Commits · 34fdd74e28843aab1513edfa798f89a169fa19b4 · typo3 / typo3

10 Aug, 2021 4 commits

Revert "[TASK] Declare core as replacement for t3g/svg-sanitizer" · 34fdd74e

Oliver Hader authored Aug 10, 2021 and

Oliver Hader committed Aug 10, 2021

This reverts commit 3bae5925.

Not defining replaced version of `t3g/svg-sanitizer` leads to
problems with `roave/security-advisories`. Overall it seems to
be better, to completely revert previous change.

Resolves: #94782
Reverts: #94719
Releases: master, 11.3, 10.4, 9.5
Change-Id: I43c2ea986ffec72bc0c8eb740a84daad33e9257f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70436


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

34fdd74e

[SECURITY] Ensure XSS-safe rich text rendering · ac8f1fc3

Oliver Hader authored Aug 10, 2021 and

Oliver Hader committed Aug 10, 2021

Due to missing internal handling of provided RTE configuration, it
was possible to directly persist XSS in database fields. Unless full
blown backend RTE tag configuration is available, this patch still
allows persisting potentially malicious data - which is not reflected
in the backend user interface - but to be sanitized during frontend
rendering (see below).

Corresponding configuration directives (`removeTags`, `allowedAttribs`)
are now considered again. Besides that a new, but simplified sequential
HTML parser ensures that runaway node-boundaries are detected & denied.

To sanitize and purge XSS from markup during frontend rendering, new
custom HTML sanitizer has been introduced, based on `masterminds/html5`.
Both `DefaultBuilder` and `CommonVisitor` provide common configuration
which is in line with expected tags that are allowed in backend RTE.
Using a custom builder instance, it is possible to adjust for individual
demands - however, configuration possibilities cannot be modified using
TypoScript - basically since the existing syntax does not cover all
necessary scenarios.

Resolves: #94375
Related: #83027
Related: #94484
Releases: master, 11.3, 10.4, 9.5
Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0
Security-Bulletin: TYPO3-CORE-SA-2021-013
Security-References: CVE-2021-32768
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70342


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

ac8f1fc3

[TASK] Declare core as replacement for t3g/svg-sanitizer · 3bae5925

Oliver Hader authored Aug 05, 2021 and

Oliver Hader committed Aug 10, 2021

Functionality of package t3g/svg-sanitizer has been
integrated into the TYPO3 core.

Resolves: #94719
Releases: master, 11.3, 10.4, 9.5
Change-Id: I9bef46af0b76275844aa4acb2b54214f37936ecc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70339


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

3bae5925

[TASK] Update enshrined/svg-sanitize to v0.14.1 · 95b571c5

Oliver Hader authored Aug 10, 2021 and

Oliver Hader committed Aug 10, 2021

Addresses work-around of issues #94565 and #94582
concerning libxml2 segmentation faults.

https://github.com/darylldoyle/svg-sanitizer/compare/0.14.0...0.14.1

Resolves: #94768
Releases: master, 11.3, 10.4, 9.5
Change-Id: I10f6386f0986f514a1387fb1153bbfc36f9c9dcc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70336


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

95b571c5

06 Aug, 2021 1 commit

[TASK] Raise typo3/testing-framework:^4.15.5 · 1bac9f91

Christian Kuhn authored Aug 06, 2021

A couple of minor testing-framework patches
are worth to be pulled into core v9.

composer req --dev typo3/testing-framework:^4.15.5
composer req --dev typo3/testing-framework:^4.15.5 -d typo3/sysext/core/ --no-update

Change-Id: I1a4de0ac8b93bd2373db28180ea5642785af54c4
Resolves: #94732
Releases: 9.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70274


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

1bac9f91

13 Jul, 2021 1 commit

[TASK] Introduce SVG Sanitizer · 0443b664

Oliver Hader authored Jul 11, 2021 and

Oliver Hader committed Jul 13, 2021

This change introduces behavior of extension `t3g/svg-sanitizer` into
the TYPO3 core. Sanitizing SVG data is actually done by external package
`enshrined/svg-sanitize` by Daryll Doyle.

