- 20 Jul, 2021 6 commits
-
-
Change-Id: Ica90f7ddb25c8d9504a5c250eb040b436d7ae9ec Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69997 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
When having the debug logging activated for the authentication process, sensitive data is not being logged anymore. This change * removes password from being logged * hashes the cookie value processed for logging Resolves: #93925 Releases: master, 11.3, 10.4, 9.5 Change-Id: I8c610a72014de571ef52b4430c43f8d149b273d9 Security-Bulletin: CORE-SA-2021-012 Security-References: CVE-2021-32767 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69986 Tested-by:
-
The column names, defined in backend layouts, were not properly encoded at some places and therefore led to a XSS vulnerability. The issue is addressed by properly encoding user input. Resolves: #93683 Releases: master, 11.3, 10.4, 9.5, 8.7 Change-Id: I787cee9f56a30aeaf69294412c8d5198a144e31c Security-Bulletin: CORE-SA-2021-011 Security-References: CVE-2021-32669 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69985 Tested-by:
-
Properly encodes error messages to be used in HTML output in Query View component. Resolves: #93868 Releases: master, 11.3, 10.4, 9.5 Change-Id: I05812ac7c1cded39edbf10d50bb4dc0fd8faf577 Security-Bulletin: CORE-SA-2021-010 Security-References: CVE-2021-32668 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69984 Tested-by:
-
The `viewpage` module contains a preset selection, where users can select different browser viewports. Since the corresponding preset labels, configurable via TSconfig, had not been encoded properly, is was vulnerable to XSS. The issue is addressed by properly encoding the labels. Resolves: #93702 Releases: master, 11.3, 10.4, 9.5 Change-Id: Ia22c5ab4332816614dd07a93d7e739d9fc1d8bac Security-Bulletin: CORE-SA-2021-009 Security-References: CVE-2021-32667 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69983 Tested-by:
-
* uses stream filter to enclose multi-line content * adds three choosable strategies dealing with control literals + TYPE_REMOVE_CONTROLS - removes control literals (default) + TYPE_PREFIX_CONTROLS - prefixes control literal sequence with `'` + TYPE_PASSTHROUGH - nothing, passthrough data The default strategy is `TYPE_REMOVE_CONTROLS` when invoking `\TYPO3\CMS\Core\Utility\CsvUtility::csvValues`. Resolves: #94271 Releases: master, 11.3, 10.4, 9.5 Change-Id: I2568a0c2dfa6d4636e211e97d66a513984532cc9 Security-Bulletin: TYPO3-PSA-2021-002 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69972 Tested-by:
-
- 19 Jul, 2021 3 commits
-
-
Prevent a possible TypeError in TableController by casting the input argument to string. Resolves: #94446 Releases: master, 10.4 Change-Id: I208123f542ca6cf34db51889138fb626da0deb41 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69939 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by:
-
Upgrade JavaScript packages chart.js, codemirror and ckeditor4 addressing known and disclosed vulnerabilities. * chart.js: Prototype Pollution https://app.snyk.io/vuln/SNYK-JS-CHARTJS-1018716 * codemirror: Regular Expression DoS (ReDoS) https://app.snyk.io/vuln/SNYK-JS-CODEMIRROR-1016937 * ckeditor4: Cross-Site Scripting https://app.snyk.io/vuln/SNYK-JS-CKEDITOR4-1303090 Executed command: ``` cd Build; nvm use; yarn upgrade chart.js codemirror ckeditor4 ``` Resolves: #94583 Releases: master, 10.4, 9.5 Change-Id: I56c1948f5785f4ecf9f51998f006825a952280bd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69957 Tested-by:
core-ci <typo3@b13.com>
Tested-by: -
A second test is marked skipped until an upstream patch is merged and released. Resolves: #94582 Related: #94565 Related: #94492 Releases: master, 10.4, 9.5 Change-Id: Ia899c47a80bba60840f011766b816af90e160498 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69937 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 16 Jul, 2021 1 commit
-
-
SVG sanitizer test dataset entity.svg is causing segmentation fault in certain scenarios - which might be related to libxml2 before version 2.9.12. Unfortunately, investigations did not reveal any further details other than libxml2. As a result `entity.svg` test dataset, which is causing this problem is skipped until https://github.com/darylldoyle/svg-sanitizer/pull/53 is merged and released in the upstream library. Resolves: #94565 Releases: master, 10.4, 9.5 Change-Id: I8375954dad64e3955f88122fa51dca7f796d077b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69895 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 15 Jul, 2021 1 commit
-
-
Originally introduced with #93453, this patch backports the method `stripHtml()` from the `SecurityUtility` TypeScript module for easier backports of patches using this method. Resolves: #94561 Related: #93453 Releases: 10.4, 9.5 Change-Id: I57df703672c8dc20eb2c192678f7e9035359a1ac Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69855 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by:
-
- 13 Jul, 2021 4 commits
-
-
Resolves: #94556 Releases: master, 10.4, 9.5 Change-Id: I0a0515ec84408c4914a93d704e635f40ce90b22e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69828 Tested-by:
core-ci <typo3@b13.com>
