Oliver Hader authored Jun 14, 2022 and Oliver Hader committed Jun 15, 2022

The security fix TYPO3-CORE-SA-2022-005 introduced a synchronization
of backend user and admin tool sessions - without considering these
two documented aspects:

+ If no system maintainer is set up, then all administrators are
  assigned the system maintainer role.
+ In Development context, all administrators are system maintainers
  as well.

Resolves: #97768
Releases: main, 11.5, 10.4
Change-Id: I81dbfc5d07a41a4fa254e1fb50210c74f5e6f02c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74911


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored Jun 14, 2022 and Oliver Hader committed Jun 14, 2022

Admin tools sessions are revoked in case the initiatin backend user
does not have admin or system maintainer privileges anymore. Besides
that, revoking backend user interface sessions now also revokes access
to admin tools. Standalone install tool is not affected.

Resolves: #92019
Releases: main, 11.5, 10.4
Change-Id: I367098abd632fa34caa59e4e165f5ab1916894c5
Security-Bulletin: TYPO3-CORE-SA-2022-005
Security-References: CVE-2022-31050
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74901


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Daniel Goerz authored Jun 04, 2021 and Benni Mack committed Nov 17, 2021

EXT:impexp
EXT:indexed_search
EXT:info
EXT:install

Resolves: #94264
Releases: master
Change-Id: I0799fce1f3f316a4b6e0925f6813738a2c53f8a9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69394


Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Anja Leichsenring authored Nov 16, 2021 and Christian Kuhn committed Nov 16, 2021

The functionality the trait provides is never used for the
SessionService, so usage declaration is removed.

Resolves: #95990
Releases: master
Change-Id: I916daf559b74f1dd821870183bd7f3ebdf0320ba
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72186


Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>

Simon Gilli authored Sep 17, 2021 and Christian Kuhn committed Nov 05, 2021

Add the missing samesite cookie option after the logout from the
install tool which leads to an error in the browser console.

Also, the missing direct dependency to symfony/http-foundation is
added properly with:

* composer require symfony/http-foundation:^5.3.0 -d typo3/sysext/install --no-update

Resolves: #95270
Releases: master, 10.4
Change-Id: I399e3db96bbaaeef7a79caa43ac221a3d5c30f0a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71122


Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Nikita Hovratov <nikita.h@live.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Nikita Hovratov <nikita.h@live.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Benni Mack authored Dec 05, 2020 and Benjamin Franzke committed Dec 07, 2020

TYPO3 v11 supports PHP 7.4 or higher, some workarounds
regarding same site functionality can be simplified
and removed.

Resolves: #92999
Releases: master
Change-Id: I6ab5e257cfbe595f81693fc60d824bb46e106594
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67009


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

Oliver Hader authored Nov 06, 2020 and Oliver Hader committed Nov 16, 2020

The session expiration time for the install tool is reduced from
60 to 15 minutes. When accessing the install tool via backend user
interface, currently logged in backend users have to confirm their
user password again in order to get access to the install tool.
This process is known as "sudo mode".

Standalone install tool is not affected by sudo mode confirmation.
This change enforces mitigation as mentioned in TYPO3-CORE-SA-2020-006,
see https://typo3.org/security/advisory/typo3-core-sa-2020-006.

Resolves: #92836
Releases: master, 10.4, 9.5
Change-Id: Ib4f0e92346610879347a48587ffd575429b98650
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66630


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Torben Hansen <derhansen@gmail.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Torben Hansen <derhansen@gmail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Alexander Schnitzler authored May 11, 2020 and Benni Mack committed Sep 07, 2020

This patch fixes incompatible type usage in function arguments
and is preparatory work for introducing native type hints and
strict mode in all core files.