The following aspects are introduced:
+ handle `GeneralUtility::upload_copy_move` invocations
+ handle FAL action events `file-add`, `file-replace`, `set-content`
+ provide upgrade wizard, sanitizing all SVG files in storages that
  are using `LocalDriver`

Custom usage:
```
$sanitizer = new \TYPO3\CMS\Core\Resource\Security\SvgSanitizer();
$sanitizer->sanitizeFile($sourcePath, $targetPath);
$svg = $sanitizer->sanitizeContent($svg);
```

Basically this change enforces following public service announcements
concerning SVG files, to enhance these security aspects per default:
+ https://typo3.org/security/advisory/typo3-psa-2020-003
+ https://typo3.org/security/advisory/typo3-psa-2019-010

Resolves: #94492
Releases: master, 10.4, 9.5
Change-Id: I42c206190d8a335ebaf77b7e5d57b383e3bcbae1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69818


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

0443b664

30 Jun, 2021 1 commit

[BUGFIX] Declare guzzlehttp/psr7 dependency · 104383b8

Christian Kuhn authored Jun 30, 2021

guzzlehttp/psr7 is not only an indirect dependency
from guzzlehttp/guzzle, but also a direct core
dependency since we extend LazyOpenStream in
SelfEmittableLazyOpenStream. Declare that dependency
directly, which also blocks upcoming guzzlehttp/psr7:2.0
which is currently incompatible with our core use.

composer req guzzlehttp/psr7:^1.4.0 --no-update
composer req guzzlehttp/psr7:^1.4.0 -d typo3/sysext/core --no-update
composer update --lock

Change-Id: I4968bc854545262ce0230ea71647463f5a332f54
Resolves: #94422
Releases: master, 10.4, 9.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69666


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: David Bruchmann <davidbruchmann@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

104383b8

10 Feb, 2021 1 commit

[TASK] Update typo3/testing-framework to latest bugfix releases · 4ea0adc4

Christian Kuhn authored Feb 10, 2021

6.6.1 for master & v10
4.15.3 for v9

Brings a bugfix to make the test splitter deterministic.

composer req --dev typo3/testing-framework:^4.15.3

Change-Id: Iec61eb2d6a62a0c344c712d0577aa82adf04e7f5
Resolves: #93485
Releases: master, 10.4, 9.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67686


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

4ea0adc4

17 Nov, 2020 1 commit

[SECURITY] Upgrade typo3fluid/fluid to v2.6.10 · c23113e1

Oliver Hader authored Nov 17, 2020 and

Oliver Hader committed Nov 17, 2020

Change-Id: Ie2adfafff4ab57cac9426d9a5784b794f459ea7c
Resolves: #92829
Releases: master
Security-Bulletin: TYPO3-CORE-SA-2020-009
Security-References: CVE-2020-26216
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66655


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

c23113e1

07 Nov, 2020 2 commits

[TASK] Upgrade typo3/phar-stream-wrapper to v3.1.6 · 9d124ea8

Oliver Hader authored Nov 07, 2020 and

Oliver Hader committed Nov 07, 2020

PHP versions 8.0-RC1, 7.4.12, 7.3.24 introduced a different behavior
for `stream_wrapper_restore()` and would throw a PHP notice which is
mitigated with this phar stream wrapper release.

see https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.6

composer require typo3/phar-stream-wrapper:^3.1.6

Resolves: #92789
Releases: master, 10.4, 9.5
Change-Id: Ia2bc9b4fd7f568b9a4390205e1d332050904a15b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66562


Tested-by: Helmut Hummel <typo3@helhum.io>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

9d124ea8

[TASK] Enforce Composer 2 usage for TYPO3 development · 323bba65

Helmut Hummel authored Nov 02, 2020

To benefit from faster operations and cleaner updates
Composer 2 usage is now enforced by requiring ^2.0
of composer-runtime-api.

Although currently there is no real code dependency yet
to the runtime API introduced for Composer 2, this
requirement enforces usage of Composer 2 for all interactions
with this package (install/ update).

