1. 23 Sep, 2014 1 commit
  2. 20 Sep, 2014 2 commits
  3. 23 Aug, 2014 1 commit
  4. 08 Jul, 2014 3 commits
  5. 29 Jun, 2014 2 commits
    • [TASK] Improve travis notifications to channels · 021526a7
      Helmut Hummel authored
      By default travis notifies on each build when
      posting to channels (irc, slack).
      We can reduce the number of notifications by only
      posting successful builds when it previously failed.
      Additionally encrypt the API token for posting to slack.
      
      Releases: 6.3, 6.2, 6.1, 6.0, 4.7, 4.5
      Change-Id: I882d34903c972201454e6cc5b9041393e3bd3661
      Reviewed-on: https://review.typo3.org/31226
      Reviewed-by: Helmut Hummel
      Tested-by: Helmut Hummel
    • [TASK] Update Travis CI notification settings · 4f13b3a3
      Michael Stucki authored
      Notify on Slack and IRC, remove email notification.
      
      Resolves: #59838
      Releases: 6.3, 6.2, 4.5
      Change-Id: Ic4dacd5c7b6b4e6e2b8cfa92ae7976b666209747
      Reviewed-on: https://review.typo3.org/31209
      Reviewed-by: Nicole Cordes
      Reviewed-by: Michael Stucki
      Tested-by: Michael Stucki
  6. 23 Jun, 2014 1 commit
    • [BUGFIX] AbstractBackendViewHelper uses namespaces · 64a43cae
      Markus Klein authored
      Namespaces are not supported in PHP 5.2.x, hence one must not
      prefix a class name with backslash.
      
      Regression fix to #54748.
      
      Resolves: #59825
      Releases: 4.5
      Change-Id: Ideb2cef1c5e2ec0d2ac3328ebd4f318a161d368a
      Reviewed-on: https://review.typo3.org/31084
      Tested-by: Sebastian Sommer
      Tested-by: Steffen Mächtel
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  7. 05 Jun, 2014 1 commit
  8. 03 Jun, 2014 1 commit
    • [BUGFIX] Fix double ? in eID url for encryption key · 4fbb2504
      Markus Klein authored
      The AJAX url for retrieving a new encryption key contains
      two question marks. This causes the request to fail.
      
      Fix this by removing the superfluous ? from the parameters.
      
      Resolves: #59034
      Releases: 6.1, 4.7, 4.5
      Change-Id: Iab3833f50a48b71b25cf0205f7eb8d6b57dd859a
      Reviewed-on: https://review.typo3.org/30543
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  9. 22 May, 2014 12 commits
    • [BUGFIX] Wrong HTML in locallang_csh_pages.xlf · 418e3130
      Markus Klein authored and Christian Kuhn committed
      lang/4.5/locallang_csh_pages.xlf contains an invalid
      HTML structure: a <p> tag should actually be a <b> tag.
      
      Resolves: #58936
      Releases: 6.2, 6.1, 4.5
      Change-Id: Id37d424296628202d8d434e0cf9cafd8529da2c3
      Reviewed-on: https://review.typo3.org/30331
      Reviewed-by: Christian Kuhn
      Tested-by: Christian Kuhn
    • [BUGFIX] SoftReferenceIndex support for more values in class attribute · 81e31f18
      Marc Bastian Heinrichs authored
      The SoftReferenceIndex parses and rebuilds typolink tags, but the
      support for more than one value in class attribute is missing, because
      the values don't get enclosed with quotes on rebuilding.
      This leads to lost classes in typolinks in exports from impexp.
      
