allacher@gmx.at>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
3 years ago[BUGFIX] DebuggerUtility: Treat null results of lazy objects correctly 01/45101/2
Morton Jonuschat [Wed, 2 Dec 2015 21:17:47 +0000 (22:17 +0100)]
[BUGFIX] DebuggerUtility: Treat null results of lazy objects correctly

Resolves: #71951
Releases: master, 6.2
Change-Id: I590f1915fad84e09a6e45988d1adf17f61598c46
Reviewed-on: https://review.typo3.org/45101
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
3 years ago[BUGFIX] Create FAL processing folders on upgrade 22/38622/5
Daniel Neugebauer [Fri, 10 Apr 2015 11:21:47 +0000 (13:21 +0200)]
[BUGFIX] Create FAL processing folders on upgrade

The Upgrade Wizard's step to migrate filemounts to FAL storages now
creates all missing processing folders.

This is done implicitly by calling getProcessingFolders() on all
storages, thus not introducing any new code to explicitly perform any
manipulation on the file system. If this is not done during migration
regular API calls may fall into an infinite loop, attempting to re-run
getProcessingFolders() due to isWithinFileMountBoundaries check before
any can be created if ResourceStorage has evaluatePermissions set to
false. See bug #66341 for details.

Resolves: #66341
Releases: 6.2
Change-Id: I5839ffe74439d499594e0e1b93a356aaaaac6aca
Reviewed-on: https://review.typo3.org/38622
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[BUGFIX] Fix serializable object creation with PHP 5.6 22/40522/11
Helmut Hummel [Fri, 17 Apr 2015 15:47:43 +0000 (17:47 +0200)]
[BUGFIX] Fix serializable object creation with PHP 5.6

This makes use of doctrine/instantiator to catch this and many
other PHP issues when instantiating objects without constructor.

Resolves: #66473
Resolves: #66885
Releases: 6.2
Change-Id: Ibeaf94ca8227befc4f5a863dd4b688c54b8fcd4c
Reviewed-on: https://review.typo3.org/40522
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Alexander Opitz <opitz.alexander@googlemail.com>
Tested-by: Alexander Opitz <opitz.alexander@googlemail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[BUGFIX] Add favicon without scheme 21/44921/3
Morton Jonuschat [Mon, 23 Nov 2015 19:45:30 +0000 (20:45 +0100)]
[BUGFIX] Add favicon without scheme

Remove the scheme when rendering the link to a favicon in order to
avoid mixed content because the cached header of a page is used for
both HTTP and HTTPS.

Resolves: #69665
Releases: master, 6.2
Change-Id: I39d51bcf31a98369645d144f670e4d6200c2402d
Reviewed-on: https://review.typo3.org/44921
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago[BUGFIX] Empty grid list in frontend workspace preview 05/44305/2
Oliver Hader [Mon, 26 Oct 2015 23:03:36 +0000 (00:03 +0100)]
[BUGFIX] Empty grid list in frontend workspace preview

The grid list of the frontend workspace preview stayed empty due to
several JavaScript issues. First one is a CORS thingy with local
document.domain values being set and for the list IFRAME being set
too late (and thus running into CORS error). Besides that the tabs
component is only available in the backend workspace module and
leads to another error if expected and used in the frontend preview.

Resolves: #66169
Releases: master, 6.2
Change-Id: I5bf3dd7760c9382527d85e6e7e8e0ad5dca81c05
Reviewed-on: https://review.typo3.org/44305
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[TASK] Add possibility to purge workspaces move placeholder 69/45069/2
Oliver Hader [Mon, 30 Nov 2015 17:16:59 +0000 (18:16 +0100)]
[TASK] Add possibility to purge workspaces move placeholder

During resolving references in a workspace context overlays and
delete-placeholder are considered and it's possible to define
whether they are kept or substituted. This mechanism is missing
for move-placeholders as well.

Resolves: #71990
Releases: master, 6.2
Change-Id: Id0a5326c968b5ceaca2af4c092f9907a91797823
Reviewed-on: https://review.typo3.org/45069
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[TASK] Extend regular workspaces DataHandler functional tests 67/45067/3
Oliver Hader [Mon, 30 Nov 2015 15:13:59 +0000 (16:13 +0100)]
[TASK] Extend regular workspaces DataHandler functional tests

The following actions are added:
* delete content and copy either draft or live page
* change content sorting and copy either draft or live page
* move content around and copy either draft or live page

Resolves: #71988
Releases: master, 6.2
Change-Id: I398fc9f0e7f91a9a944c74868d2718fdf19aa9f8
Reviewed-on: https://review.typo3.org/45067
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[TASK] Extend workspaces DataHandler functional tests 64/45064/2
Oliver Hader [Mon, 30 Nov 2015 14:46:09 +0000 (15:46 +0100)]
[TASK] Extend workspaces DataHandler functional tests

Add content element on different page in base scenario.

