Skip to content
GitLab
  1. 10 Dec, 2014 1 commit
  3. 27 Nov, 2014 2 commits
  5. 22 Oct, 2014 2 commits
  7. 23 Sep, 2014 2 commits
  9. 08 Jul, 2014 2 commits
  11. 22 May, 2014 3 commits
    • TYPO3 Release Team's avatar
      [TASK] Set TYPO3 version to 4.5.35-dev · dd2d0ad3
      TYPO3 Release Team authored 
      Change-Id: Iffabf254620824d1d0b7a42e239576bd3aa73791
Reviewed-on: https://review.typo3.org/30309
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
      dd2d0ad3
    • TYPO3 Release Team's avatar
      [RELEASE] Release of TYPO3 4.5.34 · 67deb70e
      TYPO3 Release Team authored 
      Change-Id: I296aa228d3d9ffda43cf99a41d3ac36d8b93f439
Reviewed-on: https://review.typo3.org/30308
Reviewed-by: TYPO3 Release Team
Tested-by: TYPO3 Release Team
      67deb70e
    • Helmut Hummel's avatar
      [SECURITY] Add trusted HTTP_HOST configuration · 55d5f385
      Helmut Hummel authored and Oliver Hader's avatar Oliver Hader committed 
      TYPO3 uses the values of HTTP_HOST in several
places without validating them. This could
lead to a situation where links are generated
using the host part from HTTP_HOST.
Since HTTP_HOST headers are user input and
can be spoofed by an attacker, it leads
into several potential and actual security issues.
To address this, a configuration option for
trusted hosts is added, which is evaluated every
time getIndpEnv('HTTP_HOST') is called.
The configuration option is
$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']
and can contain either a regular expression or the
value "SERVER_NAME"
To properly output the exception message in case
the trustedHostPattern does not match,
we need to adapt the exception handlers slightly
to not log information in this case and to actually
show the message even in production context to not
confuse admins on what is currently going wrong.
To not break all existing installations, the default
pattern is set to 'SERVER_NAME' which allows all
HTTP_HOST values matching the SERVER_NAME (and
optionally the SERVER_PORT if a port is specified
in the HTTP_HOST value).
This will secure all installation which use properly
configured name based virtual hosts, but leaves
installations where the web server is not bound
to a specific host name still in an insecure state.
Fixes: #30377
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Bulletin: TYPO3-CORE-SA-2014-001

Change-Id: Id210212e6fbd186a273f92b340d5060e9c6f900d
Reviewed-on: https://review.typo3.org/30275
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
      55d5f385
  13. 16 Apr, 2014 2 commits
  15. 10 Dec, 2013 2 commits
  17. 26 Nov, 2013 2 commits
  19. 12 Sep, 2013 2 commits
  21. 30 Jul, 2013 2 commits
  23. 23 Jul, 2013 2 commits
  25. 24 May, 2013 2 commits
  27. 03 May, 2013 2 commits
  29. 28 Apr, 2013 1 commit
  31. 22 Apr, 2013 2 commits
  33. 11 Apr, 2013 1 commit
    • Anja Leichsenring's avatar
      [BUGFIX] Allow Setting colorspace in the Install Tool. · b07277d5
      Anja Leichsenring authored 
      Some versions of Imagemagick (6.7.0 and above) use the sRGB colorspace
instead RGB as before. This results in darker images after processing,
because TYPO3 hardcoded the RGB colorspace in graphical functions.

This patch introduces a setting in the GFX part of the Install Tool,
lets the user choose the sufficient colorspace.
This selection is used in graphical functions.

Additionaly a hint on the setting was added to the Image Processing Test
'Read Images' in the Install Tool.

Fixes: #36597
Releases: 6.1, 6.0, 4.7, 4.5
Change-Id: I50a26c414705afa3177a2f12fc3bb4532c2d0f7f
Reviewed-on: https://review.typo3.org/19725
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Xavier Perseguers
Tested-by: Xavier Perseguers
Reviewed-by: Anja Leichsenring
Tested-by: Anja Leichsenring
      b07277d5
  35. 07 Mar, 2013 3 commits
  37. 06 Mar, 2013 2 commits
  39. 14 Feb, 2013 2 commits
  41. 23 Jan, 2013 1 commit