Commits · 63e4c54ab8798dc94e113c34f755e287d5157403 · typo3 / typo3

20 Sep, 2021 2 commits

[TASK] Upgrade to typo3/phar-stream-wrapper v3.1.7 · 63e4c54a

Oliver Hader authored Sep 20, 2021 and

Oliver Hader committed Sep 20, 2021

https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.7

composer req typo3/phar-stream-wrapper:^3.1.7; \
composer req typo3/phar-stream-wrapper:^3.1.7 \
  -d typo3/sysext/core --no-update

Resolves: #95286
Releases: master, 10.4, 9.5
Change-Id: I077aca99a5fbcf44c957a808c072b69906e02cf9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71131


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

63e4c54a

[BUGFIX] Bump symfony/polyfill-mbstring to ^1.16 · bbcf81a4

Simon Gilli authored Sep 20, 2021 and

Benni Mack committed Sep 20, 2021

ext:frontend uses the function mb_ord which is available since
symfony/polyfill-mbstring v1.16 and to avoid issue this dependency is
properly increased and also added to ext:frontend.

Composer commands used:
* composer require "symfony/polyfill-mbstring:^1.16"
* composer require --no-update -d typo3/sysext/core "symfony/polyfill-mbstring:^1.16"
* composer require --no-update -d typo3/sysext/frontend "symfony/polyfill-mbstring:^1.16"

Resolves: #95279
Releases: master, 10.4, 9.5
Change-Id: I31aa9affa936ae96d5a02ad846aa011fb89af75d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71062


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

bbcf81a4

13 Sep, 2021 1 commit

[TASK] Better checks in Build/Script/checkFilePermissions.sh · 5565d0dc

Jonas Eberle authored Sep 12, 2021 and

Christian Kuhn committed Sep 13, 2021

git stores files either 0664 or 0775. Script
checkFilePermissions.sh is improved to deal with that.

Resolves: #95203
Releases: master
Change-Id: I49ede03ac7e1180621c497081e463d8c617250b3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71053


Tested-by: Jonas Eberle <flightvision@googlemail.com>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Jonas Eberle <flightvision@googlemail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

5565d0dc

12 Sep, 2021 1 commit

[TASK] gitlab-ci: Activate check permissions script · d6ed6058

Christian Kuhn authored Sep 12, 2021

Since moving to gitlab, script checkFilePermissions.sh
was inactive due to a gitlab detail that leads to
funny permissions of cloned files.

This can be suppressed with a gitlab feature toggle.

The patch activates that toggle, activates the test
script and fixes a couple of files that slipped in
with broken permissions meanwhile.

Change-Id: I2b0fdca282dbc39fe230b33910a690118a21b74e
Resolves: #95194
Releases: master, 10.4, 9.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71035


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

d6ed6058

06 Sep, 2021 1 commit

[TASK] Update CKEditor to v4.16.2 · d0557514

Oliver Hader authored Sep 06, 2021 and

Oliver Hader committed Sep 06, 2021

Update to CKEditor v4.16.2 which addressed browser compatibility
issues and known security vulnerabilities:

https://ckeditor.com/blog/ckeditor-4.16.2-with-browser-improvements-and-security-fixes/

Commands:
  cd Build
  yarn add 'ckeditor4@^4.16.2'
  yarn build

Resolves: #95128
Releases: master, 10.4, 9.5
Change-Id: Ic0c10f2d72bb7d107f53c58dbc0668d19275914b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70918


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

d0557514

04 Sep, 2021 1 commit

[TASK] Add support for class-string annotation and provide meta file · 365436f4

Andreas Fernandez authored Sep 04, 2021

PhpStorm has basic support for generics since version 2021.2 which comes
in handy as since the same version the "Dynamic Return Type" plugin is broken.

Providing the class-string annotation and a proper return generic
supersedes this and recovers the built-in autocompletion.