Releases: master, 10.4
Resolves: #92108
Change-Id: I9aa59588a183ee3cb43091fadd6eab2491a7cbdb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65463


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: Jörg Bösche <typo3@joergboesche.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Jörg Bösche <typo3@joergboesche.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Markus Klein authored Aug 17, 2020 and Benni Mack committed Sep 04, 2020

This change corrects the Install Tool cookie handling in various ways:

1.) It is ensured that the cookie is removed on log off
2.) Session files (var/session/*) are always removed
3.) No cookie is set until it is really needed (during login)
4.) Session expire calculation is centralized into a single method

This is done by adjusting the SessionService:
 - Move session_start() from the constructor to a dedicated method
 - Session existence check employs a cookie existence check
   before loading an existing session into memory and validating it
 - destroySession() now explicitly removes the cookie
 - renewSession() lets session_regenerate_id() deleted old session data

The Install Tool is adjusted to separate action treatment for actions
requiring session interaction and those not.

Resolves: #92035
Releases: master, 10.4
Change-Id: Ie666831c3eb97279fad7870638b028a577fb68f7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65358


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>

Oliver Hader authored May 12, 2020 and Oliver Hader committed May 12, 2020

Deserialization of objects could lead to arbitrary removal of resources
as well as sending out message via mail.

Resolves: #88573
Resolves: #90316
Releases: master, 9.5
Change-Id: I3f77928203f4929bc715f548fb9bfdc0cd749e93
Security-Bulletin: TYPO3-CORE-SA-2020-004
Security-References: CVE-2020-11066
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64468


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Alexander Schnitzler authored Apr 17, 2020 and Georg Ringer committed Apr 17, 2020

This patch has been created with rector and php-cs-fixer

Releases: master
Resolves: #91092
Change-Id: I80956bc210237169034acd86ef26c1e8f9725ddb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64212


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Alexander Schnitzler authored Apr 14, 2020 and Benni Mack committed Apr 15, 2020

With this patch, the header comment of php files is
automatically added by the php-cs-fixer, which guarantees
that its format and place of occurrence remain the same
in all files.

Files that are copied over from other projects are excluded.

Furthermore, files that are kind of inspired by other
projects also get the same header comment but may have
a second, additional comment explaining its origin.

Used command:

    bin/php-cs-fixer fix --config=Build/php-cs-fixer/header-comment.php

Releases: master
Resolves: #91024
Change-Id: I5a040517e0fbde6e5a27d589bf2f222078326dc8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64159


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Benni Mack authored Mar 31, 2020 and Georg Ringer committed Apr 14, 2020

Use PHP's native \SessionHandlerInterface to allow further separation
of concerns and allow other packages to use a different implementation
(e.g. via redis).

Resolves: #90938
Releases: master
Change-Id: Ibc16efd0edd35df3f6673e3150929947ede5b500
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64034


Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: Jonas Eberle <flightvision@googlemail.com>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Benni Mack authored Apr 14, 2020 and Andreas Fernandez committed Apr 14, 2020

This change adds two changes
        'blank_line_after_opening_tag' => true,
        'single_trait_insert_per_statement' => true,

to our PHP-CS Fixer configuration, adopting more rules related
to PSR-12.

Resolves: #91020
Releases: master
Change-Id: I180b2cbceb077911bddeb42d9f131e5b32244ed2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64158


Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Oliver Hader authored Feb 15, 2020 and Oliver Hader committed Feb 17, 2020

Patch for issue #90351 in master branch was merged fast.
Some aspects were missing which are streamlined with this change.

- workspace preview "ADMCMD_prev" using backend user setting
  ("strict" by default)

Resolves: #90380
Releases: master
Change-Id: I8d244db64a438d7537310787934a49abe3ebf28d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63256


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Benni Mack authored Feb 10, 2020 and Georg Ringer committed Feb 13, 2020

This change introduces a new security option for setting the SameSite
option to all cookies sent by TYPO3 Core.

Namely:
- Frontend User Sessions ("lax" by default)
- Backend User Sessions ("strict" by default)
- Install Tool Sessions ("strict", none-configurable)
- Last Login Provider in Backend ("strict", non-configurable)

This means that these can only be accessed by scripts and requests
by the same site, and not by any third-party scripts.

