Packages/TYPO3.CMS.git
8 days ago [TASK] Upgrade ckeditor to 4.11.3 53/60253/3 TYPO3_8-7
Andreas Fernandez [Thu, 14 Mar 2019 20:21:33 +0000 (21:21 +0100)]
[TASK] Upgrade ckeditor to 4.11.3

This patch updates ckeditor to the latest version 4.11.3.

Used command:

    yarn upgrade ckeditor

List of changes:
https://github.com/ckeditor/ckeditor-releases/compare/4.11.1...4.11.3

Resolves: #87905
Releases: master, 9.5, 8.7
Change-Id: Iafbde59625de902774997ca0acffc9a92ba36534
Reviewed-on: https://review.typo3.org/c/60253
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
12 days ago [BUGFIX] Use correct default value for sys_file_storage|is_public 72/60072/2
Georg Ringer [Mon, 11 Mar 2019 06:12:57 +0000 (07:12 +0100)]
[BUGFIX] Use correct default value for sys_file_storage|is_public

Use 1 instead of true as default value.

Resolves: #87873
Releases: master, 9.5, 8.7

Change-Id: I6665ebd5b59336a00ea3019cf30ba5c98123a4f6
Reviewed-on: https://review.typo3.org/c/60072
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
2 weeks ago [BUGFIX] GifBuilder returns already generated images 59/59959/3
Markus Klösges [Tue, 5 Feb 2019 12:26:24 +0000 (13:26 +0100)]
[BUGFIX] GifBuilder returns already generated images

When combining image files with gifbuilder, the hash to identify the
resulting file is now stable with respect to the fact whether the
files are cropped or scaled in the current request or already cropped
before. That leads to stable hashes whenever the same images are
processed with the same configuration, and allows reuse as intended.

Also ensure that fileInfo returned from ContentObjectRenderer contains
width and height information as int, when they are returned from
database as that may lead to different serialized representations of the
configuration

Resolves: #44518
Resolves: #86947
Resolves: #87224
Releases: 8.7, 9.5, master
Change-Id: I833585034cacaf5a0ad66ba3ff04ac3920421085
Reviewed-on: https://review.typo3.org/c/59959
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
2 weeks ago [BUGFIX] Prevent exception in file list 26/59926/2
Susanne Moog [Wed, 6 Mar 2019 10:36:27 +0000 (11:36 +0100)]
[BUGFIX] Prevent exception in file list

When creating a file with a disallowed file
extension an exception was thrown as on creation
the redirect to edit interface on a non-existing
file was called.

Though the better fix might be to prevent the
request for an invalid file to be sent at all
this fix ensures a working file list module in
a more "surgical" way to allow secure backporting.

Resolves: #87527
Releases: master, 9.5, 8.7
Change-Id: I35a054c05b37c09acab83a7aa9eca89cf9ebf6b9
Reviewed-on: https://review.typo3.org/c/59926
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
2 weeks ago [BUGFIX] Reduce strictness for .pl files in fileDenyPattern 14/59914/2
Oliver Hader [Wed, 6 Mar 2019 16:46:56 +0000 (17:46 +0100)]
[BUGFIX] Reduce strictness for .pl files in fileDenyPattern

Files like "file.pl.txt" cannot be uploaded anymore since ".pl" is
considered as executable Perl file. In multilingual scenarios "pl"
is used as reference for Polish content. Since required modules
mod_perl or mod_cgid are not enabled by default, and limited to
be executable only when invoked in location "/cgi-bin/", now only
files ending with ".pl" (e.g. "file.pl") are denied.

Resolves: #87733
Releases: master, 9.5, 8.7
Change-Id: Ib9a69fd3ec04f51653857d2f7309e30b78932653
Reviewed-on: https://review.typo3.org/c/59914
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
2 weeks ago [BUGFIX] Properly render hidden fields for IRRE records 99/59899/2
Helmut Hummel [Fri, 1 Feb 2019 12:20:11 +0000 (13:20 +0100)]
[BUGFIX] Properly render hidden fields for IRRE records

Despite $resultArray['additionalHiddenFields'] being properly
set by the elements, this section is never evaluated
in InlineRecordContainer.

Evaluate content in this property and render the fields
in the HTML output.

Resolves: #87614
Releases: master, 9.5, 8.7
Change-Id: Idb45a906d3cb019e915c94df59fa215405cb1af3
Reviewed-on: https://review.typo3.org/c/59899
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
2 weeks ago [TASK] Change abandoned package mso/idna-convert 85/59885/2
Benni Mack [Wed, 6 Mar 2019 14:16:19 +0000 (15:16 +0100)]
[TASK] Change abandoned package mso/idna-convert

Composer commands:
composer remove mso/idna-convert
composer require algo26-matthias/idna-convert:^1.1.0

Resolves: #87779
Releases: master, 9.5, 8.7
Change-Id: Id7cb8dda54f356479a72bfc0718b1b9256382fb3
Reviewed-on: https://review.typo3.org/c/59885
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
2 weeks ago [BUGFIX] Add check for string to prevent PHP warning 44/59844/2
Peter Kraume [Thu, 21 Feb 2019 13:17:31 +0000 (14:17 +0100)]
[BUGFIX] Add check for string to prevent PHP warning

Resolves: #87762
Releases: master, 9.5, 8.7
Change-Id: I2e7b8b7bee6d69b3e1ae4458257be802d0d97d14
Reviewed-on: https://review.typo3.org/c/59844
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
2 weeks ago [BUGFIX] Force closing tag in PageViewHelper 43/59843/2
Riny van Tiggelen [Wed, 27 Feb 2019 10:08:41 +0000 (11:08 +0100)]
[BUGFIX] Force closing tag in PageViewHelper

Unlike all the other link viewhelpers (based on tagbuilder),
the PageViewHelper does not force the closing tag which
results in an invalid tag when there is no content available.

Resolves: #87804
Releases: master, 9.5, 8.7
Change-Id: Ia49aaf1f2f80be4fa3febee08f5285bebd2c0189
Reviewed-on: https://review.typo3.org/c/59843
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>
3 weeks ago [BUGFIX] Properly use requirejs-loader.js in frontend context 27/59827/2
Oliver Hader [Wed, 27 Feb 2019 09:27:08 +0000 (10:27 +0100)]
[BUGFIX] Properly use requirejs-loader.js in frontend context

The eID handler in frontend context had a wrong method name. Besides
that generating according <script src="requirejs-loader.js"> tag had
flaws in path resolving.

Resolves: #87570
Releases: master, 9.5, 8.7
Change-Id: Ic5a3b824e8ae5aa776fd0e6502682aba6ae282b8
Reviewed-on: https://review.typo3.org/c/59827
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 weeks ago [TASK] Tighten rst validation rule for keyword 21/59821/2
Anja Leichsenring [Fri, 1 Mar 2019 10:23:01 +0000 (11:23 +0100)]
[TASK] Tighten rst validation rule for keyword

Ignore FullyScanned|PartiallyScanned|NotScanned when looking for valid
keywords on rst files and update existing Changelog files accordingly.

Resolves: #87774
Relates: #87772
Releases: master, 9.5, 8.7
Change-Id: I5e9a9c690ddb55ef11c52bde074d4e0175b17837
Reviewed-on: https://review.typo3.org/c/59821
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 weeks ago [BUGFIX] Relax rst validation rules for Feature and Important 19/59819/2
Anja Leichsenring [Sat, 23 Feb 2019 17:39:04 +0000 (18:39 +0100)]
[BUGFIX] Relax rst validation rules for Feature and Important

When looking for FullyScanned|PartiallyScanned|NotScanned ignore Feature
and Important rst files from any version as well as all rst files from
7.x and 8.x

Resolves: #87772
Releases: master, 9.5, 8.7
Change-Id: I7bf2a6068f95603a8ac3e6df4cb336d66963f145
Reviewed-on: https://review.typo3.org/c/59819
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 weeks ago [BUGFIX] Remove PageRenderer debug code 13/59813/2
Oliver Hader [Wed, 27 Feb 2019 08:46:39 +0000 (09:46 +0100)]
[BUGFIX] Remove PageRenderer debug code

Resolves: #87803
Releases: master, 9.5, 8.7
Change-Id: I1d99aa132208d5db14eb3aed49308e95998a0f0e
Reviewed-on: https://review.typo3.org/c/59813
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>
3 weeks ago [BUGFIX] htaccess does not allow pages that end with "rc" 05/59805/2
Christian Kuhn [Mon, 25 Feb 2019 16:23:19 +0000 (17:23 +0100)]
[BUGFIX] htaccess does not allow pages that end with "rc"

Page names that end with 'rc' return 403 if using apache
with the default core delivered .htaccess. The directive
should match '.rc$' instead of only 'rc$'.