To have the same effect for both, 3rd party code not being under our
control or methods having complex returns based on their input, a
`.phpstorm.meta.php` file is provided extending PhpStorms code awareness
capabilities.
Tons of kudos to Alexander Schnitzler providing a boilerplate
configuration here:
https://github.com/alexanderschnitzler/phpstorm.meta.php-typo3

For more information about capability extension consult
https://www.jetbrains.com/help/phpstorm/ide-advanced-metadata.html

Resolves: #95064
Releases: master, 10.4, 9.5
Change-Id: I4ea5115550ce7070de01c42c19ac3b93bf6ab4b6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70895


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

365436f4

02 Sep, 2021 1 commit

[TASK] runTest.sh: Version check docker-compose v2 · 7cb81a31

Jochen Roth authored Aug 31, 2021 and

Christian Kuhn committed Sep 02, 2021

Docker for Mac (and Windows?) currently misuses their
users as canary testers by actively activating an
"experimental" feature toggle which then ships
a docker-compose v2 rc release.

docker-composer v2's yaml parsing however is broken
(you had ONE job!): It does not properly detect strings
as strings and mumbles about this, and worse, it transforms
shell "don't linebreak!" '\' operator into linebreaks. This
breaks our carefully crafted and formatted testing related
docker-compose.yml configuration.

The situation persists for weeks already, there is no
solution except manually disabling this docker for mac
experimental feature toggle.

The patch makes runTests.sh detect docker-composer v2,
exits out with an error message telling the version
is not supported and how to disable it. ddev went with
a similar approach recently.

Resolves: #95057
Releases: master, 10.4, 9.5
Change-Id: Iee1e6fd28d876262f00aba769a7e047c14db903c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70778


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

7cb81a31

01 Sep, 2021 1 commit

[DOCS] Fix incorrect code block syntax in some rst files · 1f0ab7fb

Georg Ringer authored Sep 01, 2021

Resolves: #94909
Releases: master, 10.4, 9.5
Change-Id: I68b5f28f761e5eb096d8580e7c7291b479f144b5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70857


Tested-by: core-ci <typo3@b13.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

1f0ab7fb

30 Aug, 2021 1 commit

[BUGFIX] Render "Update now" button for every community release · 007b8892

Andreas Fernandez authored Aug 26, 2021

The Core Updater available in the Install Tool now offers the
"Update now" button on every community-driven update.
Previously, the button was set only in case an ELTS release is available,
rendering the Core Updater broken until then.

Resolves: #95006
Related: #94745
Releases: master, 10.4, 9.5
Change-Id: I7008e9ee98b07b7e10198890afa51554cd919fd3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70776


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

007b8892

26 Aug, 2021 1 commit

[TASK] Upgrade to typo3/html-sanitizer v2.0.10 · ff1cb5d6

Oliver Hader authored Aug 26, 2021 and

Andreas Fernandez committed Aug 26, 2021

composer req typo3/html-sanitizer:^2.0.10;\
composer req typo3/html-sanitizer:^2.0.10 \
  -d typo3/sysext/core --no-update

Resolves: #95000
Releases: master, 11.3, 10.4, 9.5
Change-Id: Ia2170f6bd6f3bace862fac124ef8cc2966d35171
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70765


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

ff1cb5d6

25 Aug, 2021 1 commit

[BUGFIX] Correctly resolve nested arguments in SimpleEnhancer · 417246a0

Oliver Hader authored May 21, 2021 and

Oliver Hader committed Aug 25, 2021

Having `additionalParams = &simple[id]=okay&simple[other]=other`
with the following route enhancer configuration lead to some flaws:

    routeEnhancers:
      TestSimple:
        type: Simple
        routePath: '/simple/{simple_id}'
        _arguments:
          simple_id: 'simple/id'

* generated URI contained `simple__other`, not resolving nesting
  (`/simple/okay?simple__other=other&cHash=...`)
* `PageArguments::$staticArguments` contained parameter `simple_id`
  (unresolved to actual query parameter, incorrectly marked static)
* other `PageArguments` properties contained `simple__other`
  (unresolved to actual query parameter, ignored nesting)

Resolves: #91447
Releases: master, 10.4, 9.5
Change-Id: If96a6245f44a12d6e666d0ead8b1cc9cbbb43170
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70755


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

417246a0

24 Aug, 2021 1 commit

[BUGFIX] Revert "Remove prefixed scriptName from urlPath in PageRouter" · 62e2e23a

Benni Mack authored Aug 24, 2021

This reverts commit e2e59fb3 due
to certain incompatibilities with direct "index.php" calls in
certain server setups.

