- 07 May, 2019 7 commits
-
-
Change-Id: I89f8d10d179828ab0a820fa799e33cedda0b0d6b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60706 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
-
In order to enclose and avoid type guessing done by ImageMagick based on mime-type and internal file content checks, new value object class ImageMagickFile has been introduced as guard for those invocations. Resolves: #87588 Releases: master, 9.5, 8.7 Security-Commit: ed781f1f9dc851299c4a1544695e3763e735731e Security-Bulletin: TYPO3-CORE-SA-2019-012 Change-Id: Id6457941acd062f52c4f809c6406a05f1c2ae6e6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60696 Tested-by:
-
On DataHandler update or when updating a users password via EXT:felogin, all existing sessions are destroyed except for the current session. Resolves: #87298 Releases: master, 9.5, 8.7 Security-Commit: ddc2d808998ab4556d68e7a148179d8d7d2da2ff Security-Bulletin: TYPO3-CORE-SA-2019-011 Change-Id: I0aa51665eb1cdb3e772f6c1c5584e99db76ab7b6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60695 Tested-by:
-
Benni Mack authored
Raise Fluid Standalone dependency to the next stable version which fixes an important XSS issue when escaping ternary operators. Used composer command: composer req typo3fluid/fluid:^2.5.5 --prefer-lowest As TYPO3 v8.7 tarballs already delivered 2.5.4, the minimum required version is now 2.5.5. In addition, EXT:core composer.json now explicitly requires Fluid Standalone as it was the case for v9+master already. Resolves: #88288 Releases: master, 9.5, 8.7 Security-Bulletin: TYPO3-CORE-SA-2019-013 Change-Id: Ib87bd7b8e064525b2204296e9be3a0bb7ee5cc78 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60691 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
-
The auto suggest feature of MacBook's touch bar shows information of just entered passwords when editing a record containing a password field in backend forms. The behavior only occurs when Safari is used as client and touch bar word completion is activated. Resolves: #88286 Releases: master, 9.5, 8.7 Change-Id: I588a6edcfc34c403dc9f042adbeca2c711512228 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60690 Reviewed-by:
Frank Naegler <frank.naegler@typo3.org> Reviewed-by:
Richard Haeser <richard@maxserv.com> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
-
This reverts commit 3139b560. "[BUGFIX] Do not cache content with different status code than 200" At the same time we convert a plugin action to uncached, in case a redirect is issued. Resolves: #88178 Releases: 8.7, 9.5, master Change-Id: Icaa8038d1fa4bf1c74dfb505c2b8fc97963ca4be Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60687 Tested-by:
-
In case error occurred (due to missing permission) when editing content in page or list module, those messages have not been visualized to users. Resolves: #87971 Releases: 8.7 Change-Id: I331a1e82bc9282a53a4839947fa9cf4d4248b56c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60539 Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
-
- 06 May, 2019 4 commits
-
-
Phar Stream Wrapper has been upgraded to version 3.1.1 in order to solve performance and alias resolving issues. The interceptor has been streamlined further. composer require typo3/phar-stream-wrapper:^3.1.1 Besides that typo3/testing-framework had to be upgraded to support fixtures that are not symlinked but actually copied in file system. composer require --dev typo3/testing-framework:~1.3.2 Resolves: #88277 Releases: master, 9.5, 8.7 Change-Id: Id6b08557ab507ef66e54d1f39992272fe4791405 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60674 Tested-by:
-
Benjamin Franzke authored
Instead of offloading the work to wait for the final page content, concurrent requests now wait for the real page content to be rendered (and deliver the content from cache once ready) instead of sending a 503 response code and the famous "Page is being generated" message. The logic to wait for the rendered page (lock and wait) is already there thanks to the page locking, but was deliberately circumvented by the temporary page cache content before to get rid of waiting requests in high-load situations. This approach to simply skip the temporary cache and wait for the renderer to finish has been tested using the skip_page_is_being_generated extension in wild for 3 years (for TYPO3 v6, v7, v8 and v9). Note: In case the increased number of waiting requests has a negative impact on sites with high server load, a additional proxy cache should be considered in front of the server to make sure clients are served a valid response without waiting until