Packages/TYPO3.CMS.git
4 years ago [RELEASE] Release of TYPO3 4.5.39 30/35230/2 TYPO3_4-5-39
TYPO3 Release Team [Wed, 10 Dec 2014 10:52:17 +0000 (11:52 +0100)]
[RELEASE] Release of TYPO3 4.5.39

Change-Id: I5706e9296860dc95e0056a47d97fed6533ccc985
Reviewed-on: http://review.typo3.org/35230
Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org>
Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
4 years ago [!!!][SECURITY] Fix link spoofing in prefixLocalAnchors 22/35222/2
Helmut Hummel [Wed, 10 Dec 2014 10:07:53 +0000 (11:07 +0100)]
[!!!][SECURITY] Fix link spoofing in prefixLocalAnchors

A specially crafted request could lead to anchors prefixed
with URLs to domains controlled by the attacker on the
domain root page (home page). No other pages are affected!

Fix this by prefixing the anchors with a canonical URL
to the current request. This could lead to the situation
that the prefix does not match the current REQUEST_URI
which leads to a page reload instead of just "jumping" to the page section.

Additionally this change assures that REQUEST_URI always starts
with a slash, which mitigates similar attack vectors when using
getIndpEnv('REQUEST_URI')

To mitigate the impact of this breaking change, the REQUEST_URI
is used for anchor prefix if a backend user is logged in,
to not disturb the preview functionality of the home page.

In case prefixLocalAnchors is used in the HTML parser configuration
with prefixLocalAnchors = 2, always the canonical URL is used as prefix.

This change does *not* fix, that arbitrary (non functional) GET parameters
will be included in the generated prefix URL. To fix this it is recommended
to use absRefPrefix instead of baseUrl and prefixLocalAnchors.

Resolves: #62723
Releases: 4.5, 6.2, master
Security-Commit: 16003fd71982a9da3fde04c7cc298425d8b539dc
Security-Bulletin: TYPO3-CORE-SA-2014-003
Change-Id: I120f7a0fa32e48644c88d54d65863a6ac96acf4c
Reviewed-on: http://review.typo3.org/35222
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
4 years ago [BUGFIX] Exclude CDATA from t3lib_parsehtml->XHTML_clean 39/35039/2
Nicole Cordes [Thu, 4 Dec 2014 14:15:38 +0000 (15:15 +0100)]
[BUGFIX] Exclude CDATA from t3lib_parsehtml->XHTML_clean

Due to commit https://review.typo3.org/#/c/30240/ the comments from
javascript are removed and now the javascript is parsed with
config.xhtml_cleaning = all. This patch prevents any CDATA content from
being parsed.

Resolves: #62967
Releases: master, 6.2, 4.5
Change-Id: Ib024c5c8f2b056e47d9222b9767b7a5e6923af8c
Reviewed-on: http://review.typo3.org/35039
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
4 years ago [TASK] Set TYPO3 version to 4.5.39-dev 79/34679/2
TYPO3 Release Team [Thu, 27 Nov 2014 10:40:07 +0000 (11:40 +0100)]
[TASK] Set TYPO3 version to 4.5.39-dev

Change-Id: I1f43bd5fc9f1197ca7f6fdfd6f68c84f7f6214ff
Reviewed-on: http://review.typo3.org/34679
Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org>
Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
4 years ago [RELEASE] Release of TYPO3 4.5.38 77/34677/2 TYPO3_4-5-38
TYPO3 Release Team [Thu, 27 Nov 2014 10:39:36 +0000 (11:39 +0100)]
[RELEASE] Release of TYPO3 4.5.38

Change-Id: If2f6374021bd90046335888117ac5968405b9a40
Reviewed-on: http://review.typo3.org/34677
Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org>
Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
4 years ago [BUGFIX] Handle opacity for IE in prototype.js 31/34331/2
Jigal van Hemert [Sun, 20 Apr 2014 08:36:57 +0000 (10:36 +0200)]
[BUGFIX] Handle opacity for IE in prototype.js

The new prototype.js sometimes returns a string as opacity value
instead of a float. This causes problems with the starting
animation for dragging an item, making it completely hidden during
dragging.
Forcing the result to be a float results in a correct opacity.

Resolves: #58053
Releases: 6.2, 6.1, 4.7, 4.5
Change-Id: I7811dec578f5e3222fd8fc95145c1e0cdbedb21f
Reviewed-on: http://review.typo3.org/34331
Reviewed-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
Tested-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
4 years ago [BUGFIX] PHP warning on saving TypoScript with t3editor 03/34203/2
Oliver Hader [Sat, 15 Nov 2014 12:52:50 +0000 (13:52 +0100)]
[BUGFIX] PHP warning on saving TypoScript with t3editor

On saving TypoScript data in the accordant backend module
using t3editor, the AJAX call issues a PHP warning
"Creating default object from empty value". This only
happens if at least PHP 5.4 is used. The reason is,
that an uninitialized and empty variable is used for
object access.

Resolves: #62984
Releases: 4.5
Change-Id: I7567d61f0a16379db58760dd963f0330dc8ca6c8
Reviewed-on: http://review.typo3.org/34203
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
4 years ago [BUGFIX] Fix PHP warning with date function in FormEngine 65/33665/2
Oliver Hader [Fri, 31 Oct 2014 09:51:19 +0000 (10:51 +0100)]
[BUGFIX] Fix PHP warning with date function in FormEngine

The timestamp handed to the date function must be of type int
otherwise a warning is issued. Cast the value to int before
passing it to the date function. The important scenarios are
when the timestamp is "0" or "" (blank string).

Add unit test for formatValue function and the possible format
configurations.

Resolves: #62032
Releases: master, 6.2, 6.1, 4.5
Change-Id: I5207ef5b562dd70b9b5e574eef1b9ee59fa836f0
Reviewed-on: http://review.typo3.org/33665
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
4 years ago [BUGFIX] Ensure PHP 5.2 compatibility in php-openid 37/33737/4
Michael Stucki [Mon, 3 Nov 2014 08:37:37 +0000 (09:37 +0100)]
[BUGFIX] Ensure PHP 5.2 compatibility in php-openid

The backport #62357 introduced a regression with PHP 5.2,
which still is officially supported by TYPO3 CMS 4.5

Adapt the code to be PHP 5.2 compatible

Resolves: #62391
Releases: 4.5
Change-Id: I72895592e10d963f2777c4659cc1f0a10e69a1c1
Reviewed-on: http://review.typo3.org/33737
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
4 years ago [BUGFIX] Too many tags by identifier in CacheBackends 92/33592/2
Michael Stucki [Fri, 24 Oct 2014 09:38:52 +0000 (11:38 +0200)]
[BUGFIX] Too many tags by identifier in CacheBackends

This patch is a backport of 3d93017022a8ef03842d75f2d7bd3912365c95be.

Applies to Apc/Memcached backends.

After an array_merge the values aren't unique. This leads to duplicate
tags per identifier. This patch changes that and also moves the
findTagsByIdentifier call out of the foreach loop.

Resolves: #62513
Releases: 4.5
Change-Id: Ia4713eeb399a4770b2c23e5738e076a91afe2a64
Reviewed-on: http://review.typo3.org/33592
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Reviewed-by: Michael Stucki <michael.stucki@typo3.org>
Tested-by: Michael Stucki <michael.stucki@typo3.org>
4 years ago [BUGFIX] softrefproc typolink lacks support for separation by line feed 81/33481/2
Marc Bastian Heinrichs [Mon, 17 Mar 2014 22:11:20 +0000 (23:11 +0100)]
[BUGFIX] softrefproc typolink lacks support for separation by line feed

Since #24121 the field content in "image_link" is separated by line
feeds instead of commas. Since then the soft reference processor
for "typolink[linkList]" is broken for this field. This results in broken
image links in imports and exports and possible unchecked links in
linkvalidator extension. In 4.7 this applies also for the field
"longdescURL".

This does not have to be fixed for versions later than 4.7, because since 6.0
the fields "image_link" and "longdescURL" aren't used anymore.

Resolves: #57006
Releases: 4.7, 4.5
Change-Id: I3a070d4d6e24b60a0658ec5bb6cc77d26a3e2f2d
Reviewed-on: http://review.typo3.org/33481
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Markus Klein <klein.t3@reelworx.at>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
4 years ago [BUGFIX] Ensure PHP 5.2 compatibility in makeInstance 70/33470/4
Helmut Hummel [Wed, 22 Oct 2014 10:38:11 +0000 (12:38 +0200)]
[BUGFIX] Ensure PHP 5.2 compatibility in makeInstance

The backport #53682 introduced a regression with PHP 5.2,
which still is officially supported by TYPO3 CMS 4.5

Adapt the code to be PHP 5.2 compatible

Resolves: #62391
Releases: 4.5
Change-Id: Ie9d6c3175d02424e0d2329cc07ff99e09cccc040
Reviewed-on: http://review.typo3.org/33470
Reviewed-by: Christian Hernmarck <ch_t3@hernmarck.ch>
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Markus Klein <klein.t3@reelworx.at>
4 years ago [TASK] Set TYPO3 version to 4.5.38-dev 62/33462/2
TYPO3 Release Team [Wed, 22 Oct 2014 08:42:52 +0000 (10:42 +0200)]
[TASK] Set TYPO3 version to 4.5.38-dev

Change-Id: Ie90485ebcb8da9859020a18cabc19a17e504737c
Reviewed-on: http://review.typo3.org/33462
Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org>
Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
4 years ago [RELEASE] Release of TYPO3 4.5.37 61/33461/2 TYPO3_4-5-37
TYPO3 Release Team [Wed, 22 Oct 2014 08:42:22 +0000 (10:42 +0200)]
[RELEASE] Release of TYPO3 4.5.37

Change-Id: I2156d74111b5594f5bf18d8cd274877b563b73c7
Reviewed-on: http://review.typo3.org/33461
Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org>
Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
4 years ago [SECURITY] Fix DoS in openid 49/33449/2
Markus Klein [Wed, 22 Oct 2014 08:13:56 +0000 (10:13 +0200)]
[SECURITY] Fix DoS in openid

Upgrade openid to latest upstream version.
This includes the sec fix already.

Change-Id: I5bf8375ee1a71c34363d265db3c268444c0e9428
Resolves: #62357
Releases: master, 6.2, 6.1, 6.0, 4.7, 4.6, 4.5
Security-Commit: 436560afcf84c3575a81f1733bb5253c90787733
Security-Bulletin: TYPO3-CORE-SA-2014-002
Reviewed-on: http://review.typo3.org/33449
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
4 years ago [SECURITY] Fix RCE in swiftmailer 48/33448/2
Helmut Hummel [Wed, 22 Oct 2014 08:13:48 +0000 (10:13 +0200)]
[SECURITY] Fix RCE in swiftmailer

A remote code execution vulnerability was fixed upstream
which is now also fixed in the code we deliver with TYPO3.

This is not a full upgrade of the library but a backport
of the security fix.

Change-Id: I17c960e0c087b011032754839a2dafb0e2e57b50
Resolves: #59573
Releases: 4.5, 4.6, 4.7, 6.0, 6.1, 6.2
Security-Commit: 59331a6bfbcba0f7f0683a3bd0726670f2e1c7b5
Security-Bulletin: TYPO3-CORE-SA-2014-002
Reviewed-on: http://review.typo3.org/33448
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
4 years ago [TASK] Optimize speed for instantiating class with arguments 08/33308/2
Helmut Hummel [Sat, 14 Dec 2013 22:35:02 +0000 (23:35 +0100)]
[TASK] Optimize speed for instantiating class with arguments

PHP reflection has quite an overhead in performance.
Use a switch construct like in Flow instead to
instantiate classes with up to 8 arguments without
reflection.

Resolves: #53682
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I8ab21fa5ae609fc4653205f4b53c51ed61618ea7
Reviewed-on: http://review.typo3.org/33308
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
4 years ago [TASK] Set TYPO3 version to 4.5.37-dev 36/32936/2
TYPO3 Release Team [Tue, 23 Sep 2014 13:03:37 +0000 (15:03 +0200)]
[TASK] Set TYPO3 version to 4.5.37-dev

Change-Id: Ib1d17b43dce8d0abd1c56494495f62863cb3d18d
Reviewed-on: http://review.typo3.org/32936
Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org>
Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
4 years ago [RELEASE] Release of TYPO3 4.5.36 35/32935/2 TYPO3_4-5-36
TYPO3 Release Team [Tue, 23 Sep 2014 13:03:10 +0000 (15:03 +0200)]
[RELEASE] Release of TYPO3 4.5.36

Change-Id: Iea9655ddd56df9fbba3d4f769eab1c2fbd8c4f68
Reviewed-on: http://review.typo3.org/32935
Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org>
Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
4 years ago [BUGFIX] Check if TER dump exists before modify time check 76/21776/4
Jigal van Hemert [Mon, 1 Jul 2013 18:15:46 +0000 (20:15 +0200)]
[BUGFIX] Check if TER dump exists before modify time check

The modify time of the extensions.xml.gz file is used to display the last
update of the extension list. Checking if the file exists will prevent a
PHP warning.

Change-Id: Ic8cae6c591f0b6ff955fb01c192df9b17876fe68
Releases: 4.5
Resolves: #37946
Reviewed-on: http://review.typo3.org/21776
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
4 years ago [BUGFIX] RTE on first new IRRE record keeps loading in IE 40/30240/2
Stanislas Rolland [Tue, 20 May 2014 17:08:57 +0000 (13:08 -0400)]
[BUGFIX] RTE on first new IRRE record keeps loading in IE

Problem: IE raises a syntax error when it encounters html comments in
the JavaScript code. The html comments are added by the page renderer.
Solution: There is no need for the page renderer to wrap inline
javascript as html comments.

Resolves: #55457
Releases: 6.2, 6.1, 4.5
Change-Id: Iae180a73778ca3bb1c9934c887315b969888b10d
Reviewed-on: http://review.typo3.org/30240
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
4 years ago [BUGFIX] Collect correct information on elements in page 30/32330/2
Jigal van Hemert [Sat, 23 Aug 2014 12:36:36 +0000 (14:36 +0200)]
[BUGFIX] Collect correct information on elements in page

In the page module information on neighboring content elements is
collected while building the page layout. This information must be
remembered for other elements on the page instead of generated new when
rendering each element. This makes sure the move buttons and edit
buttons have the correct URLs.

Resolves: #60199
Releases: 6.3, 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I9fec256b145fe8aba229d8b026fba73871942347
Reviewed-on: http://review.typo3.org/32330
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Markus Klein <klein.t3@reelworx.at>
4 years ago [TASK] Set TYPO3 version to 4.5.36-dev 09/31509/2
TYPO3 Release Team [Tue, 8 Jul 2014 12:44:56 +0000 (14:44 +0200)]
[TASK] Set TYPO3 version to 4.5.36-dev

Change-Id: I29de73b589d2adf8a66f08455048f5b709ad5d02
Reviewed-on: https://review.typo3.org/31509
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
4 years ago [RELEASE] Release of TYPO3 4.5.35 08/31508/2 TYPO3_4-5-35
TYPO3 Release Team [Tue, 8 Jul 2014 12:44:25 +0000 (14:44 +0200)]
[RELEASE] Release of TYPO3 4.5.35

Change-Id: Ic994e542cd4bab39a88fd1426d718b9174867783
Reviewed-on: https://review.typo3.org/31508
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
4 years ago [BUGFIX] Movements pollute colPos value of content elements 94/31494/3
Nicole Cordes [Tue, 8 Jul 2014 09:08:58 +0000 (11:08 +0200)]
[BUGFIX] Movements pollute colPos value of content elements

Due to commit I148ca1b023226f2f99417b3baf238b72346e721f the information
concerning previous and next content elements in one row is messed up.
This patch helps to build information which depends on colPos again and
prevents records being moved to another column.

Resolves: #48939
Resolves: #49055
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I3a15321ee11a1f7d96b58b8b7a5ab14098664b22
Reviewed-on: https://review.typo3.org/31494
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
4 years ago [TASK] Improve travis notifications to channels 26/31226/2
Helmut Hummel [Sun, 29 Jun 2014 13:26:10 +0000 (15:26 +0200)]
[TASK] Improve travis notifications to channels

By default travis notifies on each build when
posting to channels (irc, slack)
We can reduce the number of notifications by only
posting successful builds when it previously failed.
Additionally encrypt the API token for posting to slack.

Releases: 6.3, 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I882d34903c972201454e6cc5b9041393e3bd3661
Reviewed-on: https://review.typo3.org/31226
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
4 years ago [TASK] Update Travis CI notification settings 09/31209/2
Michael Stucki [Tue, 24 Jun 2014 08:27:07 +0000 (10:27 +0200)]
[TASK] Update Travis CI notification settings

Notify on Slack and IRC, remove email notification.

Resolves: #59838
Releases: 6.3, 6.2, 4.5
Change-Id: Ic4dacd5c7b6b4e6e2b8cfa92ae7976b666209747
Reviewed-on: https://review.typo3.org/31209
Reviewed-by: Nicole Cordes
Reviewed-by: Michael Stucki
Tested-by: Michael Stucki
4 years ago [BUGFIX] AbstractBackendViewHelper uses namespaces 84/31084/2
Markus Klein [Mon, 23 Jun 2014 16:22:35 +0000 (18:22 +0200)]
[BUGFIX] AbstractBackendViewHelper uses namespaces

Namespaces are not supported in PHP 5.2.x, hence one must not
prefix a class name with backslash.

Regression fix to #54748.

Resolves: #59825
Releases: 4.5
Change-Id: Ideb2cef1c5e2ec0d2ac3328ebd4f318a161d368a
Reviewed-on: https://review.typo3.org/31084
Tested-by: Sebastian Sommer
Tested-by: Steffen Mächtel
Reviewed-by: Markus Klein
Tested-by: Markus Klein
4 years ago [BUGFIX] New content elements are always stored on pid 0 19/30419/2
Markus Klein [Mon, 26 May 2014 16:00:45 +0000 (18:00 +0200)]
[BUGFIX] New content elements are always stored on pid 0

Due to patch https://review.typo3.org/#/c/30305/ the string comparison
on colPos fails and new content elements are always stored on pid 0.
This patch corrects the check for an integer colPos type by setting the
unused variable to NULL.

Resolves: #59059
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: Iecd7f0cacf5c9315d882eebeb3893bcfa63ae7eb
Reviewed-on: https://review.typo3.org/30419
Tested-by: SITS Developer
Reviewed-by: Markus Klein
Tested-by: Markus Klein
4 years ago [BUGFIX] Fix double ? in eID url for encryption key 43/30543/2
Markus Klein [Sun, 25 May 2014 14:33:06 +0000 (16:33 +0200)]
[BUGFIX] Fix double ? in eID url for encryption key

The AJAX url for retrieving a new encryption key contains
two question marks. This causes the request to fail.

Fix this by removing the superfluous ? from the parameters.

Resolves: #59034
Releases: 6.1, 4.7, 4.5
Change-Id: Iab3833f50a48b71b25cf0205f7eb8d6b57dd859a
Reviewed-on: https://review.typo3.org/30543
Reviewed-by: Markus Klein
Tested-by: Markus Klein
4 years ago [BUGFIX] Wrong HTML in locallang_csh_pages.xlf 31/30331/2
Markus Klein [Thu, 22 May 2014 14:15:12 +0000 (16:15 +0200)]
[BUGFIX] Wrong HTML in locallang_csh_pages.xlf

lang/4.5/locallang_csh_pages.xlf contains an invalid
HTML structure: a <p> tag should actually be a <b> tag.

Resolves: #58936
Releases: 6.2, 6.1, 4.5
Change-Id: Id37d424296628202d8d434e0cf9cafd8529da2c3
Reviewed-on: https://review.typo3.org/30331
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
4 years ago [BUGFIX] SoftReferenceIndex support for more values in class attribute 53/29853/2
Marc Bastian Heinrichs [Sun, 4 May 2014 15:01:55 +0000 (17:01 +0200)]
[BUGFIX] SoftReferenceIndex support for more values in class attribute

The SoftReferenceIndex parses and rebuilds typolink tags, but the
support for more than one value in class attribute is missing, because
the values don't get enclosed with quotes on rebuilding.
This leads to lost classes in typolinks in exports from impexp.

Resolves: #58484
Releases: 6.2, 6.1, 4.5
Change-Id: I12ed3be7f5be36254bcee57fcb24bf2a10f92f46
Reviewed-on: https://review.typo3.org/29853
Reviewed-by: Markus Klein
Tested-by: Markus Klein
4 years ago [TASK] Set TYPO3 version to 4.5.35-dev 09/30309/2
TYPO3 Release Team [Thu, 22 May 2014 07:53:37 +0000 (09:53 +0200)]
[TASK] Set TYPO3 version to 4.5.35-dev

Change-Id: Iffabf254620824d1d0b7a42e239576bd3aa73791
Reviewed-on: https://review.typo3.org/30309
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
4 years ago [RELEASE] Release of TYPO3 4.5.34 08/30308/2 TYPO3_4-5-34
TYPO3 Release Team [Thu, 22 May 2014 07:53:09 +0000 (09:53 +0200)]
[RELEASE] Release of TYPO3 4.5.34

Change-Id: I296aa228d3d9ffda43cf99a41d3ac36d8b93f439
Reviewed-on: https://review.typo3.org/30308
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
4 years ago [SECURITY] Add trusted HTTP_HOST configuration 75/30275/2
Helmut Hummel [Thu, 22 May 2014 07:31:31 +0000 (09:31 +0200)]
[SECURITY] Add trusted HTTP_HOST configuration

TYPO3 uses the values of HTTP_HOST in several
places without validating them. This could
lead to a situation where links are generated
using the host part from HTTP_HOST.
Since HTTP_HOST headers are user input and
can be spoofed by an attacker, it leads
into several potential and actual security issues.

To address this, a configuration option for
trusted hosts is added, which is evaluated every
time getIndpEnv('HTTP_HOST') is called.
The configuration option is
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']
and can contain either a regular expression or the
value "SERVER_NAME".

To properly output the exception message in case
the trustedHostsPattern does not match,
we need to adapt the exception handlers slightly
to not log information in this case and to actually
show the message even in production context to not
confuse admins on what is currently going wrong.

To not break all existing installations, the default
pattern is set to 'SERVER_NAME' which allows all
HTTP_HOST values matching the SERVER_NAME (and
optionally the SERVER_PORT if a port is specified
in the HTTP_HOST value).

This will secure all installations which use properly
configured name based virtual hosts, but leaves
installations where the web server is not bound
to a specific host name still in an insecure state.

Fixes: #30377
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Bulletin: TYPO3-CORE-SA-2014-001

Change-Id: Id210212e6fbd186a273f92b340d5060e9c6f900d
Reviewed-on: https://review.typo3.org/30275
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
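
The check that the trusted HTTP_HOST commit message above describes, sketched as an added example in PHP (not TYPO3 core code and not part of the commit). The function names are hypothetical, the sample requests are constructed, and the configured regular expression is assumed to contain no unescaped "/".

```php
<?php
// Added illustration, not TYPO3 core code. All function names are hypothetical.

/**
 * Return true if the raw Host header value may be used to build links.
 * $pattern is 'SERVER_NAME' or the body of a regular expression without delimiters.
 */
function isTrustedHostHeader($hostHeader, $pattern, array $server)
{
    // Accept only "name", "name:port" or "[ipv6]:port". The D modifier stops
    // "$" from matching in front of a trailing newline.
    if (!preg_match('/^([a-z0-9.-]+|\[[0-9a-f:.]+\])(?::(\d{1,5}))?$/iD', $hostHeader, $m)) {
        return false;
    }
    $host = strtolower($m[1]);
    $port = (isset($m[2]) && $m[2] !== '') ? (int)$m[2] : null;

    if ($pattern === 'SERVER_NAME') {
        if (!isset($server['SERVER_NAME']) || $host !== strtolower($server['SERVER_NAME'])) {
            return false;
        }
        // The port is compared only when the client sent one.
        return $port === null
            || (isset($server['SERVER_PORT']) && $port === (int)$server['SERVER_PORT']);
    }

    // Regex mode: wrap the configured pattern so that it has to match the whole
    // value. Without the anchors and the group, "example\.org" would also match
    // "example.org.attacker.example", and "a|b" would anchor only one branch.
    // An invalid pattern makes preg_match() return false, so the check fails closed.
    return preg_match('/^(?:' . $pattern . ')$/iD', $hostHeader) === 1;
}

/**
 * Return the Host header if it is trusted, otherwise throw.
 */
function trustedHttpHost(array $server, $pattern)
{
    $value = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    if (!isTrustedHostHeader($value, $pattern, $server)) {
        throw new UnexpectedValueException('Host header does not match the trusted hosts pattern.');
    }
    return $value;
}

// Constructed sample requests (label, configured pattern, server variables).
$cases = array(
    array('named vhost, matching Host', 'SERVER_NAME',
        array('HTTP_HOST' => 'www.example.org', 'SERVER_NAME' => 'www.example.org', 'SERVER_PORT' => '80')),
    array('named vhost, foreign Host', 'SERVER_NAME',
        array('HTTP_HOST' => 'attacker.example', 'SERVER_NAME' => 'www.example.org', 'SERVER_PORT' => '80')),
    array('named vhost, Host with wrong port', 'SERVER_NAME',
        array('HTTP_HOST' => 'www.example.org:8080', 'SERVER_NAME' => 'www.example.org', 'SERVER_PORT' => '80')),
    // A web server that is not bound to a host name may copy the Host header
    // into SERVER_NAME; this is the state the commit message calls insecure.
    array('catch-all vhost, SERVER_NAME mirrors Host', 'SERVER_NAME',
        array('HTTP_HOST' => 'attacker.example', 'SERVER_NAME' => 'attacker.example', 'SERVER_PORT' => '80')),
    array('regex, matching Host', '(www\.)?example\.org',
        array('HTTP_HOST' => 'www.example.org')),
    array('regex, trusted name used as prefix', '(www\.)?example\.org',
        array('HTTP_HOST' => 'www.example.org.attacker.example')),
);

foreach ($cases as $case) {
    list($label, $pattern, $server) = $case;
    try {
        trustedHttpHost($server, $pattern);
        $result = 'accepted';
    } catch (UnexpectedValueException $e) {
        $result = 'rejected';
    }
    printf("%-45s %s\n", $label, $result);
}
```

Only the catch-all case accepts a foreign host name, which is why such installations need an explicit regular expression instead of the 'SERVER_NAME' default.
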
4 years ago [SECURITY] XSS in (old) extension manager information function 74/30274/2
Marc Bastian Heinrichs [Thu, 22 May 2014 07:31:27 +0000 (09:31 +0200)]
[SECURITY] XSS in (old) extension manager information function

Needs to be fixed also in 6.x, but the affected function is not
used anymore.

Change-Id: Iae077221a4a8ef8f3aacaeb9d679cc68e97799bd
Fixes: #54111
Fixes: #54113
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 6b746d50d9ee4fbf2eff3e3e4c0699100be983a2
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30274
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
4 years ago [SECURITY] XSS in new content element wizard 73/30273/2
Markus Klein [Thu, 22 May 2014 07:31:22 +0000 (09:31 +0200)]
[SECURITY] XSS in new content element wizard

Sanitize user-input colPos in new content element wizard.

Change-Id: I13ff938e7320c68c8ad3f88b0cb688bc4d43d839
Fixes: #48695
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 582087ad27cee5365ea36387bba28c1b62212564
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30273
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
4 years ago [SECURITY] XSS in template tools on root page 72/30272/2
Marc Bastian Heinrichs [Thu, 22 May 2014 07:31:18 +0000 (09:31 +0200)]
[SECURITY] XSS in template tools on root page

Change-Id: I6942457ce27ad22a33efd003ceaa96fa7460c0bf
Fixes: #54109
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 9abedcf7dc0fd59b602a2221ffd9a998636b8092
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30272
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
4 years ago [SECURITY] XSS in Backend Layout Wizard 71/30271/2
Nicole Cordes [Thu, 22 May 2014 07:31:13 +0000 (09:31 +0200)]
[SECURITY] XSS in Backend Layout Wizard

Change-Id: I7e58e32a4d7146c2c341d756816c29f7c01ed31d
Fixes: #57576
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 7493eb3ec56903b00923dcabf00a04f34529ad18
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30271
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
4 years ago [SECURITY] Encode URL for use in JavaScript 70/30270/2
Markus Klein [Thu, 22 May 2014 07:31:08 +0000 (09:31 +0200)]
[SECURITY] Encode URL for use in JavaScript

The url for the Open in New Window button must be quoted for
use in JavaScript to prevent XSS issues.

Change-Id: If3600662e79fb0945ca62b3a25feaf001180b88d
Fixes: #48693
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 8a9c1615f82cf0a8c3449ae37f47338da132e505
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30270
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
4 years ago [SECURITY] Fix insecure unserialize in colorpicker 69/30269/2
Helmut Hummel [Thu, 22 May 2014 07:31:03 +0000 (09:31 +0200)]
[SECURITY] Fix insecure unserialize in colorpicker

Change-Id: Iee9d2712ae3b489a89604cb7be8c2af27a924fe0
Fixes: #56458
Releases: 6.1, 6.0, 4.7, 4.5
Security-Commit: 36eb11e44d7faca68b3d6fefb1633a463cc22fac
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30269
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
4 years ago [SECURITY] Remove charts.swf to get rid of XSS vulnerability 68/30268/2
Helmut Hummel [Thu, 22 May 2014 07:30:56 +0000 (09:30 +0200)]
[SECURITY] Remove charts.swf to get rid of XSS vulnerability

The file charts.swf is vulnerable to XSS, is delivered
by ExtJS but not used in TYPO3 CMS at all.

Since the vendor of ExtJS did not fix this vulnerability,
we decided to remove it from TYPO3 sources.

Change-Id: I7d81fc44294473d041c8910e04c815d91efb409f
Fixes: #54526
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: fef11509739f8bddfeba0fc6f752ac93feb16f03
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30268
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
4 years ago [BUGFIX] Solve stackoverflow in prototype in IE8 08/29908/2
Jigal van Hemert [Fri, 25 Apr 2014 10:39:59 +0000 (12:39 +0200)]
[BUGFIX] Solve stackoverflow in prototype in IE8

The reason for this behaviour is the combination of prototype.js
and ExtJS. The ExtJS defer() method takes precedence. Calling the
defer() method without any arguments would have resulted in using
a default value of "0.01" seconds in standalone prototype.js, but
results in directly calling the submitted function.

The stack overflow is caused by not delaying the function call
and thus ending in a recursive endless loop.

Resolves: #58187
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I6db191ff67a3e869072877936d949fc733cda74f
Reviewed-on: https://review.typo3.org/29908
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
4 years ago [TASK] Set TYPO3 version to 4.5.34-dev 15/29515/2
TYPO3 Release Team [Wed, 16 Apr 2014 20:02:05 +0000 (22:02 +0200)]
[TASK] Set TYPO3 version to 4.5.34-dev

Change-Id: I5bb6b9f459f7f22157a917a8e77ddbe111fd60d1
Reviewed-on: https://review.typo3.org/29515
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
4 years ago [RELEASE] Release of TYPO3 4.5.33 14/29514/2 TYPO3_4-5-33
TYPO3 Release Team [Wed, 16 Apr 2014 20:01:37 +0000 (22:01 +0200)]
[RELEASE] Release of TYPO3 4.5.33

Change-Id: Iaba6bc222c65a196239ad222bb6335fb5ffa6e3a
Reviewed-on: https://review.typo3.org/29514
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
4 years ago [TASK] Updates prototype and scriptaculous, fixing IE9+ issues 74/29474/2
Ernesto Baschny [Tue, 28 Jan 2014 11:15:10 +0000 (12:15 +0100)]
[TASK] Updates prototype and scriptaculous, fixing IE9+ issues

Upgrades prototype from 1.6.0.3 to 1.7.1 and scriptaculous
from 1.8.2 to 1.9.0.

Solves the problem with sorting IRRE elements in IE9+, for example.

Resolves: #51768
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I5ea11b2e926ae0f23d1c6d85a0ff5ba24995eebb
Reviewed-on: https://review.typo3.org/29474
Reviewed-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
4 years ago [BUGFIX] Use validEmail() instead of deprecated checkEmail() 89/29489/2
Stefan Neufeind [Tue, 15 Apr 2014 09:51:36 +0000 (11:51 +0200)]
[BUGFIX] Use validEmail() instead of deprecated checkEmail()

Change-Id: I72aa69adc75820cf513bb87cf2af6ea1b50a2fc7
Resolves: #57934
Releases: 4.5
Reviewed-on: https://review.typo3.org/29489
Reviewed-by: Oliver Klee
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
4 years ago [BUGFIX] SoftReferenceIndex typolink lacks support for title attributes 71/28171/2
Marc Bastian Heinrichs [Fri, 7 Mar 2014 16:51:11 +0000 (17:51 +0100)]
[BUGFIX] SoftReferenceIndex typolink lacks support for title attributes

The SoftReferenceIndex parses and rebuilds typolink tags, but the
support for the title attributes was missing.
This leads to lost title attributes on typolinks in exports from impexp.

Resolves: #56580
Releases: 6.2, 6.1, 6.0, 4.5
Change-Id: I9bf5c02b79ae4c9024322f0da99dcca37b678daa
Reviewed-on: https://review.typo3.org/28171
Reviewed-by: Wouter Wolters
Reviewed-by: Marc Bastian Heinrichs
Tested-by: Marc Bastian Heinrichs
4 years ago [TASK] Integrate default README.txt 75/29175/2
Oliver Hader [Fri, 4 Apr 2014 14:19:28 +0000 (16:19 +0200)]
[TASK] Integrate default README.txt

This file is a modified and updated version like it has been
released with every package in the past. Since these files have
been taken from git.typo3.org/TYPO3CMS/Distributions/Base.git,
which is target to be cleaned up, the file is explicitly put
to old branches as well.

Resolves: #57656
Releases: 6.1, 6.0, 4.7, 4.6, 4.5
Change-Id: I3b696895deaf03b2f630e12f1bd7b17b649b985c
Reviewed-on: https://review.typo3.org/29175
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
4 years ago [SECURITY] Prevent XSS in scheduler form 55/29155/2
Nicole Cordes [Fri, 4 Apr 2014 11:12:25 +0000 (13:12 +0200)]
[SECURITY] Prevent XSS in scheduler form

The class name is submitted in a hidden form and is susceptible to XSS.
The patch introduced htmlspecialchars to prevent XSS possibility.

Resolves: #57603
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I4979e66f28a581e168c56d91327a1bbe2672448d
Reviewed-on: https://review.typo3.org/29155
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
5 years ago [BUGFIX] Revert "[TASK] Use a 401 header if login is not successful" 00/27900/2
Markus Klein [Thu, 27 Feb 2014 13:30:52 +0000 (14:30 +0100)]
[BUGFIX] Revert "[TASK] Use a 401 header if login is not successful"

This reverts commit 70ce5402ad9f1a8a98c7014e6ce5af79d9b7a4de.

The 401 header code is used with HTTP based authentication schemes,
based on RFC 2617.

This is not the case here.

Resolves: #55966
Reverts: #51803
Releases: 6.2, 6.1, 6.0, 4.5
Change-Id: Id283069003542ea5b44fdd72b7abda88a2b6762d
Reviewed-on: https://review.typo3.org/27900
Reviewed-by: Markus Klein
Tested-by: Markus Klein
5 years ago [BUGFIX] felogin reset password links not clickable 30/27830/2
Jigal van Hemert [Tue, 25 Feb 2014 08:55:10 +0000 (09:55 +0100)]
[BUGFIX] felogin reset password links not clickable

Encoding a few extra characters besides the ones according to RFC3986
makes password reset links work again in various mail clients which
do not comply with this RFC (and which do not have plans to fix this in
the near future).

Change-Id: I0b42bef6cb732c5fc6cc2d900407271cb606e301
Fixes: #23984
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/27830
Reviewed-by: Oliver Klee
Reviewed-by: Markus Klein
Tested-by: Markus Klein
5 years ago [BUGFIX] Namespace usage in test 14/27514/2
Christian Kuhn [Sun, 9 Feb 2014 13:23:43 +0000 (14:23 +0100)]
[BUGFIX] Namespace usage in test

Patch for issue #31998 introduced a namespace in unit test,
the test suite now fails after patch for issue #53682. Use
old class name instead.

Change-Id: I83e7cd33787364c1f531c51406f09884aff418c6
Resolves: #55811
Related: #53682
Related: #31998
Releases: 4.7, 4.5
Reviewed-on: https://review.typo3.org/27513
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
(cherry picked from commit df8e21b7e727d7ec709ed9f92e3069d77db0be04)
Reviewed-on: https://review.typo3.org/27514

5 years ago[BUGFIX] CSV-Download not working in IE and HTTPS backend 81/27481/2
Christian Kuhn [Sat, 8 Feb 2014 18:48:00 +0000 (19:48 +0100)]
[BUGFIX] CSV-Download not working in IE and HTTPS backend

When using an HTTPS backend the download of CSV is not
working in Internet Explorer browser versions lower than 9.
Add the needed header to fix this problem.

Change-Id: Iefa63fb37d57491fb73bfd504b6caed5b76c8cac
Resolves: #16491
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/27481
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
5 years ago[BUGFIX] DocumentTemplate class inserts inDocStyles twice 50/27150/3
Stefan Neufeind [Thu, 30 Jan 2014 13:59:55 +0000 (14:59 +0100)]
[BUGFIX] DocumentTemplate class inserts inDocStyles twice

Change-Id: I252da74973c3dc4157717139c95ad0605e16fce1
Releases: 6.2, 6.1, 4.5
Resolves: #55458
Reviewed-on: https://review.typo3.org/27150
Reviewed-by: Wouter Wolters
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
5 years ago[BUGFIX] Invalid constant in the domain redirect function 05/27105/2
Tim Lochmueller [Mon, 27 Jan 2014 08:44:14 +0000 (09:44 +0100)]
[BUGFIX] Invalid constant in the domain redirect function

There is a "copy-and-paste" mistake in the domain redirect mechanism.
The function HttpUtility::redirect should be called with a valid HTTP
status code (the const value) and not with the name of the constant.

Resolves: #55350
Releases: 6.2, 6.1, 6.0, 4.5
Change-Id: I97f55ac8df1688011198666da1fd322a5c3bd323
Reviewed-on: https://review.typo3.org/27105
Reviewed-by: Tim Lochmüller
Tested-by: Tim Lochmüller
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
5 years agoRevert "[TASK] Optimize speed for instantiating class with arguments" 10/26910/2
Ernesto Baschny [Fri, 17 Jan 2014 19:18:26 +0000 (20:18 +0100)]
Revert "[TASK] Optimize speed for instantiating class with arguments"

This reverts commit 2526bddb5b27ca832575fad809facfa39c7db225.

This is not PHP 5.2 compatible (static::*).

See also travis reporting on that:
https://travis-ci.org/TYPO3/TYPO3.CMS/jobs/17114327

Change-Id: Ia0dc0766dd73ce5343464afd1f71b1b2d8e27795
Reviewed-on: https://review.typo3.org/26910
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny
5 years ago[TASK] Optimize speed for instantiating class with arguments 43/26643/2
Helmut Hummel [Sat, 14 Dec 2013 22:35:02 +0000 (23:35 +0100)]
[TASK] Optimize speed for instantiating class with arguments

PHP reflection has quite an overhead in performance.
Use a switch construct like in Flow instead to
instantiate classes with up to 8 arguments without
reflection.

Resolves: #53682
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I82ecf0b1ea9a412a39b4429d7689f2bb6489f3df
Reviewed-on: https://review.typo3.org/26643
Reviewed-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
5 years ago[BUGFIX] Fix PHP fatal error in be.tableList view helper 90/26890/2
Marc Bastian Heinrichs [Mon, 6 Jan 2014 18:03:15 +0000 (19:03 +0100)]
[BUGFIX] Fix PHP fatal error in be.tableList view helper

The be.tableList view helper uses the class localRecordList
which relies on an available $GLOBALS['SOBE']->doc object.
Since https://review.typo3.org/19000/ the doc instance
in SOBE does not get instantiated in any case, which
results in a PHP fatal error using this view helper.

For 6.x this was fixed with https://review.typo3.org/15007/

Fixes: #54748
Releases: 4.7, 4.5
Change-Id: I4ac4a1718ec6c8e0a02723802bf73dbabd1648ab
Reviewed-on: https://review.typo3.org/26890
Reviewed-by: Markus Klein
Tested-by: Markus Klein
5 years ago[TASK] Change list view delete icon if record is deleted in WS 46/24746/5
Sascha Egerer [Tue, 15 Oct 2013 08:57:36 +0000 (10:57 +0200)]
[TASK] Change list view delete icon if record is deleted in WS

If a record is deleted in a workspace the delete icon is still
displayed but the function is different. If you click on
the delete icon of a deleted record you will "restore"
the record (remove the deleted flag).
The icon should change if record is marked as deleted.

Resolves: #52554
Releases: 6.2, 6.1, 6.0, 4.5
Change-Id: I9bccc076d06525fad16f9f5ca4b3413e217f32f6
Reviewed-on: https://review.typo3.org/24746
Reviewed-by: Markus Klein
Tested-by: Markus Klein
5 years ago[BUGFIX] Display relations' titles when TCA label field is type inline 14/23914/2
Stefan Froemken [Thu, 19 Sep 2013 13:55:06 +0000 (15:55 +0200)]
[BUGFIX] Display relations' titles when TCA label field is type inline

This change adds a case to treat "inline" TCA types the same way
"select" is treated when building the record's label value.

Before, if record used field of type "inline" as TCA label field, TYPO3
would display fx "3" (number of related records as stored in field
on parent record).

After, TYPO3 will display fx "Record1, Record2, Record2" if "inline"
field contains three related records named thusly.

Fixes: #52133
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: Ie06f09368e81505cb1e5989b61ae98add54b05ba
Reviewed-on: https://review.typo3.org/23914
Reviewed-by: Markus Klein
Tested-by: Markus Klein
5 years ago[BUGFIX] Cleanly unset cookies on login in cookie-check 71/25871/2
Stefan Neufeind [Sun, 1 Dec 2013 17:53:08 +0000 (18:53 +0100)]
[BUGFIX] Cleanly unset cookies on login in cookie-check

Needed to work around a login-problem with IE11.

ExtJS tries to clear a cookie with different settings than when
setting the cookie. In IE11 this leads to problems with the cookie
being set twice on the next call to set(). The get() however
would return the first (empty) cookie.

Using set() with a date in the past also clears the cookie but
will correctly use the same path-settings.

Change-Id: Ieff22129895cd89ca2e1429703daf1636596ecb6
Resolves: #53818
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/25871
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Steffen Ritter
Reviewed-by: Markus Klein
Tested-by: Markus Klein
5 years ago[TASK] Set TYPO3 version to 4.5.33-dev 27/26227/2
TYPO3 Release Team [Tue, 10 Dec 2013 10:06:12 +0000 (11:06 +0100)]
[TASK] Set TYPO3 version to 4.5.33-dev

Change-Id: I3073c38f3df08f909e9d29b58acbd8f1671272c9
Reviewed-on: https://review.typo3.org/26227
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
5 years ago[RELEASE] Release of TYPO3 4.5.32 26/26226/2 TYPO3_4-5-32
TYPO3 Release Team [Tue, 10 Dec 2013 10:05:45 +0000 (11:05 +0100)]
[RELEASE] Release of TYPO3 4.5.32

Change-Id: Ied61f0997ee99da6866d4c3d43fd46ed213c6c83
Reviewed-on: https://review.typo3.org/26226
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
5 years ago[SECURITY] XSS in header link of all content elements 84/26184/2
Anja Leichsenring [Tue, 10 Dec 2013 09:51:29 +0000 (10:51 +0100)]
[SECURITY] XSS in header link of all content elements

The second typolink parameter, that is the target, can be abused to
introduce XSS code into the generated link. Escaping the parameter
with quoteJSvalue solves the problem.

Change-Id: I1652e2f1e9fea660d2a5a9e74ace6317fe05ba3b
Fixes: #31206
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 4a1a06ad0124defafb991639b19d81f81f7d5b95
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26184
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
5 years ago[SECURITY] XSS in colorpicker wizard 83/26183/2
Anja Leichsenring [Tue, 10 Dec 2013 09:51:23 +0000 (10:51 +0100)]
[SECURITY] XSS in colorpicker wizard

Encode user-input in JavaScript context for colorpicker.

Change-Id: Ia5d181bb74f3cbe2d2b7c75097655f9c7593b70d
Fixes: #42772
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 9fba6ded6247aaa74b974daf1c9bba5eb4aaf028
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26183
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
5 years ago[SECURITY] Prevent editor controlled hmac content 82/26182/2
Franz G. Jahn [Tue, 10 Dec 2013 09:51:17 +0000 (10:51 +0100)]
[SECURITY] Prevent editor controlled hmac content

An hmac of the editor controlled auto respond message was used to verify
the correctness of this message on submit. To prevent this, we add an
additional secret.

Fixes: #45043
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
(cherry picked from commit 66013e46f09b38343ac22d9e231328966bff0c6e)
Security-Commit: fa5bdd2ac518555f21ec857dc31d2991a1e937ad
Security-Bulletin: TYPO3-CORE-SA-2013-004

Change-Id: I66b1ddc379577fc3ed67012384a15c38a6b76a03
Reviewed-on: https://review.typo3.org/26182
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
5 years ago[SECURITY] XSS vulnerability in extension manager 81/26181/2
Marcus Krause [Tue, 10 Dec 2013 09:51:10 +0000 (10:51 +0100)]
[SECURITY] XSS vulnerability in extension manager

Add escaping on extension meta data when rendering.

Change-Id: I64cb5f23281ddb6c63439bf33aaeac1b1fa803b4
Fixes: #20811
Releases: 4.7, 4.5
Security-Commit: 647add5b8b668c173376ac45e4d227e4b25112d9
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26181
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
5 years ago[SECURITY] Information Disclosure in Wizards 80/26180/2
Anja Leichsenring [Tue, 10 Dec 2013 09:51:05 +0000 (10:51 +0100)]
[SECURITY] Information Disclosure in Wizards

It has been possible for authenticated editors
to show content of arbitrary tables and fields
that are defined in TCA by manipulating
GET parameters of the forms and table wizard.

This change adds a check if the editor has access
to the given record.

Change-Id: I524ae9bd75a5cca9e37918e64f5c492c9fa3c36e
Fixes: #41714
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Security-Commit: 9ee30833350405d003de206501118d1300998bee
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26180
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
5 years ago[SECURITY] Fix open redirection in openid extension 79/26179/2
Anja Leichsenring [Tue, 10 Dec 2013 09:50:59 +0000 (10:50 +0100)]
[SECURITY] Fix open redirection in openid extension

The eID script of the openid extension does not
validate the given redirect url, leading to
an open redirection vulnerability.
Add and verify hmac of the redirect url.

Change-Id: I0c446199504018cab6e4ad2f6bd9085458ca86f0
Fixes: #54099
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 6be16f2ea6b135b6f7ab2dec17d126f3f1eb89c4
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26179
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
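
The check described in the openid commit above, sketched in plain PHP. This is an added example, not code from the TYPO3 patch; the helper names, the demo key and the URLs are assumptions made for illustration.

```php
<?php
// Added illustration; not TYPO3 code. Key and URLs are constructed sample values.

/** Hypothetical helper: sign a redirect target with a server-side secret. */
function signRedirectUrl($url, $secretKey)
{
    return hash_hmac('sha256', $url, $secretKey);
}

/** Hypothetical helper: return the URL only if its HMAC verifies, otherwise null. */
function verifiedRedirectUrl($url, $hmac, $secretKey)
{
    // Request parameters can arrive as arrays (?hmac[]=x); refuse anything but strings.
    if (!is_string($url) || !is_string($hmac)) {
        return null;
    }
    $expected = signRedirectUrl($url, $secretKey);
    // hash_equals() compares in constant time (available from PHP 5.6).
    return hash_equals($expected, $hmac) ? $url : null;
}

$secretKey = 'constructed-demo-key-not-a-real-secret';

// Server side, when the link is generated: target and HMAC travel together.
$target = 'https://www.example.org/members/';
$query = http_build_query(array(
    'redirect_url' => $target,
    'hmac' => signRedirectUrl($target, $secretKey),
));

// Later request: both values come back from the client and are checked
// before any Location header is sent.
parse_str($query, $params);
var_dump(verifiedRedirectUrl($params['redirect_url'], $params['hmac'], $secretKey));

// Same HMAC, different target: the pair no longer verifies and the
// caller falls back to a fixed default page instead of redirecting.
$params['redirect_url'] = 'https://elsewhere.example.net/';
var_dump(verifiedRedirectUrl($params['redirect_url'], $params['hmac'], $secretKey));
```

The HMAC only proves that the server itself issued the URL, so the secret must never be derivable from values the client sees.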
5 years ago[SECURITY] feuser_adminLib.inc allows to set arbitrary fields 78/26178/2
Steffen Ritter [Tue, 10 Dec 2013 09:50:53 +0000 (10:50 +0100)]
[SECURITY] feuser_adminLib.inc allows to set arbitrary fields

The CMS core ships a utility class helping extension authors
to create frontend-extensions which need a mail-based opt-in.
This class is neither used by core nor really maintained.

In the opt-in process the fields which should be updated to
activate the user are put as URL parameter into the
activation link. In the default configuration this feature
set allows to set any values of any field to this record.

As a result a user could manipulate his activation link and
therefore extend his usergroups.

This patch ensures that all fields which are about to update
are added to the hash as well as only taking the values
from TypoScript so even if the fields match no harm can be
done.

Change-Id: Ie27fba37522f7f46894a962fbd9425c328ce0583
Fixes: #48187
Releases: 6.0, 4.7, 4.5
Security-Commit: 2c930f8f2a8d18b83bb9d2d49cbdbec839b47188
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26178
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
5 years ago[SECURITY] XSS in be_layout wizard 77/26177/2
Anja Leichsenring [Tue, 10 Dec 2013 09:50:48 +0000 (10:50 +0100)]
[SECURITY] XSS in be_layout wizard

Usage of unverified input parameters in wizard URL leads to a possible
XSS vulnerability in backend_layout wizard.
The solution is the introduction of a hmac validation of the parameters
used in JavaScript.

Change-Id: I6a9fcd43affa637fd6ac3cd08ae89212e52e6754
Fixes: #36768
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: bcc8a321517ad50bae3dec9366f76b4e886e74e9
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26177
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
5 years ago[SECURITY] Remove possible XSS from ActionController Error output 76/26176/2
Anja Leichsenring [Tue, 10 Dec 2013 09:50:43 +0000 (10:50 +0100)]
[SECURITY] Remove possible XSS from ActionController Error output

As parameters passed to an ErrorObject can be user input, the
output of those parameters in the ActionController::errorAction() method
could lead to a cross-site scripting possibility.
The offending output has been removed without substitution.

Change-Id: Ide28a2af395a0a9558153ff6465dc8ae946a8b29
Fixes: #54074
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: f52d894b8adc385535ae0d3bc28700cd449e9f21
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26176
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
5 years ago[SECURITY] Unsafe unserialize of GET parameter in Add-Wizard 75/26175/2
Marcus Krause [Tue, 10 Dec 2013 09:50:36 +0000 (10:50 +0100)]
[SECURITY] Unsafe unserialize of GET parameter in Add-Wizard

If the TCEforms wizard "add" is used, the original opened document
is closed and a new one is created in which you then add a new
element to be related.
In order to "store" the originating document which has been
edited, the Wizard/AddController and EditDocumentController
exchange state data in an URL-parameter.
This state-array is serialized in the EditDocumentController
and again unserialized in the Wizard/AddController from that
GET parameter. Without any checks, every code can be injected
to be unserialized here - even though we just need an array
with some data.
This patch changes serialize/unserialize to json_encode and
json_decode. Since the GET parameter only is used in
conjunction with these two classes it is safe to change the
format how the URL parameters are serialized.

Change-Id: I6bac68bb724ba185f66e3ffb07593120f96ccb17
Fixes: #54073
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 23d28d4899b658f6a0646ad5cbbc1a4d4d0c22bd
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26175
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
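
Why the switch from unserialize() to json_decode() in the Add-Wizard commit above closes the hole, as an added example in plain PHP. It is not the TYPO3 patch; the class, the function names and the sample state array are hypothetical.

```php
<?php
// Added illustration; not TYPO3 code. All names and values are constructed.

/** Stand-in for any loadable class that has a magic method. */
class DemoTempFile
{
    public $path = '';
    public static $wakeups = 0;

    public function __wakeup()
    {
        // Runs inside unserialize(), before the caller has inspected anything.
        self::$wakeups++;
    }
}

/** Before: state restored with unserialize() straight from the request. */
function restoreStateUnsafe($param)
{
    return unserialize($param);
}

/** After: state restored with json_decode(); anything but an array is refused. */
function restoreStateJson($param)
{
    $state = json_decode($param, true);
    return is_array($state) ? $state : array();
}

// State array as the editing controller would hand it over (constructed sample).
$state = array('table' => 'tt_content', 'uid' => 42, 'field' => 'image');

// A parameter that names a class instead of carrying an array (constructed sample).
$objectParam = serialize(new DemoTempFile());

// unserialize() builds the object and fires __wakeup() although only an
// array was ever expected.
$restored = restoreStateUnsafe($objectParam);
var_dump($restored instanceof DemoTempFile, DemoTempFile::$wakeups);

// The JSON round trip preserves the legitimate state array.
var_dump(restoreStateJson(json_encode($state)) === $state);

// JSON has no syntax for class names: the serialized object is simply
// invalid JSON, and a JSON object decodes to a plain array of scalars.
var_dump(restoreStateJson($objectParam));
var_dump(restoreStateJson('{"path":"x"}'));
```

The decoded array is still request data, so each key the wizard reads from it needs the same validation as any other GET parameter.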
5 years ago[BUGFIX] Fix failing test 41/26041/3
Anja Leichsenring [Sun, 8 Dec 2013 12:35:17 +0000 (13:35 +0100)]
[BUGFIX] Fix failing test

Change-Id: I26b7697cdc4b40e007b89898491761105d0ba696
Resolves: #54282
Releases: 4.5
Reviewed-on: https://review.typo3.org/26041
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
5 years ago[BUGFIX] Fix failing test 40/26040/2
Anja Leichsenring [Sun, 8 Dec 2013 12:10:10 +0000 (13:10 +0100)]
[BUGFIX] Fix failing test

A superfluous function was used, that does not exist in Extbase 1.3.

Change-Id: Ib25d21c53afc47a36fe44e4317abd78e736dc115
Resolves: #54280
Releases: 4.5
Reviewed-on: https://review.typo3.org/26040
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
5 years ago[BUGFIX] ClientUtility does not detect Internet Explorer 11 87/25887/2
Stefan Neufeind [Sun, 1 Dec 2013 14:33:13 +0000 (15:33 +0100)]
[BUGFIX] ClientUtility does not detect Internet Explorer 11

Since the Release of Microsoft IE 11 there is no "MSIE" hint in
its user agent header anymore. Therefore the existing patterns
fail and the browser is detected as unknown browser.

TYPO3 deactivates several features for unknown browsers. As a
result f.e. the RTE does not load.

This change adds special treatment for IE11+ by introducing an
additional regular expression matching the new user agent format
and looking for the Trident engine to be present.

In addition unit tests for common IE 9-11 user agents are added.

Change-Id: I389f344a498ac77f3e6445656dd125fd5d236a98
Resolves: #54124
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/25887
Reviewed-by: Markus Klein
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
5 years agoRevert "[BUGFIX] Object passed to date()" 47/25847/2
Markus Klein [Sun, 1 Dec 2013 14:28:37 +0000 (15:28 +0100)]
Revert "[BUGFIX] Object passed to date()"

This reverts commit d361b2999c8ba8d1cdb218ead4f60ef1de9fe458

The change I6821bafa51372c50d8903c63d62ea44933bc12b3 does not
apply to 4.5 and 4.7, since $task is not an object in these
versions.

Change-Id: Ia2cd5287f3e128c90155c76fa360c58289d5a1ce
Releases: 4.5, 4.7
Resolves: #54120
Reviewed-on: https://review.typo3.org/25847
Reviewed-by: Philipp Gampe
Reviewed-by: Benny Schimmer
Tested-by: Benny Schimmer
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
5 years ago[BUGFIX] ext:adodb Restrict connection wizard to admins 60/25760/3
Christian Kuhn [Fri, 29 Nov 2013 15:11:04 +0000 (16:11 +0100)]
[BUGFIX] ext:adodb Restrict connection wizard to admins

In the unlikely case ext:datasources is used, there is a potential
information disclosure that content of this table is shown to
non-admin backend users. This is better sanitized with the patch.

Change-Id: I748a0e05b57ac8c6d9c37cdd86fdb093c380dea5
Resolves: #42651
Releases: 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/25760
Reviewed-by: Franz G. Jahn
Tested-by: Franz G. Jahn
Reviewed-by: Oliver Klee
Tested-by: Oliver Klee
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
5 years ago[BUGFIX] Distinguish unassigned columns and colPos 0 89/25389/3
Philipp Gampe [Wed, 13 Nov 2013 17:52:52 +0000 (18:52 +0100)]
[BUGFIX] Distinguish unassigned columns and colPos 0

When using backend layout columns without a colPos value they should be
just placeholders with the label "Not assigned". Currently they are
showing the content of the column 0 instead if there is such a column in
the backend layout.

The label "Not assigned" is used for columns without any
label, otherwise the label is used together with the suffix
"(Not assigned)".

Change-Id: I02c418eebdd9345c3066aa8c3eeec353d2cd9e58
Resolves: #25157
Resolves: #45550
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Reviewed-on: https://review.typo3.org/25389
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Markus Klein
Tested-by: Markus Klein
5 years ago[TASK] Set TYPO3 version to 4.5.32-dev 95/25695/2
TYPO3 Release Team [Tue, 26 Nov 2013 15:23:26 +0000 (16:23 +0100)]
[TASK] Set TYPO3 version to 4.5.32-dev

Change-Id: I0c80cd295e4146fb8c5c9ac2c9e3188d18f5959e
Reviewed-on: https://review.typo3.org/25695
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
5 years ago[RELEASE] Release of TYPO3 4.5.31 94/25694/2 TYPO3_4-5-31
TYPO3 Release Team [Tue, 26 Nov 2013 15:22:57 +0000 (16:22 +0100)]
[RELEASE] Release of TYPO3 4.5.31

Change-Id: I3e7c742865cf45eb50918e3de4029fa60beea15d
Reviewed-on: https://review.typo3.org/25694
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
5 years ago[BUGFIX] Table cache_imagesizes is defined twice 15/25515/2
Michiel Roos [Tue, 19 Nov 2013 15:20:53 +0000 (16:20 +0100)]
[BUGFIX] Table cache_imagesizes is defined twice

The table cache_imagesizes is defined in two files:
t3lib/stddb/tables.sql
typo3/sysext/cms/ext_tables.sql

This is the case for the 4.5 branch as well as the 4.7 branch.
It has been cleaned up in 6.x.

Change-Id: I02f7895ccd25a2404b7742f1706466328869cfce
Resolves: #53758
Releases: 4.7, 4.5
Reviewed-on: https://review.typo3.org/25515
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
5 years ago[BUGFIX] Scheduler extension sql file is invalid 08/25508/2
Michiel Roos [Tue, 19 Nov 2013 10:27:11 +0000 (11:27 +0100)]
[BUGFIX] Scheduler extension sql file is invalid

On import into MySQL an error is thrown and MySQL
refuses to create the table:

ERROR 1067 (42000) at line 4: Invalid default value for 'uid'

This is due to the fact that a default value is being set
for an auto_increment field.

Change-Id: Ic072d3ec21b4e8adbecf9ff88e6ac4a2919959ec
Resolves: #53750
Releases: 4.5, 4.7, 6.0, 6.1, 6.2
Reviewed-on: https://review.typo3.org/25508
Reviewed-by: Markus Klein
Tested-by: Markus Klein
5 years ago[BUGFIX] Fix broken edit icons on cType HTML 07/25407/2
Stefan Neufeind [Thu, 14 Nov 2013 17:31:15 +0000 (18:31 +0100)]
[BUGFIX] Fix broken edit icons on cType HTML

Fix the wrong Typoscript configuration for front-end edit icons
for cType HTML (for the traditional fe-editing).

Resolves: #17493
Releases: 6.2, 6.1, 6.0, 4.5
Change-Id: I743d8d8ee77bd76bd9ed2a12cd34817196d3719a
Reviewed-on: https://review.typo3.org/25407
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
5 years ago[BUGFIX] Correctly append additionalTreelistUpdateFields 79/25279/2
Bart Dubelaar [Mon, 11 Nov 2013 18:14:55 +0000 (19:14 +0100)]
[BUGFIX] Correctly append additionalTreelistUpdateFields

The list of additionalTreelistUpdateFields was not correctly
appended to the updateRequiringFields array.

Resolves: #37948
Releases: 6.2, 6.1, 6.0, 4.5
Change-Id: I7df514649203bf607a6ac3550c875c429e0f7328
Reviewed-on: https://review.typo3.org/25279
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
5 years ago[BUGFIX] Faulty check for missing SMTP port 18/23518/2
Stefan Neufeind [Sat, 31 Aug 2013 22:40:23 +0000 (00:40 +0200)]
[BUGFIX] Faulty check for missing SMTP port

Check also for null port to avoid a fatal error.

Resolves: #31998
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: Ibf45b3c0783a70e5afba33f90d1d8e05f76834cf
Reviewed-on: https://review.typo3.org/23518
Reviewed-by: Markus Klein
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
5 years ago[BUGFIX] Escape title, extension, description of scheduler tasks 31/25231/2
Stefan Neufeind [Sat, 9 Nov 2013 15:41:41 +0000 (16:41 +0100)]
[BUGFIX] Escape title, extension, description of scheduler tasks

Properly escapes the title, description and extension of
displayed scheduler tasks

Resolves: #29179
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: Ie03383f694863e435bfb96341226f8c78be426e5
Reviewed-on: https://review.typo3.org/25231
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
5 years ago[BUGFIX] T3editor: Honour fileDenyPattern on saving included TS 60/25060/4
Stefan Neufeind [Tue, 29 Oct 2013 21:22:27 +0000 (22:22 +0100)]
[BUGFIX] T3editor: Honour fileDenyPattern on saving included TS

fileDenyPattern is only checked on loading so far.
It needs to be taken into account for saving as well, since
otherwise an arbitrary file (including .php) can be overwritten.

Change-Id: Ia7edc83c8954942fb848746abc0980a304a1a6df
Resolves: #53195
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/25060
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
5 years ago[BUGFIX] Remove declare(encoding=) 57/25157/2
Josef Florian Glatz [Mon, 4 Nov 2013 15:59:10 +0000 (16:59 +0100)]
[BUGFIX] Remove declare(encoding=)

AbstractWidgetViewHelper can throw warnings about invalid
declare statements if zend.multibyte is off. Those lines
were also dropped in TYPO3.Fluid, TYPO3 6.0 & TYPO3 4.7.

Change-Id: I7f4efca526249034b74ba42b1103b58831b5a2ea
Resolves: #38055
Releases: 4.5
Reviewed-on: https://review.typo3.org/25157
Reviewed-by: Wouter Wolters
Reviewed-by: Ernesto Baschny
Reviewed-by: Marc Bastian Heinrichs
Tested-by: Marc Bastian Heinrichs
5 years ago[BUGFIX] Cannot auto-load SC_* classes 79/24979/2
Ernesto Baschny [Wed, 23 Oct 2013 12:24:46 +0000 (14:24 +0200)]
[BUGFIX] Cannot auto-load SC_* classes

These script files cannot be auto-loaded because they also include
runnable code.

Resolves: #53075
Releases: 4.7, 4.5
Change-Id: Ib3a956b69355466016099e996b6ca6c5f89978cd
Reviewed-on: https://review.typo3.org/24979
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny
5 years ago[TASK] Added missing core autoloaded files 27/23627/3
Ernesto Baschny [Wed, 4 Sep 2013 20:33:15 +0000 (22:33 +0200)]
[TASK] Added missing core autoloaded files

Adds lots of missing autoloading files in t3lib/core_autoload.php
and cms/ext_autoload.php and fixes some bugs.

These files were autogenerated by extdeveval and thus also change
the order of the entries to a natural sorting. Refer to the issue
in the tracker for details on what exactly changed.

Resolves: #50881
Releases: 4.7, 4.5
Change-Id: I6f571f31a70d94a0f1ab73513ebbec0bb1a9086a
Reviewed-on: https://review.typo3.org/23627
Reviewed-by: Dmitry Dulepov
Tested-by: Dmitry Dulepov
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
5 years ago[BUGFIX] Object passed to date() 13/24713/2
Philipp Gampe [Sun, 13 Oct 2013 20:08:46 +0000 (22:08 +0200)]
[BUGFIX] Object passed to date()

Function date() expects a timestamp as second parameter, not
an object.

Resolves: #52759
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I6821bafa51372c50d8903c63d62ea44933bc12b3
Reviewed-on: https://review.typo3.org/24713
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
5 years ago[BUGFIX] Wrong calculation of maximum value for checkbox fields 56/24656/2
Nicole Cordes [Sat, 12 Oct 2013 17:37:46 +0000 (19:37 +0200)]
[BUGFIX] Wrong calculation of maximum value for checkbox fields

This patch corrects the calculation of the maximum value for a group
of checkboxes which is stored as bit flag value in the database. The
formula for the maximum value is 2nd power of the item count minus one.

Resolves: #52104
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I0eb430b72a072838c6ac3bc3f5e339ff2509c455
Reviewed-on: https://review.typo3.org/24655
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-on: https://review.typo3.org/24656

5 years ago[BUGFIX] Select available page when changing WS 95/24595/3
Thorsten Kahler [Fri, 11 Oct 2013 15:57:22 +0000 (17:57 +0200)]
[BUGFIX] Select available page when changing WS

When changing to another workspace the currently selected page is not
always available.
This change selects the next available page from the rootline for page
tree and submodules of web module when the current page does not exist
in the workspace.

Change-Id: I0502fea3c21515421586403a41f5c696ffc0d762
Fixes: #37611
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/24595
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
5 years ago[BUGFIX] Add workspace overlay for fetched records. 81/24581/2
Anja Leichsenring [Fri, 11 Oct 2013 14:40:54 +0000 (16:40 +0200)]
[BUGFIX] Add workspace overlay for fetched records.

Call workspace overlay to resolve the right uid for
move-placeholder.

Change-Id: I6af65fcda1b1fffe72dfbc314976e42f30120d71
Fixes: #36573
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/24581
Reviewed-by: Sascha Egerer
Tested-by: Sascha Egerer
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
5 years ago[BUGFIX] Don't show duplicates in workspace preview 75/24075/2
Timo Webler [Thu, 26 Sep 2013 16:04:02 +0000 (18:04 +0200)]
[BUGFIX] Don't show duplicates in workspace preview

Fixes workspace filter conditions in case of workspace preview in
t3lib_pageSelect::enableFields().

Additionally cleared up the corresponding comments.

Change-Id: I088928a88cb673f18f218ef691a6c528019317c0
Fixes: #37065
Releases: 6.2, 6.1, 6.0, 4.5
Reviewed-on: https://review.typo3.org/24075
Reviewed-by: Sascha Egerer
Tested-by: Sascha Egerer
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
5 years ago[BUGFIX] EmConfUtility accesses non-arrays 99/24099/2
Markus Klein [Thu, 26 Sep 2013 22:37:43 +0000 (00:37 +0200)]
[BUGFIX] EmConfUtility accesses non-arrays

Properly check for array-type before accessing
or counting the variable.

Resolves: #52045
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: Id161fddadbbcadd462de36e8227278107f2e7a3a
Reviewed-on: https://review.typo3.org/24099
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
5 years ago[BUGFIX] Check for string before using strlen 92/24092/3
Markus Klein [Thu, 26 Sep 2013 21:53:12 +0000 (23:53 +0200)]
[BUGFIX] Check for string before using strlen

If pi_flexform is converted to an array already, checking via strlen
produces a warning. An additional check via is_string suppresses the
warning.

Resolves: #52091
Resolves: #51684
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I97c41cdedb1afb28e2a9ca39e1d9cfb3921d9f47
Reviewed-on: https://review.typo3.org/24092
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
5 years ago[BUGFIX] CF FileBackend unlimited lifetime support 83/24083/2
Dominique Feyer [Thu, 26 Sep 2013 15:41:49 +0000 (17:41 +0200)]
[BUGFIX] CF FileBackend unlimited lifetime support

Backport of a bugfix that was part of #39430 in 6.0.

Change-Id: I2266ae12284a139a384854e3ff0bacf23f277859
Resolves: #34886
Related: #39430
Releases: 4.7, 4.5
Reviewed-on: https://review.typo3.org/24073
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
(cherry picked from commit e06f05a67c6c516f5970ce4d5785f8c9356e34ff)
Reviewed-on: https://review.typo3.org/24083