- 12 Aug, 2021 3 commits
-
-
Sometimes acceptance tests fail due to a failed TYPO3 backend request, which is recorded in the TYPO3 log file. Save this log file along with the Acceptance Reports folder in the gitlab-ci job artifacts.

Resolves: #94843
Releases: master, 10.4, 9.5
Change-Id: I0b260c197a6a71dc23e6f9da547fc20a55fc4ce7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70508
Reviewed-by: Alexander Nitsche <typo3@alexandernitsche.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
-
https://github.com/TYPO3/html-sanitizer/releases/tag/v2.0.8

composer req typo3/html-sanitizer:^2.0.8

Resolves: #94849
Releases: master, 11.3, 10.4, 9.5
Change-Id: I367343abe5b18445ddc28023ef45c65bc6d0de23
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70502
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Andreas Fernandez authored
The Core Updater and Reports module were modified to render correct information about non-community supported TYPO3 releases (aka ELTS) while no ELTS was released yet, in contrast to the Core Updater. The missing case is added with this patch.

Resolves: #94827
Related: #94745
Releases: master, 10.4, 9.5
Change-Id: Ib4d8791478b89ad7e9b92930d882a98c76b809a3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70422
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
-
- 11 Aug, 2021 2 commits
-
-
When TYPO3 is configured to spam protect email addresses using an offset, then the HTML sanitizer introduced in #94375 will remove the generated JavaScript in the href link attribute. This change makes the HTML sanitizer aware of the `javascript:linkTo_UnCryptMailto` pattern for the href attribute.

Resolves: #94776
Releases: master, 11.3, 10.4, 9.5
Change-Id: If5f4ab22a686274401390a66b580a24e6d5a8f0c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70415
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
* remove superfluous `}` literal from PHP example
* add "Troubleshooting" section of reported side-effects
* add "Logging" section, supporting to spot those side-effects

Resolves: #94797
Releases: master, 11.3, 10.4, 9.5
Change-Id: I4b154c849b158d920b380f40d1415762d227ae6d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70419
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 10 Aug, 2021 6 commits
-
-
This reverts commit 3bae5925. Not defining a replaced version of `t3g/svg-sanitizer` leads to problems with `roave/security-advisories`. Overall it seems to be better to completely revert the previous change.

Resolves: #94782
Reverts: #94719
Releases: master, 11.3, 10.4, 9.5
Change-Id: I43c2ea986ffec72bc0c8eb740a84daad33e9257f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70436
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Change-Id: Idef500cdaaf791fd9d03c5668233312ca2e89bc4
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70347
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
Change-Id: I2d1a435c3d3a221a6a8d523f105d2b9f052e8513
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70346
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Due to missing internal handling of provided RTE configuration, it was possible to directly persist XSS in database fields. Unless full blown backend RTE tag configuration is available, this patch still allows persisting potentially malicious data - which is not reflected in the backend user interface - but to be sanitized during frontend rendering (see below). Corresponding configuration directives (`removeTags`, `allowedAttribs`) are now considered again. Besides that, a new but simplified sequential HTML parser ensures that runaway node-boundaries are detected & denied.

To sanitize and purge XSS from markup during frontend rendering, a new custom HTML sanitizer has been introduced, based on `masterminds/html5`. Both `DefaultBuilder` and `CommonVisitor` provide common configuration which is in line with expected tags that are allowed in the backend RTE. Using a custom builder instance, it is possible to adjust for individual demands - however, configuration possibilities cannot be modified using TypoScript - basically since the existing syntax does not cover all necessary scenarios.

Resolves: #94375
Related: #83027
Related: #94484
Releases: master, 11.3, 10.4, 9.5
Change-Id: I5f8de43faab57b00052614ad37bd10ea9e384dc0
Security-Bulletin: TYPO3-CORE-SA-2021-013
Security-References: CVE-2021-32768
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70342
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Functionality of package t3g/svg-sanitizer has been integrated into the TYPO3 core.

Resolves: #94719
Releases: master, 11.3, 10.4, 9.5
Change-Id: I9bef46af0b76275844aa4acb2b54214f37936ecc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70339
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Addresses work-around of issues #94565 and #94582 concerning libxml2 segmentation faults.

https://github.com/darylldoyle/svg-sanitizer/compare/0.14.0...0.14.1

Resolves: #94768
Releases: master, 11.3, 10.4, 9.5
Change-Id: I10f6386f0986f514a1387fb1153bbfc36f9c9dcc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70336
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 09 Aug, 2021 2 commits
-
-
Andreas Fernandez authored
Currently, the TYPO3 backend shows incomplete version information regarding updates in the Core Updater and the reports. Both take community-supported releases into account only and ignore the fact that certain versions are covered by the ELTS program and thus render messages about unsupported or invalid versions, which are false statements.

