Commits · 0893b6933df3090f50485e39f451c208a2cb7323 · accessibility / TYPO3.CMS

This project is mirrored from https://git.typo3.org/typo3/typo3.git. Pull mirroring failed Feb 20, 2022.
Repository mirroring has been paused due to too many failed attempts. It can be resumed by a project maintainer or owner.
Last successful update Feb 18, 2022.

26 Jul, 2021 1 commit

[BUGFIX] Fix page layout grid columns · 0893b693

Oliver Bartsch authored Jul 20, 2021

This fixes inconsistency in the display of the grid columns
between the fluid based page module and PageLayoutView.

* Proper distinction between unassigned and unused columns
* State describing classes, such as "restricted" and "hidden"
  are now added correctly
* Access restricted columns do not longer display elements
  previously added to this column
* Column titles are now correct
* TSconfig option "hideRestrictedCols" is respected
* TSconfig option "colPosList" does now work correctly
* All used labels are now translatable
* No more cross dependencies for labels

Resolves: #94602
Related: #93829
Related: #93313
Releases: master
Change-Id: I1d1e641722d57657169e16e92ddd501aab04bc72
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70013


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

0893b693

25 Jul, 2021 1 commit

[BUGFIX] Use correct maximum width/height for media preview · c9e22a8f

Georg Ringer authored Jul 18, 2021 and

Anja Leichsenring committed Jul 25, 2021

Smaller images must not be blown up in visual size if smaller than
400x590px.

Resolves: #94475
Releases: master, 10.4
Change-Id: I8ef7e084a55d41778d6a71ff50cdc3125bcb176f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69909


Tested-by: core-ci <typo3@b13.com>
Tested-by: Guido Schmechel <guido.schmechel@brandung.de>
Tested-by: Daniel Haupt <mail@danielhaupt.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Guido Schmechel <guido.schmechel@brandung.de>
Reviewed-by: Daniel Haupt <mail@danielhaupt.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

c9e22a8f

23 Jul, 2021 2 commits

[TASK] Deprecate extbase ObjectManager · 5c8d0397

Christian Kuhn authored Jul 22, 2021

With all non-legacy usages of ObjectManager being gone,
this final patch adds a series of @deprecation annotations
throughout the core, adapts some comments, and finally
adds a trigger_error() to ObjectManager->get().

Resolves: #94619
Related: #90803
Releases: master
Change-Id: Iaa65f7dee4e5aa9eb4e2c217e76105b0263dc6dc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70054


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

5c8d0397

[BUFIX] Set fallback for undefined array keys in PHP8 · 6e75da76

Jochen Roth authored Jul 22, 2021 and

Benni Mack committed Jul 23, 2021

Fix undefined array keys in form, core and
indexed_search for the frontend and in
extensionmanager.

Resolves: #94613
Releases: master
Change-Id: I96230feb46f33c9a606a72f765bc79e19d8b28dd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70024


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

6e75da76

22 Jul, 2021 13 commits

[BUGFIX] Do not encode password reset link in plain text · f155250f

Oliver Bartsch authored Jul 19, 2021 and

Christian Kuhn committed Jul 22, 2021

The reset link, sent in the plain text version of the
PasswordReset functionality is not longer be encoded
as this makes the link unusable.

Resolves: #94589
Releases: master, 10.4
Change-Id: Ie464140bb68f5ac703540d1eba094f19cf2ee299
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69967


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

f155250f

[FEATURE] Use https by default when autolinking in RTE · 8cff525a

Benni Mack authored Jul 19, 2021 and

Christian Kuhn committed Jul 22, 2021

When using CKEditor with autolinking plugin enabled
(e.g. simply typing www.typo3.org in the RTE) https:// is
now used by default when a link is generated.

This change reflects the "secure-first" approach by
using https:// by default, however users can still manually
change this to http://.

More than 90% of the web now serve via HTTPS
(also see https://transparencyreport.google.com/https)

Resolves: #90336
Releases: master
Change-Id: I38e4034915f66fd1f169bc96f27026a6427de156
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69923


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

8cff525a

[BUGFIX] Correctly resolve arrays in log messages · bcb50908

Oliver Bartsch authored Jul 20, 2021 and

Christian Kuhn committed Jul 22, 2021

When using an array as data for a log entry placeholder,
it must be imploded as otherwise the placeholder would
not be resolved by AbstractWriter->interpolate().

Additionally, the exception is now correctly added to the
log message string in PhpErrorLogWriter again.

Resolves: #94594
Related: #94315
Releases: master
Change-Id: I0aa79e511fd164a75e974547057477479234c25b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69978


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

bcb50908

[TASK] Make runTests.sh compatible with docker-compose v2 · 7970143b

Jochen Roth authored Jul 21, 2021 and

Christian Kuhn committed Jul 22, 2021

docker-compose.yml is now working with v2.0.0beta.
Restored old behavior to retrieve the actual CORE_ROOT
path using "realpath" which also works on MacOS.

Resolves: #94612
Releases: master, 10.4, 9.5
Change-Id: I62ab40870e285b3533a259105dac241e3c4a6af2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70023


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

7970143b

[BUGFIX] Respect TCA type language in getProcessedValue · b9f25d92

Oliver Bartsch authored Jul 21, 2021 and

Christian Kuhn committed Jul 22, 2021

Since #57082 the language columns, typically
`sys_language_uid`, are defined with the new
TCA type "language" instead of type "select".

Since this was previously not properly handled,
BackendUtility::getProcessedValue() just returned
the records' field value instead of the language title.

This is now fixed by adding an additional "case" for
TCA type "language".

Resolves: #94610
Releases: master
Change-Id: I89297e679393cb8eb0765a51fb6a7eebc4e12f7c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70022


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

b9f25d92

[TASK] Avoid ObjectManager in ext:extbase · d30ba9cf

Christian Kuhn authored Jun 30, 2021

This finishes removal of regular extbase ObjectManager
usages throughout the core: All left over places are
fallback situations if extensions don't provide proper
service definitions.

Most places are casual replacements, many of them have
been prepared with previous patches. Some places like
Query and QueryResult still need special handling: The
patch introduces some 'ForwardCompatible' interfaces
implemented by core to otherwise OM-fallback if extensions
didn't catch up yet. This avoids expensive runtime
reflection in potentially often-called areas.

When this patch is merged, a final patch can be done,
including a ReST with some dedicated transition tips
and the ultimate ObjectManager deprecation.

Resolves: #94451
Related: #90803
Related: #92238
Releases: master
Change-Id: Ic53f3bf6a04d15052680a953c76d19182a2e5e87
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69676


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

d30ba9cf

[TASK] ext:beuser BackendUser model does not extend extbase model · 129452ff

Christian Kuhn authored Jul 22, 2021

To further clean up ext:beuser and allow more refactoring
of the extension, the BackendUser model no longer extends
the ext:extbase base BackendUser model.
The patch is a straight merge of the lower class for now
and further patches will follow.

Resolves: #94614
Releases: master
Change-Id: I79978cdae8538ce04b15bc703ad0eefc415f6d27
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70025


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

129452ff

[TASK] https as default scheme in f:uri.external and f:link.external · e5bf0c14

Christian Kuhn authored Jul 22, 2021

When no scheme is given using f:uri.external or
f:link.external fluid view helpers, they now fall
back to https instead of http.

Resolves: #94615
Releases: master
Change-Id: I33ce251d4f38cd504d163dd91f70fbe753952f2d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70026


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

e5bf0c14

[BUGFIX] Properly mark QueryView as deprecated · 8972957a

Christian Kuhn authored Jul 19, 2021

The class logs a deprecation in __construct(),
but the @deprecated annotation is missing.

Unit and functional tests of QueryGenerator are
moved now and a PHP8 related patch that has been
done to core QueryGenerator is now merged into
lowlevel QueryGenerator, too.

Resolves: #94587
Related: #92129
Releases: master
Change-Id: Ibb59c6bf576c6589a1cbb654ebd4773065b3e8c2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69962


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

8972957a

[TASK] Replace fetchColumn with fetchOne for Doctrine DBAL · d6fa37ea

Benni Mack authored Jul 18, 2021 and

Oliver Bartsch committed Jul 22, 2021

This change replaces all query results from the
database from fetchColumn() to fetchOne(), as this
is the new API used in Doctrine DBAL.

This change is one of a few to prepare for
Doctrine DBAL 3.0 compatibility.