The package is required as dev dependency to still
allow "manual" usage of this package for classic installs
and make the breaking impact low (composer install --no-dev
will still work with Composer 1)

For TYPO3 v11 this dependency will likely be a production
dependency as well.

composer up --lock
composer req --dev composer-runtime-api:^2.0

Resolves: #92753
Releases: master, 10.4, 9.5
Change-Id: Ie919c0cf36a0818eea2124bb9623485d3d642066
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66565


Tested-by: Helmut Hummel <typo3@helhum.io>
Reviewed-by: Helmut Hummel <typo3@helhum.io>

323bba65

30 Oct, 2020 1 commit

[TASK] Update build plans to support Composer 2 · ccdce819

Andreas Fernandez authored Oct 30, 2020

Executed commands:

  composer require --dev friendsofphp/php-cs-fixer:^2.16.7
  composer update typo3/class-alias-loader typo3/cms-composer-installers
  composer dump-autoload

Resolves: #92735
Releases: master, 10.4, 9.5
Change-Id: I569b5566745b966c23e3f14a943bae38c4b52ca3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66356


Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

ccdce819

22 Oct, 2020 1 commit

[BUGFIX] Limit doctrine/dbal to 2.10.x or 2.11.2+ · 5919fa96

Markus Klein authored Oct 08, 2020 and

Christian Kuhn committed Oct 22, 2020

Version 2.11.0 and 2.11.1 contain breaking changes.
In order to ensure smooth operation of Core and
extensions, the version is now limited to
2.10.x and 2.11.2+

composer req doctrine/dbal "~2.10.0 || ~2.11.2"

Resolves: #92376
Releases: 10.4, 9.5
Change-Id: I795561b13e0843fa7b46eb9383c99e8afd2ea153
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66253


Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

5919fa96

07 Sep, 2020 1 commit

[BUGFIX] Correctly show changes in current workspace in the page tree · 9338661a

Richard Haeser authored Aug 18, 2020 and

Benni Mack committed Sep 07, 2020

Pages that are deleted or moved in the current workspace are shown
correctly in the page tree now, especially when fetching
pages only on a specific level or when filtering.

Resolves: #92041
Resolves: #92057
Resolves: #92096
Resolves: #91652
Releases: master, 10.4, 9.5
Change-Id: Iaf966b7e85ba9b5c5771033db943e5a426de54e7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65553


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Richard Haeser <richard@richardhaeser.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Richard Haeser <richard@richardhaeser.com>
Reviewed-by: Benni Mack <benni@typo3.org>

9338661a

17 Aug, 2020 1 commit

[BUGFIX] Limit amount of data fetched by the page tree · d2650bff

Benni Mack authored Aug 10, 2020 and

Richard Haeser committed Aug 17, 2020

Page tree will fetch just 2 levels of pages plus pages which
are expanded on the initial load.
Next levels are fetched on demand via Ajax when expanding the node.
Search works server side now. To clear search, click on "x"
button.

Change-Id: I2691c531b419398325989070c375a9ec0d08ae82
Releases: master, 10.4, 9.5
Resolves: #88943
Resolves: #88098
Resolves: #88259
Resolves: #91884
Resolves: #91753
Resolves: #91916
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65355


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Richard Haeser <richard@richardhaeser.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Richard Haeser <richard@richardhaeser.com>

d2650bff

25 May, 2020 1 commit

[BUGFIX] Avoid PHP 7.4 notices with nikic/php-parser · de26b0b1

Benni Mack authored May 25, 2020

TYPO3 v9 is loaded with nikic/php-parser 4.2.2, however
only 4.3.0 or higher fixed some PHP 7.4 compatibility
issues. For this reason, the dependency is now raised
to use at least v4.3.0.

  composer req nikic/php-parser:^4.3.0

Resolves: #91444
Releases: 9.5
Change-Id: I8a133b9e4c49cb615a463f4d0f26866fa875a03c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64563


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

de26b0b1

20 May, 2020 1 commit

[TASK] Consistent version restrictions for PSR packages · 1f5a5087

Aimeos authored Nov 09, 2019 and

Benni Mack committed May 20, 2020

    composer require "psr/http-message":"^1.0"
    composer require "psr/log":"^1.0"

Releases: master, 9.5
Resolves: #89626
Change-Id: Ieeceddba8ea49da1eac66f113f1c22623f479582
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64534


Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Simon Gilli <typo3@gilbertsoft.org>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: Benni Mack <benni@typo3.org>

1f5a5087

02 May, 2020 1 commit

[TASK] Ensure login module is completely loaded and processed · 3ca5e7b4

Oliver Hader authored May 02, 2020 and

Oliver Hader committed May 02, 2020

Resolves: #91265
Releases: master, 9.5
Change-Id: I5e413f91ae92ba666a74606767c4ecd081407f79
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64390


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

3ca5e7b4

15 Apr, 2020 2 commits

[TASK] Remove dependency to algo26-matthias/idna-convert · 31c81429

Benni Mack authored Mar 30, 2020

The third-party library algo26-matthias/idna-convert is not compatible
with PHP 7.4 (used for providing IDNA conversions for umlaut domains).

The classes from v1 are copied in order to have them still available, but we
maintain the code ourselves and reduce the usage to a minimum.

  composer remove "algo26-matthias/idna-convert:"

See https://idnaconv.net/docs.html for detailed upgrade
changes.

Resolves: #90911
Releases: 9.5
Change-Id: I7ac14348677b8b60f92cb8bfa26e26d16a01abee
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64011


Tested-by: Manuel Selbach <manuel_selbach@yahoo.de>
Tested-by: Frank Nägler <frank.naegler@typo3.org>
Reviewed-by: Manuel Selbach <manuel_selbach@yahoo.de>
Reviewed-by: Frank Nägler <frank.naegler@typo3.org>

31c81429

[TASK] Provide test for Page\TreeController · 98d21328

Tymoteusz Motylewski authored Mar 30, 2020

Add test for TreeController, so we're safe when refactoring
or doing performance optimizations.

Besides that moved pages in a workspace were not considered when
calculating permissions on the rootline due to missing workspace
overlays.

Resolves: #90831
Releases: 9.5, master
Change-Id: Ic3ab08d2502e8c9a3f08e737552c2e1d2a56a66c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64107


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>

98d21328

30 Mar, 2020 1 commit

[TASK] Allow composer installers 3.0 and higher · ea2a3832

Benni Mack authored Mar 29, 2020

Allow installation of version 3.0 of composer installers,
which will be compatible with Composer 2.0.

composer req typo3/cms-composer-installers:"^2.0 || ^3.0"

Resolves: #90877
Releases: 9.5, master
Change-Id: I5200b64b0d6402617bb355da9c7d2c59cdd54b03
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63973


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>

ea2a3832

06 Mar, 2020 1 commit

[BUGFIX] Re-enable Guzzle versions > 6.5.0 · 97bdfad2

Benni Mack authored Mar 06, 2020

Guzzle 6.5.0 introduced an issue with umlaut domains
which was fixed in Guzzle 6.5.1 and Guzzle 6.5.2
respectively.

The conflict section in composer.json is now
updated, in order to allow composer-based TYPO3
installations to
a) allow TYPO3 updates to 10.3.x/9.5.14/8.7.31 even
if guzzle has been locked in composer.lock to 6.5.2 already
b) allow to use the latest Guzzle fixes again

Used composer command:
  composer update --lock

See https://github.com/guzzle/guzzle/issues/2448 which
was integrated in Guzzle 6.5.1 (which was released AFTER
our core release in December 2019)

Resolves: #90634
Releases: master, 9.5, 8.7
Change-Id: If6c2f3ef6529109148569f1af9472b0bcb44c9b9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63470


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

97bdfad2

27 Feb, 2020 1 commit

[BUGFIX] Raise minimum requirement of symfony/http-foundation · 981e85ba

Andreas Fernandez authored Feb 26, 2020 and

Benni Mack committed Feb 27, 2020

This patch raises the minimum requirement of symfony/http-foundation to
v4.2.9 as the required constant `Cookie::SAMESITE_NONE` has been added in
this very version.