Resolves: #87783
Releases: master, 9.5, 8.7
Change-Id: I59fd6b2a0d87556209713a0beedae0c6624d866f
Reviewed-on: https://review.typo3.org/c/59805
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
4 weeks ago [BUGFIX] Only apply hidden restriction for table sys_language 83/59783/4
Manuel Selbach [Thu, 21 Feb 2019 21:05:18 +0000 (22:05 +0100)]
[BUGFIX] Only apply hidden restriction for table sys_language

Previously the HiddenRestriction::class applied the hidden restriction
to both tables, with this change only the hidden field of sys_language
will be checked, which was also the case before the DBAL migration.

Change-Id: Icec2c5c0f0e821933379dfa72ff9686cbf414deb
Resolves: #87768
Releases: 8.7
Reviewed-on: https://review.typo3.org/c/59783
Reviewed-by: Claus Due <claus@phpmind.net>
Reviewed-by: Joerg Kummer <typo3@enobe.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Joerg Kummer <typo3@enobe.de>
Tested-by: Markus Klein <markus.klein@typo3.org>
4 weeks ago [BUGFIX] Initialize database connection with defined character set 23/59323/5
Sascha Egerer [Wed, 2 Jan 2019 17:54:26 +0000 (18:54 +0100)]
[BUGFIX] Initialize database connection with defined character set

The character set must be set based on the configured value
to prevent an exception #1389697515 to be thrown

Related: #71454
Resolves: #85524
Releases: 8.7

Change-Id: I34701429083b4ab7fc568fa1ee94756a49b45da6
Reviewed-on: https://review.typo3.org/c/59323
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
5 weeks ago [TASK] Replace IRC with Slack in composer support section 13/59713/2
Tomas Norre Mikkelsen [Fri, 15 Feb 2019 10:25:13 +0000 (11:25 +0100)]
[TASK] Replace IRC with Slack in composer support section

Remove reference to irc as it is not used anymore. Linking
to Slack instead.

Resolves: #87720
Releases: master, 9.5, 8.7
Change-Id: I7dea0d62329e8e361b8ac37a1d18b9f9f8603943
Reviewed-on: https://review.typo3.org/c/59713
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
5 weeks ago [TASK] Fix formatting of lists in Changelog 02/59702/2
Sybille Peters [Sat, 6 Oct 2018 17:19:22 +0000 (19:19 +0200)]
[TASK] Fix formatting of lists in Changelog

Lists in reStructuredText must be separated from the rest of a text by
a newline. If not, the text is not rendered correctly.
This patch fixes incorrectly formatted lists in the .rst files of
the Changelog.

Resolves: #85995
Releases: master,8.7
Change-Id: Icc390862f77ee99a5f96373e85ef5e09ac4272d5
Reviewed-on: https://review.typo3.org/59702
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Sybille Peters <sypets@gmx.de>
Reviewed-by: Björn Jacob <bjoern.jacob@tritum.de>
Tested-by: Björn Jacob <bjoern.jacob@tritum.de>
Tested-by: Sybille Peters <sypets@gmx.de>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Tested-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
5 weeks ago [DOCS] Document rte_ckeditor 01/59701/2
Sybille Peters [Sun, 3 Feb 2019 20:18:08 +0000 (21:18 +0100)]
[DOCS] Document rte_ckeditor

Resolves: #85461
Releases: master, 9.5, 8.7
Change-Id: I36eef1d24fce233639e2047cc2f09d972ccbe046
Reviewed-on: https://review.typo3.org/59701
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
6 weeks ago [TASK] Add language synchronization tests for TCA type inline/CSV 54/59654/2
Oliver Hader [Wed, 6 Feb 2019 14:57:31 +0000 (15:57 +0100)]
[TASK] Add language synchronization tests for TCA type inline/CSV

Adds DataHandler tests that were available for TCA type inline/FF
for inline/CSV as well (initially introduced with issue #79856).

Resolves: #87666
Releases: master, 9.5, 8.7
Change-Id: I01eadae3fc00a0ba037e1c8ef7e92b6de467266d
Reviewed-on: https://review.typo3.org/59654
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
7 weeks ago [BUGFIX] Use proper exception messages for Scheduler::fetchTask() 14/59614/2
Stefanos Karasavvidis [Wed, 9 Jan 2019 13:16:51 +0000 (15:16 +0200)]
[BUGFIX] Use proper exception messages for Scheduler::fetchTask()

Use a proper message in case a non existent uid was passed and
correctly handle the case where no task uid was passed and no task
is overdue.

Resolves: #87375
Releases: master, 9.5, 8.7
Change-Id: I69d2798cc185451c889bf37d8a007eacf572c163
Reviewed-on: https://review.typo3.org/59614
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Tested-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
7 weeks ago [BUGFIX] Mark scheduler tasks as executed on PHP-level errors 16/59616/2
Andreas Fernandez [Mon, 21 Jan 2019 10:36:51 +0000 (11:36 +0100)]
[BUGFIX] Mark scheduler tasks as executed on PHP-level errors

The scheduler now catches any error implementing the `\Throwable`
interface thrown by a task to be able to mark such task as executed.

Resolves: #87502
Releases: master, 9.5, 8.7
Change-Id: I1f1bebee922c864ce8d7bfc3f0aa6e9434228e98
Reviewed-on: https://review.typo3.org/59616
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
8 weeks ago [TASK] bamboo: db dependency loop needs break condition 69/59569/2
Christian Kuhn [Fri, 25 Jan 2019 11:00:46 +0000 (12:00 +0100)]
[TASK] bamboo: db dependency loop needs break condition

Functional and acceptance tests need a db up and running.
The according container is started as dependency and a
loop delays further execution until the database connected
to its network port. This sometimes goes wrong, for
instance mssql in rare conditions does not come up. This
leads to the loop running "forever", consuming the
executing bamboo agent and the job never finishes.
The patch adds an additional break condition: If db did
not connect to the port after a minute, the job now fails.

Resolves: #87549
Releases: master, 9.5, 8.7
Change-Id: Idc45f57d9cfd2d390cea6bd5319adaf4158340df
Reviewed-on: https://review.typo3.org/59569
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
8 weeks ago [BUGFIX] Prevent FrontendUserImageUpdateWizard to be marked as done 83/59183/4
Nicole Cordes [Mon, 17 Dec 2018 14:59:25 +0000 (15:59 +0100)]
[BUGFIX] Prevent FrontendUserImageUpdateWizard to be marked as done

This patch prevents the FrontendUserImageUpdateWizard to be marked
as done if error(s) occurred and some relations were not migrated
properly.

Resolves: #87188
Releases: master, 9.5, 8.7
Change-Id: I712fae29b83dc873d2c84f164f0096e96c56afab
Reviewed-on: https://review.typo3.org/59183
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Josef Glatz <josef.glatz@typo3.org>
Tested-by: Josef Glatz <josef.glatz@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
8 weeks ago [TASK] Set TYPO3 version to 8.7.25-dev 50/59550/2
Oliver Hader [Tue, 22 Jan 2019 15:26:57 +0000 (16:26 +0100)]
[TASK] Set TYPO3 version to 8.7.25-dev

Change-Id: If901a1348d3d2b7c71d9f6d4cdc1c278c2c66878
Reviewed-on: https://review.typo3.org/59550
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
8 weeks ago [RELEASE] Release of TYPO3 8.7.24 49/59549/2 8.7.24 TYPO3_8-7-24 v8.7.24
Oliver Hader [Tue, 22 Jan 2019 15:25:42 +0000 (16:25 +0100)]
[RELEASE] Release of TYPO3 8.7.24

Change-Id: If0f49e5c703359c9bee49f78a1b116f59661d2de
Reviewed-on: https://review.typo3.org/59549
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
8 weeks ago [BUGFIX] Use Json-based response for RequireJsController 48/59548/4
Benni Mack [Tue, 22 Jan 2019 12:13:59 +0000 (13:13 +0100)]
[BUGFIX] Use Json-based response for RequireJsController

This is a regression due to a very unfortunate
rebasing of a security backport which had the
exact code as changed here in the original change
which was tested.