Resolves: #94605
Releases: master
Change-Id: Ia9ca2bbb7b2c16a230c5946941cc3023203f494d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69917


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

d6fa37ea

[BUGFIX] Use ForwardResponse arguments if not null · b6c2a5ea

Alexander Schnitzler authored Jul 21, 2021 and

Christian Kuhn committed Jul 22, 2021

Issue #92815 introduced a regression which triggered an endless
recursion in case of a validation error.

A bit longer explanation:

Given there is an extbase controller action with an argument
whose properties have to validated, extbase maps the incoming
data of the request onto the internally handled arguments
object which then performs the validation on all given arguments.

In case of an error, extbase tries to redirect to the referring
request aka the current request with an updated set of arguments.
The idea is to remove all arguments of the current request to not
trigger the same validation error again on the next try.

There was a condition in the past which eventually led to the
overriding of current arguments which was refactored wrong.

The solution is to make the arguments of the ForwardResponse null
by default and have the same null check like before.

Releases: master
Resolves: #94457
Change-Id: I1701001ce0cf55df79b2ed896d69a08659a2902b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70020


Tested-by: core-ci <typo3@b13.com>
Tested-by: waldhacker <hello@waldhacker.dev>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: waldhacker <hello@waldhacker.dev>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

b6c2a5ea

[BUGFIX] Undefined array key with PHP8 in old services API · 29fb5f52

Devid Messner authored Jul 20, 2021 and

Georg Ringer committed Jul 22, 2021

Fix a PHP Warning on custom auth services that have
no service subtype "processLoginDataBE".

Resolves: #94599
Releases: master
Change-Id: I5046236b659674cebc761861ccf668c9bb226dc5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70012


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

29fb5f52

[BUGFIX] Another DataHandler PHP 8 fix · 637fb942

Christian Kuhn authored Jul 21, 2021 and

Oliver Bartsch committed Jul 22, 2021

A rather obvious TCA access scenario.

Resolves: #94611
Releases: master
Change-Id: Ie4ac8c7d1978e89de28076e0d036db1930c51149
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70021


Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

637fb942

21 Jul, 2021 5 commits

[BUGFIX] Fix inactive languages in LanguagePack · b8d7cddb

Oliver Bartsch authored Jul 19, 2021 and

Christian Kuhn committed Jul 21, 2021

The "Manage Language Packs" modal now displays
the inactive languages correct. This was previously
overridden by bootstraps "table-striped" functionality.

Resolves: #94584
Releases: master
Change-Id: Ib464d9daaea8156fd9f80dca96fe50bee3f61992
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69966


Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

b8d7cddb

[BUGFIX] Extbase ObjectManager can inject PSR ContainerInterface · db551e17

Christian Kuhn authored Jul 21, 2021

Legacy Extbase ObjectManager has a symfony DI compiler pass
that registers all DI registered "Foo"Interface aliases
via registerImplementation in Extbase container, too.

This however only works if the target is a class.
The Psr/Container/ContainerInterface is a magic
'service_container' alias, though. In turn, ObjectManager
fails to inject Psr/Container/ContainerInterface.

The patch adds this interface explicitly and adds a
functional test to make sure it works.

We target that patch to both v11 and v10 to simplify
the transition from ObjectManager to symfony based DI.

Resolves: #94608
Related: #90803
Related: #94453
Releases: master, 10.4
Change-Id: I282240548d8d8c571314dd433653dc30d1e0dad4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70017


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

db551e17

[BUGFIX] Ensure folder tree highlights initially selected folder · f61bbff9

Benni Mack authored Jul 18, 2021 and

Christian Kuhn committed Jul 21, 2021

This change fixes a variable error to use "activeFolder" instead
of "selectedFolder".

Resolves: #94579
Releases: master
Change-Id: I855c89a51f080136f713c1df035e5882fe652910
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69918


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

f61bbff9

[BUGFIX] Add missing title tag for edit icon in page module. · 933edc91

Georg Ringer authored Jul 18, 2021 and

Lina Wolf committed Jul 21, 2021

Resolves: #94573
Releases: master, 10.4
Change-Id: I62c96e78accb7a10b0da384bdd9d92a1ecab58c1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69911


Tested-by: core-ci <typo3@b13.com>
Tested-by: Guido Schmechel <guido.schmechel@brandung.de>
Tested-by: Helmut Hummel <typo3@helhum.io>
Tested-by: Lina Wolf <112@linawolf.de>
Reviewed-by: Guido Schmechel <guido.schmechel@brandung.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Reviewed-by: Lina Wolf <112@linawolf.de>

933edc91

[BUGFIX] Fix several issues regarding Recordlist search · 507a3716

Oliver Bartsch authored Jul 13, 2021 and

Benni Mack committed Jul 21, 2021

Since #93892, clearing the search field did not longer
submit the form. This is now fixed by adding a dedicated
JS module, listening on the browsers "search" event.