Resolves: #90536
Releases: 9.5, 8.7
Change-Id: Ic012adcf1904d9861cf8c987abcb683dccb240d3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63435


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>

981e85ba

16 Feb, 2020 1 commit

[FEATURE] Implement SameSite option for TYPO3 cookies · 2f415eae

Benni Mack authored Feb 13, 2020 and

Georg Ringer committed Feb 16, 2020

This change introduces a new security option for setting the SameSite
option to all cookies sent by TYPO3 Core.

Namely:
- Frontend User Sessions ("lax" by default)
- Backend User Sessions ("strict" by default)
- Install Tool Sessions ("strict", none-configurable)
- Last Login Provider in Backend ("strict", non-configurable)
- ext:rsaauth via native session handling (“strict”, non-configurable)
- workspace preview "ADMCMD_prev" using backend user setting
  ("strict" by default)

This means that these can only be accessed by scripts and requests
by the same site, and not by any third-party scripts.

Since we're talking about actual cookies for a user, and not
ads-related or third-party login-dependant cookies, the default
options fit just perfectly.

All modern browsers except Internet Explorer respect this option
to be set. Please note that Firefox and Chrome will have "SameSite=lax"
set in Q1/2020 by default if NO SameSite option is set at all. This change
allows to configure this.

Backend and Frontend User Cookies can be configured to "strict", "lax"
or "none" (= same as before), whereas "none" only works for secure
connections (= HTTPS).

If "strict" is in place, security via CSRF is not needed anymore, and can
be dropped in the future.

Resolves: #90351
Releases: master, 9.5, 8.7
Change-Id: I8095e2a552faa9d1fd4fa7855297302a9ec6a75f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63214


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

2f415eae

02 Feb, 2020 1 commit

[TASK] Raise typo3/testing-framework fixing DatabaseSnapshot issue · 104459cd

Oliver Hader authored Feb 02, 2020 and

Oliver Hader committed Feb 02, 2020

https://github.com/TYPO3/testing-framework/commit/2111db60e8e1391fabdac4f2253af553f291d460

Resolves: #90294
Releases: master, 9.5
Change-Id: I21d8ad233b753c4a56c2227b4d2fec6944340c81
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63145


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

104459cd

01 Feb, 2020 1 commit

[BUGFIX] Raise symfony/routing to ^4.3 in composer.json · 1c7aed76

Oliver Hader authored Feb 01, 2020 and

Andreas Fernandez committed Feb 01, 2020

To avoid failing nightly tests minimum version of symfony/routing
needs to be 4.3.0 (locked to 4.3.1 in composer.lock currently).

Resolves: #90290
Releases: 9.5
Change-Id: I81ea83640a8d3a0b50574d0722d9ac980008a4b1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63138


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

1c7aed76

17 Jan, 2020 1 commit

[BUGFIX] Remove dependency check on openSSL · cb1cc8a8

Benni Mack authored Jan 17, 2020

OpenSSL was only needed for EXT:rsaauth,
so a check in the installer / system maintenance
should be avoided. It is now rather a suggestion.

Resolves: #83643
Releases: master, 9.5
Change-Id: If62b7fc1ddc211083fa8b4f793019e61cf2046eb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62945


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

cb1cc8a8

13 Dec, 2019 1 commit

[BUGFIX] Mark guzzlehttp/guzzle >= 6.5.0 as conflict · 4a8e8001

Benni Mack authored Dec 12, 2019 and

Oliver Hader committed Dec 13, 2019

Due to the INTL/ICU bug, which we
have seen on various places, Guzzle, which
does not cover our edge cases yet, ran
in the same issue as our Core versions earlier
in 2019.

See
https://github.com/guzzle/guzzle/issues/2448
https://github.com/guzzle/guzzle/pull/2454

For the time being, lets mark guzzle as
incompatible until Guzzle has solved the issue
and released a new version, so we can loosen
the conflict constraint.

