- 16 Aug, 2021 5 commits
-
-
Change-Id: I877dc31a0588bf52f65604e4041149133f1c16d1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70638
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Change-Id: I783afddc3fb0281b3e22ea5373e191b148a540bf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70637
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
composer req typo3/html-sanitizer:^2.0.9
composer req typo3/html-sanitizer:^2.0.9 \
    -d typo3/sysext/core --no-update

Resolves: #94883
Releases: master, 11.3, 10.4, 9.5
Change-Id: I997ddc423ffcb216927e3ba807e303e604174ee8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70615
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
As a result of TYPO3-CORE-SA-2021-013, the new `htmlSanitize` behavior - when invoking `ContentObjectRenderer::parseFunc` - is enabled per default, in case it was not declared otherwise. That also happened when no processing configuration was given (or could be resolved). Without having any configuration, it was obviously not possible to disable `htmlSanitize`. Fluid's `HtmlViewHelper` can be used with an empty `parseFuncTSPath` (e.g. `<f:format.html parseFuncTSPath="">`) - due to the missing (empty) configuration, sanitization was enabled per default in `parseFunc`.

With this change, property `htmlSanitize` needs to be either enabled or disabled explicitly - otherwise deprecation logs will be generated. If not given, the fall-back behavior is inferred from the new feature flag `security.frontend.htmlSanitizeParseFuncDefault`. Invoking `ContentObjectRenderer::parseFunc` without any configuration behaves like before TYPO3-CORE-SA-2021-013 was applied - it just does not process anything.

Resolves: #94786
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4aee54d712ce4758f6c9c2e64a43f80b6c076406
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70612
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
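An added configuration illustration of the explicit declaration this change asks for; it is not part of the commit. It assumes the `lib.parseFunc` and `lib.parseFunc_RTE` setup paths that fluid_styled_content provides; `lib.parseFunc_trusted` is a hypothetical path of my own. The fall-back for paths that declare nothing is the feature flag, set in PHP as `$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.htmlSanitizeParseFuncDefault'] = true;`.

```typoscript
# Explicit opt-in on the paths that render editor-supplied markup
lib.parseFunc.htmlSanitize = 1
lib.parseFunc_RTE.htmlSanitize = 1
# "default" is the core preset; a fully qualified class name of a
# builder implementing BuilderInterface can be given instead
lib.parseFunc_RTE.htmlSanitize.build = default

# Explicit opt-out on a hypothetical copy of the path. Only defensible for
# markup no untrusted party can influence: with sanitizing disabled,
# parseFunc passes event-handler attributes and scripts through again.
lib.parseFunc_trusted < lib.parseFunc
lib.parseFunc_trusted.htmlSanitize = 0
```

Once every path carries an explicit `htmlSanitize` value, the deprecation log entries described above stop, and the feature flag no longer influences rendering.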
-
`ContentObjectRenderer` and `AbstractMenuContentObject` are still relying on the HTML event attribute `onclick` to open new client window instances, which were (correctly) removed by the HTML sanitizer. In order to keep the functionality, exceptional declarations have been added, and `vHWin=window.open(...)` substituted by `openPic(...)`.

Resolves: #94866
Releases: master, 11.3, 10.4, 9.5
Change-Id: I961746b3776d12f302933ebb775ab215bdcd85ab
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70577
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 13 Aug, 2021 2 commits
-
-
New `<f:sanitize.html build="default">` view-helper is introduced which directly invokes processing of the `typo3/html-sanitizer` package. An optional view-helper argument `build` allows using a defined preset, or a fully qualified class name of a builder instance as alternative, which has to implement `\TYPO3\HtmlSanitizer\Builder\BuilderInterface`. In contrast to `<f:format.html>`, this does NOT invoke `lib.parseFunc`, and does NOT rely on TypoScript configuration being loaded and parsed.

Resolves: #94825
Releases: master, 11.3, 10.4, 9.5
Change-Id: Id0720120fea7d5d517a8c61d10bdbb6b03658adf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70525
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Skip a real check of the file system for SVG files in advance in the SvgFilesSanitization wizard to avoid timeouts in e.g. the reports module.

Resolves: #94801
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4ed52d357effec4a8e698d5b117f024150a01beb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70448
Tested-by: core-ci <typo3@b13.com>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70532
-
- 12 Aug, 2021 3 commits
-
-
Resolves: #94857
Releases: master, 11.3, 10.4, 9.5
Change-Id: I7654fb4cec38d38044441e885a21676dcacf9a8f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70519
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
A new `SanitizerInitiator` is added and forwarded to `typo3/html-sanitizer`. This allows getting a full stack-trace when HTML nodes have been sanitized/modified and to debug the actual cause (initiator) much better.

To receive corresponding initiator stack-traces
* logging for the TYPO3.HtmlSanitizer namespace needs to be enabled
* TypoScript `config.debug = 1` must be set, or as a fall-back `$GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = true;` must be set
* the HTML sanitizer must have found and modified invalid tags/attributes

Resolves: #94837
Releases: master, 11.3, 10.4, 9.5
Change-Id: I0239785d347d2c4ad6153ccb26130556399949d8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70509
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
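An added configuration example (not from the commit) that turns the first two prerequisites into settings. It assumes the core's `FileWriter` log writer; the `logFileInfix` value is an arbitrary choice, and the file ends up under `var/log/`.

```php
<?php
// Added example, not part of the commit: typo3conf/AdditionalConfiguration.php

// Route everything logged under the TYPO3.HtmlSanitizer namespace, down to
// DEBUG level, into its own log file (assumption: the infix name is free-form)
$GLOBALS['TYPO3_CONF_VARS']['LOG']['TYPO3']['HtmlSanitizer']['writerConfiguration'] = [
    \TYPO3\CMS\Core\Log\LogLevel::DEBUG => [
        \TYPO3\CMS\Core\Log\Writer\FileWriter::class => [
            'logFileInfix' => 'html_sanitizer',
        ],
    ],
];

// Fall-back for the initiator stack-trace when TypoScript `config.debug = 1`
// is not set. Keep this off on production sites: it also enables other
// frontend debug output, and stack-traces in logs can disclose paths and
// configuration to whoever can read them.
$GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = true;
```

The third prerequisite cannot be configured: the log only receives an entry, and the initiator trace with it, when the sanitizer actually changed a node. Render a page containing markup the builder rejects (an `onclick` attribute is enough with the default preset) and inspect the new log file.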
-
https://github.com/TYPO3/html-sanitizer/releases/tag/v2.0.8

composer req typo3/html-sanitizer:^2.0.8

Resolves: #94849
Releases: master, 11.3, 10.4, 9.5
Change-Id: I367343abe5b18445ddc28023ef45c65bc6d0de23
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70500
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 11 Aug, 2021 2 commits
-
-
When TYPO3 is configured to spam protect email addresses using an offset, then the HTML sanitizer introduced in #94375 will remove the generated JavaScript in the href link attribute. This change makes the HTML sanitizer aware of the `javascript:linkTo_UnCryptMailto` pattern for the href attribute.

Resolves: #94776
Releases: master, 11.3, 10.4, 9.5
Change-Id: If5f4ab22a686274401390a66b580a24e6d5a8f0c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70416
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
* remove superfluous `}` literal from PHP example
* add "Troubleshooting" section of reported side-effects
* add "Logging" section, supporting to spot those side-effects

Resolves: #94797
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4b154c849b158d920b380f40d1415762d227ae6d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70417
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 10 Aug, 2021 6 commits
-
-
This reverts commit b8a9db75.

Not defining a replaced version of `t3g/svg-sanitizer` leads to problems with `roave/security-advisories`. Overall it seems better to completely revert the previous change.

Resolves: #94782
Reverts: #94719
Releases: master, 11.3, 10.4, 9.5
Change-Id: I43c2ea986ffec72bc0c8eb740a84daad33e9257f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70434
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Change-Id: I0438870130ee9be5eb1e359c922fb9b62c23d9c4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70351
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Change-Id: Iaa6a0153c2be08d0d7c21a660e821983bf99bb92
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70350
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Due to missing internal handling of provided RTE configuration, it was possible to directly persist XSS in database fields. Unless full blown backend RTE tag configuration is available, this patch still allows persisting potentially malicious data - which is not reflected in the backend user interface, but is sanitized during frontend rendering (see below). Corresponding configuration directives (`removeTags`, `allowedAttribs`) are now considered again. Besides that a new, but simplified sequential HTML parser ensures that runaway node-boundaries are detected & denied.

To sanitize and purge XSS from markup during frontend rendering, a new custom HTML sanitizer has been introduced, based on `masterminds/html5`. Both `DefaultBuilder` and `CommonVisitor` provide common configuration which is in line with expected tags that are allowed in the backend RTE. Using a custom builder instance, it is possible to adjust for individual demands - however, configuration possibilities cannot be modified using TypoScript - basically since the existing syntax does not cover all necessary scenarios.

Resolves: #94375
Related: #83027
Related: #94484
Releases: master, 11.3, 10.4, 9.5
Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0
Security-Bulletin: TYPO3-CORE-SA-2021-013
Security-References: CVE-2021-32768
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70344
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
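An added example of the "custom builder instance" this commit refers to, which is also the kind of class the `build` argument of `<f:sanitize.html>` (13 Aug) accepts. It is my code, not the core's `DefaultSanitizerBuilder` nor anything from the `typo3/html-sanitizer` package; it assumes the 2.0.x release line the commits above pin, and the `Vendor\Ext` namespace, class name and tag selection are placeholders. The value-level allow-list on `href` is the mechanism of interest: `javascript:` URLs fail every pattern and the attribute is dropped, while a single anchored pattern can still let one specific handler through, which is how the spam-protected `mailto` case (11 Aug) can be accommodated without reopening arbitrary script URLs.

```php
<?php
declare(strict_types=1);

// Added example, not code from the TYPO3 core or from typo3/html-sanitizer.
// Assumes typo3/html-sanitizer 2.0.x; Vendor\Ext and the class name are placeholders.
namespace Vendor\Ext\Html;

use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\BuilderInterface;
use TYPO3\HtmlSanitizer\Sanitizer;
use TYPO3\HtmlSanitizer\Visitor\CommonVisitor;

/**
 * A deliberately small allow-list: a few inline/block tags, `class` and
 * `data-*` attributes, and links restricted to http(s) and mailto targets.
 * Anything not listed is encoded to text or removed, never passed through.
 */
final class StrictSanitizerBuilder implements BuilderInterface
{
    public function build(): Sanitizer
    {
        $commonAttrs = [
            new Behavior\Attr('class'),
            // NAME_PREFIX: any attribute whose name starts with "data-"
            new Behavior\Attr('data-', Behavior\Attr::NAME_PREFIX),
        ];

        // href survives only if its value matches one of these patterns.
        // "javascript:", "data:" and friends match none of them, so the
        // attribute is stripped while the <a> element itself is kept.
        $hrefAttr = (new Behavior\Attr('href'))
            ->addValues(
                new Behavior\RegExpAttrValue('#^https?://#i'),
                new Behavior\RegExpAttrValue('#^mailto:#i')
            );

        $behavior = (new Behavior())
            ->withTags(
                (new Behavior\Tag('p', Behavior\Tag::ALLOW_CHILDREN))->addAttrs(...$commonAttrs),
                new Behavior\Tag('strong', Behavior\Tag::ALLOW_CHILDREN),
                new Behavior\Tag('em', Behavior\Tag::ALLOW_CHILDREN),
                (new Behavior\Tag('a', Behavior\Tag::ALLOW_CHILDREN))->addAttrs($hrefAttr, ...$commonAttrs),
                new Behavior\Tag('br')
            )
            // unknown tags become escaped text instead of vanishing silently
            // (so a broken page is visible), children of leaf tags are dropped
            ->withFlags(Behavior::ENCODE_INVALID_TAG | Behavior::REMOVE_UNEXPECTED_CHILDREN);

        // 2.0.x constructor: visitors only. Assumption for newer releases:
        // the Behavior is passed first, new Sanitizer($behavior, ...$visitors).
        return new Sanitizer(new CommonVisitor($behavior));
    }
}

// Stand-alone usage with composer autoloading (constructed input):
// $dirty = '<p onclick="alert(1)">Hi <a href="javascript:alert(1)">x</a></p><script>bad()</script>';
// $clean = (new \Vendor\Ext\Html\StrictSanitizerBuilder())->build()->sanitize($dirty);
```

To make the builder selectable by name, register it as a preset next to the core's `default` one, `$GLOBALS['TYPO3_CONF_VARS']['SYS']['htmlSanitizer']['strict'] = \Vendor\Ext\Html\StrictSanitizerBuilder::class;` (the preset key `strict` is my choice), after which `<f:sanitize.html build="strict">` and `lib.parseFunc_RTE.htmlSanitize.build = strict` both resolve to it; the fully qualified class name works in both places as well. Keep the allow-list in step with the backend RTE configuration: a tag the RTE permits but the builder rejects shows up as encoded text in the frontend, which is the safe failure direction, whereas the reverse silently widens the attack surface.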
-
Functionality of package t3g/svg-sanitizer has been integrated into the TYPO3 core.

Resolves: #94719
Releases: master, 11.3, 10.4, 9.5
Change-Id: I9bef46af0b76275844aa4acb2b54214f37936ecc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70337
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Addresses work-around of issues #94565 and #94582 concerning libxml2 segmentation faults.

https://github.com/darylldoyle/svg-sanitizer/compare/0.14.0...0.14.1

Resolves: #94768
Releases: master, 11.3, 10.4, 9.5
Change-Id: I10f6386f0986f514a1387fb1153bbfc36f9c9dcc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70335
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 09 Aug, 2021 4 commits
-
-
Oliver Bartsch authored
Since #82489 the "enabledControls['new']" option no longer hid the "New record" button of inline containers as this was considered a misuse and led to some misbehaviour. This option should only affect the action buttons of each inline record. However since this can be considered a breaking change, especially because there is currently no option available to only hide the "New record" button, the whole change is reverted now and will only be fixed in a separate patch for v11. This will be done by introducing a dedicated option for the "new record" button and by deprecating the "none" value of the "levelLinksPosition" option.

Resolves: #94764
Related: #82489
Related: #92397
Releases: master, 11.3, 10.4
Change-Id: I2d108da41c02dea4958e8d39e47dcee24d2343e3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70316
Tested-by: core-ci <typo3@b13.com>
Tested-by: Jo Hasenau <info@cybercraft.de>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Jo Hasenau <info@cybercraft.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
-
This patch fixes a regression originally introduced in #94103. The problem there was simply an erroneous strict comparison, which further got completely removed in #94527 due to a misconception. The mentioned condition is important for date type fields with a lower range set in TCA. If the user doesn't provide a value for that date field, the range validation should be skipped. Otherwise this empty value would always be interpreted as 0, resulting in the validation changing it to the lower range value. As this is a special case, the condition was extracted and rewritten, to only apply for this exact scenario. Other than that the validation should not be skipped. An acceptance test and a unit test are added to ensure this behavior can't break anymore.

Resolves: #94621
Related: #94103
Related: #94527
Releases: master, 11.3, 10.4
Change-Id: I54c1a815077e48064f9f6eeba9584184c5f760d7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70232
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Similar to styleguide's backend TCA data generator, the extension can now generate a demo frontend to render a page tree with menu having examples of the default core content elements and demos for ext:felogin and ext:form. The generator is accessible through the existing backend styleguide module below the '?' help button in the toolbar. The FE data will be used for core acceptance tests soon. The raise also brings a minor TCA change for a pending core regression patch.

composer req --dev typo3/cms-styleguide:~11.4.0
composer req --dev typo3/cms-styleguide:~11.4.0 -d typo3/sysext/core --no-update

Change-Id: Ie1ef73400cda2b82c6379401341e69ff9e78645e
Resolves: #94658
Related: #94621
Releases: master, 11.3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70314
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
After query filters for file storages have been used, those settings have to be reset. `StorageRepository::$storageInstances` actually applies an implicit singleton pattern to file storage objects.

Resolves: #94714
Releases: master, 11.3, 10.4, 9.5
Change-Id: I353b782f8e98c55df6f9cb2e14a0745d83bfdc70
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70295
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 20 Jul, 2021 10 commits
-
-
Change-Id: I9a7a0c93943ef9b2da90c8d3c7d41a2bc0505380
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70000
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Change-Id: I1e23f7c28e2e827d136a41b2894f1946efa0c744
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69999
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
When having the debug logging activated for the authentication process, sensitive data is not being logged anymore.

This change
* removes password from being logged
* hashes the cookie value processed for logging

Resolves: #93925
Releases: master, 11.3, 10.4, 9.5
Change-Id: I8c610a72014de571ef52b4430c43f8d149b273d9
Security-Bulletin: CORE-SA-2021-012
Security-References: CVE-2021-32767
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69990
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
The column names, defined in backend layouts, were not properly encoded at some places and therefore led to an XSS vulnerability. The issue is addressed by properly encoding user input.

Resolves: #93683
Releases: master, 11.3, 10.4, 9.5, 8.7
Change-Id: I787cee9f56a30aeaf69294412c8d5198a144e31c
Security-Bulletin: CORE-SA-2021-011
Security-References: CVE-2021-32669
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69989
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Properly encodes error messages to be used in HTML output in "EXT:lowlevel" Query Generator and Query View components.

Resolves: #93868
Releases: master, 11.3, 10.4, 9.5
Change-Id: I05812ac7c1cded39edbf10d50bb4dc0fd8faf577
Security-Bulletin: CORE-SA-2021-010
Security-References: CVE-2021-32668
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69988
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
The `viewpage` module contains a preset selection, where users can select different browser viewports. Since the corresponding preset labels, configurable via TSconfig, had not been encoded properly, it was vulnerable to XSS. The issue is addressed by properly encoding the labels.

Resolves: #93702
Releases: master, 11.3, 10.4, 9.5
Change-Id: Ia22c5ab4332816614dd07a93d7e739d9fc1d8bac
Security-Bulletin: CORE-SA-2021-009
Security-References: CVE-2021-32667
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69987
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
A second test is marked skipped until an upstream patch is merged and released.

Resolves: #94582
Related: #94565
Related: #94492
Releases: master, 10.4, 9.5
Change-Id: Ia899c47a80bba60840f011766b816af90e160498
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69976
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
SVG sanitizer test dataset entity.svg is causing a segmentation fault in certain scenarios - which might be related to libxml2 before version 2.9.12. Unfortunately, investigations did not reveal any further details other than libxml2. As a result the `entity.svg` test dataset, which is causing this problem, is skipped until https://github.com/darylldoyle/svg-sanitizer/pull/53 is merged and released in the upstream library.

Resolves: #94565
Releases: master, 10.4, 9.5
Change-Id: I8375954dad64e3955f88122fa51dca7f796d077b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69975
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
* uses stream filter to enclose multi-line content
* adds three choosable strategies dealing with control literals
  + TYPE_REMOVE_CONTROLS - removes control literals (default)
  + TYPE_PREFIX_CONTROLS - prefixes control literal sequence with `'`
  + TYPE_PASSTHROUGH - nothing, passthrough data

The default strategy is `TYPE_REMOVE_CONTROLS` when invoking `\TYPO3\CMS\Core\Utility\CsvUtility::csvValues`.

Resolves: #94271
Releases: master, 11.3, 10.4, 9.5
Change-Id: I2568a0c2dfa6d4636e211e97d66a513984532cc9
Security-Bulletin: TYPO3-PSA-2021-002
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69973
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
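An added example, not the core's `CsvUtility`, that re-implements the three strategies in a few lines so their effect on a spreadsheet-formula payload can be seen side by side. The set of leading characters treated as control literals (`=`, `+`, `-`, `@`, tab, carriage return) is my assumption, chosen to cover the usual formula-injection prefixes; the core's exact list may differ, and the stream filter for multi-line content mentioned above is not reproduced.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3's CsvUtility. Strategy names follow the commit;
// the control-literal set below is an assumption.
const TYPE_PASSTHROUGH = 0;
const TYPE_REMOVE_CONTROLS = 1;
const TYPE_PREFIX_CONTROLS = 2;

// Leading characters that make spreadsheet applications evaluate a cell
const CONTROL_PATTERN = '#^[\t\r=+\-@]+#';

/** Apply one strategy to a single cell; non-strings and harmless strings pass untouched. */
function neutralizeCell($value, int $type)
{
    if (!is_string($value) || preg_match(CONTROL_PATTERN, $value) !== 1) {
        return $value;
    }
    switch ($type) {
        case TYPE_REMOVE_CONTROLS:
            // drop the whole leading run, so "==+cmd" does not become "=+cmd"
            return preg_replace(CONTROL_PATTERN, '', $value);
        case TYPE_PREFIX_CONTROLS:
            // a leading apostrophe makes spreadsheet apps treat the cell as text
            // while keeping the original characters visible to the reader
            return "'" . $value;
        default:
            return $value; // TYPE_PASSTHROUGH: caller takes the risk knowingly
    }
}

/** Serialize one row as a CSV line, neutralizing every cell first. */
function csvRow(array $row, string $delim = ',', string $quote = '"', int $type = TYPE_REMOVE_CONTROLS): string
{
    $row = array_map(static fn($cell) => neutralizeCell($cell, $type), $row);
    $stream = fopen('php://temp', 'w+');
    fputcsv($stream, $row, $delim, $quote);
    rewind($stream);
    $line = stream_get_contents($stream);
    fclose($stream);
    return $line;
}

// Constructed sample: a "name" field a user filled with a DDE-style payload
$row = ['Doe', "=cmd|' /C calc'!A0", 42];
foreach ([TYPE_PASSTHROUGH, TYPE_REMOVE_CONTROLS, TYPE_PREFIX_CONTROLS] as $type) {
    echo csvRow($row, ',', '"', $type);
}
```

Quoting alone does not help here: `fputcsv` encloses the payload in double quotes, but spreadsheet importers strip the enclosure before deciding whether a cell is a formula, which is why the cell content itself has to be altered. `TYPE_REMOVE_CONTROLS` is the right default for exports that anyone may download; `TYPE_PREFIX_CONTROLS` preserves the data for audit use at the cost of a visible apostrophe, and `TYPE_PASSTHROUGH` should be reserved for files that never reach a spreadsheet.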
-
Helmut Hummel authored
Releases: master
Resolves: #94592
Change-Id: I0616e362b598beb49859f5e78a3f2636f6cdf73f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69940
Tested-by: core-ci <typo3@b13.com>
Tested-by: Helmut Hummel <typo3@helhum.io>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
-
- 19 Jul, 2021 2 commits
-
-
Upgrade JavaScript packages chart.js, codemirror and ckeditor4 addressing known and disclosed vulnerabilities.

* chart.js: Prototype Pollution https://app.snyk.io/vuln/SNYK-JS-CHARTJS-1018716
* codemirror: Regular Expression DoS (ReDoS) https://app.snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937
* ckeditor4: Cross-Site Scripting https://app.snyk.io/vuln/SNYK-JS-CKEDITOR4-1303090

Executed command:

```
cd Build; nvm use; yarn upgrade chart.js codemirror ckeditor4
```

Resolves: #94583
Releases: master, 11.3, 10.4, 9.5
Change-Id: I56c1948f5785f4ecf9f51998f006825a952280bd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69963
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Resolves: #94556
Releases: master, 11.3, 10.4, 9.5
Change-Id: I0a0515ec84408c4914a93d704e635f40ce90b22e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69964
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 16 Jul, 2021 1 commit
-
-
Releases: 11.3
Change-Id: If4cb72de5097fcbfc3b670fdfb6328523b4e2e6e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69898
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 13 Jul, 2021 3 commits
-
-
Benni Mack authored
Change-Id: Icc6e6e01c230ea991a44c49908dd687cd54a867e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69820
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Benni Mack authored
This reverts commit 5932bdbd from https://review.typo3.org/c/Packages/TYPO3.CMS/+/69680

This change breaks regular forwarding of actions where the original request actually had arguments, which are now lost. See https://review.typo3.org/c/Packages/TYPO3.CMS/+/69680

Change-Id: I1e671bb1c61ed37c82f5cda513c2699c39280ad7
Resolves: #94547
Reverts: #94457
Releases: master
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69779
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
-
The menu was removed because it contained only already existing buttons (clear clipboard) or buttons that do not belong to the clipboard (delete, export), which made the clipboard overly complicated. Removed red color (danger) from the clear all button, because this is a non destructive operation, and added width/height for preview images so SVG images are displayed as expected in the clipboard. In addition, the "move/copy" selector is now a radio button, which finally works properly again.

Resolves: #94507
Releases: master
Change-Id: Ie9d98b13fa3075f6f8d297754576e3c20fd69b85
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69798
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
-
- 12 Jul, 2021 2 commits
-
-
This change introduces behavior of extension `t3g/svg-sanitizer` into the TYPO3 core. Sanitizing SVG data is actually done by the external package `enshrined/svg-sanitize` by Daryll Doyle.

The following aspects are introduced:
+ handle `GeneralUtility::upload_copy_move` invocations
+ handle FAL action events `file-add`, `file-replace`, `set-content`
+ provide upgrade wizard, sanitizing all SVG files in storages that are using `LocalDriver`

Custom usage:

```php
$sanitizer = new \TYPO3\CMS\Core\Resource\Security\SvgSanitizer();
// rewrite a file on disk: $sourcePath is read, the sanitized SVG is written to $targetPath
$sanitizer->sanitizeFile($sourcePath, $targetPath);
// or sanitize SVG markup already held in memory
$svg = $sanitizer->sanitizeContent($svg);
```

Basically this change enforces the following public service announcements concerning SVG files, to enhance these security aspects per default:
+ https://typo3.org/security/advisory/typo3-psa-2020-003
+ https://typo3.org/security/advisory/typo3-psa-2019-010

Resolves: #94492
Releases: master, 10.4, 9.5
Change-Id: I42c206190d8a335ebaf77b7e5d57b383e3bcbae1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69809
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
For legacy reasons storage resolving in the file abstraction layer still supports using identifiers like `/fileadmin/img.png` instead of `1:/img.png` (given, that `1:` corresponds to the `fileadmin/` storage). To resolve the "best matching storage", existing storage paths are analyzed - however this did not work in the following cases:
+ identifier like `/fileadmin/img.png` on storage using relative base-path like `fileadmin/`
+ identifier using absolute path on storage with relative base-path
+ identifier using relative path on storage with absolute base-path

Resolves: #94519
Releases: master, 10.4, 9.5
Change-Id: Id8663b3e7fc40d777288bd498d2250e528f4f4af
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69793
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-