The main reason is that JsonResponse is only
available in v9 or later.

Resolves: #87519
Releases: 8.7
Change-Id: Ib99cacb32e20d99b8e48940326385bcf5f4a19fa
Reviewed-on: https://review.typo3.org/59548
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [TASK] Set TYPO3 version to 8.7.24-dev 44/59544/2
Oliver Hader [Tue, 22 Jan 2019 10:11:13 +0000 (11:11 +0100)]
[TASK] Set TYPO3 version to 8.7.24-dev

Change-Id: I97add7062910b1d788b3f63f8e4822320b1f7545
Reviewed-on: https://review.typo3.org/59544
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [RELEASE] Release of TYPO3 8.7.23 43/59543/2 8.7.23 TYPO3_8-7-23 v8.7.23
Oliver Hader [Tue, 22 Jan 2019 10:09:21 +0000 (11:09 +0100)]
[RELEASE] Release of TYPO3 8.7.23

Change-Id: I73b988c86292bed46d62d60e231edee5c978cc4c
Reviewed-on: https://review.typo3.org/59543
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [TASK] Recompile install.css 42/59542/2
Oliver Hader [Tue, 22 Jan 2019 09:48:12 +0000 (10:48 +0100)]
[TASK] Recompile install.css

Resolves: #87517
Releases: 8.7
Change-Id: Ifb44c2858d194f091949197e4cef84480bc87abe
Reviewed-on: https://review.typo3.org/59542
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [SECURITY] Extend file deny pattern 26/59526/2
Oliver Hader [Tue, 22 Jan 2019 08:41:45 +0000 (09:41 +0100)]
[SECURITY] Extend file deny pattern

In order to enhance protection against (possible) executable file
extensions phar, shtml, cgi, pl have been added to the according
file deny pattern.

Releases: master, 9.5, 8.7
Resolves: #87368
Security-Commit: 8d94be6a63744d56f642663f1dc627b223799149
Security-Bulletin: TYPO3-CORE-SA-2019-008
Change-Id: Ia409b444b1334332a7b874f04e3dc139d9df7220
Reviewed-on: https://review.typo3.org/59526
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [SECURITY] Use a fluid template for the ConfirmationFinisher message 25/59525/2
Ralf Zimmermann [Tue, 22 Jan 2019 08:41:37 +0000 (09:41 +0100)]
[SECURITY] Use a fluid template for the ConfirmationFinisher message

The ConfirmationFinisher message is now rendered within a fluid template
to allow styling of the message.
Furthermore, the FormRuntime (and thus all form element values) and the
finisherVariableProvider are available in the template.
Custom variables can be added globally within the form setup or at
form level in the form definition.
By using a fluid template and the associated html escaping, the display
of the ConfirmationFinisher message is protected against XSS / html
injection attacks.

Resolves: #84902
Releases: master, 9.5, 8.7
Security-Commit: b55c0c61af4a60018bc1a25798445f7cd7fece4a
Security-Bulletin: TYPO3-CORE-SA-2019-007
Change-Id: I7456613ff6fd80cd16568a0d7be1c1672f5e125e
Reviewed-on: https://review.typo3.org/59525
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [SECURITY] Raise bootstrap 3.4.0 to fix XSS in JS components 24/59524/2
Benni Mack [Tue, 22 Jan 2019 08:41:30 +0000 (09:41 +0100)]
[SECURITY] Raise bootstrap 3.4.0 to fix XSS in JS components

Fixes an XSS issue in Alert, Carousel, Collapse, Dropdown, Modal,
and Tab components.

Executed tasks:
  cd Build
  yarn add bootstrap-sass@^3.4.0 --dev
  yarn exec grunt

Then copying the contents of Build/node_modules/bootstrap-sass/assets/javascripts/bootstrap.min.js
into typo3/sysext/core/Resources/Public/JavaScript/Contrib/bootstrap/bootstrap.js
additionally adding the AMD factory wrapper.

Resolves: #86580
Releases: master, 9.5, 8.7
Security-Commit: 7d39af7d38a50b5395d9971497a62b53de331ee2
Security-Bulletin: TYPO3-CORE-SA-2019-006
Change-Id: Ib7fd88851d3d431a42059fda292c511d59256bc6
Reviewed-on: https://review.typo3.org/59524
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [SECURITY] XSS issues in Fluid view helpers 23/59523/2
Andreas Wolf [Tue, 22 Jan 2019 08:41:23 +0000 (09:41 +0100)]
[SECURITY] XSS issues in Fluid view helpers

* HtmlentitiesViewHelper
* UrlencodeViewHelper
* StripTagsViewHelper

Resolves: #85764
Releases: master, 9.5, 8.7
Security-Commit: 27d959e4dfcfb4b4b9c395d1fb619c8fe4d9f4cd
Security-Bulletin: TYPO3-CORE-SA-2019-005
Change-Id: If22e4a4959ee674dcd5ccb7d86f885db6dd4187e
Reviewed-on: https://review.typo3.org/59523
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [SECURITY] Backend user privilege escalation for language limitations 22/59522/2
Oliver Hader [Tue, 22 Jan 2019 08:41:16 +0000 (09:41 +0100)]
[SECURITY] Backend user privilege escalation for language limitations

Backend users being limited to specific languages were allowed to create
or modify pages of the default language (sys_language_uid=0) without
having permission to those.

Resolves: #81512
Releases: 8.7
Security-Commit: 600789924b91d3bb115eea6d85e34259cd328fcc
Security-Bulletin: TYPO3-CORE-SA-2019-003
Change-Id: Ie0bfee764056110f97ddac15285da059b1c8c01b
Reviewed-on: https://review.typo3.org/59522
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [SECURITY] Avoid creation of backend users without password 21/59521/2
Benni Mack [Tue, 22 Jan 2019 08:41:09 +0000 (09:41 +0100)]
[SECURITY] Avoid creation of backend users without password

When using FormEngine it is possible to create a Backend User
without setting a password (or username), which could lead to
issues when using third-party authentication providers.

A hook within DataHandler ensures to set a random username
and/or password if the data is handed into DataHandler without
proper data. Besides that new backend users are disabled per
default and have to be enabled manually.

Resolves: #80269
Releases: master, 9.5, 8.7
Security-Commit: 09b19dc181a565ca4a237f96747c0c808eb1c11b
Security-Bulletin: TYPO3-CORE-SA-2019-002
Change-Id: If4fb1e05c5dd8018077daa0c2a47779b2ca14342
Reviewed-on: https://review.typo3.org/59521
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [SECURITY] Avoid disclosing loaded extensions 20/59520/2
Oliver Hader [Tue, 22 Jan 2019 08:41:00 +0000 (09:41 +0100)]
[SECURITY] Avoid disclosing loaded extensions

Inline JavaScript settings for RequireJS and ajaxUrls disclose the
existence of specific extensions in a TYPO3 installation.

In case no backend user is logged in RequireJS settings are fetched
using an according endpoint, ajaxUrls (for backend AJAX routes) are
limited to those that are accessible without having a user session.