Resolves: #94968
Reverts: #94537
Releases: master, 10.4, 9.5
Change-Id: I558c4764e1e0399b7d92da9be0da83cb36c85cba
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70698


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

62e2e23a

16 Aug, 2021 5 commits

[TASK] Set TYPO3 version to 9.5.31-dev · a09c6a8e

Oliver Hader authored Aug 16, 2021 and

Oliver Hader committed Aug 16, 2021

Change-Id: I0c6b55a4d4027bf2c381ec0914f386cc5090599c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70634


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

a09c6a8e

[RELEASE] Release of TYPO3 9.5.30 · 322b262c

Oliver Hader authored Aug 16, 2021 and

Oliver Hader committed Aug 16, 2021

Change-Id: I7632848019be704a039ba1820d927d4cffb1d589
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70633


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

322b262c

[TASK] Upgrade to typo3/html-sanitizer v2.0.9 · aa851616

Oliver Hader authored Aug 16, 2021 and

Oliver Hader committed Aug 16, 2021

composer req typo3/html-sanitizer:^2.0.9
composer req typo3/html-sanitizer:^2.0.9 \
  -d typo3/sysext/core --no-update

Resolves: #94883
Releases: master, 11.3, 10.4, 9.5
Change-Id: I997ddc423ffcb216927e3ba807e303e604174ee8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70617


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

aa851616

[BUGFIX] Adjust default behavior of HTML sanitization in parseFunc · 9d2ce55e

Oliver Hader authored Aug 10, 2021 and

Benni Mack committed Aug 16, 2021

As a result of TYPO3-CORE-SA-2021-013, new `htmlSanitize` behavior -
when invoking `ContentObjectRenderer::parseFunc` - is enabled per
default, in case it was not declared otherwise. That also happened
when no processing configuration was given (or could be resolved).
Without having any configuration, it was obviously not possible to
disable `htmlSanitize`.

Fluid's `HtmlViewHelper` can be used with an empty `parseFuncTSPath`
(e.g. `<f:format.html parseFuncTSPath="">`) - due to missing (empty)
configuration, sanitization was enabled per default in `parseFunc`.

With this change, property `htmlSanitize` either needs to be enabled
or disabled explicitly - otherwise deprecation logs will be generated,
if not given, the fall-back behavior is inferred from new feature flag
`security.frontend.htmlSanitizeParseFuncDefault`.

Invoking `ContentObjectRenderer::parseFunc` without any configuration
behaves like before TYPO3-CORE-SA-2021-013 was applied - it just does
not process anything.

Resolves: #94786
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4aee54d712ce4758f6c9c2e64a43f80b6c076406
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70588


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>

9d2ce55e

[BUGFIX] Allow HTML node onclick events in generated frontend markup · 73f3f102

Oliver Hader authored Aug 13, 2021 and

Oliver Hader committed Aug 16, 2021

`ContentObjectRenderer` and `AbstractMenuContentObject` are still relying
HTML event attribute `onclick` to open new client window instances,
which were (correctly) removed by HTML sanitizer.

In order to keep the functionality, exceptional declarations have been
added, and `vHWin=window.open(...)` substituted by `openPic(...)`.

Resolves: #94866
Releases: master, 11.3, 10.4, 9.5
Change-Id: I961746b3776d12f302933ebb775ab215bdcd85ab
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70584


Tested-by: Benni Mack <benni@typo3.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

73f3f102

13 Aug, 2021 3 commits

[FEATURE] Introduce explicit f:sanitize.html view-helper · 5697363a

Oliver Hader authored Aug 11, 2021 and

Benni Mack committed Aug 13, 2021

New `<f:sanitize.html build="default">` view-helper is introduced
which directly invokes processing of `typo3/html-sanitize` package. An
optional view-helper argument `build` allows using a defined preset,
or a fully qualified class name of a builder instance as alternative,
which has to implement `\TYPO3\HtmlSanitizer\Builder\BuilderInterface`.

In contrast to `<f:format.html>`, this does NOT invoke `lib.parseFunc`,
and does NOT rely on TypoScript configuration being loaded and parsed.