      Resolves: #58484
      Releases: 6.2, 6.1, 4.5
      Change-Id: I12ed3be7f5be36254bcee57fcb24bf2a10f92f46
      Reviewed-on: https://review.typo3.org/29853
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
    • [TASK] Set TYPO3 version to 4.5.35-dev · dd2d0ad3
      TYPO3 Release Team authored
      Change-Id: Iffabf254620824d1d0b7a42e239576bd3aa73791
      Reviewed-on: https://review.typo3.org/30309
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
    • [RELEASE] Release of TYPO3 4.5.34 · 67deb70e
      TYPO3 Release Team authored
      Change-Id: I296aa228d3d9ffda43cf99a41d3ac36d8b93f439
      Reviewed-on: https://review.typo3.org/30308
      Reviewed-by: TYPO3 Release Team
      Tested-by: TYPO3 Release Team
    • [SECURITY] Add trusted HTTP_HOST configuration · 55d5f385
      Helmut Hummel authored and Oliver Hader committed
      TYPO3 uses the values of HTTP_HOST in several
      places without validating them. This could
      lead to a situation where links are generated
      using the host part from HTTP_HOST.
      Since HTTP_HOST headers are user input and
      can be spoofed by an attacker, this leads
      to several potential and actual security issues.
      To address this, a configuration option for
      trusted hosts is added, which is evaluated every
      time getIndpEnv('HTTP_HOST') is called.
      The configuration option is
      $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']
      and can contain either a regular expression or the
      value "SERVER_NAME".
      To properly output the exception message in case
      the trustedHostsPattern does not match,
      we need to adapt the exception handlers slightly
      to not log information in this case and to actually
      show the message even in production context to not
      confuse admins on what is currently going wrong.
      To not break all existing installations, the default
      pattern is set to 'SERVER_NAME' which allows all
      HTTP_HOST values matching the SERVER_NAME (and
      optionally the SERVER_PORT if a port is specified
      in the HTTP_HOST value).
      This will secure all installations which use properly
      configured name based virtual hosts, but leaves
      installations where the web server is not bound
      to a specific host name still in an insecure state.
      Fixes: #30377
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      
      Change-Id: Id210212e6fbd186a273f92b340d5060e9c6f900d
      Reviewed-on: https://review.typo3.org/30275
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in (old) extension manager information function · efb098b2
      Marc Bastian Heinrichs authored and Oliver Hader committed
      Needs to be fixed also in 6.x, but the affected function is not
      used anymore.
      
      Change-Id: Iae077221a4a8ef8f3aacaeb9d679cc68e97799bd
      Fixes: #54111
      Fixes: #54113
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 6b746d50d9ee4fbf2eff3e3e4c0699100be983a2
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30274
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in new content element wizard · 94011a3c
      Markus Klein authored and Oliver Hader committed
      Sanitize user-input colPos in new content element wizard.
      
      Change-Id: I13ff938e7320c68c8ad3f88b0cb688bc4d43d839
      Fixes: #48695
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 582087ad27cee5365ea36387bba28c1b62212564
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30273
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in template tools on root page · b62651b0
      Marc Bastian Heinrichs authored and Oliver Hader committed
      Change-Id: I6942457ce27ad22a33efd003ceaa96fa7460c0bf
      Fixes: #54109
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 9abedcf7dc0fd59b602a2221ffd9a998636b8092
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30272
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] XSS in Backend Layout Wizard · a98ae3ca
      Nicole Cordes authored and Oliver Hader committed
      Change-Id: I7e58e32a4d7146c2c341d756816c29f7c01ed31d
      Fixes: #57576
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 7493eb3ec56903b00923dcabf00a04f34529ad18
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30271
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Encode URL for use in JavaScript · 4f7258cf
      Markus Klein authored and Oliver Hader committed
      The url for the Open in New Window button must be quoted for
      use in JavaScript to prevent XSS issues.
      
      Change-Id: If3600662e79fb0945ca62b3a25feaf001180b88d
      Fixes: #48693
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: 8a9c1615f82cf0a8c3449ae37f47338da132e505
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30270
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Fix insecure unserialize in colorpicker · 742ad492
      Helmut Hummel authored and Oliver Hader committed
      Change-Id: Iee9d2712ae3b489a89604cb7be8c2af27a924fe0
      Fixes: #56458
      Releases: 6.1, 6.0, 4.7, 4.5
      Security-Commit: 36eb11e44d7faca68b3d6fefb1633a463cc22fac
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30269
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Remove charts.swf to get rid of XSS vulnerability · 9bd77764
      Helmut Hummel authored and Oliver Hader committed
      The file charts.swf is vulnerable to XSS; it is delivered
      by ExtJS but not used in TYPO3 CMS at all.
      