Since we're talking about actual cookies for a user, and not
ads-related or third-party login-dependant cookies, the default
options fit just perfectly.

All modern browsers except Internet Explorer respect this option
to be set. Please note that Firefox and Chrome will have "SameSite=lax"
set in Q1/2020 by default if NO SameSite option is set at all. This change
allows to configure this.

Backend and Frontend User Cookies can be configured to "strict", "lax"
or "none" (= same as before), whereas "none" only works for secure
connections (= HTTPS).

If "strict" is in place, security via CSRF is not needed anymore, and can
be dropped in the future.

Resolves: #90351
Releases: master, 9.5, 8.7
Change-Id: I8095e2a552faa9d1fd4fa7855297302a9ec6a75f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63183


Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Andreas Wolf authored Dec 11, 2018 and Oliver Hader committed Dec 11, 2018

Resolves: #86955
Releases: master, 8.7, 7.6
Security-Commit: d251175e031aaa9943f93f5e5297f5490b99e513
Security-Bulletin: TYPO3-CORE-SA-2018-009
Change-Id: Ia50cac61ee2d649e98cba2102162c1360487bb20
Reviewed-on: https://review.typo3.org/59103


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Benni Mack authored Oct 01, 2018 and Wouter Wolters committed Oct 01, 2018

All specific controllers for specific Backend actions, Backend-module related modules,
all hook implementations (where the core uses hooks by itself), and module-specific
ViewHelpers are now marked as @internal to ensure developers what is
part of the public TYPO3 Core API.

within
- EXT:core
- EXT:extensionmanager
- EXT:install

All @api annotations have been removed.

Resolves: #86517
Releases: master
Change-Id: I7869d8e3b6e8a4365529cc7c98b99cde7ca1495f
Reviewed-on: https://review.typo3.org/58532


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>

Josef Glatz authored Jul 29, 2018 and Markus Klein committed Jul 30, 2018

This patch updates file templates from HTML 3.2
to HTML5 markup.

Resolves: #85682
Releases: master
Change-Id: I22fa9b6e4f0e84fbc94d8d282f82594ffd3d8be9
Reviewed-on: https://review.typo3.org/57723


Reviewed-by: Josef Glatz <josef.glatz@typo3.org>
Tested-by: Josef Glatz <josef.glatz@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Jörg Bösche <typo3@joergboesche.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

Benni Mack authored May 28, 2018 and Andreas Fernandez committed May 29, 2018

The utility class was thinned out in the last TYPO3
versions and now is only used in EXT:install.

The functionality can be moved into EXT:install,
and PhpOptionsUtility can be deprecated, marked
as deprecated and awaiting removal in TYPO3 v10.0.

Resolves: #85102
Releases: master
Change-Id: Ie45720ad70cd2bdd2949553c94fcec15806cb458
Reviewed-on: https://review.typo3.org/57071


Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: TYPO3com <no-reply@typo3.com>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Benni Mack authored Mar 21, 2018 and Susanne Moog committed Mar 29, 2018

All TYPO3 Core areas where typo3temp/var/ was directly used,
the new Environment::getVarPath() API is now used.

When running via composer or setting the environment
variable "TYPO3_PATH_APP", the folder is $projectRootPath . /var
otherwise "typo3temp/var/" as before.