When using the search in the Record selector, the search
options dropdown is now not longer cut off, in case no
search results are present.

Additionally, the functionality to toggle the search field
in the recordlist module is now moved into the Recordlist
JS module, as it does not belong to EXT:backend and
furthermore does not require a dedicated JS module.

Resolves: #94463
Resolves: #94557
Releases: master
Change-Id: I504a27fc6cb3d3689555169ac3e39813e2029544
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69830


Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Guido Schmechel <guido.schmechel@brandung.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>

507a3716

20 Jul, 2021 8 commits

[BUGFIX] Check whether tt_content parent page is accessible · 3b3321ba

Oliver Bartsch authored Jul 19, 2021

Both, DatabaseRecordList as well as the ContextMenu feature the
"Show" button to preview a content element on its parent page.
However, in case the parent page is a "no view doktype" (e.g. sys
folder), those buttons lead to a 404 error.

This is now fixed by properly checking whether a content elements'
parent page can be viewed. If not, the button is no longer shown.

Resolves: #93718
Releases: master, 10.4
Change-Id: I2ad48ee7e44d06f569496c4bed2bbd172791b86c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69959


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

3b3321ba

[SECURITY] Do not log sensitive data in authentication process · 678dfccb

Benni Mack authored Jul 20, 2021 and

Oliver Hader committed Jul 20, 2021

When having the debug logging activated for the
authentication process, sensitive data is not being
logged anymore.

This change
* removes password from being logged
* hashes the cookie value processed for logging

Resolves: #93925
Releases: master, 11.3, 10.4, 9.5
Change-Id: I8c610a72014de571ef52b4430c43f8d149b273d9
Security-Bulletin: CORE-SA-2021-012
Security-References: CVE-2021-32767
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69994


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

678dfccb

[SECURITY] Mitigate XSS related to column names · 02789b5b

Oliver Bartsch authored Jul 20, 2021 and

Oliver Hader committed Jul 20, 2021

The column names, defined in backend layouts, were not
properly encoded at some places and therefore led to a
XSS vulnerability.

The issue is addressed by properly encoding user input.

Resolves: #93683
Releases: master, 11.3, 10.4, 9.5, 8.7
Change-Id: I787cee9f56a30aeaf69294412c8d5198a144e31c
Security-Bulletin: CORE-SA-2021-011
Security-References: CVE-2021-32669
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69993


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

02789b5b

[SECURITY] Encode error messages in Query Generatory & Query View · a976a18a

Oliver Hader authored Jul 20, 2021 and

Oliver Hader committed Jul 20, 2021

Properly encodes error messages to be used in HTML output in
"EXT:lowlevel" Query Generator and Query View components.

Resolves: #93868
Releases: master, 11.3, 10.4, 9.5
Change-Id: I05812ac7c1cded39edbf10d50bb4dc0fd8faf577
Security-Bulletin: CORE-SA-2021-010
Security-References: CVE-2021-32668
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69992


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

a976a18a

[SECURITY] Mitigate XSS in viewpage · 39c5a432

Oliver Bartsch authored Jul 20, 2021 and

Oliver Hader committed Jul 20, 2021

The `viewpage` module contains a preset selection, where
users can select different browser viewports. Since the
corresponding preset labels, configurable via TSconfig,
had not been encoded properly, is was vulnerable to XSS.

The issue is addressed by properly encoding the labels.

Resolves: #93702
Releases: master, 11.3, 10.4, 9.5
Change-Id: Ia22c5ab4332816614dd07a93d7e739d9fc1d8bac
Security-Bulletin: CORE-SA-2021-009
Security-References: CVE-2021-32667
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69991


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

39c5a432

[TASK] Mitigate downstream CSV code injection · 7fbe487a

Oliver Hader authored Jul 20, 2021 and

Oliver Hader committed Jul 20, 2021

* uses stream filter to enclose multi-line content
* adds three choosable strategies dealing with control literals
  + TYPE_REMOVE_CONTROLS - removes control literals (default)
  + TYPE_PREFIX_CONTROLS - prefixes control literal sequence with `'`
  + TYPE_PASSTHROUGH - nothing, passthrough data

The default strategy is `TYPE_REMOVE_CONTROLS` when
invoking `\TYPO3\CMS\Core\Utility\CsvUtility::csvValues`.