Resolves: #94825
Releases: master, 11.3, 10.4, 9.5
Change-Id: Id0720120fea7d5d517a8c61d10bdbb6b03658adf
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70526


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

5697363a

[BUGFIX] Remove prefixed scriptName from urlPath in PageRouter · c0c50920

Stefan Bürk authored Jul 14, 2021 and

Benni Mack committed Aug 13, 2021

Remove resolved scriptName with leading slash from url in
PageRouter matchRequest method.

This prevent to change the url to a invalid url if
PageTypeSuffix Decorator with .php is used and a page slugs
ends in index.

Resolves: #94537
Releases: master, 10.4, 9.5
Change-Id: I5057bb6888c228a4ca5b53d363ecf1bc7a6af1c6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70554


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

c0c50920

[BUGFIX] Avoid timeout issues through SvgFilesSanitization · d416cff0

Georg Ringer authored Aug 11, 2021 and

Oliver Hader committed Aug 13, 2021

Skip a real check of the file system for SVG files in advance
in the SvgFilesSanitization wizard to avoid timeouts in e.g. the reports
module.

Resolves: #94801
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4ed52d357effec4a8e698d5b117f024150a01beb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70448


Tested-by: core-ci <typo3@b13.com>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70534

d416cff0

12 Aug, 2021 5 commits

[TASK] Add status quo tests for f:format.html · 6c634fc7

Oliver Hader authored Aug 12, 2021 and

Oliver Hader committed Aug 12, 2021

Resolves: #94857
Releases: master, 11.3, 10.4, 9.5
Change-Id: I7654fb4cec38d38044441e885a21676dcacf9a8f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70523


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

6c634fc7

[TASK] Forward initiator to typo3/html-sanitizer · 10bdc758

Oliver Hader authored Aug 12, 2021 and

Oliver Hader committed Aug 12, 2021

A new `SanitizerInitiator` is added and forwarded to
`typo3/html-sanitizer`. This allows getting a full stack-trace
when HTML nodes have been sanitized/modified and to debug the
actual cause (initiator) much better.

To receive corresponding initiator stack-traces

* logging for TYPO3.HtmlSanitizer namespace needs to be enabled
* TypoScript `config.debug = 1` must be set, or as a fall-back
  `$GLOBALS['TYPO3_CONF_VARS']['FE']['debug'] = true;` must be set
* HTML sanitizer must have found and modified invalid tags/attributes

Resolves: #94837
Releases: master, 11.3, 10.4, 9.5
Change-Id: I0239785d347d2c4ad6153ccb26130556399949d8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70510


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

10bdc758

[TASK] gitlab-ci: Backup TYPO3 logs of backend acceptance tests · 6f7c961a

Alexander Nitsche authored Aug 12, 2021 and

Christian Kuhn committed Aug 12, 2021

Sometimes acceptance tests fail due to a failed TYPO3 backend request,
which is recorded in the TYPO3 log file. Save this log file along with
the Acceptance Reports folder in the gitlab-ci job artifacts.

Resolves: #94843
Releases: master, 10.4, 9.5
Change-Id: I0b260c197a6a71dc23e6f9da547fc20a55fc4ce7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70508


Reviewed-by: Alexander Nitsche <typo3@alexandernitsche.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

6f7c961a

[TASK] Upgrade to typo3/html-sanitizer v2.0.8 · 4a60e97a

Oliver Hader authored Aug 12, 2021 and

Oliver Hader committed Aug 12, 2021

https://github.com/TYPO3/html-sanitizer/releases/tag/v2.0.8

composer req typo3/html-sanitizer:^2.0.8

Resolves: #94849
Releases: master, 11.3, 10.4, 9.5
Change-Id: I367343abe5b18445ddc28023ef45c65bc6d0de23
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70502


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

4a60e97a

[BUGFIX] Inform about extended support in reports module correctly · 9f87b2c7

Andreas Fernandez authored Aug 12, 2021

The Core Updater and Reports module were modified to render correct
information about non-community supported TYPO3 releases (aka ELTS) with
while no ELTS was released yet, in contrast to the Core Updater.

The missing case is added with this patch.

Resolves: #94827
Related: #94745
Releases: master, 10.4, 9.5
Change-Id: Ib4d8791478b89ad7e9b92930d882a98c76b809a3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70422


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

9f87b2c7

11 Aug, 2021 2 commits

[BUGFIX] Accept JS spam protected email addresses · c81483f4

Torben Hansen authored Aug 10, 2021 and

Oliver Hader committed Aug 11, 2021

When TYPO3 is configured to spam protect email
addresses using an offset, then the HTML sanitizer
introduced in #94375 will remove the generated
JavaScript in the href link attribute.