      Since the vendor of ExtJS did not fix this vulnerability,
      we decided to remove it from TYPO3 sources.
      
      Change-Id: I7d81fc44294473d041c8910e04c815d91efb409f
      Fixes: #54526
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Security-Commit: fef11509739f8bddfeba0fc6f752ac93feb16f03
      Security-Bulletin: TYPO3-CORE-SA-2014-001
      Reviewed-on: https://review.typo3.org/30268
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  10. 08 May, 2014 1 commit
    • [BUGFIX] Solve stackoverflow in prototype in IE8 · 6ffdceeb
      Jigal van Hemert authored and Oliver Hader committed
      The reason for this behaviour is the combination of prototype.js
      and ExtJS. The ExtJS defer() method takes precedence. Calling the
      defer() method without any arguments would have resulted in using
      a default value of "0.01" seconds in standalone prototype.js, but
      results in directly calling the submitted function.
      
      The stack overflow is caused by not delaying the function call
      and thus ending in a recursive endless loop.
      
      Resolves: #58187
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Change-Id: I6db191ff67a3e869072877936d949fc733cda74f
      Reviewed-on: https://review.typo3.org/29908
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
  11. 16 Apr, 2014 2 commits
  12. 15 Apr, 2014 3 commits
  13. 04 Apr, 2014 2 commits
    • [TASK] Integrate default README.txt · 4316e98d
      Oliver Hader authored and committed
      This file is a modified and updated version of the one that has been
      released with every package in the past. Since these files have
      been taken from git.typo3.org/TYPO3CMS/Distributions/Base.git,
      which is targeted to be cleaned up, the file is explicitly put
      into old branches as well.
      
      Resolves: #57656
      Releases: 6.1, 6.0, 4.7, 4.6, 4.5
      Change-Id: I3b696895deaf03b2f630e12f1bd7b17b649b985c
      Reviewed-on: https://review.typo3.org/29175
      Reviewed-by: Oliver Hader
      Tested-by: Oliver Hader
    • [SECURITY] Prevent XSS in scheduler form · 9d365152
      Nicole Cordes authored
      The class name is submitted in a hidden form and is susceptible to XSS.
      The patch introduced htmlspecialchars to prevent XSS possibility.
      
      Resolves: #57603
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Change-Id: I4979e66f28a581e168c56d91327a1bbe2672448d
      Reviewed-on: https://review.typo3.org/29155
      Reviewed-by: Nicole Cordes
      Tested-by: Nicole Cordes
  14. 27 Feb, 2014 1 commit
  15. 25 Feb, 2014 1 commit
    • [BUGFIX] felogin reset password links not clickable · 5c4554be
      Jigal van Hemert authored
      Encoding a few extra characters besides the ones according to RFC3986
      makes password reset links work again in various mail clients which
      do not comply with this RFC (and which do not have plans to fix this in
      the near future).
      
      Change-Id: I0b42bef6cb732c5fc6cc2d900407271cb606e301
      Fixes: #23984
      Releases: 6.2, 6.1, 6.0, 4.7, 4.5
      Reviewed-on: https://review.typo3.org/27830
      Reviewed-by: Oliver Klee
      Reviewed-by: Markus Klein
      Tested-by: Markus Klein
  16. 09 Feb, 2014 1 commit
  17. 08 Feb, 2014 1 commit
  18. 30 Jan, 2014 1 commit
  19. 28 Jan, 2014 1 commit
    • [BUGFIX] Invalid constant in the domain redirect function · b867b04f
      Tim Lochmüller authored and Wouter Wolters committed
      There is a "copy-and-paste" mistake in the domain redirect mechanism.
      The function HttpUtility::redirect should be called with a valid HTTP
      status code (the const value) and not with the name of the constant.
      
      Resolves: #55350
      Releases: 6.2, 6.1, 6.0, 4.5
      Change-Id: I97f55ac8df1688011198666da1fd322a5c3bd323
      Reviewed-on: https://review.typo3.org/27105
      Reviewed-by: Tim Lochmüller
      Tested-by: Tim Lochmüller
      Reviewed-by: Wouter Wolters
      Tested-by: Wouter Wolters
  20. 17 Jan, 2014 2 commits