Resolves: #94271
Releases: master, 11.3, 10.4, 9.5
Change-Id: I2568a0c2dfa6d4636e211e97d66a513984532cc9
Security-Bulletin: TYPO3-PSA-2021-002
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69974


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

7fbe487a

[BUGFIX] Avoid PHP8 fatal errors in CommandLineUserAuthentication · 26198673

Helmut Hummel authored Jul 20, 2021

Releases: master
Resolves: #94592
Change-Id: I0616e362b598beb49859f5e78a3f2636f6cdf73f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69969


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Helmut Hummel <typo3@helhum.io>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Helmut Hummel <typo3@helhum.io>

26198673

[TASK] Clean up $coreExtensionsToLoad in functional tests · 5e676a21

Christian Kuhn authored Jul 19, 2021 and

Georg Ringer committed Jul 20, 2021

FunctionalTestCase loads these core extensions by default:
core, backend, frontend, extbase, install, recordlist, fluid

Functional tests do not need to set these explicitely in
$coreExtensionsToLoad. The patch cleans this up.

Resolves: #94591
Releases: master
Change-Id: I038cea486c20edc5262dc6a575ed965c876bdc88
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69968


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

5e676a21

19 Jul, 2021 6 commits

[BUGFIX] Prevent TypeError in TableController · 936bb29c

Oliver Bartsch authored Jul 13, 2021 and

Christian Kuhn committed Jul 19, 2021

Prevent a possible TypeError in TableController by
casting the input argument to string.

Resolves: #94446
Releases: master, 10.4
Change-Id: I208123f542ca6cf34db51889138fb626da0deb41
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69831


Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

936bb29c

[BUGFIX] Upgrade packages chart.js, codemirror, ckeditor4 · 048d2957

Oliver Hader authored Jul 19, 2021 and

Oliver Hader committed Jul 19, 2021

Upgrade JavaScript packages chart.js, codemirror and ckeditor4
addressing known and disclosed vulnerabilities.

* chart.js: Prototype Pollution
  https://app.snyk.io/vuln/SNYK-JS-CHARTJS-1018716
* codemirror: Regular Expression DoS (ReDoS)
  https://app.snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937
* ckeditor4: Cross-Site Scripting
  https://app.snyk.io/vuln/SNYK-JS-CKEDITOR4-1303090

Executed command:
```
cd Build; nvm use; yarn upgrade chart.js codemirror ckeditor4
```

Resolves: #94583
Releases: master, 10.4, 9.5
Change-Id: I56c1948f5785f4ecf9f51998f006825a952280bd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69956


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

048d2957

[TASK] Refactor ViewHelper tests · ad3a216d

Christian Kuhn authored Jul 14, 2021

We have a decent test coverage of view helpers, especially
those within ext:fluid. This is an important asset and we're
sure all main functionality works.

Most of the tests rely on ViewHelperBaseTestcase from the
testing framework. This class prepares the main mocking
of view helper dependencies. Reading the code it becomes
obvious that this approach is kinda unfortunate: View
helpers are part of a bigger system - they have some
general dependencies like the rendering context, the
request and render children. This leads to a mocking
party in many unit tests, making the test goal hard to
understand and follow.
The mock preparations and assumptions of internal handling
actively block further separation of concern patches
within ext:fluid since the ViewHelperBaseTestcase breaks
all the time.

The patch refactors all unit tests that extend
ViewHelperBaseTestcase towards functional tests:
Most of them simply create a StandaloneView, feed a
template string for the specific view helper and
string compare the render result. Some FE related VH
tests additionally set up a full frontend and retrieve
a rendered fluid view as sub request.

This makes the tests much easier to read, follow and
understand. The functional tests are now good examples
to show the various features of single VH's.

Change-Id: I6c5d4eeb0c79ba66a18398a5623a591381a6d707
Resolves: #94580
Releases: master
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69857


Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

ad3a216d

[TASK] Skip another SVG sanitizer test causing seg fault · 53bbf190

Christian Kuhn authored Jul 19, 2021

A second test is marked skipped until
an upstream patch is merged and released.