This change makes the HTML sanitizer aware of the
`javascript:linkTo_UnCryptMailto` pattern for href
attribute.

Resolves: #94776
Releases: master, 11.3, 10.4, 9.5
Change-Id: If5f4ab22a686274401390a66b580a24e6d5a8f0c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70415


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

c81483f4

[TASK] Enhance documentation for integration of html-sanitizer · 988de489

Tomas Norre Mikkelsen authored Aug 11, 2021 and

Oliver Hader committed Aug 11, 2021

* remove superfluous `}` literal from PHP example
* add "Troubleshooting" section of reported side-effects
* add "Logging" section, supporting to spot those side-effects

Resolves: #94797
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4b154c849b158d920b380f40d1415762d227ae6d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70419


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

988de489

10 Aug, 2021 6 commits

Revert "[TASK] Declare core as replacement for t3g/svg-sanitizer" · 34fdd74e

Oliver Hader authored Aug 10, 2021 and

Oliver Hader committed Aug 10, 2021

This reverts commit 3bae5925.

Not defining replaced version of `t3g/svg-sanitizer` leads to
problems with `roave/security-advisories`. Overall it seems to
be better, to completely revert previous change.

Resolves: #94782
Reverts: #94719
Releases: master, 11.3, 10.4, 9.5
Change-Id: I43c2ea986ffec72bc0c8eb740a84daad33e9257f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70436


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

34fdd74e

[TASK] Set TYPO3 version to 9.5.30-dev · a9390366

Oliver Hader authored Aug 10, 2021 and

Benni Mack committed Aug 10, 2021

Change-Id: Idef500cdaaf791fd9d03c5668233312ca2e89bc4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70347


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>

a9390366

[RELEASE] Release of TYPO3 9.5.29 · bf181a75

Oliver Hader authored Aug 10, 2021 and

Oliver Hader committed Aug 10, 2021

Change-Id: I2d1a435c3d3a221a6a8d523f105d2b9f052e8513
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70346


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

bf181a75

[SECURITY] Ensure XSS-safe rich text rendering · ac8f1fc3

Oliver Hader authored Aug 10, 2021 and

Oliver Hader committed Aug 10, 2021

Due to missing internal handling of provided RTE configuration, it
was possible to directly persist XSS in database fields. Unless full
blown backend RTE tag configuration is available, this patch still
allows persisting potentially malicious data - which is not reflected
in the backend user interface - but to be sanitized during frontend
rendering (see below).

Corresponding configuration directives (`removeTags`, `allowedAttribs`)
are now considered again. Besides that a new, but simplified sequential
HTML parser ensures that runaway node-boundaries are detected & denied.

To sanitize and purge XSS from markup during frontend rendering, new
custom HTML sanitizer has been introduced, based on `masterminds/html5`.
Both `DefaultBuilder` and `CommonVisitor` provide common configuration
which is in line with expected tags that are allowed in backend RTE.
Using a custom builder instance, it is possible to adjust for individual
demands - however, configuration possibilities cannot be modified using
TypoScript - basically since the existing syntax does not cover all
necessary scenarios.

Resolves: #94375
Related: #83027
Related: #94484
Releases: master, 11.3, 10.4, 9.5
Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0
Security-Bulletin: TYPO3-CORE-SA-2021-013
Security-References: CVE-2021-32768
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70342


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

ac8f1fc3

[TASK] Declare core as replacement for t3g/svg-sanitizer · 3bae5925

Oliver Hader authored Aug 05, 2021 and

Oliver Hader committed Aug 10, 2021

Functionality of package t3g/svg-sanitizer has been
integrated into the TYPO3 core.

Resolves: #94719
Releases: master, 11.3, 10.4, 9.5
Change-Id: I9bef46af0b76275844aa4acb2b54214f37936ecc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70339


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

3bae5925

[TASK] Update enshrined/svg-sanitize to v0.14.1 · 95b571c5

Oliver Hader authored Aug 10, 2021 and

Oliver Hader committed Aug 10, 2021

Addresses work-around of issues #94565 and #94582
concerning libxml2 segmentation faults.

https://github.com/darylldoyle/svg-sanitizer/compare/0.14.0...0.14.1

Resolves: #94768
Releases: master, 11.3, 10.4, 9.5
Change-Id: I10f6386f0986f514a1387fb1153bbfc36f9c9dcc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70336


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

95b571c5

09 Aug, 2021 2 commits

[BUGFIX] Render correct version information in Core Updater and reports module · 4d4c37b3

Andreas Fernandez authored Aug 06, 2021

Currently, the TYPO3 backend shows incomplete version information
regarding updates in the Core Updater and the reports. Both take
community-supported releases into account only and ignore the fact that
certain versions are covered by the ELTS program and thus render messages
about unsupported or invalid versions, which are false statements.

We now use the full information from get.typo3.org, and added lengthy
tests to avoid any further issues. The internally used
CoreVersionService is now able to handle ELTS releases as well and give
proper information to admins.

Resolves: #94745
Releases: master, 10.4, 9.5
Change-Id: I6485d36ded943acba723d55e23275554484e4f82
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70311


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

4d4c37b3

[BUGFIX] Reset query filters for file storages · a02928f5

Pierrick Caillon authored Aug 05, 2021 and

Oliver Hader committed Aug 09, 2021

After query filers for file storages have been used, those settings
have to be reset. `StorageRepository::$storageInstances` actually
applies an implicit singleton pattern to file storage objects.

Resolves: #94714
Releases: master, 11.3, 10.4, 9.5
Change-Id: I353b782f8e98c55df6f9cb2e14a0745d83bfdc70
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70297


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

a02928f5

08 Aug, 2021 1 commit

[TASK] runTests.sh: Allow step debugging acceptance tests · d9fb666a

Christian Kuhn authored Mar 14, 2021

Honor -x option for acceptance tests: Both 'Tester' and
'System under test' allow break points with -s acceptance
and -s install.

Resolves: #93734
Releases: master, 10.4, 9.5
Change-Id: Ia3f5a518089be675e33ddc673ebd4c99b2dbfaf6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70174


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

d9fb666a

06 Aug, 2021 1 commit

[TASK] Raise typo3/testing-framework:^4.15.5 · 1bac9f91

Christian Kuhn authored Aug 06, 2021

A couple of minor testing-framework patches
are worth to be pulled into core v9.

composer req --dev typo3/testing-framework:^4.15.5
composer req --dev typo3/testing-framework:^4.15.5 -d typo3/sysext/core/ --no-update

Change-Id: I1a4de0ac8b93bd2373db28180ea5642785af54c4
Resolves: #94732
Releases: 9.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70274


Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

1bac9f91

02 Aug, 2021 1 commit

[BUGFIX] Support extra test arguments on acceptance tests · 1afa9607

crell authored May 24, 2021 and

Christian Kuhn committed Aug 02, 2021

Resolves: #94189
Releases: master, 10.4, 9.5
Change-Id: Idd70dda6b26c4e6462b351d61ac03e76b7fd9533
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70172


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: crell <larry@garfieldtech.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

1afa9607

29 Jul, 2021 2 commits

[TASK] Change indent for .rst in .editorconfig · 130422b3

Simon Gilli authored Jul 29, 2021 and

Christian Kuhn committed Jul 29, 2021

For the covenience when creating files with code snippets
the indent of .rst is changed to 4 spaces. This works for
all cases also for lists where normally 3 spaces are used.

Resolves: #94669
Releases: master, 10.4, 9.5
Change-Id: If1ed5927a1e5e17e56edf0696eb4c528599b788c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70160


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

130422b3

[BUGFIX] Fix sphinx warnings in previous changelog entries · 0e8d3464

Lina Wolf authored Jul 18, 2021 and

Christian Kuhn committed Jul 29, 2021

Fixes Layout problems: Malformed lists, malformed
headlines, non-working links to documentation or
other changelogs.
Directive `:ts:` and `.. code-block:: ts` is only
used for typescript, exchanged it into `:typoscript:`
for typoscript examples.

Resolves: #94534
Releases: master, 10.4, 9.5
Change-Id: I61e3c5910d6a5bc97f1ec887ce5b2c1e6d59a2db
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70158


Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

0e8d3464