Tested-by: -
For legacy reasons storage resolving in file abstraction layer still supports using identifiers like `/fileadmin/img.png` instead of `1:/img.png` (given, that `1:` corresponds to `fileadmin/` storage). To resolve the "best matching storage", existing storage paths are analyzed - however this did not work in the following cases: + identifier like `/fileadmin/img.png` on storage using relative base-path like `fileadmin/` + identifier using absolute path on storage with relative base-path + identifier using relative path on storage with absolute base-path Resolves: #94519 Releases: master, 10.4, 9.5 Change-Id: Id8663b3e7fc40d777288bd498d2250e528f4f4af Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69795 Tested-by:
core-ci <typo3@b13.com>
Tested-by: -
Resolves: #94554 Releases: master, 10.4, 9.5 Change-Id: I30ad916b71adaa7db97b40584f7d65453936ec87 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69780 Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
-
This change introduces behavior of extension `t3g/svg-sanitizer` into the TYPO3 core. Sanitizing SVG data is actually done by external package `enshrined/svg-sanitize` by Daryll Doyle. The following aspects are introduced: + handle `GeneralUtility::upload_copy_move` invocations + handle FAL action events `file-add`, `file-replace`, `set-content` + provide upgrade wizard, sanitizing all SVG files in storages that are using `LocalDriver` Custom usage: ``` $sanitizer = new \TYPO3\CMS\Core\Resource\Security\SvgSanitizer(); $sanitizer->sanitizeFile($sourcePath, $targetPath); $svg = $sanitizer->sanitizeContent($svg); ``` Basically this change enforces following public service announcements concerning SVG files, to enhance these security aspects per default: + https://typo3.org/security/advisory/typo3-psa-2020-003 + https://typo3.org/security/advisory/typo3-psa-2019-010 Resolves: #94492 Releases: master, 10.4, 9.5 Change-Id: I42c206190d8a335ebaf77b7e5d57b383e3bcbae1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69817 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 12 Jul, 2021 6 commits
-
-
Oliver Bartsch authored
When fetching available shortcuts for a user, also permissions are checked by the ShortcutRepository. However previously a lot of use-cases were missed and the implemented checks were more or less faulty, especially when it comes to non-admin users. Therefore, three main topics are now handled properly: * Evaluation of record edit permissions for shortcuts, targeting the record_edit route * Evaluation of page access permissions for every shortcut not targeting the file list * Proper distinction between shortcuts for file list and the ones for other modules, since both use the "id" argument, while for the file list, this is a string (combined identifier), and for the rest, this is an integer (the requested page id or the records' pid) Resolves: #89530 Resolves: #93516 Releases: master, 10.4 Change-Id: Ib18eaf506886627360c58857f0160d008e130368 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69765 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Peter Kraume <peter.kraume@gmx.de> Tested-by:
Jochen <rothjochen@gmail.com>
Tested-by: 
Oliver Bartsch <bo@cedev.de>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de> -
Oliver Bartsch authored
The Extbase ImageService contains a helper method `getImage()`. This method tries to find an image in a couple of different ways, depending on the given input arguments. To improve the usability, the exception messages are now dedicated to their corresponding try. As a side effect, the method is now also more readable as it now uses guard clauses and also contains a couple of code comments. Resolves: #94518 Releases: master, 10.4 Change-Id: I31d94eb89dd58a01d7911907ca82a256a0ba7cf3 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69816 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de> -
Oliver Bartsch authored
The custom ContextMenu ItemProviders for sys_filemounts and sys_file_storage are removed as they never worked, because they extended the FileProvider, which uses the combined identifier as record identifier instead of the records uid. Also their $itemsConfiguration does not make any sense. In the end, there is no reason to treat those record types differently than the rest. Resolves: #90921 Releases: master, 10.4 Change-Id: Ifd24755455d75d781a7caefa808a8b87318ca487 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69778 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de> -
This patch fixes several small bugs regarding DataHandler range validation: 1. The strict comparison of the value against the default value might compare floats with integer values. This causes the condition to be always true. Besides of that, it's not smart to skip range validation if the value equals the default value as the default value itself can be out of range due to user error. 2. The TCA option "checkbox" for fields of type "input" is not used anymore since TYPO3 4.5. This can be safely removed as the todo stated. 3. The tests for range validation with values evaluated as type double used an incorrect eval value: "double". The correct value is "double2". Tests are fixed according to that. Resolves: #94527 Releases: master, 10.4 Change-Id: I9cdf836272b4cce64f9e35a09107499d25fc955f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69776 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org> Reviewed-by:
-
Under certain conditions closing divs were missing: 1. When all fieldControls are disabled. 2. If the field itself is disabled. This fixes these cases, so we have correct html at all times. Resolves: #94535 Releases: master, 10.4 Change-Id: Ieb7670666b6a927e80eb7377770d7f54189bc093 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69777 Tested-by:
core-ci <typo3@b13.com>
Tested-by: -
Since the page title field is labeled by "Page X:", instead of the field label (as it's the case for the doktype), a placeholder is now added, making the expected value clear to the user. Resolves: #94525 Releases: master, 10.4 Change-Id: I1c10a0ca5e0954aa5584561e1e4247003a61e61d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69775 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 09 Jul, 2021 5 commits
-
-
Andreas Fernandez authored
An administrator is now able to abort the confirmation of an selected upgrade wizard without the need to close and re-open the modal. Resolves: #94515 Releases: master, 10.4 Change-Id: I0c7d63a13a4f0f63844ee28be09dec203dd9c5ac Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69796 Tested-by:
core-ci <typo3@b13.com>
Tested-by: -
Andreas Fernandez authored
Documents the fact that bundled jQuery v3.4.1 actually has been patched to reflect security changes for jQuery v3.5.1 - but besides that still behaves like v3.4.1 in terms of backward compatibility. Resolves: #94337 Releases: 10.4, 9.5 Change-Id: I00395f9307d16ee5d740a975017242587546f516 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69488 Tested-by:
core-ci <typo3@b13.com>
Tested-by: 
Simon Gilli <typo3@gilbertsoft.org>
Tested-by: Simon Gilli <typo3@gilbertsoft.org>
Reviewed-by: -
The check that the file is in one of the temporary folders has been removed, as this check is already done in the unlink method of the GeneralUtility. This patch specifically addresses composer based installations. Resolves: #94500 Releases: master, 10.4, 9.5 Change-Id: I0a38f5ef3da3494ca38310033f63cc591931fb63 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69773 Tested-by:
core-ci <typo3@b13.com>
Tested-by: -
Oliver Bartsch authored
The ImageService->getImageFromSourceString() tries to retrieve a FileInterface from a given source string, e.g. with the "EXT:" prefix. However, because the used ResourceFactory->retrieveFileOrFolderObject() method can also return a FolderInterface or NULL, this must be handled to prevent a TypeError. Therefore, the final $image value is now checked for being a FileInterface. Otherwise NULL is returned, which is then handled with a custom exception in the calling `getImage()` method. Resolves: #94495 Releases: master, 10.4 Change-Id: I95836fd3c1701cc8c9b9e07c5b8e10a7fb9ee9cc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69772 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de> -
Page Module partial `PageLayout/Record/Preview` tries to render optional `PageLayout/Record/{item.record.CType}/Preview` and falls back to a raw representation if that custom partial does not exist. In case `CType` is empty, this resolves to `PageLayout/Record//Preview` which is actually using `PageLayout/Record/Preview.html` again - that's the partial again that initiated the process - which will after some seconds crash due to an endless loop of that partial. In order to make things explicit, the defaults are now located in their dedicated namespace `RecordDefault` to avoid ambiguity. * `PageLayout/Record/Preview` -> `PageLayout/RecordDefault/Preview` * `PageLayout/Record/Header` -> `PageLayout/RecordDefault/Header` * `PageLayout/Record/Footer` -> `PageLayout/RecordDefault/Footer` Resolves: #94343 Releases: 10.4, master Change-Id: I0c0385a9d89561de2395fc81124e471ee9fed8dd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69769 Tested-by:core-ci <typo3@b13.com>
Reviewed-by:
-
- 07 Jul, 2021 1 commit
-
-
Add missing pagination example to feature rst. Only paginator is not enough to actually create a new pagination. Relates: #89603 Releases: master, 10.4 Change-Id: Ie6852b76fb79f131d3b8553640ef29ab60e072de Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69693 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 06 Jul, 2021 1 commit
-
-
In the install tool the flash message is not visible when a user scrolls down. This has been solved by setting position to fixed. Resolves: #94479 Releases: master, 10.4 Change-Id: Id86c54bd7286567bd6fe95bb1aea21a9b4558fd6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69725 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
-
- 01 Jul, 2021 2 commits
-
-
Resolves: #94458 Releases: master, 10.4 Change-Id: Ief3e5f9ee91a15629f6254e4d56bd9050b642730 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69692 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de> -
Resolves: #94455 Releases: master, 10.4 Change-Id: I0a7009482c0797ebb0f138cc209d98d88d830654 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69683 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