Resolves: #83855
Releases: master, 9.5, 8.7
Security-Commit: af76c928bbe6fe05611db0839da879fce132daff
Security-Bulletin: TYPO3-CORE-SA-2019-001
Change-Id: I90dddd2fd3fd81834cd40c8638fa487fa106b07c
Reviewed-on: https://review.typo3.org/59520
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [TASK] Raise guzzlehttp/psr7 composer dependency 15/59515/2
Oliver Hader [Mon, 21 Jan 2019 19:05:36 +0000 (20:05 +0100)]
[TASK] Raise guzzlehttp/psr7 composer dependency

composer update guzzlehttp/psr7

Resolves: #87512
Releases: master, 9.5, 8.7
Change-Id: Ic3dcef632fd1ac65e09f5d8fb6d631ab211e8c3e
Reviewed-on: https://review.typo3.org/59515
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [BUGFIX] Harden CommandUtility invocations 72/59472/2
Oliver Hader [Mon, 10 Dec 2018 07:51:21 +0000 (08:51 +0100)]
[BUGFIX] Harden CommandUtility invocations

In order to harden CommandUtility API arguments used for invoking
system commands are escaped in addition. Since no insecure usages
have been identified in the TYPO3 core nor in public third party
extensions, this change is handled using a public workflow.

| In order to evaluate whether third party extensions open a
| potential attack vector, usages of CommandUtility::checkCommand(),
| CommandUtility::getCommand() and the registration of custom services
| ($GLOBALS['T3_SERVICES']) concerning their 'exec' argument have to
| be checked.

Resolves: #87450
Releases: master, 9.5, 8.7
Security-Advisory: TYPO3-PSA-2019-001
Change-Id: If4f2a63045ac7b2473881992f9731a635a768d37
Reviewed-on: https://review.typo3.org/59472
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
2 months ago [TASK] Add `.nvmrc` file 79/59479/2
Andreas Fernandez [Wed, 16 Jan 2019 21:37:15 +0000 (22:37 +0100)]
[TASK] Add `.nvmrc` file

nvm (node version manager) is a tool to have multiple node versions
installed. Since TYPO3 relies on an older node version right now, we can
provide support for nvm by adding a .nvmrc file.

This still requires to have nvm installed and configured on the client.

Resolves: #87468
Releases: master, 9.5, 8.7
Change-Id: Ie16827594fbdebeff1004cd178c28c67a61d60d7
Reviewed-on: https://review.typo3.org/59479
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Josef Glatz <josef.glatz@typo3.org>
Tested-by: Josef Glatz <josef.glatz@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
2 months ago [BUGFIX] Streamline creating text files in filelist module 10/59410/2
Anja Leichsenring [Fri, 11 Jan 2019 14:01:02 +0000 (15:01 +0100)]
[BUGFIX] Streamline creating text files in filelist module

The filelist module allows to create files and redirects to an
according editing view in case the file extension is configured
in $GLOBALS['TYPO3_CONF_VARS']['SYS']['textfile_ext']. However,
any file - except those in file-deny pattern - can be created,
but only text files can be edited directly.

Since this was kind of misleading, creating any file is still
possible, however there's no redirect anymore in case it's not
a text file. Wording in filelist module's view has been adjusted.

Resolves: #72404
Releases: master, 9.5, 8.7
Change-Id: Ibb48769aa571e880d0f5f58cfb650cade3cdb1e0
Reviewed-on: https://review.typo3.org/59410
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Tested-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
2 months ago [TASK] Update copyright year in documentation to 2019 96/59396/2
Stefanos Karasavvidis [Wed, 9 Jan 2019 09:20:56 +0000 (11:20 +0200)]
[TASK] Update copyright year in documentation to 2019

Includes year change in Settings.cfg, Index.rst files and also
README.md, INSTALL.md and SystemEnvironmentBuilder.php

Resolves: #87313
Releases: master, 9.5, 8.7
Change-Id: Ie056e9b7804af4003c2b67ee5e6d87ffd4eb96ba
Reviewed-on: https://review.typo3.org/59396
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
2 months ago [BUGFIX] Avoid fatal when flushed directory is a symlink 89/59389/2
Helmut Hummel [Tue, 8 Jan 2019 14:33:08 +0000 (15:33 +0100)]
[BUGFIX] Avoid fatal when flushed directory is a symlink

\TYPO3\CMS\Core\Utility\GeneralUtility::flushDirectory tries to
rename the given directory to be able to atomically flush the
contents of the directory. This however fails, when the given
folder is a symlink.

We now catch this case by checking whether the given directory
is a symlink and resolve it with realpath.

While this does not cover all possible cases, it improves the
case where the folder containing the symlink is also writable.

Resolves: #87367
Releases: master, 9.5, 8.7
Change-Id: Ic812a5eaa86cca4d81aee31b4a3fbdce052994a0
Reviewed-on: https://review.typo3.org/59389
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Tested-by: Mathias Brodala <mbrodala@pagemachine.de>
2 months ago [TASK] Stop dangling containers in bamboo 40/59340/2
Christian Kuhn [Sat, 5 Jan 2019 13:51:43 +0000 (14:51 +0100)]
[TASK] Stop dangling containers in bamboo

In rare conditions a bamboo agent does not stop all
created sibling containers at the end of a job. These
dangling containers then make consecutive runs on this
agent fail due to container namespace collisions.
As a self-heal mechanism, all jobs that fiddle with
containers now simply stop any possibly dangling containers
as an early task before starting own ones.

Resolves: #87334
Releases: master, 9.5, 8.7
Change-Id: I80332da8f9b1013dc8d961e7e532faf59b3bd3b8
Reviewed-on: https://review.typo3.org/59340
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
2 months ago [BUGFIX] Sql query export to use search_result_labels setting 39/58839/2
lsascha [Wed, 26 Sep 2018 22:43:34 +0000 (00:43 +0200)]
[BUGFIX] Sql query export to use search_result_labels setting

Releases: master, 8.7
Resolves: #86396
Change-Id: I198fe52a8024dcf392582a78c3fce0f134ed6b7a
Reviewed-on: https://review.typo3.org/58839
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
2 months ago [BUGFIX] Allow to add type=0 to typolink syntax 21/59321/2
Benni Mack [Wed, 26 Dec 2018 23:21:34 +0000 (00:21 +0100)]
[BUGFIX] Allow to add type=0 to typolink syntax

In previous versions, it was possible to link
to type=0 via "4,0,&param=2" where this was
stripped away, as the old syntax with the third
parameter was not supported anymore.

The patch changes the "empty()" to "isset()"
and explicitly sets the type parameter again.

Resolves: #81226
Releases: master, 9.5, 8.7
Change-Id: I5d19c38c90571f6686e7121dac638342783237ec
Reviewed-on: https://review.typo3.org/59321
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
2 months ago[BUGFIX] Streamline tree markup 89/59289/2
Andreas Fernandez [Sun, 23 Dec 2018 08:29:30 +0000 (09:29 +0100)]
[BUGFIX] Streamline tree markup

The trees used in TSOB and in the configuration module have a different
markup than the tree of the Link Browser (and the rest), causing the
regression introduced with #86790. The markup of the trees is now changed
to have a consistent structure.

Resolves: #87280
Related: #86790
Releases: master, 9.5, 8.7
Change-Id: I00c6b93c760a725e1ee771651f26c53573e0a6e2
Reviewed-on: https://review.typo3.org/59289
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 months ago[TASK] Add filter for be_users and be_groups 22/59122/2
Guido Schmechel [Sun, 9 Dec 2018 20:26:34 +0000 (21:26 +0100)]
[TASK] Add filter for be_users and be_groups

Add textfield filter for select fields from type
"selectMultipleSideBySide" for system tables.

Affected system tables: be_groups, be_users

Resolves: #87112
Releases: master, 8.7
Change-Id: Iba8b837a9fc5f2ec64be7e5ad313b454c4373feb
Reviewed-on: https://review.typo3.org/59122
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
3 months ago[TASK] Do not show error when copying a record was successful 35/59235/2
Christoph Lehmann [Tue, 18 Dec 2018 22:23:52 +0000 (23:23 +0100)]
[TASK] Do not show error when copying a record was successful

https://review.typo3.org/#/c/32356/ introduced the log message

The change was about skipping the direct copyRecord() call for
records that will be processed inside another copyRecord() call
for the record of the default language

Due to https://review.typo3.org/#/c/51070/ $overrideValues contains

['l10n_source' => 0]

When an element is copied inside an earlier copyRecord() call
the error log message is generated which leads to an error
flash message editors see when copying a page, but everything
(copying the records once) went fine.

An earlier call of copyRecord() can occur when using extensions like
gridelements when copying a content element lying inside a
grid container element.

