1. 14 Jun, 2022 1 commit
      [SECURITY] Restrict export functionality to allowed users · 7447a3d1
      Torben Hansen authored and Oliver Hader committed
      The import functionality of the import/export module is already
      restricted to admin users or users who explicitly have access through
      the user TSConfig setting "options.impexp.enableImportForNonAdminUser".
      
      The export functionality has the following security drawbacks:
      
      * Export for editors is not limited on field level
      * The "Save to filename" functionality saves to a shared folder, which
        other editors with different access rights may have access to.
      
      Both issues are not easy to resolve and also the target audience for
      the Import/Export functionality is mainly TYPO3 admins.
      
      Therefore, now also the export functionality is restricted to TYPO3
      admin users and to users who explicitly have access through the new
      user TSConfig setting "options.impexp.enableExportForNonAdminUser".
      
      Additionally, the contents of the temporary "importexport" folder in
      file storages is now only visible to users who have access to the
      export functionality.
      
      In general, it is recommended to only install the Import/Export
      extension when the functionality is required.
      
      Resolves: #94951
      Releases: main, 11.5, 10.4
      Change-Id: Iae020baf051aeec0613366687aa8ebcbf9b3d8b2
      Security-Bulletin: TYPO3-CORE-SA-2022-001
      Security-References: CVE-2022-31046
      Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74902
      
      
      Tested-by: Oliver Hader <oliver.hader@typo3.org>
      Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  2. 07 Jun, 2022 1 commit
  3. 28 May, 2022 1 commit
  4. 11 Apr, 2022 1 commit
  5. 05 Feb, 2022 1 commit
  6. 28 Jan, 2022 1 commit
  7. 02 Dec, 2021 1 commit
  8. 17 Oct, 2021 1 commit
  9. 13 Oct, 2021 1 commit
  10. 12 Oct, 2021 2 commits
  11. 24 Sep, 2021 1 commit
  12. 23 Sep, 2021 1 commit
      [TASK] Do not use custom "getInstance()" methods on Singleton interfaces · cb355fa5
      Benni Mack authored
      There was a time when new code for TYPO3 Core was introduced
      by using "MyClass::getInstance()" to act as a factory for this
      class, which _would_ be OK if these classes are actually prototypes
      and not services (or singleton services), as GeneralUtility::makeInstance()
      or DI via Services.yaml works as well.
      
      This change deprecates all getInstance methods around such code
      with GeneralUtility::makeInstance() calls. At a later point, proper DI
      can be introduced in these cases.
      
      * TYPO3\CMS\Core\Resource\Index\ExtractorRegistry::getInstance()
      * TYPO3\CMS\Core\Resource\Index\FileIndexRepository::getInstance()
      * TYPO3\CMS\Core\Resource\Index\MetaDataRepository::getInstance()
      * TYPO3\CMS\Core\Resource\OnlineMedia\Helpers\OnlineMediaHelperRegistry::getInstance()
      * TYPO3\CMS\Core\Resource\Rendering\RendererRegistry::getInstance()
      * TYPO3\CMS\Core\Resource\TextExtraction\TextExtractorRegistry::getInstance()
      * TYPO3\CMS\Form\Service\TranslationService::getInstance()
      * TYPO3\CMS\T3editor\Registry\AddonRegistry::getInstance()
      * TYPO3\CMS\T3editor\Registry\ModeRegistry::getInstance()
      
      Resolves: #95326
      Releases: master
      Change-Id: Ie3160c67792e115cf5488dc800bd717c0b913ab9
      Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71178
      
      
      Tested-by: core-ci <typo3@b13.com>
      Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
      Tested-by: Oliver Bartsch <bo@cedev.de>
      Tested-by: Benni Mack <benni@typo3.org>
      Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
      Reviewed-by: Oliver Bartsch <bo@cedev.de>
      Reviewed-by: Benni Mack <benni@typo3.org>
  13. 29 Jul, 2021 1 commit
  14. 26 May, 2021 1 commit
  15. 24 Mar, 2021 1 commit
  16. 12 Mar, 2021 1 commit
  17. 19 Jan, 2021 1 commit
  18. 30 Nov, 2020 1 commit
  19. 28 Oct, 2020 1 commit
  20. 06 Oct, 2020 1 commit
  21. 30 Sep, 2020 1 commit
  22. 04 Sep, 2020 1 commit
  23. 30 May, 2020 1 commit
  24. 22 May, 2020 1 commit
  25. 16 Apr, 2020 1 commit
  26. 15 Apr, 2020 1 commit
  27. 14 Apr, 2020 1 commit
  28. 08 Apr, 2020 1 commit
  29. 23 Mar, 2020 1 commit
  30. 30 Jan, 2020 1 commit
  31. 30 Dec, 2019 1 commit
  32. 22 Nov, 2019 1 commit
  33. 15 Nov, 2019 1 commit
  34. 09 Nov, 2019 1 commit
  35. 07 Oct, 2019 1 commit
  36. 28 Aug, 2019 1 commit
  37. 27 Aug, 2019 1 commit
  38. 21 Jul, 2019 1 commit
  39. 07 May, 2019 1 commit