We now use the full information from get.typo3.org, and added lengthy tests to avoid any further issues. The internally used CoreVersionService is now able to handle ELTS releases as well and give proper information to admins.

Resolves: #94745
Releases: master, 10.4, 9.5
Change-Id: I6485d36ded943acba723d55e23275554484e4f82
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70311
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
-
After query filters for file storages have been used, those settings have to be reset. `StorageRepository::$storageInstances` actually applies an implicit singleton pattern to file storage objects.

Resolves: #94714
Releases: master, 11.3, 10.4, 9.5
Change-Id: I353b782f8e98c55df6f9cb2e14a0745d83bfdc70
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70297
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 08 Aug, 2021 1 commit
-
-
Christian Kuhn authored
Honor -x option for acceptance tests: Both 'Tester' and 'System under test' allow break points with -s acceptance and -s install.

Resolves: #93734
Releases: master, 10.4, 9.5
Change-Id: Ia3f5a518089be675e33ddc673ebd4c99b2dbfaf6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70174
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- 06 Aug, 2021 1 commit
-
-
Christian Kuhn authored
A couple of minor testing-framework patches are worth being pulled into core v9.

composer req --dev typo3/testing-framework:^4.15.5
composer req --dev typo3/testing-framework:^4.15.5 -d typo3/sysext/core/ --no-update

Change-Id: I1a4de0ac8b93bd2373db28180ea5642785af54c4
Resolves: #94732
Releases: 9.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70274
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- 02 Aug, 2021 1 commit
-
-
Resolves: #94189
Releases: master, 10.4, 9.5
Change-Id: Idd70dda6b26c4e6462b351d61ac03e76b7fd9533
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70172
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: crell <larry@garfieldtech.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- 29 Jul, 2021 3 commits
-
-
For convenience when creating files with code snippets, the indent of .rst is changed to 4 spaces. This works for all cases, also for lists where normally 3 spaces are used.

Resolves: #94669
Releases: master, 10.4, 9.5
Change-Id: If1ed5927a1e5e17e56edf0696eb4c528599b788c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70160
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
Fixes layout problems: malformed lists, malformed headlines, non-working links to documentation or other changelogs. The directive `:ts:` and `.. code-block:: ts` are only used for TypeScript; they are exchanged for `:typoscript:` in TypoScript examples.

Resolves: #94534
Releases: master, 10.4, 9.5
Change-Id: I61e3c5910d6a5bc97f1ec887ce5b2c1e6d59a2db
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70158
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
Christian Kuhn authored
The nifty ruleset for handling core changelog files described at https://docs.typo3.org/c/typo3/cms-core/10.4/en-us/Changelog/Howto.html sometimes gets violated by one patch or the other. This happens, so we occasionally synchronize Changelog files between versions.

Resolves: #94668
Releases: master, 10.4, 9.5
Change-Id: Ia02af5909687a6f200257b791fee098ced7f32b5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70156
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- 27 Jul, 2021 1 commit
-
-
Oliver Bartsch authored
#94612 introduced the realpath command for retrieving the "CORE_ROOT" path. This however leads to execution failures on MacOS systems on which this command was not installed manually (as it's not installed by default). To prevent the script from failing on default MacOS systems, a check for the existence of the realpath command is added. If it is not installed, the previous behaviour is used while displaying a short information.

Resolves: #94635
Related: #94612
Releases: master, 10.4, 9.5
Change-Id: I30792f1e5492b57adf7ff28a7fa2c415ac2e094c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70133
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
-
- 26 Jul, 2021 1 commit
-
-
Benni Mack authored
The GitHub main repository has been renamed from "TYPO3/TYPO3.CMS" to "typo3/typo3". The new URL is https://github.com/typo3/typo3

This change adapts all places in TYPO3 Core to this renaming.