Additional changes to the default naming scheme
- Cache folders are now named lower-case (Cache/Code becomes
cache/code). 
- Install tool session files are stored within "var/session" instead of
"var/InstallToolSessions".
- Extension Manager files are now within "var/extensionmanager"
in a lower-cased variant
- log files are now placed into "var/log" instead of "var/logs"
- lock files are now placed into "var/lock" instead of "var/locks"

Resolves: #84545
Releases: master
Change-Id: Ifa57413cd212243387532ffb3435cfca361a582b
Reviewed-on: https://review.typo3.org/56413


Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>

Benjamin Kott authored Feb 09, 2018 and Christian Kuhn committed Feb 09, 2018

Resolves: #83826
Releases: master
Change-Id: I55d7141ffb26126215be029547e143ed2f777707
Reviewed-on: https://review.typo3.org/55629


Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Mathias Schreiber <mathias.schreiber@typo3.com>
Tested-by: Mathias Schreiber <mathias.schreiber@typo3.com>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Tested-by: TYPO3com <no-reply@typo3.com>

Christian Kuhn authored Sep 13, 2017 and Susanne Moog committed Sep 19, 2017

The install tool suffered from three main issues since 6.2 rewrite:
* The "step" installer was re-used for recovery and installation
* The routing logic was server based and threw lots of redirects
  which lead to redirect loops
* The Controller/Action class structure was weird and hard to
  understand

The patch solves this with a rather huge rewrite:
* There are two request handlers: One for the Installer, one for
  the install tool.
* A simple list of controllers. One InstallerController for the
  step installer, the others for the main module points of the
  install tool and a Login and a Layout controller.
* Single action code is moved into controllers.
* Both tool and installer first load only a <head> section that
  contain JS references. All other calls are ajax based and the
  routing is done JS side.
* Installer and install tool no longer share controller code
  or templates, the installer can potentially be fully extracted
  from ext:install in another step.
* Installer.js is the "walk through installation" module of the
  installer.
* Router.js is the routing module for the install tool, all tool
  ajax requests get specific urls from this module and hand over
  errors to the Router.
* Error handling is handled on JS side: If for instance
  the login session expires and user clicks elsewhere, a 403
  response is returned which is handled by JS to route to login.
  This is also the place where a recovery can hook in later.
* The silent configuration updater is executed again which was
  removed during one of the previous master patches.
* The template structure is much easier.
* Various card content which has been calculated when loading
  the card layout is moved to the ajax code for single card
  content. That increases the performance of the main module
  points and makes them pretty snappy.

Change-Id: Ib40f40acba17bb47142c0da1bcfb389ab9b4b3a1
Resolves: #82504
Releases: master
Reviewed-on: https://review.typo3.org/54128


Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Tested-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>

Christian Kuhn authored Sep 11, 2017 and Benni Mack committed Sep 11, 2017

With recent routing changes the install tool "backend context" has
been switched to a "normal" backend module loaded directly from
within the backend application. The standalone is an own application
with its own bootstrap.
This leads to various issues in the install tool since the backend
and standalone requests lead to different bootstrap states, for
instance TCA is initialized in BE context, but isn't in standalone.
Within backend, this won't change until the backend application can
bootstrap to different states depending on a controller.
To solve install tool related issues for now, the BackendModuleController
of the install tool called from within backend now starts a casual
install tool session and marks this session as "initiated from a
valid system maintainer". It then redirects to the standalone
application which omits login and enable install tool file check if
the session is marked as backend user session.

Change-Id: I352e6d04e7a91c56ccf2383f784ae94464c9aacd
Resolves: #82448
Related: #82306
Releases: master
Reviewed-on: https://review.typo3.org/54111


Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Christian Kuhn authored Aug 30, 2017 and Benni Mack committed Aug 31, 2017

The install tool brought its own "status message" class
structure since the 6.2 refactoring. This is used at many
places in the install tool for message handling.

The core has a very similar class construct "Messaging"
with only little dependencies, too. To simplify a later
separation of 'install tool' and 'installer' the internal
status message class structure is removed and transitioned
to the core Messaging structure. to get rid of just
another special thing the install tool does.

The ext:core FlashMessage and FlashMessageQueue now both
implement the \JsonSerialize interface. This allows direct
json_encode() calls on these objects, helpful for instance
for ajax responses.

