1. 22 May, 2014 12 commits
    • [BUGFIX] Wrong HTML in locallang_csh_pages.xlf · 418e3130
      Markus Klein authored and Christian Kuhn committed
      lang/4.5/locallang_csh_pages.xlf contains an invalid
      HTML structure: a <p> tag should actually be a <b> tag.
      
      Resolves: #58936
      Releases: 6.2, 6.1, 4.5
      Change-Id: Id37d424296628202d8d434e0cf9cafd8529da2c3
      Reviewed-on: https://review.typo3.org/30331
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [BUGFIX] SoftReferenceIndex support for more values in class attribute · 81e31f18
      Marc Bastian Heinrichs authored
      The SoftReferenceIndex parses and rebuilds typolink tags, but the
      support for more than one value in class attribute is missing, because
      the values don't get enclosed with quotes on rebuilding.
      This leads to lost classes in typolinks in exports from impexp.
      
      Resolves: #58484
      Releases: 6.2, 6.1, 4.5
      Change-Id: I12ed3be7f5be36254bcee57fcb24bf2a10f92f46
      Reviewed-on: https://review.typo3.org/29853
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [TASK] Set TYPO3 version to 4.5.35-dev · dd2d0ad3
      TYPO3 Release Team authored
      Change-Id: Iffabf254620824d1d0b7a42e239576bd3aa73791
      Reviewed-on: https://review.typo3.org/30309
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
    • [RELEASE] Release of TYPO3 4.5.34 · 67deb70e
      TYPO3 Release Team authored
      Change-Id: I296aa228d3d9ffda43cf99a41d3ac36d8b93f439
      Reviewed-on: https://review.typo3.org/30308
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
    • [SECURITY] Add trusted HTTP_HOST configuration · 55d5f385
      Helmut Hummel authored and Oliver Hader committed
      TYPO3 uses the values of HTTP_HOST in several
      places without validating them. This could
      lead to a situation where links are generated
      using the host part from HTTP_HOST.
      Since HTTP_HOST headers are user input and
      can be spoofed by an attacker, this leads
      to several potential and actual security issues.
      To address this, a configuration option for
      trusted hosts is added, which is evaluated every
      time getIndpEnv('HTTP_HOST') is called.
      The configuration option is
      $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']
      and can contain either a regular expression or the
      value "SERVER_NAME".
      To properly output the exception message in case
      the trustedHostsPattern does not match,
      we need to adapt the exception handlers slightly
      to not log information in this case and to actually
      show the message even in production context, so as not
      to confuse admins about what is currently going wrong.
      To not break all existing installations, the default
      pattern is set to 'SERVER_NAME', which allows all
      HTTP_HOST values matching the SERVER_NAME (and
      optionally the SERVER_PORT if a port is specified
      in the HTTP_HOST value).
      This will secure all installations which use properly
      configured name-based virtual hosts, but leaves
      installations where the web server is not bound
      to a specific host name in an insecure state.
      Fixes: #30377
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      
      Change-Id: Id210212e6fbd186a273f92b340d5060e9c6f900d
      Reviewed-on: https://review.typo3.org/30275
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
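The SERVER_NAME default and the regular-expression alternative described in the commit message above, as an added stand-alone example that is not TYPO3's own code: the function name isTrustedHost() and the sample host values are assumptions constructed for this illustration.

```php
<?php
// Added illustration of the trusted-host check described in the commit above.
// This is not TYPO3's own code: the function name isTrustedHost() and the
// sample server values are constructed for this example.

/**
 * Decide whether $httpHost (the raw HTTP_HOST header value) is trusted.
 *
 * $pattern is the value that would live in
 * $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']: either the
 * literal string 'SERVER_NAME' or a regular expression (without delimiters)
 * that must match the whole HTTP_HOST value.
 */
function isTrustedHost(string $httpHost, string $pattern, string $serverName, string $serverPort): bool
{
    if ($pattern === 'SERVER_NAME') {
        // Split "host" or "host:port"; the non-greedy host part keeps
        // bracketed IPv6 literals such as "[::1]:8080" intact.
        if (preg_match('/^(.+?)(?::(\d+))?$/', $httpHost, $m) !== 1) {
            return false;
        }
        if (strcasecmp($m[1], $serverName) !== 0) {
            return false;
        }
        // A port given in HTTP_HOST is only accepted if it equals SERVER_PORT.
        return !isset($m[2]) || $m[2] === $serverPort;
    }
    // Anchor the configured regex: a host that merely contains the trusted
    // name (e.g. "www.example.org.example.net") must not pass.
    return preg_match('/^' . $pattern . '$/i', $httpHost) === 1;
}

// Constructed sample environment for a name-based virtual host.
$serverName = 'www.example.org';
$serverPort = '443';

// [HTTP_HOST, trustedHostsPattern, expected result]
$cases = [
    ['www.example.org',             'SERVER_NAME',       true],
    ['www.example.org:443',         'SERVER_NAME',       true],
    ['www.example.org:8080',        'SERVER_NAME',       false],
    ['other.example.net',           'SERVER_NAME',       false],
    ['www.example.org.example.net', 'SERVER_NAME',       false],
    ['cms.example.org',             '.*\.example\.org',  true],
    ['example.org.example.net',     '.*\.example\.org',  false],
];

foreach ($cases as [$host, $pattern, $expected]) {
    $trusted = isTrustedHost($host, $pattern, $serverName, $serverPort);
    printf("%-28s %-18s %-8s %s\n", $host, $pattern,
        $trusted ? 'trusted' : 'rejected', $trusted === $expected ? 'ok' : 'MISMATCH');
}
```

A configured regex containing the "/" delimiter would need escaping before being wrapped, which this illustration leaves out.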
    • [SECURITY] XSS in (old) extension manager information function · efb098b2
      Marc Bastian Heinrichs authored and Oliver Hader committed
      Needs to be fixed also in 6.x, but the affected function is not
      used anymore.
      
      Change-Id: Iae077221a4a8ef8f3aacaeb9d679cc68e97799bd
      Fixes: #54111
      Fixes: #54113
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 6b746d50d9ee4fbf2eff3e3e4c0699100be983a2
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30274
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in new content element wizard · 94011a3c
      Markus Klein authored and Oliver Hader committed
      Sanitize user-input colPos in new content element wizard.
      
      Change-Id: I13ff938e7320c68c8ad3f88b0cb688bc4d43d839
      Fixes: #48695
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 582087ad27cee5365ea36387bba28c1b62212564
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30273
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in template tools on root page · b62651b0
      Marc Bastian Heinrichs authored and Oliver Hader committed
      Change-Id: I6942457ce27ad22a33efd003ceaa96fa7460c0bf
      Fixes: #54109
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 9abedcf7dc0fd59b602a2221ffd9a998636b8092
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30272
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in Backend Layout Wizard · a98ae3ca
      Nicole Cordes authored and Oliver Hader committed
      Change-Id: I7e58e32a4d7146c2c341d756816c29f7c01ed31d
      Fixes: #57576
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 7493eb3ec56903b00923dcabf00a04f34529ad18
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30271
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Encode URL for use in JavaScript · 4f7258cf
      Markus Klein authored and Oliver Hader committed
      The URL for the Open in New Window button must be quoted for
      use in JavaScript to prevent XSS issues.
      
      Change-Id: If3600662e79fb0945ca62b3a25feaf001180b88d
      Fixes: #48693
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 8a9c1615f82cf0a8c3449ae37f47338da132e505
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30270
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Fix insecure unserialize in colorpicker · 742ad492
      Helmut Hummel authored and Oliver Hader committed
      Change-Id: Iee9d2712ae3b489a89604cb7be8c2af27a924fe0
      Fixes: #56458
      Releases: 6.1, 6.0, 4.7, 4.5
      Security-Commit: 36eb11e44d7faca68b3d6fefb1633a463cc22fac
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30269
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Remove charts.swf to get rid of XSS vulnerability · 9bd77764
      Helmut Hummel authored and Oliver Hader committed
      The file charts.swf is vulnerable to XSS; it is delivered
      by ExtJS but not used in TYPO3 CMS at all.
      
      Since the vendor of ExtJS did not fix this vulnerability,
      we decided to remove it from TYPO3 sources.
      
      Change-Id: I7d81fc44294473d041c8910e04c815d91efb409f
      Fixes: #54526
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: fef11509739f8bddfeba0fc6f752ac93feb16f03
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30268
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  2. 08 May, 2014 1 commit
    • [BUGFIX] Solve stackoverflow in prototype in IE8 · 6ffdceeb
      Jigal van Hemert authored and Oliver Hader committed
      The reason for this behaviour is the combination of prototype.js
      and ExtJS. The ExtJS defer() method takes precedence. Calling the
      defer() method without any arguments would have resulted in using
      a default value of "0.01" seconds in standalone prototype.js, but
      results in directly calling the submitted function.
      
      The stack overflow is caused by not delaying the function call
      and thus ending in a recursive endless loop.
      
      Resolves: #58187
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Change-Id: I6db191ff67a3e869072877936d949fc733cda74f
      Reviewed-on: https://review.typo3.org/29908
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  3. 16 Apr, 2014 2 commits
  4. 15 Apr, 2014 3 commits
  5. 04 Apr, 2014 2 commits
    • [TASK] Integrate default README.txt · 4316e98d
      Oliver Hader authored and Oliver Hader committed
      This file is a modified and updated version of the one that has been
      released with every package in the past. Since these files have
      been taken from git.typo3.org/TYPO3CMS/Distributions/Base.git,
      which is targeted to be cleaned up, the file is explicitly put
      into old branches as well.
      
      Resolves: #57656
      Releases: 6.1, 6.0, 4.7, 4.6, 4.5
      Change-Id: I3b696895deaf03b2f630e12f1bd7b17b649b985c
      Reviewed-on: https://review.typo3.org/29175
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Prevent XSS in scheduler form · 9d365152
      Nicole Cordes authored
      The class name is submitted in a hidden form and is susceptible to XSS.
      The patch introduced htmlspecialchars to prevent XSS possibility.
      
      Resolves: #57603
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Change-Id: I4979e66f28a581e168c56d91327a1bbe2672448d
      Reviewed-on: https://review.typo3.org/29155
      Reviewed-by: Nicole Cordes
      Tested-by: Nicole Cordes
  6. 27 Feb, 2014 1 commit
  7. 25 Feb, 2014 1 commit
    • [BUGFIX] felogin reset password links not clickable · 5c4554be
      Jigal van Hemert authored
      Encoding a few extra characters besides the ones according to RFC3986
      makes password reset links work again in various mail clients which
      do not comply with this RFC (and which have no plans to fix this in
      the near future).
      
      Change-Id: I0b42bef6cb732c5fc6cc2d900407271cb606e301
      Fixes: #23984
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Reviewed-on: https://review.typo3.org/27830
      Reviewed-by: Oliver Klee
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  8. 09 Feb, 2014 1 commit
  9. 08 Feb, 2014 1 commit
  10. 30 Jan, 2014 1 commit
  11. 28 Jan, 2014 1 commit
    • [BUGFIX] Invalid constant in the domain redirect function · b867b04f
      Tim Lochmüller authored and Wouter Wolters committed
      There is a "copy-and-paste" mistake in the domain redirect mechanism.
      The function HttpUtility::redirect should be called with a valid HTTP
      status code (the constant's value) and not with the name of the constant.
      
      Resolves: #55350
      Releases: 6.2, 6.1, 6.0, 4.5
      Change-Id: I97f55ac8df1688011198666da1fd322a5c3bd323
      Reviewed-on: https://review.typo3.org/27105
      Reviewed-by: Tim Lochmüller
      Tested-by: Tim Lochmüller
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
  12. 17 Jan, 2014 2 commits
  13. 16 Jan, 2014 1 commit
  14. 09 Jan, 2014 1 commit
    • [TASK] Change list view delete icon if record is deleted in WS · e6643e11
      Sascha Egerer authored
      If a record is deleted in a workspace, the delete icon is still
      displayed but the function is different. If you click on
      the delete icon of a deleted record you will "restore"
      the record (remove the deleted flag).
      The icon should change if the record is marked as deleted.
      
      Resolves: #52554
      Releases: 6.2, 6.1, 6.0, 4.5
      Change-Id: I9bccc076d06525fad16f9f5ca4b3413e217f32f6
      Reviewed-on: https://review.typo3.org/24746
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  15. 08 Jan, 2014 1 commit
    • [BUGFIX] Display relations' titles when TCA label field is type inline · 765882ed
      Stefan Froemken authored
      This change adds a case to treat "inline" TCA types the same way
      "select" is treated when building the record's label value.
      
      Before, if a record used a field of type "inline" as the TCA label field,
      TYPO3 would display fx "3" (the number of related records as stored in
      the field on the parent record).
      
      After, TYPO3 will display fx "Record1, Record2, Record2" if the "inline"
      field contains three related records named thusly.
      
      Fixes: #52133
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Change-Id: Ie06f09368e81505cb1e5989b61ae98add54b05ba
      Reviewed-on: https://review.typo3.org/23914
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  16. 12 Dec, 2013 1 commit
    • [BUGFIX] Cleanly unset cookies on login in cookie-check · d3e94945
      Stefan Neufeind authored
      Needed to work around a login problem with IE11.
      
      ExtJS tries to clear a cookie with different settings than when
      setting the cookie. In IE11 this leads to problems with the cookie
      being set twice on the next call to set(). The get() however
      would return the first (empty) cookie.
      
      Using set() with a date in the past also clears the cookie but
      will correctly use the same path-settings.
      
      Change-Id: Ieff22129895cd89ca2e1429703daf1636596ecb6
      Resolves: #53818
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Reviewed-on: https://review.typo3.org/25871
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
      Reviewed-by: Steffen Ritter
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  17. 10 Dec, 2013 8 commits
    • [TASK] Set TYPO3 version to 4.5.33-dev · beec43fe
      TYPO3 Release Team authored
      Change-Id: I3073c38f3df08f909e9d29b58acbd8f1671272c9
      Reviewed-on: https://review.typo3.org/26227
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
    • [RELEASE] Release of TYPO3 4.5.32 · 17341dff
      TYPO3 Release Team authored
      Change-Id: Ied61f0997ee99da6866d4c3d43fd46ed213c6c83
      Reviewed-on: https://review.typo3.org/26226
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
    • [SECURITY] XSS in header link of all content elements · 60576d14
      Anja Leichsenring authored and Oliver Hader committed
      The second typolink parameter, that is the target, can be abused to
      introduce XSS code into the generated link. Escaping the parameter
      with quoteJSvalue solves the problem.
      
      Change-Id: I1652e2f1e9fea660d2a5a9e74ace6317fe05ba3b
      Fixes: #31206
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 4a1a06ad0124defafb991639b19d81f81f7d5b95
      Security-Bulletin: TYPO3-CORE-SA-2013-004
      Reviewed-on: https://review.typo3.org/26184
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in colorpicker wizard · 77dc1c4e
      Anja Leichsenring authored and Oliver Hader committed
      Encode user-input in JavaScript context for colorpicker.
      
      Change-Id: Ia5d181bb74f3cbe2d2b7c75097655f9c7593b70d
      Fixes: #42772
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 9fba6ded6247aaa74b974daf1c9bba5eb4aaf028
      Security-Bulletin: TYPO3-CORE-SA-2013-004
      Reviewed-on: https://review.typo3.org/26183
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Prevent editor controlled hmac content · 52d3bff4
      Franz G. Jahn authored and Oliver Hader committed
      An HMAC of the editor-controlled auto-respond message was used to verify
      the correctness of this message on submit. To prevent this, we add an
      additional secret.
      
      Fixes: #45043
      Releases: 4.5, 4.7, 6.0, 6.1, 6.2
      (cherry picked from commit 66013e46f09b38343ac22d9e231328966bff0c6e)
      Security-Commit: fa5bdd2ac518555f21ec857dc31d2991a1e937ad
      Security-Bulletin: TYPO3-CORE-SA-2013-004
      
      Change-Id: I66b1ddc379577fc3ed67012384a15c38a6b76a03
      Reviewed-on: https://review.typo3.org/26182
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS vulnerability in extension manager · cae8739c
      Marcus Krause authored and Oliver Hader committed
      Add escaping on extension meta data when rendering.
      
      Change-Id: I64cb5f23281ddb6c63439bf33aaeac1b1fa803b4
      Fixes: #20811
      Releases: 4.7, 4.5
      Security-Commit: 647add5b8b668c173376ac45e4d227e4b25112d9
      Security-Bulletin: TYPO3-CORE-SA-2013-004
      Reviewed-on: https://review.typo3.org/26181
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Information Disclosure in Wizards · ba92f0ab
      Anja Leichsenring authored and Oliver Hader committed
      It has been possible for authenticated editors
      to show content of arbitrary tables and fields
      that are defined in TCA by manipulating
      GET parameters of the forms and table wizard.
      
      This change adds a check if the editor has access
      to the given record.
      
      Change-Id: I524ae9bd75a5cca9e37918e64f5c492c9fa3c36e
      Fixes: #41714
      Releases: 4.5, 4.7, 6.0, 6.1, 6.2
      Security-Commit: 9ee30833350405d003de206501118d1300998bee
      Security-Bulletin: TYPO3-CORE-SA-2013-004
      Reviewed-on: https://review.typo3.org/26180
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Fix open redirection in openid extension · 63ff9109
      Anja Leichsenring authored and Oliver Hader committed
      The eID script of the openid extension does not
      validate the given redirect url, leading to
      an open redirection vulnerability.
      Add and verify hmac of the redirect url.
      
      Change-Id: I0c446199504018cab6e4ad2f6bd9085458ca86f0
      Fixes: #54099
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 6be16f2ea6b135b6f7ab2dec17d126f3f1eb89c4
      Security-Bulletin: TYPO3-CORE-SA-2013-004
      Reviewed-on: https://review.typo3.org/26179
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader