Skip to content
GitLab
  1. 23 Sep, 2014 1 commit
  3. 20 Sep, 2014 2 commits
  5. 23 Aug, 2014 1 commit
  7. 08 Jul, 2014 3 commits
  9. 29 Jun, 2014 2 commits
    • Helmut Hummel's avatar
      [TASK] Improve travis notifications to channels · 021526a7
      Helmut Hummel authored 
      By default travis notifies on each build when
posting to channels (irc, slack)
We can reduce the number of notifications by only
posting successful builds when it previously failed.
Additionally encrypt the API token for posting to slack.

Releases: 6.3, 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I882d34903c972201454e6cc5b9041393e3bd3661
Reviewed-on: https://review.typo3.org/31226
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
      021526a7
    • Michael Stucki's avatar
      [TASK] Update Travis CI notification settings · 4f13b3a3
      Michael Stucki authored 
      Notify on Slack and IRC, remove email notification.

Resolves: #59838
Releases: 6.3, 6.2, 4.5
Change-Id: Ic4dacd5c7b6b4e6e2b8cfa92ae7976b666209747
Reviewed-on: https://review.typo3.org/31209
Reviewed-by: Nicole Cordes
Reviewed-by: Michael Stucki
Tested-by: Michael Stucki
      4f13b3a3
  11. 23 Jun, 2014 1 commit
    • Markus Klein's avatar
      [BUGFIX] AbstractBackendViewHelper uses namespaces · 64a43cae
      Markus Klein authored 
      Namespaces are not supported in PHP 5.2.x, hence one must not
prefix a class name with backslash.

Regression fix to #54748.

Resolves: #59825
Releases: 4.5
Change-Id: Ideb2cef1c5e2ec0d2ac3328ebd4f318a161d368a
Reviewed-on: https://review.typo3.org/31084
Tested-by: Sebastian Sommer
Tested-by: Steffen Mächtel
Reviewed-by: Markus Klein
Tested-by: Markus Klein
      64a43cae
  13. 05 Jun, 2014 1 commit
  15. 03 Jun, 2014 1 commit
    • Markus Klein's avatar
      [BUGFIX] Fix double ? in eID url for encryption key · 4fbb2504
      Markus Klein authored 
      The AJAX url for retrieving a new encryption key contains
two question marks. This causes the request to fail.

Fix this by removing the superflous ? from the parameters.

Resolves: #59034
Releases: 6.1, 4.7, 4.5
Change-Id: Iab3833f50a48b71b25cf0205f7eb8d6b57dd859a
Reviewed-on: https://review.typo3.org/30543
Reviewed-by: Markus Klein
Tested-by: Markus Klein
      4fbb2504
  17. 22 May, 2014 12 commits
    • Markus Klein's avatar
      [BUGFIX] Wrong HTML in locallang_csh_pages.xlf · 418e3130
      Markus Klein authored and Christian Kuhn's avatar Christian Kuhn committed 
      lang/4.5/locallang_csh_pages.xlf contains invalid
HTML structure a <p> tag should actually be a <b> tag.

Resolves: #58936
Releases: 6.2, 6.1, 4.5
Change-Id: Id37d424296628202d8d434e0cf9cafd8529da2c3
Reviewed-on: https://review.typo3.org/30331
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
      418e3130
    • Marc Bastian Heinrichs's avatar
      [BUGFIX] SoftReferenceIndex support for more values in class attribute · 81e31f18
      Marc Bastian Heinrichs authored 
      The SoftReferenceIndex parses and rebuilds typolink tags, but the
support for more than one value in class attribute is missing, because
the values don't get enclosed with quotes on rebuilding.
This leads to lost classes in typolinks in exports from impexp.

Resolves: #58484
Releases: 6.2, 6.1, 4.5
Change-Id: I12ed3be7f5be36254bcee57fcb24bf2a10f92f46
Reviewed-on: https://review.typo3.org/29853
Reviewed-by: Markus Klein
Tested-by: Markus Klein
      81e31f18
    • TYPO3 Release Team's avatar
      [TASK] Set TYPO3 version to 4.5.35-dev · dd2d0ad3
      TYPO3 Release Team authored 
      Change-Id: Iffabf254620824d1d0b7a42e239576bd3aa73791
Reviewed-on: https://review.typo3.org/30309
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
      dd2d0ad3
    • TYPO3 Release Team's avatar
      [RELEASE] Release of TYPO3 4.5.34 · 67deb70e
      TYPO3 Release Team authored 
      Change-Id: I296aa228d3d9ffda43cf99a41d3ac36d8b93f439
Reviewed-on: https://review.typo3.org/30308
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
      67deb70e
    • Helmut Hummel's avatar
      [SECURITY] Add trusted HTTP_HOST configuration · 55d5f385
      Helmut Hummel authored and Oliver Hader's avatar Oliver Hader committed 
      TYPO3 uses the values of HTTP_HOST in several
places without validating them. This could
lead to a situation where links are generated
using the host part from HTTP_HOST.
Since HTTP_HOST headers are user input and
can be spoofed by an attacker, it leads
into several potential and actual security issues.
To address this, a configuration option for
trusted hosts is added, which is evaluated every
time getIndpEnv('HTTP_HOST') is called.
The configuration option is
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']
and can contain either a regular expression or the
value "SERVER_NAME"
To properly output the exception message in case
the trustedHostPattern does not match,
we need to adapt the exception handlers slightly
to not log information in this case and to actually
show the message even in production context to not
confuse admins on what is currently going wrong.
To not break all existing installations, the default
pattern is set to 'SERVER_NAME' which allows all
HTTP_HOST values matching the SERVER_NAME (and
optionally the SERVER_PORT if a port is specified
in the HTTP_HOST value).
This will secure all installation which use properly
configured name based virtual hosts, but leaves
installations where the web server is not bound
to a specific host name still in an insecure state.
Fixes: #30377
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Bulletin: TYPO3-CORE-SA-2014-001

Change-Id: Id210212e6fbd186a273f92b340d5060e9c6f900d
Reviewed-on: https://review.typo3.org/30275
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      55d5f385
    • Marc Bastian Heinrichs's avatar
      [SECURITY] XSS in (old) extension manager information function · efb098b2
      Marc Bastian Heinrichs authored and Oliver Hader's avatar Oliver Hader committed 
      Needs to be fixed also in 6.x, but the affected function is not
used anymore.

Change-Id: Iae077221a4a8ef8f3aacaeb9d679cc68e97799bd
Fixes: #54111
Fixes: #54113
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 6b746d50d9ee4fbf2eff3e3e4c0699100be983a2
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30274
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      efb098b2
    • Markus Klein's avatar
      [SECURITY] XSS in new content element wizard · 94011a3c
      Markus Klein authored and Oliver Hader's avatar Oliver Hader committed 
      Sanitize user-input colPos in new content element wizard.

Change-Id: I13ff938e7320c68c8ad3f88b0cb688bc4d43d839
Fixes: #48695
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 582087ad27cee5365ea36387bba28c1b62212564
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30273
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      94011a3c
    • Marc Bastian Heinrichs's avatar
      [SECURITY] XSS in template tools on root page · b62651b0
      Marc Bastian Heinrichs authored and Oliver Hader's avatar Oliver Hader committed 
      Change-Id: I6942457ce27ad22a33efd003ceaa96fa7460c0bf
Fixes: #54109
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 9abedcf7dc0fd59b602a2221ffd9a998636b8092
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30272
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      b62651b0
    • Nicole Cordes's avatar
      [SECURITY] XSS in Backend Layout Wizard · a98ae3ca
      Nicole Cordes authored and Oliver Hader's avatar Oliver Hader committed 
      Change-Id: I7e58e32a4d7146c2c341d756816c29f7c01ed31d
Fixes: #57576
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 7493eb3ec56903b00923dcabf00a04f34529ad18
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30271
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      a98ae3ca
    • Markus Klein's avatar
      [SECURITY] Encode URL for use in JavaScript · 4f7258cf
      Markus Klein authored and Oliver Hader's avatar Oliver Hader committed 
      The url for the Open in New Window button must be quoted for
use in JavaScript to prevent XSS issues.

Change-Id: If3600662e79fb0945ca62b3a25feaf001180b88d
Fixes: #48693
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 8a9c1615f82cf0a8c3449ae37f47338da132e505
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30270
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      4f7258cf
    • Helmut Hummel's avatar
      [SECURITY] Fix insecure unserialize in colorpicker · 742ad492
      Helmut Hummel authored and Oliver Hader's avatar Oliver Hader committed 
      Change-Id: Iee9d2712ae3b489a89604cb7be8c2af27a924fe0
Fixes: #56458
Releases: 6.1, 6.0, 4.7, 4.5
Security-Commit: 36eb11e44d7faca68b3d6fefb1633a463cc22fac
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30269
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      742ad492
    • Helmut Hummel's avatar
      [SECURITY] Remove charts.swf to get rid of XSS vulnerability · 9bd77764
      Helmut Hummel authored and Oliver Hader's avatar Oliver Hader committed 
      The file charts.swf is vulnerable to XSS, is delivered
by ExtJS but not used in TYPO3 CMS at all.