-
- 30 Jun, 2021 1 commit
-
-
Christian Kuhn authored
guzzlehttp/psr7 is not only an indirect dependency from guzzlehttp/guzzle, but also a direct core dependency since we extend LazyOpenStream in SelfEmittableLazyOpenStream. Declare that dependency directly, which also blocks upcoming guzzlehttp/psr7:2.0 which is currently incompatible with our core use. composer req guzzlehttp/psr7:^1.4.0 --no-update composer req guzzlehttp/psr7:^1.4.0 -d typo3/sysext/core --no-update composer update --lock Change-Id: I4968bc854545262ce0230ea71647463f5a332f54 Resolves: #94422 Releases: master, 10.4, 9.5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69667 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 28 Jun, 2021 1 commit
-
-
Since #27471 it's possible to hide all or specific tables within the recordlist. However, the special "page translations" table did not respect those settings, making it impossible to hide this table. This is now fixed by respecting the corresponding settings. Resolves: #94386 Releases: master, 10.4 Change-Id: I33575624ade9ecf840b6fde713a7d3214d6506be Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69540 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Jochen <rothjochen@gmail.com>
Reviewed-by:
-
- 27 Jun, 2021 1 commit
-
-
In order to help support upgrade paths, some key information is kept until TYPO3 v12 (= not yet removed), so this documented properly now. Resolves: #94412 Releases: master, 10.4 Change-Id: I5ce94d24dfd57008374272e48ee9132974f6a562 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69612 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 22 Jun, 2021 2 commits
-
-
In the select list in "Info > Page TSconfig" the technical representation of the terms (as they are used when setting TSconfig) is now shown in brackets, e.g. [RTE.]. This is consistent with showing the technical representation in other places in the backend, such as the page id in the page layout or page tree, the table fields and Flexform fields in the edit forms etc. Where there are descriptive terms, (such as "Module: Web>Page") a combination of the descriptive terms and the technical terms is used, such as "Module: Web>Page [mod.web_layout.]" The explanation "with overruling user settings" for mod is omitted. This would make the list more cluttered and visually distracting. If it is necessary to point this out, it might be added as a note in the results. Resolves: #94323 Related: #94322 Releases: master, 10.4 Change-Id: I728f3d6399f040356d7bee4e30c3f33baf9703d4 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69553 Tested-by:
core-ci <typo3@b13.com>
Tested-by: -
PHP Warning: array_key_exists() expects parameter 2 to be array, null given in ArrayUtility.php line 297, when an longer path than exists in given array is set. Releases: master, 10.4 Resolves: #94379 Change-Id: I9ef40d2cf82f777b3a289dfaa4f8cbfcc2a5bba5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69552 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 18 Jun, 2021 2 commits
-
-
Oliver Bartsch authored
The FileProvider tries to retrieve the file / folder object on initialization. In case the requested folder or storage is temporarily offline, a ResourceDoesNotExistException is thrown. This is now fixed by catching the exception an setting the $record to NULL. This allows to still render the context menu with the remaining options, such as edit the storage record or display the records information. Resolves: #94372 Releases: master, 10.4 Change-Id: I2ef6437b0d6e22462d73c9536433d7dc1914f680 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69441 Tested-by:
core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de> -
Extracts TypoScript instruction handling to test trait, which enables to reuse corresponding methods. Resolves: #94354 Releases: master, 10.4, 9.5 Change-Id: I34f25070d926f1236b1f7bbd623e0060760b0819 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69503 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 17 Jun, 2021 1 commit
-
-
This will add a basic acceptance test for reports module because the page was not loaded using php 8.0 Resolves: #94358 Related: #94346 Releases: master, 10.4 Change-Id: I1d73e58c1f767799e0e9ecd71db8d41ecdada6b0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69439 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 16 Jun, 2021 1 commit
-
-
Adds examples of how to override core templates. Resolves: #90566 Releases: master, 10.4 Change-Id: I09f7b89542cc7f22c56b6689b9e9b6d0d066fc74 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69438 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
- 15 Jun, 2021 1 commit
-
-
If a field has a '''double''' eval, '''upper''' and '''lower''' range checks don't work as expected as the value is always cast to an int before comparison. Switching to floor and ceil helps with these edge cases while retaining the casting to int behaviour. Resolves: #94103 Releases: master,10.4 Change-Id: I28b77e2360b86e27e0297a08c5b6d20e0637a0dd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69437 Tested-by:
core-ci <typo3@b13.com>
Tested-by:
-