Resolves: #94639
Releases: master, 10.4, 9.5
Change-Id: Ia5c3136a48b8b4580283277da4b7b11768c32132
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70075
Tested-by: core-ci <typo3@b13.com>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Benni Mack <benni@typo3.org>
-
- 22 Jul, 2021 1 commit
-
-
docker-compose.yml is now working with v2.0.0beta. Restored old behavior to retrieve the actual CORE_ROOT path using "realpath", which also works on MacOS.

Resolves: #94612
Releases: master, 10.4, 9.5
Change-Id: I62ab40870e285b3533a259105dac241e3c4a6af2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70053
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- 20 Jul, 2021 7 commits
-
-
Change-Id: I06e6dfb94b03924457e918dd8ae8e767259370ea
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69996
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Change-Id: I5fa0c57b0498f4335546f1a7462ad41ae51f210c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69995
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
When having the debug logging activated for the authentication process, sensitive data is not being logged anymore. This change

* removes password from being logged
* hashes the cookie value processed for logging

Resolves: #93925
Releases: master, 11.3, 10.4, 9.5
Change-Id: I8c610a72014de571ef52b4430c43f8d149b273d9
Security-Bulletin: CORE-SA-2021-012
Security-References: CVE-2021-32767
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69982
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
The column names, defined in backend layouts, were not properly encoded at some places and therefore led to an XSS vulnerability. The issue is addressed by properly encoding user input.

Resolves: #93683
Releases: master, 11.3, 10.4, 9.5, 8.7
Change-Id: I787cee9f56a30aeaf69294412c8d5198a144e31c
Security-Bulletin: CORE-SA-2021-011
Security-References: CVE-2021-32669
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69981
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Properly encodes error messages to be used in HTML output in the Query View component.

Resolves: #93868
Releases: master, 11.3, 10.4, 9.5
Change-Id: I05812ac7c1cded39edbf10d50bb4dc0fd8faf577
Security-Bulletin: CORE-SA-2021-010
Security-References: CVE-2021-32668
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69980
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
The `viewpage` module contains a preset selection, where users can select different browser viewports. Since the corresponding preset labels, configurable via TSconfig, had not been encoded properly, it was vulnerable to XSS. The issue is addressed by properly encoding the labels.

Resolves: #93702
Releases: master, 11.3, 10.4, 9.5
Change-Id: Ia22c5ab4332816614dd07a93d7e739d9fc1d8bac
Security-Bulletin: CORE-SA-2021-009
Security-References: CVE-2021-32667
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69979
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
* uses stream filter to enclose multi-line content
* adds three choosable strategies dealing with control literals
  + TYPE_REMOVE_CONTROLS - removes control literals (default)
  + TYPE_PREFIX_CONTROLS - prefixes control literal sequence with `'`
  + TYPE_PASSTHROUGH - nothing, passthrough data

The default strategy is `TYPE_REMOVE_CONTROLS` when invoking `\TYPO3\CMS\Core\Utility\CsvUtility::csvValues`.

Resolves: #94271
Releases: master, 11.3, 10.4, 9.5
Change-Id: I2568a0c2dfa6d4636e211e97d66a513984532cc9
Security-Bulletin: TYPO3-PSA-2021-002
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69971
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 19 Jul, 2021 2 commits
-
-
Upgrade JavaScript packages chart.js, codemirror and ckeditor4 addressing known and disclosed vulnerabilities.

* chart.js: Prototype Pollution
  https://app.snyk.io/vuln/SNYK-JS-CHARTJS-1018716
* codemirror: Regular Expression DoS (ReDoS)
  https://app.snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937
* ckeditor4: Cross-Site Scripting
  https://app.snyk.io/vuln/SNYK-JS-CKEDITOR4-1303090

Executed command:

```
cd Build; nvm use; yarn upgrade chart.js codemirror ckeditor4
```

Resolves: #94583
Releases: master, 10.4, 9.5
Change-Id: I56c1948f5785f4ecf9f51998f006825a952280bd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69958
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
A second test is marked skipped until an upstream patch is merged and released.

Resolves: #94582
Related: #94565
Related: #94492
Releases: master, 10.4, 9.5
Change-Id: Ia899c47a80bba60840f011766b816af90e160498
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69938
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 16 Jul, 2021 1 commit
-
-
SVG sanitizer test dataset entity.svg is causing a segmentation fault in certain scenarios - which might be related to libxml2 before version 2.9.12. Unfortunately, investigations did not reveal any further details other than libxml2. As a result the `entity.svg` test dataset, which is causing this problem, is skipped until https://github.com/darylldoyle/svg-sanitizer/pull/53 is merged and released in the upstream library.