Resolves: #82032
Releases: master, 9.5, 8.7
Change-Id: I0d5be8e8920852a0e0c5a5ee93a67f9a6426e941
Reviewed-on: https://review.typo3.org/59235
Reviewed-by: Christoph Lehmann <christoph.lehmann@networkteam.com>
Tested-by: Christoph Lehmann <christoph.lehmann@networkteam.com>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Tested-by: Mathias Brodala <mbrodala@pagemachine.de>
3 months ago[TASK] Revert test change and disable unit tests completely on Travis CI 10/59110/3
Markus Klein [Tue, 11 Dec 2018 12:24:13 +0000 (13:24 +0100)]
[TASK] Revert test change and disable unit tests completely on Travis CI

Resolves: #87119
Releases: 8.7
Change-Id: I28f7fb93dfdf8b6759abb4242b7131d4a4b63ccd
Reviewed-on: https://review.typo3.org/59110
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 months ago[BUGFIX] Disable extension updates in Composer mode 72/59172/3
Nicole Cordes [Tue, 20 Nov 2018 22:17:15 +0000 (23:17 +0100)]
[BUGFIX] Disable extension updates in Composer mode

Resolves: #86958
Releases: master, 8.7
Change-Id: Ib0f51088d42ab3dba014efcbd4c702447d75f984
Reviewed-on: https://review.typo3.org/59172
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Jörg Bösche <typo3@joergboesche.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 months ago[BUGFIX] Do not try to delete already remove file 92/59192/2
Helmut Hummel [Mon, 17 Dec 2018 21:33:23 +0000 (22:33 +0100)]
[BUGFIX] Do not try to delete already remove file

When using the FAL API to add a file to a folder,
the local file is deleted by default already.

Thus the attempt to remove the file again results in a warning.

Therefore remove the obsolete unlink to avoid the warning.

Resolves: #87192
Releases: 8.7, 9.5, master
Change-Id: I23f3192e2760cd705429337464c8a5506cf41205
Reviewed-on: https://review.typo3.org/59192
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago[BUGFIX] Mark form as changed after using the image cropper 78/59178/2
Andreas Fernandez [Sun, 16 Dec 2018 11:24:45 +0000 (12:24 +0100)]
[BUGFIX] Mark form as changed after using the image cropper

The image cropper now marks the form as "changed" after saving new
cropping information.

Change-Id: Icc387f0458c0dca9205b87fe58ed66190a4f869c
Resolves: #86998
Releases: master, 9.5, 8.7
Reviewed-on: https://review.typo3.org/59178
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 months ago[TASK] Declare compatible with PHP 7.3 48/59148/2
Mathias Brodala [Fri, 14 Dec 2018 08:36:36 +0000 (09:36 +0100)]
[TASK] Declare compatible with PHP 7.3

The tests have been running just fine with this PHP version for a
while so it is safe to claim basic compatibility.

Resolves: #87157
Releases: 8.7
Change-Id: I5cc502375a05eb37f9c1af91c65b688f5ac99c47
Reviewed-on: https://review.typo3.org/59148
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Josef Glatz <josef.glatz@typo3.org>
Tested-by: Josef Glatz <josef.glatz@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago[TASK] Streamline dependencies in package.json 80/59180/2
Benni Mack [Mon, 17 Dec 2018 12:18:14 +0000 (13:18 +0100)]
[TASK] Streamline dependencies in package.json

Several changes to Build/package.json are
adapted:
- define compatible node/yarn versions
- adapt version and URL to typo3.org

Resolves: #87177
Releases: master, 9.5, 8.7
Change-Id: Ie812cd69913e2969dc88db8e8c52edbb6d482243
Reviewed-on: https://review.typo3.org/59180
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago[BUGFIX] Fix positioning of arrows in Element Browser 43/59143/5
Andreas Fernandez [Thu, 13 Dec 2018 16:18:09 +0000 (17:18 +0100)]
[BUGFIX] Fix positioning of arrows in Element Browser

The positioning of the collapse/expand arrows is changed to fix the break
in trees with very deep nesting.

Resolves: #86790
Releases: master, 8.7
Change-Id: Ie1a916da8220468c6fbb4034c1668675f379f588
Reviewed-on: https://review.typo3.org/59143
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago[TASK] bamboo sends nightly build messages to intercept 70/59170/2
Christian Kuhn [Sun, 16 Dec 2018 14:46:54 +0000 (15:46 +0100)]
[TASK] bamboo sends nightly build messages to intercept

Resolves: #87171
Releases: master, 9.5, 8.7
Change-Id: Ia71eb5ce2824ff3c39dbc526ec3a3d93b4990eca
Reviewed-on: https://review.typo3.org/59170
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 months ago[BUGFIX] Support DateTimeInterface in DebuggerUtility 19/59019/3
Andreas Wolf [Mon, 26 Nov 2018 08:38:34 +0000 (09:38 +0100)]
[BUGFIX] Support DateTimeInterface in DebuggerUtility

Change-Id: Ib38107456acd0f0535dc51083006ee77c5a81c17
Resolves: #87002
Releases: master, 8.7
Reviewed-on: https://review.typo3.org/59019
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago[TASK] Set TYPO3 version to 8.7.23-dev 47/59147/2
Oliver Hader [Fri, 14 Dec 2018 07:45:00 +0000 (08:45 +0100)]
[TASK] Set TYPO3 version to 8.7.23-dev

Change-Id: Ie8c2a514c0832934d589547fad7cb83f987725f6
Reviewed-on: https://review.typo3.org/59147
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago[RELEASE] Release of TYPO3 8.7.22 46/59146/2 8.7.22 TYPO3_8-7-22 v8.7.22
Oliver Hader [Fri, 14 Dec 2018 07:43:33 +0000 (08:43 +0100)]
[RELEASE] Release of TYPO3 8.7.22

Change-Id: I7402a9db4d4d0d0ab760107b6df0c4263081ea8c
Reviewed-on: https://review.typo3.org/59146
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[BUGFIX] Properly separate markup for modal windows in extension manager 41/59141/2
Oliver Hader [Thu, 13 Dec 2018 15:41:12 +0000 (16:41 +0100)]
[BUGFIX] Properly separate markup for modal windows in extension manager

Due to recent security releases and fixes against cross-site scripting
in central modal window component, templates are separated in order to
distinguish between (secure) HTML and attribute or text nodes.

Resolves: #87146
Releases: master, 8.7
Change-Id: I1264cbe9005e54d1fe30eaba23efbbad07937cb1
Reviewed-on: https://review.typo3.org/59141
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago[BUGFIX] Fix HTML in modal of OnlineMedia.js 40/59140/3
Benni Mack [Thu, 13 Dec 2018 20:57:13 +0000 (21:57 +0100)]
[BUGFIX] Fix HTML in modal of OnlineMedia.js

Allows to call the OnlineMedia modal box again.

This change also adapts the buttons within
a Modal to be text-only.

Resolves: #87144
Releases: master, 8.7
Change-Id: Id08356aad3eb319c59af1411a14131715c8159d0
Reviewed-on: https://review.typo3.org/59140
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago[BUGFIX] getTreeList inserts duplicate keys in cache_treelist 39/59139/2
Alexander Schnitzler [Wed, 12 Dec 2018 21:53:07 +0000 (22:53 +0100)]
[BUGFIX] getTreeList inserts duplicate keys in cache_treelist

Unfortunately https://review.typo3.org/58951/ did not actually
solve issues #86028 and #86491 for good.

There are two issues concerning the former approach:

1) The expiration time of all created caches was 0, which resulted
   in a permanent creation and deletion of cache entries. This
   behaviour cannot be called caching.

2) Number 1) increases the chance for race conditions where several
   parallel requests tried to create the same cache entry.

To fix this, the check for an existing cache entry will be reverted
to behave like before the regression, i.e. cache entries with an
expiration timestamp of 0 are considered valid again.

Also, new caches are created within a transaction, which prevents
duplicate key errors.

Releases: master, 8.7
Resolves: #87139
Change-Id: If9470f6e0f875c0ec4fe3c092c9bd0dfc059de2d
Reviewed-on: https://review.typo3.org/59139
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago[BUGFIX] Revert bugfix Remove surrounding &nsbp; in the tables with ol or ul in CKEditor 38/59138/2
Benni Mack [Thu, 13 Dec 2018 16:58:39 +0000 (17:58 +0100)]
[BUGFIX] Revert bugfix Remove surrounding &nsbp; in the tables with ol or ul in CKEditor

This reverts commit c23b1e1970d44cb3fc836db697650be568788218
as now frontend rendering is different from 8.7.19 and 8.7.20.