Related: #87953
Resolves: #89904
Releases: master, 9.5, 8.7
Change-Id: If64fb9472d046f020c850cd0551beeaf78796b60
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62612


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

4a8e8001

10 Dec, 2019 1 commit

[BUGFIX] Raise platform settings for tarball distributions · c45986e5

Benni Mack authored Dec 10, 2019 and

Oliver Hader committed Dec 10, 2019

In order to use the final LTS distributions from Symfony for
our latest stable, we need to set proper platform requirements
for the root composer.json.

Our packages rely on the settings so the base package
can properly raise dependencies.

Symfony has the requirements due to other PHP bugs (fixed
very early already), however using the tarballs in
7.2.0 / 7.0.0 would still work, as the symfony changes
only fix issues we dont rely on.

v10: 7.2.5
v9: 7.2.5
v8: 7.0.8

Used composer commands:

  composer config platform.php 7.2.5
  composer update --lock

Resolves: #89882
Releases: master, 9.5, 8.7
Change-Id: Ib51ec076e643581603fced3ed0daa0de0aadb12c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62587


Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

c45986e5

05 Dec, 2019 1 commit

[BUGFIX] Fix failing tests in 9.5 branch · aa2aaf17

Benni Mack authored Dec 03, 2019 and

Susanne Moog committed Dec 05, 2019

minor package updates:
	composer require typo3fluid/fluid:^2.6.8 -> 2.6.6 to 2.6.8
	composer update mikey179/vfsStream 1.6.5 to 1.6.8
	composer require typo3/testing-framework:^4.14

Resolves: #89855
Releases: 9.5
Change-Id: I43c2b040d6d511451f3904d743ffbde60b1a6022
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62529


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Susanne Moog <look@susi.dev>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Susanne Moog <look@susi.dev>

aa2aaf17

29 Nov, 2019 1 commit

[TASK] Update doctrine/annotations dependency · ca69da23

Benni Mack authored Nov 29, 2019

TYPO3 Core now requires at least doctrine/annotations
1.7, effectively helping to upgrade to PHP 7.4.

Composer command:
  composer require doctrine/annotations:"^1.7" --update-with-all-dependencies

Resolves: #89812
Releases: master, 9.5
Change-Id: I8ca951711bbcb19d935baad67ff69705d8e51aa2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62499


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

ca69da23

27 Nov, 2019 1 commit

[TASK] Update friendsofphp/php-cs-fixer to 2.16.1 · 7aa33662

Alexander Schnitzler authored Nov 26, 2019 and

Benni Mack committed Nov 27, 2019

composer require --dev friendsofphp/php-cs-fixer:"^2.16.1"

Raising the version brings support for running the fixer with
PHP 7.4.

Releases: master, 9.5, 8.7
Resolves: #89776
Change-Id: Ib065b38c606f17c8e58a684e819cc555e493a91f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62408


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Tobi Kretschmann <tobi@tobishome.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Tobi Kretschmann <tobi@tobishome.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>

7aa33662

18 Nov, 2019 1 commit

[TASK] Update doctrine/dbal to 2.10.0 · 485fdc53

Manuel Selbach authored Nov 08, 2019 and

Oliver Hader committed Nov 18, 2019

With this change the new release of doctrine/dbal will be applied,
which will solve different bugfixes and introduce some new features.

For further information:

https://github.com/doctrine/dbal/releases/tag/v2.10.0

Resolves: #89592
Releases: master, 9.5
Change-Id: I30151e51372f1ecf349c28de78678924dc58dfc0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62246


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

485fdc53

30 Oct, 2019 1 commit

[TASK] Update Fluid Standalone to 2.6.6 · 23bd5482

Benni Mack authored Oct 30, 2019

A new fluid standalone version 2.6.6 reverted the changes
that had regressions in v2.6.5 and v2.6.4.

This patch updates the root composer.json to use latest fluid
standalone, and marks the affected versions as conflicting.

In addition, raising the requirements to 2.6.4 in the first place
was a mistake for this major version, which is why the main requirement
was lowered to the previous version again.