In ext:install "Environment checks" suhosin specific checks
have been removed since the project is dead and only has a
pre-alpha php 7.0 fork, so probably nobody is using
that with the given core PHP constraints anymore.

Change-Id: Ifecd3cd4889d8db5aaf3e87f317c98be706ae82b
Resolves: #82257
Releases: master
Reviewed-on: https://review.typo3.org/53835


Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Wouter Wolters authored Aug 23, 2017 and Benni Mack committed Aug 23, 2017

Add 2 new rules

* no_superfluous_elseif
* no_useless_else

Both rules only apply if the if-statement contains a return. If this
is the case the obsolete else/elseif part is dropped.

Resolves: #82183
Releases: master,8.7
Change-Id: I94dfa6b5b96cbc3e350bd778f1796dda1a4d955a
Reviewed-on: https://review.typo3.org/53791


Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Wouter Wolters authored Feb 14, 2017 and Benni Mack committed Mar 28, 2017

The TYPO3 Core currently has no guidline how to handle phpdoc
comments regarding @return annoations related to "void" and "null".

In practice, these annotations have no additional value if no additional
documentation is given.

With this change, the php-cs-fixer will remove any unnecessary linebreaks
within the comments above the @return annotation, as well as remove completely
empty phpdoc comments because the @return annotation is removed.

Please be aware, that once PSR-5 is accepted, this coding standard
within the TYPO3 Core will change again, where there are currently
some further proposal details like inheritance information.

Resolves: #80454
Releases: master
Change-Id: Ie969d720684c0a75919fe5addd1c36ef5b12eb04
Reviewed-on: https://review.typo3.org/51686


Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Timo Schmidt authored Feb 24, 2017 and Anja Leichsenring committed Feb 26, 2017

When the session information is fetched from the file system it can
happen that the session file is empty.

We should check for the file length and only read it, when the file
length is larger then 0.

Change-Id: I8857efc54f76c56984bc3486064b622b05e488b8
Resolves: #79955
Releases: master
Reviewed-on: https://review.typo3.org/51835


Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>

Wouter Wolters authored Aug 30, 2016 and Andreas Fernandez committed Aug 30, 2016

Resolves: #77701
Releases: master
Change-Id: Id5f32eb76ac3adddd834160bc79828fefd0ce63c
Reviewed-on: https://review.typo3.org/49665


Tested-by: Bamboo TYPO3com <info@typo3.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>

Wouter Wolters authored Aug 30, 2016 and Susanne Moog committed Aug 30, 2016

As decided during T3ACME we will use the short
array syntax in master. The 7.6 branch will also be done
to make backporting easier.

Resolves: #77692
Releases: master,7.6
Change-Id: I37e9484b1012fc9161148257a842054c24d162ba
Reviewed-on: https://review.typo3.org/49651


Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>

Markus Klein authored Feb 18, 2016 and Frank Nägler committed Feb 19, 2016

Implement proper locking when accessing the session data file
to avoid race-conditions, which cause random logouts.

Resolves: #73531
Releases: master, 7.6
Change-Id: Ibc14ff771602601fd38af582c1b8a15e3f6dfb4b
Reviewed-on: https://review.typo3.org/46750


Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Alexander Opitz <opitz.alexander@googlemail.com>
Tested-by: Alexander Opitz <opitz.alexander@googlemail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>

Add a subdirectory typo3temp/var/ (by default) which
contains all files which should never be accessible
for the web user.

In the future, this option should be configurable so it can
be put outside of the document root (e.g. via an
environment variable).

Resolves: #72479
Releases: master
Change-Id: Ia2e425a2ff55deac91c02b829c73036478995b0b
Reviewed-on: https://review.typo3.org/45505


Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Susanne Moog <typo3@susannemoog.de>
Tested-by: Susanne Moog <typo3@susannemoog.de>

In our efforts to achieve a better interoperability
with other PHP projects, the PHP code base of the
TYPO3 Core switches to the PHP coding guideline
standard PSR-2.