Resolves: #86819
Reverts: #83795
Releases: master, 8.7
Change-Id: Ifd264779f2d0a678781fcf5761a81982023f3056
Reviewed-on: https://review.typo3.org/59138
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Tested-by: Mathias Brodala <mbrodala@pagemachine.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago[BUGFIX] Do not rewind Generator in DebuggerUtility::var_dump() 34/59134/2
Mathias Brodala [Thu, 13 Dec 2018 14:21:15 +0000 (15:21 +0100)]
[BUGFIX] Do not rewind Generator in DebuggerUtility::var_dump()

Resolves: #87149
Releases: master, 8.7
Change-Id: I8cf2cfab94634276a67fd3d0dd36215c12ae5490
Reviewed-on: https://review.typo3.org/59134
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Tested-by: Mathias Brodala <mbrodala@pagemachine.de>
3 months ago[TASK] Silence composer install progress in bamboo 26/59126/2
Christian Kuhn [Wed, 12 Dec 2018 19:43:07 +0000 (20:43 +0100)]
[TASK] Silence composer install progress in bamboo

Resolves: #87136
Releases: master, 8.7
Change-Id: Idbac64bf44b8f79ccd8a169f4abade462873e17d
Reviewed-on: https://review.typo3.org/59126
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 months ago[TASK] Set TYPO3 version to 8.7.22-dev 14/59114/2
Oliver Hader [Tue, 11 Dec 2018 12:41:13 +0000 (13:41 +0100)]
[TASK] Set TYPO3 version to 8.7.22-dev

Change-Id: Id49459f0df2d7dbb04e5cfa1fcae595de77cbecc
Reviewed-on: https://review.typo3.org/59114
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[RELEASE] Release of TYPO3 8.7.21 13/59113/2 8.7.21 TYPO3_8-7-21 v8.7.21
Oliver Hader [Tue, 11 Dec 2018 12:39:50 +0000 (13:39 +0100)]
[RELEASE] Release of TYPO3 8.7.21

Change-Id: I1ced38699bc6d545e871a36b76cc2aee0fd4ff7d
Reviewed-on: https://review.typo3.org/59113
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[BUGFIX] Adjust modal window processing 08/59108/4
Oliver Hader [Tue, 11 Dec 2018 11:47:39 +0000 (12:47 +0100)]
[BUGFIX] Adjust modal window processing

Resolves: #87123
Releases: master, 8.7, 7.6
Change-Id: Idceecb174682261b967ea284e12e1836bb7e7bea
Reviewed-on: https://review.typo3.org/59108
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[TASK] Skip IPv6 related dns resolution tests 81/59081/3
Markus Klein [Mon, 10 Dec 2018 19:04:08 +0000 (20:04 +0100)]
[TASK] Skip IPv6 related dns resolution tests

Skip those tests on systems which do not properly resolve ::1 to localhost.
Travis CI is one example.

Resolves: #87119
Releases: 8.7, 7.6
Change-Id: I8d96f8da1c19f3d9924dcc048466b5f88d8f18dd
Reviewed-on: https://review.typo3.org/59081
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[SECURITY] Add feature toggle to disable record registration 98/59098/2
Benni Mack [Tue, 11 Dec 2018 09:56:43 +0000 (10:56 +0100)]
[SECURITY] Add feature toggle to disable record registration

The "recs" query parameter allows to write
arbitrary entries into a session, leading
to a possibility to create a reasonable amount
of frontend user sessions.

In order to prevent this situation, a new configuration
option $TYPO3_CONF_VARS[FE][enableRecordRegistration]
is added to disable the functionality completely.

The feature is disabled per default in order to apply
strong security defaults. Installations that rely on this
functionality have to manually enable the feature and
its vulnerability by changing the according TYPO3_CONF_VARS
setting in the install tool.

A security report is added to display a warning
in the TYPO3 Backend.

Resolves: #80979
Releases: 8.7, 7.6
Security-Commit: 32762f9654fba3e8ddcf1f67d1c0fbf4967b5149
Security-Bulletin: TYPO3-CORE-SA-2018-012
Change-Id: I488bdf412361a0c56290deb842b16a3958501430
Reviewed-on: https://review.typo3.org/59098
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[SECURITY] Avoid DoS in Online Media Helper 97/59097/2
Oliver Hader [Tue, 11 Dec 2018 09:56:37 +0000 (10:56 +0100)]
[SECURITY] Avoid DoS in Online Media Helper

Using large media files (*.youtube, *.vimeo in the TYPO3 core)
might lead to denial of service scenarios. In order to avoid
that, media files are limited to have a content size of 2048
bytes as a maximum. Usually these files contain just the remote
identifier - thus, ~20 bytes should have been sufficient already.

Resolves: #85381
Releases: master, 8.7, 7.6
Security-Commit: 38eec2deace776ed34d30b8e1e5e95fffec5db8a
Security-Bulletin: TYPO3-CORE-SA-2018-011
Change-Id: I0af4f27e2de6db43c2801f1f3143c9cdb6e21867
Reviewed-on: https://review.typo3.org/59097
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[SECURITY] Remove TYPO3 version from installer 96/59096/2
Benni Mack [Tue, 11 Dec 2018 09:56:30 +0000 (10:56 +0100)]
[SECURITY] Remove TYPO3 version from installer

When installing TYPO3, the current version
is shown without any kind of authentication
provided (no FIRST_INSTALL). This information
disclosure is solved.

Resolves: #86254
Releases: master, 8.7, 7.6
Security-Commit: c7f8829609ac20081500ea486eb74a11428313dd
Security-Bulletin: TYPO3-CORE-SA-2018-010
Change-Id: I7358f181e5b93c596aa460040dee53a1485f3759
Reviewed-on: https://review.typo3.org/59096
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[SECURITY] Make InstallTool session cookie HTTP-only 95/59095/2
Oliver Hader [Tue, 11 Dec 2018 09:56:24 +0000 (10:56 +0100)]
[SECURITY] Make InstallTool session cookie HTTP-only

Resolves: #86955
Releases: master, 8.7, 7.6, 6.2
Security-Commit: c7326315b4c80d8563419be040c8a2435ed925ea
Security-Bulletin: TYPO3-CORE-SA-2018-009
Change-Id: I669fdd0de055554511c39de6c0f3f1efd19874b9
Reviewed-on: https://review.typo3.org/59095
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[SECURITY] Prevent XSS with fe_users data in felogin/TSFE 94/59094/2
Benni Mack [Tue, 11 Dec 2018 09:56:17 +0000 (10:56 +0100)]
[SECURITY] Prevent XSS with fe_users data in felogin/TSFE

Two occurrences allow to render data of the currently logged in
frontend user that is not sanitized and thus allow XSS attacks
by frontend users.

1. EXT:fe_login adds ###FEUSER_{fieldname}### for each
field that exists in the fe_users DB table, which CAN be processed
by TypoScript but is insecure by default.

2. config.USERNAME_substToken = <!--###USERNAME###-->
sets the username dynamically, which is then insecure.

Adding htmlspecialchars as a default configuration
solves this problem.