Composer: composer req typo3fluid/fluid:^2.6.1

Resolves: #89542
Releases: master, 9.5, 8.7
Change-Id: I30a29a3cc07a277bd4a72e83a67a6c3260adc5d7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62140


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Benni Mack <benni@typo3.org>

23bd5482

25 Oct, 2019 1 commit

[TASK] Upgrade typo3/phar-stream-wrapper to v3.1.3 (PHP 7.4) · d54a2030

Oliver Hader authored Oct 18, 2019 and

Oliver Hader committed Oct 25, 2019

Ensure PHP 7.4 compatibility by using recent release of the package.

composer require typo3/phar-stream-wrapper:^3.1.3

Resolves: #89453
Releases: master, 9.5, 8.7
Change-Id: I025bf2efae45b731e1f068afc5fa1d56e1e59a56
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62018


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

d54a2030

23 Oct, 2019 1 commit

[BUGFIX] Mark typo3fluid/fluid version 2.6.5 as conflicting · 7c0902b8

Anja Leichsenring authored Oct 23, 2019 and

Richard Haeser committed Oct 23, 2019

A failing nightly test is fixed by avoiding the fluid version
to be raised until the cause can be resolved.

Resolves: #89480
Releases: master, 9.5
Change-Id: I65329b1ea08c2fbf46766cb82365a7e4275b99c7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62077


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Richard Haeser <richard@maxserv.com>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Richard Haeser <richard@maxserv.com>

7c0902b8

24 Sep, 2019 1 commit

[TASK] Add functional tests for linkvalidator · 6337180c

Sybille Peters authored Sep 16, 2019 and

Anja Leichsenring committed Sep 24, 2019

Resolves: #82850
Releases: master, 9.5
Change-Id: I05dc5e83199d58b23a8da6e625d1b9557b5c57a2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61747


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Sybille Peters <sypets@gmx.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Sybille Peters <sypets@gmx.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

6337180c

23 Sep, 2019 1 commit

[TASK] Update Fluid engine to 2.6.4 · e6b75640

Anja Leichsenring authored Sep 23, 2019

Addresses the following issues:

* Fixes an annotation that makes phpdocumentor/reflection-docblock
  throw exceptions in TYPO3v10.
* Removes deprecation warning from composer due
  to incorrectly cased package name.
* Fixes issues with binary characters in compiled templates.
* Supports overloaded methods for variable extraction.
* Avoids signature issues with CompileWithRenderStatic.
* Works around PCRE regression issues on affected platforms.

Change-Id: I2b766ccc9bf3eaae77b1dfc1a73e9acc2a88d8a9
Resolves: #89110
Releases: master, 9.5, 8.7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61782


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

e6b75640

28 Aug, 2019 1 commit

[BUGFIX] Update friendsofphp/php-cs-fixer to 2.15.2 · 2e26138d

Andreas Fernandez authored Aug 28, 2019 and

Anja Leichsenring committed Aug 28, 2019

This patch updates friendsofphp/php-cs-fixer to version 2.15.2 and
applies fixes to the code.

Executed commands:

  composer require --dev "friendsofphp/php-cs-fixer:^2.15.2"
  ./bin/php-cs-fixer fix --config Build/.php_cs

Resolves: #89031
Releases: master, 9.5
Change-Id: I3761ab56f66b6bd3b0fadc2bfa354cf4010b5e43
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61565


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

2e26138d

05 Aug, 2019 1 commit

[TASK] Update nikic/php-parser to 4.2 · a19b55c3

Andreas Fernandez authored Aug 05, 2019

This patch updates nikic/php-parser to version 4.2.2, which brings
better support for PHP 7.3 and adds initial support for PHP 7.4.

Changelog: https://raw.githubusercontent.com/nikic/PHP-Parser/v4.2.2/CHANGELOG.md

Composer command:

  composer require nikic/php-parser:^4.2

Resolves: #88914
Releases: master, 9.5
Change-Id: I6d7feb8851be6e5565cb069fb33c279f916f4667
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61439


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

a19b55c3