See http://www.php-fig.org/psr/psr-2/ for more
information.

Resolves: #70515
Releases: master
Change-Id: I734c0d838af157003decfeb5fc0a11dddcb87bf5
Reviewed-on: http://review.typo3.org/43918


Reviewed-by: TYPO3 Release Team <typo3cms@typo3.org>
Tested-by: TYPO3 Release Team <typo3cms@typo3.org>

Markus Klein authored Jul 15, 2015 and Christian Kuhn committed Jul 15, 2015

@author information can be found in version control.
Cluttering our code with these tags does not make much
sense and they are outdated by definition or would sum
up to impressive lists.

As decided on acme 2015, we drop them now.

Releases: master
Resolves: #68152
Change-Id: Iec1ea0f873b44ab6027c94ba8353a9fdb5477bdd
Reviewed-on: http://review.typo3.org/41264


Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Andreas Fernandez authored May 04, 2015 and Markus Klein committed Jul 01, 2015

Improve the example .htaccess file by adding rules for caching,
MIME types and CORS. Also, the rewrite rules are extended to block
access to certain files and folders.

Additionally all rules are made compatible for Apache 2.4 as well.

Resolves: #23078
Resolves: #66235
Releases: master, 6.2
Change-Id: I629f524b5a209769601f04a74bb7434736058ab8
Reviewed-on: http://review.typo3.org/39254


Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Tested-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>

Christian Kuhn authored Feb 19, 2015 and Wouter Wolters committed Feb 19, 2015

In a rare case it may happen that the install tool created a session
file in typo3temp/InstallToolSessions and later those files can not
be written or updated due to permission problems.
The install tool then fails silently without error message.
Since write out of session data happens in __destruct() a proper
error message can not be created at this point anymore. Solution
is to "test write" the session file after opening it and throw
an exception if that fails.

Resolves: #65014
Releases: master, 6.2
Change-Id: I9478f0cfb58a047842d48350b7005e64f50f52ff
Reviewed-on: http://review.typo3.org/37025


Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Markus Klein <klein.t3@reelworx.at>
Reviewed-by: Frank Nägler <typo3@naegler.net>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>

Roland Waldner authored Dec 16, 2014 and Christian Kuhn committed Dec 17, 2014

Most of TYPO3's PHP files have an empty line before a class' closing curly
brace. This commit adds this empty line (if it is missing) before a class'
closing curly brace.

This is not part of the TYPO3 CMS CGL but increases consistency in this
area.

This regular expression was used to add the empty lines:

Search:
(}\n)(})

Replace:
$1\n$2

Resolves: #63942
Release: master
Change-Id: Icd6547322ac8b7310956d347fd73c90bde2bbfa7
Reviewed-on: http://review.typo3.org/35527


Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Roland Waldner authored Dec 06, 2014 and Christian Kuhn committed Dec 13, 2014

This regular expression was used to replace PHPDoc style comments
with ordinary comments:

Search:
/\*\*(\n \* This file is part of the TYPO3 CMS project.)

Replace with:
/*$1

Resolves: #63328
Releases: master
Change-Id: Ic8f11dbfefee94a19657c8fe8426c81d1cb435d8
Reviewed-on: http://review.typo3.org/35103


Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>

Resolves: #62664
Releases: master
Change-Id: Ib8e0695fc234ab67a2f73a65737e07cf9a2d19c6
Reviewed-on: http://review.typo3.org/33757


Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Markus Klein <klein.t3@reelworx.at>

Use "int" or "bool" in @var notation instead of
"interger" or "boolean".

Resolves: #62571
Releases: master
Change-Id: Icc17d2a7806a4632da2c4684c57f1f6d619878a3
Reviewed-on: http://review.typo3.org/33632


Reviewed-by: Frank Nägler <typo3@naegler.net>
Tested-by: Frank Nägler <typo3@naegler.net>
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Markus Klein <klein.t3@reelworx.at>