Resolves: #87053
Releases: master, 8.7, 7.6
Security-Commit: 3ef6a5c97381742eb6699923e9ed44224ab1e72e
Security-Bulletin: TYPO3-CORE-SA-2018-008
Change-Id: Ic0a48a36d1e5b394b6e829c5e209bdd2321b654e
Reviewed-on: https://review.typo3.org/59094
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[SECURITY] Prevent XSS in modal component 93/59093/2
Frank Naegler [Tue, 11 Dec 2018 09:56:10 +0000 (10:56 +0100)]
[SECURITY] Prevent XSS in modal component

Resolves: #84190
Releases: master, 8.7, 7.6
Security-Commit: e991d9ac10b78f360bff386d9a822f0caa7c781d
Security-Bulletin: TYPO3-CORE-SA-2018-007
Change-Id: I41f0d6bdb5e06b6f08b19feaf59ea47e3a197549
Reviewed-on: https://review.typo3.org/59093
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[SECURITY] Properly escape videoId for YouTube/Vimeo 92/59092/2
Susanne Moog [Tue, 11 Dec 2018 09:56:04 +0000 (10:56 +0100)]
[SECURITY] Properly escape videoId for YouTube/Vimeo

Resolves: #83184
Releases: master, 8.7, 7.6
Security-Commit: 20b6cff301205505b620bffb5be4807636b014e7
Security-Bulletin: TYPO3-CORE-SA-2018-006
Change-Id: Ifb6b7588c7a06ca29a7c2a6382f95bbfb52f392e
Reviewed-on: https://review.typo3.org/59092
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[SECURITY] Update library CKEditor to 4.11.1 91/59091/2
Benni Mack [Tue, 11 Dec 2018 09:55:49 +0000 (10:55 +0100)]
[SECURITY] Update library CKEditor to 4.11.1

CKEditor 4.11 was released including an XSS fix where
an attacker could add invalid HTML markup by switching
to the Source mode of CKEditor and back.

Latest CKEditor version 4.11.1 is used automatically per
default. In TYPO3 v8 it is possible to select previous and
insecure version 4.7.1 due to backward compatibility reasons.
This can be configured in Extension Manager for cke_editor.

Used commands:
  cp -r typo3/sysext/rte_ckeditor/Resources/Public/JavaScript/Contrib/ \
        typo3/sysext/rte_ckeditor/Resources/Public/JavaScript/Contrib-47
  cd Build/
  yarn add ckeditor#4.11.1 --dev
  grunt build

Resolves: #84800
Releases: master, 8.7
Security-Commit: 1c44c5ef1753b03ebff2a83b5bf1bc43cf187dff
Security-Bulletin: TYPO3-CORE-SA-2018-005
Change-Id: I1abe5639f82e42b9c12453d1b301e5c4ca1f2aa7
Reviewed-on: https://review.typo3.org/59091
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
3 months ago[BUGFIX] Backport essential features into TypoLinkViewHelper classes 33/58933/3
Andreas Fernandez [Thu, 22 Nov 2018 14:48:18 +0000 (15:48 +0100)]
[BUGFIX] Backport essential features into TypoLinkViewHelper classes

This patch backports essential support for `forceAbsoluteUrl` and
`addQueryString` to the TypoLinkViewHelper classes.

Resolves: #86977
Related: #84120
Related: #81358
Releases: 8.7
Change-Id: Iab4d1c49a2be46108d6e7578ba418eb89d24b532
Reviewed-on: https://review.typo3.org/58933
Tested-by: TYPO3com <no-reply@typo3.com>
Tested-by: Jonas Eberle <flightvision@googlemail.com>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Reviewed-by: Josef Glatz <josef.glatz@typo3.org>
Tested-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 months ago[TASK] bamboo 8.7 nightly supports paches on-top 67/59067/2
Christian Kuhn [Sat, 8 Dec 2018 17:52:22 +0000 (18:52 +0100)]
[TASK] bamboo 8.7 nightly supports paches on-top

Change-Id: I1830314fa79a218429f6210d7bc12a17a51daa8a
Resolves: #87110
Releases: 8.7
Reviewed-on: https://review.typo3.org/59067
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 months ago[TASK] Simplify bamboo variable to label handling 64/59064/3
Christian Kuhn [Sat, 8 Dec 2018 13:52:56 +0000 (14:52 +0100)]
[TASK] Simplify bamboo variable to label handling

Intercept has been adapted, the variable to label handling
can be simplified a bit.

Resolves: #87109
Releases: master, 8.7, 7.6
Change-Id: I27255ef9f5eb515c89f5d89e7061fc473e2abec1
Reviewed-on: https://review.typo3.org/59064
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 months ago[BUGFIX] Simplify test setup to avoid double exception codes 61/59061/5
Anja Leichsenring [Sat, 8 Dec 2018 10:50:46 +0000 (11:50 +0100)]
[BUGFIX] Simplify test setup to avoid double exception codes

The setup just needs to make sure the exception is expected.
More details are not required.

Change-Id: Id9c27078ddeb2817f3d34c4134c0eca4aa20589a
Resolves: #87108
Relates: #87103
Releases: 8.7
Reviewed-on: https://review.typo3.org/59061
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Joerg Kummer <typo3@enobe.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: Joerg Kummer <typo3@enobe.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 months ago[BUGFIX] Prevent double pointer parameter in record list 54/59054/2
Vladimir Falcon Piva [Mon, 26 Nov 2018 14:59:06 +0000 (15:59 +0100)]
[BUGFIX] Prevent double pointer parameter in record list

This fix makes sure that the pointer parameter is added just once into
the record list pagination urls

Resolves: #87007
Releases: master, 8.7
Change-Id: I6db00dd0af0d09277aa9a005e561330acb386809
Reviewed-on: https://review.typo3.org/59054
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Jan Helke <typo3@helke.de>
Tested-by: Jan Helke <typo3@helke.de>
3 months ago[BUGFIX] Set FE/loginSecurityLevel to normal for no ext:rsaauth loaded 58/59058/6
Florian Peters [Fri, 7 Dec 2018 19:44:04 +0000 (20:44 +0100)]
[BUGFIX] Set FE/loginSecurityLevel to normal for no ext:rsaauth loaded

Provide a silent upgrader the same way as for BE/loginSecurityLevel
to avoid FE login to fail after upgrade.

Resolves: #87103
Releases: 8.7
Related: #86417
Change-Id: Ie2cc2bfe9b542534de6d04259c1e5fc8bcd84fab
Reviewed-on: https://review.typo3.org/59058
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
3 months ago[BUGFIX] Mark changes in `selectMultipleSideBySide` 57/59057/2
Andreas Fernandez [Fri, 7 Dec 2018 18:50:39 +0000 (19:50 +0100)]
[BUGFIX] Mark changes in `selectMultipleSideBySide`

A `selectMultipleSideBySide` field is now marked as "changed" when either
the order of items has changed or when an item has been removed.

Resolves: #87082
Releases: master, 8.7
Change-Id: I9f50576270db667751c14e3513d1a7cd31c1135e
Reviewed-on: https://review.typo3.org/59057
Reviewed-by: Richard Haeser <richard@maxserv.com>
Reviewed-by: Josef Glatz <josef.glatz@typo3.org>
Tested-by: Josef Glatz <josef.glatz@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Tested-by: Richard Haeser <richard@maxserv.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 months ago[BUGFIX] Send payload of image cropping wizard via POST 86/58786/3
Andreas Fernandez [Mon, 29 Oct 2018 22:17:55 +0000 (23:17 +0100)]
[BUGFIX] Send payload of image cropping wizard via POST

The image cropper wizard configuration can become very large, which
might break the wizard as the configuration is sent via query parameters
and "Request-URI Too Long" might kick in.

The payload is now sent via POST to bypass this issue. As our Modal API
is currently not capable of sending AJAX requests via POST, the logic
regarding the icon spinner is duplicated for the time being.

Resolves: #82225
Releases: master, 8.7
Change-Id: I7106b62fcc09101bc5147277225d1b8e89133d5c
Reviewed-on: https://review.typo3.org/58786
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Jörg Bösche <typo3@joergboesche.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 months ago[BUGFIX] Add missing translation value for Modals 53/59053/3
Anja Leichsenring [Fri, 7 Dec 2018 14:24:57 +0000 (15:24 +0100)]
[BUGFIX] Add missing translation value for Modals

Changes syntax for translation key and add default language value.