Resolves: #94565
Releases: master, 10.4, 9.5
Change-Id: I8375954dad64e3955f88122fa51dca7f796d077b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69896
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 15 Jul, 2021 1 commit
-
-
Originally introduced with #93453, this patch backports the method `stripHtml()` from the `SecurityUtility` TypeScript module for easier backports of patches using this method.

Resolves: #94561
Related: #93453
Releases: 10.4, 9.5
Change-Id: I57df703672c8dc20eb2c192678f7e9035359a1ac
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69856
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 13 Jul, 2021 4 commits
-
-
Resolves: #94556
Releases: master, 10.4, 9.5
Change-Id: I0a0515ec84408c4914a93d704e635f40ce90b22e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69829
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
For legacy reasons, storage resolving in the file abstraction layer still supports using identifiers like `/fileadmin/img.png` instead of `1:/img.png` (given that `1:` corresponds to the `fileadmin/` storage). To resolve the "best matching storage", existing storage paths are analyzed - however, this did not work in the following cases:

+ identifier like `/fileadmin/img.png` on storage using relative base-path like `fileadmin/`
+ identifier using absolute path on storage with relative base-path
+ identifier using relative path on storage with absolute base-path

Resolves: #94519
Releases: master, 10.4, 9.5
Change-Id: Id8663b3e7fc40d777288bd498d2250e528f4f4af
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69826
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
Resolves: #94554
Releases: master, 10.4, 9.5
Change-Id: I30ad916b71adaa7db97b40584f7d65453936ec87
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69781
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
-
This change introduces the behavior of extension `t3g/svg-sanitizer` into the TYPO3 core. Sanitizing SVG data is actually done by the external package `enshrined/svg-sanitize` by Daryll Doyle. The following aspects are introduced:

+ handle `GeneralUtility::upload_copy_move` invocations
+ handle FAL action events `file-add`, `file-replace`, `set-content`
+ provide upgrade wizard, sanitizing all SVG files in storages that are using `LocalDriver`

Custom usage:

```
$sanitizer = new \TYPO3\CMS\Core\Resource\Security\SvgSanitizer();
$sanitizer->sanitizeFile($sourcePath, $targetPath);
$svg = $sanitizer->sanitizeContent($svg);
```

Basically this change enforces the following public service announcements concerning SVG files, to enhance these security aspects per default:

+ https://typo3.org/security/advisory/typo3-psa-2020-003
+ https://typo3.org/security/advisory/typo3-psa-2019-010

Resolves: #94492
Releases: master, 10.4, 9.5
Change-Id: I42c206190d8a335ebaf77b7e5d57b383e3bcbae1
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69818
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
-
- 09 Jul, 2021 2 commits
-
-
Documents the fact that the bundled jQuery v3.3.1 actually has been patched to reflect security changes for jQuery v3.4.1 and v3.5.1 - but besides that still behaves like v3.3.1 in terms of backward compatibility.

Resolves: #94337
Releases: 10.4, 9.5
Change-Id: I00395f9307d16ee5d740a975017242587546f516
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69483
Tested-by: Simon Gilli <typo3@gilbertsoft.org>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Simon Gilli <typo3@gilbertsoft.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
-
The check that the file is in one of the temporary folders has been removed, as this check is already done in the unlink method of the GeneralUtility. This patch specifically addresses composer based installations.

Resolves: #94500
Releases: master, 10.4, 9.5
Change-Id: I0a38f5ef3da3494ca38310033f63cc591931fb63
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69774
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
-
- 30 Jun, 2021 1 commit
-
-
Christian Kuhn authored
guzzlehttp/psr7 is not only an indirect dependency from guzzlehttp/guzzle, but also a direct core dependency since we extend LazyOpenStream in SelfEmittableLazyOpenStream. Declare that dependency directly, which also blocks upcoming guzzlehttp/psr7:2.0 which is currently incompatible with our core use.

composer req guzzlehttp/psr7:^1.4.0 --no-update
composer req guzzlehttp/psr7:^1.4.0 -d typo3/sysext/core --no-update
composer update --lock

Change-Id: I4968bc854545262ce0230ea71647463f5a332f54
Resolves: #94422
Releases: master, 10.4, 9.5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69666
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: David Bruchmann <davidbruchmann@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
-