Since the vendor of ExtJS did not fix this vulnerability,
we decided to remove it from TYPO3 sources.

Change-Id: I7d81fc44294473d041c8910e04c815d91efb409f
Fixes: #54526
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: fef11509739f8bddfeba0fc6f752ac93feb16f03
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30268
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      9bd77764
  19. 08 May, 2014 1 commit
    • Jigal van Hemert's avatar
      [BUGFIX] Solve stackoverflow in prototype in IE8 · 6ffdceeb
      Jigal van Hemert authored and Oliver Hader's avatar Oliver Hader committed 
      The reason for this behaviour is the combination of prototype.js
and ExtJS. The ExtJS defer() method takes precedence. Calling the
defer() method without any arguments would have resulted in using
a default value of "0.01" seconds in standalone prototype.js, but
results in directly calling the submitted function.

The stack overflow is caused by not delaying the function call
and thus ending in a recursive endless loop.

Resolves: #58187
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I6db191ff67a3e869072877936d949fc733cda74f
Reviewed-on: https://review.typo3.org/29908
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      6ffdceeb
  21. 16 Apr, 2014 2 commits
  23. 15 Apr, 2014 3 commits
  25. 04 Apr, 2014 2 commits
    • Oliver Hader's avatar
      [TASK] Integrate default README.txt · 4316e98d
      Oliver Hader authored and Oliver Hader's avatar Oliver Hader committed 
      This file is a modified and updated version like it has been
releases with every package in the past. Since these files have
been taken from git.typo3.org/TYPO3CMS/Distributions/Base.git,
which is target to be cleaned up, the file is explicitely put
to old branches as well.

Resolves: #57656
Releases: 6.1, 6.0, 4.7, 4.6, 4.5
Change-Id: I3b696895deaf03b2f630e12f1bd7b17b649b985c
Reviewed-on: https://review.typo3.org/29175
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      4316e98d
    • Nicole Cordes's avatar
      [SECURITY] Prevent XSS in scheduler form · 9d365152
      Nicole Cordes authored 
      The class name is submitted in a hidden form and is susceptible to XSS.
The patch introduced htmlspecialchars to prevent XSS possibility.

Resolves: #57603
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I4979e66f28a581e168c56d91327a1bbe2672448d
Reviewed-on: https://review.typo3.org/29155
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
      9d365152
  27. 27 Feb, 2014 1 commit
  29. 25 Feb, 2014 1 commit
    • Jigal van Hemert's avatar
      [BUGFIX] felogin reset password links not clickable · 5c4554be
      Jigal van Hemert authored 
      Encoding a few extra character besides the ones according to RFC3986
makes password reset links working again in various mail clients which
do not comply to this RFC (and which do not have plans to fix this in
the near future).

Change-Id: I0b42bef6cb732c5fc6cc2d900407271cb606e301
Fixes: #23984
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/27830
Reviewed-by: Oliver Klee
Reviewed-by: Markus Klein
Tested-by: Markus Klein
      5c4554be
  31. 09 Feb, 2014 1 commit
  33. 08 Feb, 2014 1 commit
  35. 30 Jan, 2014 1 commit
  37. 28 Jan, 2014 1 commit
    • Tim Lochmüller's avatar
      [BUGFIX] Invalid constant in the domain redirect function · b867b04f
      Tim Lochmüller authored and Wouter Wolters's avatar Wouter Wolters committed 
      There is a "copy-and-paste" mistake in the domain redirect mechanism.
The function HttpUtility::redirect should call with a valid HTTP
status code (the const value) and not with the name of the constant.

Resolves: #55350
Releases: 6.2, 6.1, 6.0, 4.5
Change-Id: I97f55ac8df1688011198666da1fd322a5c3bd323
Reviewed-on: https://review.typo3.org/27105
Reviewed-by: Tim Lochmüller
Tested-by: Tim Lochmüller
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
      b867b04f
  39. 17 Jan, 2014 2 commits