Resolves: #94582
Related: #94565
Related: #94492
Releases: master, 10.4, 9.5
Change-Id: Ia899c47a80bba60840f011766b816af90e160498
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69924


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

53bbf190

[BUGFIX] Add missing treeActions to RecordLinkHandler · bb8f1f05

Kevin Appelt authored Jul 19, 2021 and

Oliver Bartsch committed Jul 19, 2021

Resolves: #94581
Releases: master
Change-Id: Id0e4fdce83f04a0c5a5060fb62832f6e93409eb3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69921


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Henrik Elsner <helsner@dfau.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>

bb8f1f05

[TASK] Reduce invalid arguments mentioned by PHPStan · dc620aea

Benni Mack authored Jul 16, 2021 and

Georg Ringer committed Jul 19, 2021

Resolves: #94571
Releases: master
Change-Id: Ic84bf7ba69ef5b020f91661ff5387ef4b62f34f2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69905


Tested-by: core-ci <typo3@b13.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

dc620aea

16 Jul, 2021 4 commits

[BUGFIX] Fix undefined array key warnings for frontend in PHP8 · d418d600

Jochen Roth authored Jul 13, 2021 and

Benni Mack committed Jul 16, 2021

Add fallback for undefined array keys in EXT:frontend,
EXT:indexed_search, EXT:core.

This fixes frontend rendering of a basic site package
including all available content elements.

Resolves: #94546
Releases: master
Change-Id: I051f2d6d0b2278394e95af8eb26be11b3f4aa9a7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69819


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

d418d600

[FEATURE] Allow overriding fileFolder config with TSconfig · 2f0c2656

Oliver Bartsch authored Jul 14, 2021 and

Benni Mack committed Jul 16, 2021

The "fileFolder" configuration options, available for TCA
columns of type "select" are used to fill the select field
with predefined files (images / icons). Nowadays this is
frequently used to make a corporate icon set available for
editors. In multi site installations however, those icon sets
usually differ from site to site.

Therefore, the AbstractItemProvider is now extended to allow
overriding those settings with TSconfig (TCEFORM).

Furthermore, to streamline the TCA configuration and to be
in line with the corresponding overrides, the "fileFolder"
TCA configuration options are moved into a dedicated sub array
"fileFolderConfiguration" and the properties are renamed
to be consistent with other TCA options.

* fileFolder => folder
* fileFolder_extList => allowedExtensions
* fileFolder_recursions => depth

A TCA migration is in place.

Resolves: #94406
Releases: master
Change-Id: I621198523edfd328ad68d692d9194017c445406f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69832


Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>

2f0c2656

[TASK] Clean up Permission controllers · 6d956e81

Oliver Bartsch authored Jul 15, 2021 and

Benni Mack committed Jul 16, 2021

The PermissionController was previously handled
via extbase, even though no pure Extbase-related
feature (validation, type-converting, persistence)
was used. Furthermore a combination of non-extbase
arguments and extbase-prefixed arguments was used,
leading to a couple of GeneralUtility::_GP() usages.

To clean up the controller, it is now not longer
registered as extbase module, while keeping
the module name "system_BeuserTxPermission"
for backwards-compatibility reasons.

Furthermore, is the PermissionAjaxController,
used for inline updates in the tree view,
moved into the PermissionController. This
allowed to streamline and clean up its only
endpoint.

Besides the clean up, some things got improved,
e.g. the shortcut button does now also take the
current action into account and all used labels
can now be translated.

Resolves: #94564
Releases: master
Change-Id: Ic03e341df5b69aa154be1a5b737df2eecc433e55
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69893


Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>

6d956e81

[TASK] Remove empty h2 and margin in Scheduler module · 0de5ac09

Oliver Bartsch authored Jul 16, 2021 and

Benni Mack committed Jul 16, 2021

This patch removes an empty h2 tag in the scheduler
module and also removes an unnecessary margin-bottom
which visually looked like an empty table row.

Furthermore is the main template structure now also
rendered using the already existing standalone view
instance.

Resolves: #94567
Releases: master
Change-Id: I74b2ba00c52a4c92d506e8cde21493320b073e1e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69897


Tested-by: core-ci <typo3@b13.com>
Tested-by: Guido Schmechel <guido.schmechel@brandung.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Guido Schmechel <guido.schmechel@brandung.de>
Reviewed-by: Benni Mack <benni@typo3.org>

0de5ac09