Resolves: #87001
Releases: master, 8.7
Change-Id: I5a634aff013f6d4af68f25b8288ed04bc340e823
Reviewed-on: https://review.typo3.org/59053
Reviewed-by: Richard Haeser <richard@maxserv.com>
Tested-by: Richard Haeser <richard@maxserv.com>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Joerg Kummer <typo3@enobe.de>
Tested-by: Joerg Kummer <typo3@enobe.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Jan Helke <typo3@helke.de>
Tested-by: Jan Helke <typo3@helke.de>
3 months ago[BUGFIX] Fix return type annotation in ResourceStorage::sanitizeFileName() 50/59050/2
Andreas Fernandez [Fri, 7 Dec 2018 10:53:08 +0000 (11:53 +0100)]
[BUGFIX] Fix return type annotation in ResourceStorage::sanitizeFileName()

Resolves: #87096
Releases: master, 8.7
Change-Id: I0a46420cb910d19223a8bb133d9e7457fbd29ee2
Reviewed-on: https://review.typo3.org/59050
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
3 months ago[BUGFIX] Upgrade linkhandler syntax to new link syntax 46/59046/2
Johannes Kasberger [Tue, 27 Nov 2018 16:24:56 +0000 (17:24 +0100)]
[BUGFIX] Upgrade linkhandler syntax to new link syntax

The \TYPO3\CMS\Core\LinkHandling\RecordLinkHandler::asString method
expects the parameters to hold the identifier and uid as top-level
array elements.
The legacy syntax converter now ensures that this nesting is correct.

Besides that we now also upgrade the very old linkhandler syntax
with no identifier.

Therefore we accept
 - record:<identifier>:<table>:<uid>
 - record:<table>:<uid>

Resolves: #80806
Releases: master, 8.7
Change-Id: I01c3d525de43a56d610dc882ef406de631a8762e
Reviewed-on: https://review.typo3.org/59046
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 months ago[BUGFIX] Get only valid template records in backend -> Template -> PID 0 72/58472/5
Ioulia Kondratovitch [Sat, 29 Sep 2018 18:41:01 +0000 (20:41 +0200)]
[BUGFIX] Get only valid template records in backend -> Template -> PID 0

Get only template records, where corresponding parent page really exists
in the database.

Resolves: #86453
Releases: 8.7
Change-Id: Ie9d403fd3979ae76d1192ccd39408310d8938e8d
Reviewed-on: https://review.typo3.org/58472
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Joerg Kummer <typo3@enobe.de>
Tested-by: Joerg Kummer <typo3@enobe.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 months ago[BUGFIX] Remove expired cache_treelist entries during runtime 31/59031/2
Alexander Schnitzler [Mon, 26 Nov 2018 09:58:48 +0000 (10:58 +0100)]
[BUGFIX] Remove expired cache_treelist entries during runtime

When \TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getTreeList
checked for an existing cache_treelist entry, the given md5hash and the
expiry timestamp had been compared. As caches do not expire at all by
default, there are very few cases when an entry is actually expired.

However, if a cache entry has been expired, the cache entry hasn't been
removed and therefore the creation of a new cache entry with the same
md5hash identifier resulted in a duplicate entry exception.

To solve this, the affected, expired entry will be removed during runtime.

Releases: master, 8.7
Resolves: #86028
Resolves: #86491
Change-Id: If1a907607db29f7edd0fa77a8bb47a69bdfc0df9
Reviewed-on: https://review.typo3.org/59031
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 months ago [BUGFIX] Add getter for tsfe->pageCacheTags 28/59028/2
Benni Mack [Tue, 4 Dec 2018 16:03:08 +0000 (17:03 +0100)]
[BUGFIX] Add getter for tsfe->pageCacheTags

Resolves: #87066
Releases: master, 8.7
Change-Id: I9ed1d82d03f3518018699402d5b3a93930e49457
Reviewed-on: https://review.typo3.org/59028
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago [TASK] Log a warning if fluid-based preview template couldn't be rendered 66/58966/3
Josef Glatz [Wed, 28 Nov 2018 04:41:50 +0000 (05:41 +0100)]
[TASK] Log a warning if fluid-based preview template couldn't be rendered

A warning is logged if the fluid-based preview template for a
content element could not be rendered.

The logged warning includes
- the UID of the content element
- the resulting path to the template file
- and the exception message

Resolves: #87015
Releases: master, 8.7
Change-Id: I2cd100a5140a07845145b16259b7cbe3e5eed852
Reviewed-on: https://review.typo3.org/58966
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
3 months ago [BUGFIX] Rename invalid file name of RST 07/59007/2
Benni Mack [Sat, 1 Dec 2018 21:39:36 +0000 (22:39 +0100)]
[BUGFIX] Rename invalid file name of RST

Due to a bug within Gerrit's editing interface, a file got renamed with a "\t"
filename at the end.

Resolves: #87054
Related: #65636
Releases: 8.7
Change-Id: Id9440309ef48000465e927fabe49a3d4a851e7ee
Reviewed-on: https://review.typo3.org/59007
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago [BUGFIX] Make meta data editable for non-writable storages 78/58978/3
Nicole Cordes [Tue, 25 Aug 2015 16:29:28 +0000 (18:29 +0200)]
[BUGFIX] Make meta data editable for non-writable storages

Decouple check for writable files/storage from permission
to edit meta data. Permission to edit meta data is now
only denied when users have only access to the file
via a readonly file mount.

Resolves: #65636
Resolves: #66507
Releases: master, 8.7
Change-Id: I25a0fbc9cf761898dbdb95dec1d3d39bb2f4b7fd
Reviewed-on: https://review.typo3.org/58978
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago [TASK] Update bamboo to gerrit notification url 71/58971/3
Christian Kuhn [Wed, 28 Nov 2018 15:21:23 +0000 (16:21 +0100)]
[TASK] Update bamboo to gerrit notification url

Resolves: #87026
Releases: master, 8.7, 7.6
Change-Id: Idfbf4bbf0bab8a6e4bedc37e92903ed2c85af494
Reviewed-on: https://review.typo3.org/58971
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
3 months ago [BUGFIX] Allow `<s>` tag in RTE processing in CSS styled content too 69/58969/2
Jigal van Hemert [Wed, 28 Nov 2018 10:37:39 +0000 (11:37 +0100)]
[BUGFIX] Allow `<s>` tag in RTE processing in CSS styled content too

Resolves: #87024
Relates: #87012
Releases: 8.7
Change-Id: Idcfbea18615ce89b47152ecee1220df42a39751e
Reviewed-on: https://review.typo3.org/58969
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Joerg Kummer <typo3@enobe.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Riccardo De Contardi <erredeco@gmail.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 months ago [BUGFIX] Allow `<s>` tag in RTE processing 58/58958/3
Andreas Fernandez [Tue, 27 Nov 2018 09:40:32 +0000 (10:40 +0100)]
[BUGFIX] Allow `<s>` tag in RTE processing

`lib.parseFunc` is now capable of handling the `<s>` tag by adding it to
`allowTags`. The list already contains `<strike>`, but this is a
non-valid tag in HTML5. For compatibility reasons, both tags exist now.

Resolves: #87012
Releases: master, 8.7
Change-Id: I113b7721c9483735dff0875f8c7bffb276f09e5b
Reviewed-on: https://review.typo3.org/58958
Reviewed-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
Tested-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
3 months ago [BUGFIX] Drop GROUP BY clause in Info > PageTS Config 65/58965/3
Andreas Fernandez [Tue, 27 Nov 2018 15:18:22 +0000 (16:18 +0100)]
[BUGFIX] Drop GROUP BY clause in Info > PageTS Config

The GROUP BY clause used in InfoPageTypoScriptConfigController's
`getOverviewOfPagesUsingTSConfig()` is dropped, as grouping by
a unique value doesn't make any sense.

Resolves: #87019
Related: #76484
Releases: master, 8.7
Change-Id: I0054064fb6f0bba9b65737bf323db364377bb4e6
Reviewed-on: https://review.typo3.org/58965
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
3 months ago [BUGFIX] Enlarge scheduler object DB field 55/58955/2
Benni Mack [Mon, 26 Nov 2018 14:51:45 +0000 (15:51 +0100)]
[BUGFIX] Enlarge scheduler object DB field

The serialized PHP object is stored within the database field
"serialized_task_object". When serializing this could lead to several
issues.

One particular issue is that if the object has lots of data or dependencies,
it cannot be stored at all in this database field.

Although we know that this implementation detail of scheduler is a rather
bad idea, we can only fix this by enlarging the field from "blob" to
"mediumblob" for now.

Resolves: #87006
Releases: master, 8.7
Change-Id: I2b335f258fe18b494033bde28eff76f2e67d34bb
Reviewed-on: https://review.typo3.org/58955
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>