Resolves: #71986
Releases: master, 6.2
Change-Id: I87f198301fa8090c96a7c2e22eab9ecc59900405
Reviewed-on: https://review.typo3.org/45064
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 years ago[TASK] Travis: Disable Xdebug 43/45043/2
Nicole Cordes [Sat, 28 Nov 2015 23:31:25 +0000 (00:31 +0100)]
[TASK] Travis: Disable Xdebug

Resolves: #71947
Releases: master, 6.2
Change-Id: I06ad0771dd87d5186818028b4bea7bd61ee305d9
Reviewed-on: https://review.typo3.org/45043
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago[BUGFIX] EXT:form - OPTGROUP cannot be a child element of SELECT 92/43492/3
Ralf Zimmermann [Thu, 24 Sep 2015 21:44:37 +0000 (23:44 +0200)]
[BUGFIX] EXT:form - OPTGROUP cannot be a child element of SELECT

Resolves: #69376
Releases: 6.2
Change-Id: I9e77649203466e37067384f7043e7f1a6ce5fa7e
Reviewed-on: https://review.typo3.org/43492
Reviewed-by: Bjoern Jacob <bjoern.jacob@tritum.de>
Tested-by: Bjoern Jacob <bjoern.jacob@tritum.de>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
3 years ago[BUGFIX] EXT:form - accept-charset in form not working 55/44955/4
Ralf Zimmermann [Thu, 26 Nov 2015 12:44:29 +0000 (13:44 +0100)]
[BUGFIX] EXT:form - accept-charset in form not working

Let the wizard write the correct attribute name "accept-charset"
instead of "acceptcharset". Avoid non existing attribute-class loading
if an attribute name contains non-alphabetic characters.

Resolves: #62713
Releases: 6.2
Change-Id: Iaadf8829b40a39061665dcea529f44ccf2d0a294
Reviewed-on: https://review.typo3.org/44955
Reviewed-by: Bjoern Jacob <bjoern.jacob@tritum.de>
Tested-by: Bjoern Jacob <bjoern.jacob@tritum.de>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
3 years ago[BUGFIX] Allow reply-to mail header in EXT:form 61/43661/4
Ralf Zimmermann [Thu, 26 Nov 2015 11:28:11 +0000 (12:28 +0100)]
[BUGFIX] Allow reply-to mail header in EXT:form

In EXT:form it was not possible to set a reply-to header in the email
and so the entered mail address was used as "from" which could cause SPF
failures.

The reply-to was there in the old mailform (e.g. TYPO3 4.5) but not in
the new extension which is the successor. That is why this issue is handled
as a bugfix.

Resolves: #69395
Related: #68771
Releases: 6.2

Change-Id: I1e7b77d3196c4a921d2902f212d03815bb3e0eb9
Reviewed-on: https://review.typo3.org/43661
Reviewed-by: Bjoern Jacob <bjoern.jacob@tritum.de>
Tested-by: Bjoern Jacob <bjoern.jacob@tritum.de>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 years ago[BUGFIX] Assure correct INCLUDE_TYPOSCRIPT with relative paths on subpages 52/44952/2
Daniel Goerz [Thu, 26 Nov 2015 11:41:44 +0000 (12:41 +0100)]
[BUGFIX] Assure correct INCLUDE_TYPOSCRIPT with relative paths on subpages

If a subpage has a template that clears the setup, INCLUDE_TYPOSCRIPT
will not work with relative paths anymore. This patch assures that always
the correct file is included.

Change-Id: I43b524c7c0fde7211ccbfc8481e2bbfd00bb4c0e
Resolves: #71197
Releases: master, 6.2
Reviewed-on: https://review.typo3.org/44952
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
3 years ago[TASK] Disallow multi-line HTTP headers 00/44900/2
Helmut Hummel [Sun, 22 Nov 2015 13:00:52 +0000 (14:00 +0100)]
[TASK] Disallow multi-line HTTP headers

PHP removed the support for this deprecated HTTP specification
in recent versions of PHP, thus we should remove these as well.

Besides that, we add an additional check for newlines
in GeneralUtility::locationHeaderUrl() to prevent potential
issues with Internet Explorer.
These lines can be removed once the minimum PHP requirements
are raised.

Releases: master, 6.2
Resolves: #58816
Change-Id: I38d26affd31913b82a972ac90ebf906a45b92e05
Reviewed-on: https://review.typo3.org/44900
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 years ago[BUGFIX] Save parents localized uid as child reference 26/44926/2
Nicole Cordes [Wed, 9 Sep 2015 09:29:57 +0000 (11:29 +0200)]
[BUGFIX] Save parents localized uid as child reference

This patch resolves problems with updating translated records which
have a relation to a parent object. The backend expects the localized
uid as parent id but extbase currently saves the original uid. This
leads to wrong relation information within the child record.

Resolves: #69630
Releases: master, 6.2
Change-Id: Ib0af8b5fa13c03e15c4db5cb0ac1a81c8ee568eb
Reviewed-on: https://review.typo3.org/44926
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 years ago[BUGFIX] Position NULL-Checkbox left of TCA input 43/44043/3
Stephan Großberndt [Wed, 14 Oct 2015 08:54:14 +0000 (10:54 +0200)]
[BUGFIX] Position NULL-Checkbox left of TCA input

Positioning of the checkbox to nullify a TCA field is handled by the
FormEngine-Rewrite on master but not on 6.2. This patch positions the
NULL-Checkbox left of TCA input instead of to the far right.

Resolves: #52261
Releases: 6.2
Change-Id: Icc9e3d8d20a0bf728906275fe8041abd2b7446d9
Reviewed-on: https://review.typo3.org/44043
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
3 years ago[BUGFIX] Check webmounts for backend user in workspace preview 97/44897/2
Nicole Cordes [Sun, 22 Nov 2015 12:03:36 +0000 (13:03 +0100)]
[BUGFIX] Check webmounts for backend user in workspace preview

This patch adds a check if the current backend user used for workspace
authentication has access to the current requested page. If the user
doesn't have access the workspace version of that page can't be displayed
and the live version is shown instead.

Resolves: #71734
Releases: master, 6.2
Change-Id: I66b79f9ee36ed3037729dceedd9410ccd85880f4
Reviewed-on: https://review.typo3.org/44897
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>