new content is ready. The motivation for this change: The 503 status code together with the "Page is being generated message" does not only occur for slow or high traffic sites. It will be displayed even for two concurrent requests, no matter how fast the page rendered or how low the current traffic is. The requests only need to (nearly) arrive at the same time. This can easily be reproduced using two parallel curl requests: for i in {1..2}; do curl -sv https://doma.in/foo |& grep '^< HTTP'& done There would be one "503 Service unavailable" response when /foo has not yet been rendered to the cache before. An explanation for the releaseLock('pagesection') addition in TSFE::getFromCache(): This has been added as the pagesection lock – which is acquired in TemplateService::start() – was implicitly released in setPageCacheContent() before. Now this would block concurrent rendering for pages with $_GET-aware plugins, therefore we release the pagesection lock early, after the pagesection cache has been generated. Releases: master, 9.5, 8.7 Resolves: #87980 Change-Id: I034f410335b3035c5863b26e3e689ca29b5f3f80 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60660 Tested-by:Jonas Eberle <flightvision@googlemail.com> Tested-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
-
Resolves: #86675 Releases: 8.7 Change-Id: Ife47f1fe8c78899785fbad73e21e2a2bf9b8441a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60429 Tested-by:
Helmut Hummel <typo3@helhum.io> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Jörg Bösche <typo3@joergboesche.de> Reviewed-by:
Guido Schmechel <guido.schmechel@brandung.de> Reviewed-by:
-
Change-Id: Ic1e1d0f8fd1a128e542e7cada389d681ac41e10f Resolves: #88265 Releases: master, 9.5, 8.7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60672 Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
-
- 02 May, 2019 1 commit
-
-
The touch command raises a PHP WARNING if the test file can not be created, but the next line would already skip the test if this happens. So the warning is useless and gets silenced. Resolves: #88255 Releases: master, 9.5, 8.7 Change-Id: Id9685b6e7da8665609fa7df7f25867ab4d19a6a9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60642 Reviewed-by:
-
- 30 Apr, 2019 1 commit
-
-
Resolves: #88246 Releases: master, 9.5, 8.7 Change-Id: Iad8558cbe22caaefd659fef1681452a962b5cdf7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60624 Tested-by:
-
- 29 Apr, 2019 1 commit
-
-
Benni Mack authored
The Install Tool ships bootstrap on its own, which doesn't make much sense right now, since other components get used from EXT:core as well. For now, the separated bootstrap gets removed and the one of EXT:core is used instead. Resolves: #88219 Related: #88213 Releases: master, 9.5, 8.7 Change-Id: I53425f56a44fa9782d7f3776175ac08bc746e5ab Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60619 Tested-by:
-
- 26 Apr, 2019 3 commits
-
-
When acquiring a lock via the FileLockStrategy it is very important to close the underlying file handle again, if the acquire action failed. The same instance of the FileLockStrategy might be reused later (e.g. in TSFE) again, whereas the (still open) file could have been deleted meanwhile. The file handle would be invalid and another try to open the same file again - with fopen() - may fail. The behaviour of PHP's fopen() is different depending on the actual file storage. Currently things fail on host-mounted drives in containers in Docker for Windows. Resolves: #88197 Releases: master, 9.5, 8.7 Change-Id: If802c670b617119d28aca09fcd5acef95f0ae678 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60562 Tested-by:
-
Andreas Fernandez authored
To ensure that we incorporate the latest known vulnerabilities and issues in Twitter Bootstrap 3.x, the dependency is updated. Executed tasks: cd Build yarn add bootstrap-sass@^3.4.1 --dev yarn exec grunt Then copying the contents of Build/node_modules/bootstrap-sass/assets/javascripts/bootstrap.min.js into typo3/sysext/core/Resources/Public/JavaScript/Contrib/bootstrap/bootstrap.js adding the AMD factory wrapper. Resolves: #88213 Releases: master, 9.5, 8.7 Change-Id: Iae1274b1ca557f6337eea090e39292938b9571f2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60564 Tested-by:
-
Andreas Fernandez authored
This commit introduces live-patching of node_modules, which applies patch files to specific modules (similar to composer-patches). Patch files for fixing jQuery's prototype pollution issue are provided and applied after installing the modules via `yarn install`. http://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ The patches are based on https://github.com/DanielRuf/snyk-js-jquery-174006. Resolves: #88214 Releases: master, 9.5, 8.7 Change-Id: I8c8eed08b0dcec7fe6762dbc70b62064a60c1e73 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60563 Tested-by:
-
- 23 Apr, 2019 1 commit
-
-
Stephan Großberndt authored
Add the missing documentation of the hooks * `password_changed` added in TYPO3 4.3 * `login_error` added in TYPO3 6.0 Releases: master, 9.5, 8.7 Resolves: #88131 Related: #87726, #29698 Change-Id: I0dc875a399da58e13b15225e173392565c64bb03 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60527 Tested-by:
Stephan Großberndt <stephan.grossberndt@typo3.org>
Tested-by: Tobi Kretschmann <tobi@tobishome.de> Tested-by:
Stephan Großberndt <stephan.grossberndt@typo3.org>
Reviewed-by:
-
- 11 Apr, 2019 1 commit
-
-
Thorsten Griebenow authored
Releases: master, 9.5, 8.7 Resolves: #88115 Change-Id: Ia1ab566ef3ebeff69a680b750b8e2ab4e8c9aba6 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60438 Tested-by:
Steffen Frese <steffenf14@gmail.com> Tested-by:
Julian Geils <j_geils@web.de> Tested-by:
Henning Liebe <h.liebe@neusta.de> Tested-by:
Jan Stockfisch <typo3@jan-stockfisch.de> Tested-by:
-
- 05 Apr, 2019 1 commit
-
-
The property lastModifiedDate was removed by some browsers. With this change its existence will be checked and the proper property is used to parse the timestamp in the replace dialog. Resolves: #88081 Releases: master, 9.5, 8.7 Change-Id: I4ae812267ef81c4db5c86d2d6dd814f83bebeb00 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60393 Tested-by:
-
- 03 Apr, 2019 1 commit
-
-
This patch ensures the default charset for the database connection is set to "utf8". The charset would normally be set by the SilentConfigurationUpgradeService but it might be unset when $GLOBALS['TYPO3_CONF_VARS']['DB'] is overwritten in AdditionalConfiguration.php. Releases: 8.7 Resolves: #87827 Related: #85524 Change-Id: Ifc630d479866889959fe69ceb213439b8ce734f7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/59835 Tested-by:
Nicole Cordes <typo3@cordes.co> Tested-by:
Sascha Egerer <sascha@sascha-egerer.de> Reviewed-by:
-
- 02 Apr, 2019 1 commit
-
-
The link must be prefixed with www, else the request will just show an error. Releases: master, 9.5, 8.7 Resolves: #88044 Change-Id: I2a7e5f34a741e92fdc1174d8be73204c19c197eb Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60359 Tested-by:
-
- 15 Mar, 2019 1 commit
-
-
This patch updates ckeditor to the latest version 4.11.3. Used command: yarn upgrade ckeditor List of changes: https://github.com/ckeditor/ckeditor-releases/compare/4.11.1...4.11.3 Resolves: #87905 Releases: master, 9.5, 8.7 Change-Id: Iafbde59625de902774997ca0acffc9a92ba36534 Reviewed-on: https://review.typo3.org/c/60253 Tested-by:
-
- 11 Mar, 2019 1 commit
-
-
Use 1 instead of true as default value. Resolves: #87873 Releases: master, 9.5, 8.7 Change-Id: I6665ebd5b59336a00ea3019cf30ba5c98123a4f6 Reviewed-on: https://review.typo3.org/c/60072 Tested-by:
-
- 09 Mar, 2019 1 commit
-
-
When combining image files with gifbuilder, the hash to identify the resulting file is now stable with respect to the fact whether the files are cropped or scaled in the current request or already cropped before. That leads to stable hashes whenever the same images are processed with the same configuration, and allows reuse as intended. Also ensure that fileInfo returned from ContentObjectRenderer contains width and height information as int, when they are returned from database as that may lead to different serialized representations of the configuration Resolves: #44518 Resolves: #86947 Resolves: #87224 Releases: 8.7, 9.5, master Change-Id: I833585034cacaf5a0ad66ba3ff04ac3920421085 Reviewed-on: https://review.typo3.org/c/59959 Reviewed-by:
-
- 08 Mar, 2019 1 commit
-
-
When creating a file with a disallowed file extension an exception was thrown as on creation the redirect to edit interface on a non-existing file was called. Though the better fix might be to prevent the request for an invalid file to be sent at all this fix ensures a working file list module in a more "surgical" way to allow secure backporting. Resolves: #87527 Releases: master, 9.5, 8.7 Change-Id: I35a054c05b37c09acab83a7aa9eca89cf9ebf6b9 Reviewed-on: https://review.typo3.org/c/59926 Tested-by:
-
- 07 Mar, 2019 2 commits
-
-
Files like "file.pl.txt" cannot be uploaded anymore since ".pl" is considered as executable Perl file. In multilingual scenarios "pl" is used as reference for Polish content. Since required modules mod_perl or mod_cgid are not enabled by default, and limited to be executable only when invoked in location "/cgi-bin/", now only files ending with ".pl" (e.g. "file.pl") are denied. Resolves: #87733 Releases: master, 9.5, 8.7 Change-Id: Ib9a69fd3ec04f51653857d2f7309e30b78932653 Reviewed-on: https://review.typo3.org/c/59914 Tested-by:
-
Despite $resultArray['additionalHiddenFields'] being properly set by the elements, this section is never evaluated in InlineRecordContainer. Evaluate content in this property and render the fields in the HTML output. Resolves: #87614 Releases: master, 9.5, 8.7 Change-Id: Idb45a906d3cb019e915c94df59fa215405cb1af3 Reviewed-on: https://review.typo3.org/c/59899 Tested-by:
-
- 06 Mar, 2019 1 commit
-
-
Benni Mack authored
Composer commands: composer remove mso/idna-convert composer require algo26-matthias/idna-convert:^1.1.0 Resolves: #87779 Releases: master, 9.5, 8.7 Change-Id: Id7cb8dda54f356479a72bfc0718b1b9256382fb3 Reviewed-on: https://review.typo3.org/c/59885 Tested-by:
-
- 04 Mar, 2019 2 commits
-
-
Resolves: #87762 Releases: master, 9.5, 8.7 Change-Id: I2e7b8b7bee6d69b3e1ae4458257be802d0d97d14 Reviewed-on: https://review.typo3.org/c/59844 Reviewed-by:
-
Unlike all the other link viewhelpers (based on tagbuilder), the PageViewHelper does not force the closing tag which results in an invalid tag when there is no content available. Resolves: #87804 Releases: master, 9.5, 8.7 Change-Id: Ia49aaf1f2f80be4fa3febee08f5285bebd2c0189 Reviewed-on: https://review.typo3.org/c/59843 Tested-by:
-
- 01 Mar, 2019 3 commits
-
-
The eID handler in frontend context had a wrong method name. Besides that generating according <script src="requirejs-loader.js"> tag had flaws in path resolving. Resolves: #87570 Releases: master, 9.5, 8.7 Change-Id: Ic5a3b824e8ae5aa776fd0e6502682aba6ae282b8 Reviewed-on: https://review.typo3.org/c/59827 Tested-by:
Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by:
-
Anja Leichsenring authored
Ignore FullyScanned|PartiallyScanned|NotScanned when looking for valid keywords on rst files and update existing Changelog files accordingly. Resolves: #87774 Relates: #87772 Releases: master, 9.5, 8.7 Change-Id: I5e9a9c690ddb55ef11c52bde074d4e0175b17837 Reviewed-on: https://review.typo3.org/c/59821 Tested-by:
-
When looking for FullyScanned|PartiallyScanned|NotScanned ignore Feature and Important rst files from any version as well as all rst files from 7.x and 8.x Resolves: #87772 Releases: master, 9.5, 8.7 Change-Id: I7bf2a6068f95603a8ac3e6df4cb336d66963f145 Reviewed-on: https://review.typo3.org/c/59819 Tested-by:
-
- 28 Feb, 2019 2 commits
-
-
Resolves: #87803 Releases: master, 9.5, 8.7 Change-Id: I1d99aa132208d5db14eb3aed49308e95998a0f0e Reviewed-on: https://review.typo3.org/c/59813 Tested-by:
-
Page names that end with 'rc' return 403 if using apache with the default core delivered .htaccess. The directive should match '.rc$' instead of only 'rc$'. Resolves: #87783 Releases: master, 9.5, 8.7 Change-Id: I59fd6b2a0d87556209713a0beedae0c6624d866f Reviewed-on: https://review.typo3.org/c/59805 Tested-by:
-
- 24 Feb, 2019 1 commit
-
-
Previously the HiddenRestriction::class applied the hidden restriction to both tables, with this change only the hidden field of sys_language will be checked, which was also the case before the DBAL migration. Change-Id: Icec2c5c0f0e821933379dfa72ff9686cbf414deb Resolves: #87768 Releases: 8.7 Reviewed-on: https://review.typo3.org/c/59783 Reviewed-by:
Claus Due <claus@phpmind.net> Reviewed-by:
Joerg Kummer <typo3@enobe.de> Reviewed-by:
-
- 23 Feb, 2019 1 commit
-
-
The character set must be set based on the configured value to prevent an exception #1389697515 to be thrown Related: #71454 Resolves: #85524 Releases: 8.7 Change-Id: I34701429083b4ab7fc568fa1ee94756a49b45da6 Reviewed-on: https://review.typo3.org/c/59323 Tested-by:
-
- 17 Feb, 2019 1 commit
-
-
Remove reference to irc as it is not used anymore. Linking to Slack instead. Resolves: #87720 Releases: master, 9.5, 8.7 Change-Id: I7dea0d62329e8e361b8ac37a1d18b9f9f8603943 Reviewed-on: https://review.typo3.org/c/59713 Tested-by:
-
- 15 Feb, 2019 1 commit
-
-
Lists in reStructuredText must be seperated by the rest of a text a newline. If not, the text is not rendered correctly. This patch fixes incorrectly formatted lists in the .rst files of the Changelog. Resolves: #85995 Releases: master,8.7 Change-Id: Icc390862f77ee99a5f96373e85ef5e09ac4272d5 Reviewed-on: https://review.typo3.org/59702 Tested-by:
Sybille Peters <sypets@gmx.de>
Reviewed-by: Björn Jacob <bjoern.jacob@tritum.de> Tested-by:
Sybille Peters <sypets@gmx.de>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com> Tested-by:
-
