Oliver Hader authored Jun 03, 2020 and Oliver Hader committed Jun 04, 2020

This is a preparation for starting with RIPS scanner.

Resolves: #91566
Releases: master, 10.4, 9.5
Change-Id: I6f994cec9c977242c278963c8aa55cb138bdabe2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64794


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Oliver Hader authored May 10, 2020 and Oliver Hader committed May 12, 2020

In order to evaluate potential server misconfigurations and to reduce
the potential of security implications in general, a new HTTP response
check is integrated to "Environment Status" and the "Security" section
in the reports module.

It is evaluated whether non-standard file extensions lead to unexpected
handling on the server-side, such as `test.php.wrong` being evaluated
as PHP or `test.html.wrong` being served with `text/html` content type.

Resolves: #91354
Releases: master, 9.5
Change-Id: Ie6584692f39706aad2a25bad27bb201f4c1045e9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64450


Tested-by: Benjamin Franzke <bfr@qbus.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Alexander Schnitzler authored Apr 17, 2020 and Georg Ringer committed Apr 17, 2020

This patch has been created with rector and php-cs-fixer

Releases: master
Resolves: #91092
Change-Id: I80956bc210237169034acd86ef26c1e8f9725ddb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64212


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>

Alexander Schnitzler authored Apr 14, 2020 and Benni Mack committed Apr 15, 2020

With this patch, the header comment of php files is
automatically added by the php-cs-fixer, which guarantees
that its format and place of occurrence remain the same
in all files.

Files that are copied over from other projects are excluded.

Furthermore, files that are kind of inspired by other
projects also get the same header comment but may have
a second, additional comment explaining its origin.

Used command:

    bin/php-cs-fixer fix --config=Build/php-cs-fixer/header-comment.php

Releases: master
Resolves: #91024
Change-Id: I5a040517e0fbde6e5a27d589bf2f222078326dc8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64159


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Benni Mack <benni@typo3.org>

Benni Mack authored Apr 14, 2020 and Andreas Fernandez committed Apr 14, 2020

This change adds two changes
        'blank_line_after_opening_tag' => true,
        'single_trait_insert_per_statement' => true,

to our PHP-CS Fixer configuration, adopting more rules related
to PSR-12.

Resolves: #91020
Releases: master
Change-Id: I180b2cbceb077911bddeb42d9f131e5b32244ed2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64158


Tested-by: Josef Glatz <josefglatz@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Josef Glatz <josefglatz@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Alexander Schnitzler <git@alexanderschnitzler.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Christian Eßl authored Sep 26, 2019 and Daniel Goerz committed Oct 07, 2019

Make spelling in TYPO3 great again.

Resolves: #89290
Releases: master
Change-Id: I520840dd0774aa5d658ce6a45811aa6282c9e461
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61845


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Jörg Bösche <typo3@joergboesche.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Jörg Bösche <typo3@joergboesche.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

Mathias Brodala authored Jul 18, 2019 and Benjamin Franzke committed Jul 22, 2019

Also output a report message in case of unsupported hash algorithm.

Resolves: #88794
Releases: master, 9.5
Change-Id: I1ba4efd321f4d2d5bc35b65bb7caac0581fe0a39
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61318


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

Benni Mack authored Jan 29, 2019 and Andreas Wolf committed Feb 01, 2019

TYPO3 uses $GLOBALS['LANG'] directly in some places, but since
TYPO3 v7, new code started to use a short hand protected method
"getLanguageService" in order to get IDE code completion and better
analysis of code.

This patch replaces all left-over places of $GLOBALS['LANG']
and encapsulates this into a short-hand method to streamline
TYPO3 Core's code base.

Resolves: #87571
Releases: master
Change-Id: Ie15e320713fe65d40552a19e0a517d5739abbb41
Reviewed-on: https://review.typo3.org/59578


Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Tested-by: Mona Muzaffar <mona.muzaffar@gmx.de>
Reviewed-by: Andreas Wolf <andreas.wolf@typo3.org>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Andreas Wolf <andreas.wolf@typo3.org>

Benni Mack authored Oct 01, 2018 and Wouter Wolters committed Oct 01, 2018

All specific controllers for specific Backend actions, Backend-module related modules,
all hook implementations (where the core uses hooks by itself), and module-specific
ViewHelpers are now marked as @internal to ensure developers what is
part of the public TYPO3 Core API.

within
- EXT:core
- EXT:extensionmanager
- EXT:install

All @api annotations have been removed.

Resolves: #86517
Releases: master
Change-Id: I7869d8e3b6e8a4365529cc7c98b99cde7ca1495f
Reviewed-on: https://review.typo3.org/58532


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>

Benni Mack authored Sep 30, 2018 and Frank Nägler committed Oct 01, 2018

This patch streamlines all deprecation messages and follow the
following rules.

1. All @deprecated should contain
@deprecated since TYPO3 xx, will be removed in TYPO3 v10.0 (not "core v10" or just "v10"

2. trigger_error()
- All trigger_error() messages MUST end with a "." (dot).
- Never use "This method" but the method name (enjoy the logs otherwise)
- "has been deprecated" can be spared - we KNOW it's deprecated once its in the deprecation log. Instead "Will be removed in TYPO3 v10.0" SHOULD be in the log file.
- Do not use "__METHOD__" or some other "magic".

Resolves: #86488
Releases: master
Change-Id: I6a34593ff89ecafe649366d60d725daa3aa6676c
Reviewed-on: https://review.typo3.org/58494


Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>

Christian Kuhn authored Aug 13, 2018 and Georg Ringer committed Aug 14, 2018

Move all classes and other resources from EXT:saltedpasswords to
EXT:core.

Classes live in TYPO3\CMS\Core\Crypto\PasswordHashing. This namespace
will be clean in v10 when the classes that are currently only kept for
backwards compatibility are removed.

The documentation has been integrated into the "Core API" docs at
https://docs.typo3.org/typo3cms/CoreApiReference/stable/ApiOverview/PasswordHashing/

Resolves: #85833
Resolves: #85026
Releases: master
Change-Id: Ie6ac7fbf215fe61711f0acdd6dc5a318bce1ad35
Reviewed-on: https://review.typo3.org/57885


Reviewed-by: Stephan Großberndt <stephan.grossberndt@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>

With this change, the password hash code in salted passwords is
reduced to the SaltFactory with two methods and the single hash
classes that implement SaltInterface without further public
methods. Everything else including the utility classes is
deprecated.
The change moves the LocalConfiguration.php config options around,
adds a settings preset for hash mechanism selection, adds according
silent upgrades, adds 'best available' hash mechanism selection
at installation time and drops the last saltedpasswords
ext_conf_template.txt option.

Details:
* Remove the password hash selection from saltedpasswords config
  namespace and put to TYPO3_CONF_VARS/BE/passwordHashing/className
  and TYPO3_CONF_VARS/FE/passwordHashing/className
* Move available password hash registry from
  TYPO3_CONF_VARS/SC_OPTIONS/ext/saltedpasswords/saltMethods
  to TYPO3_CONF_VARS/SYS/availablePasswordHashAlgorithms
* Add a setting preset to select one of argon2i (preferred),
  bcrypt, pbkdf2 or phpass (last fallback)
* Use 'best matching preset' during installation to select a good
  salt mechanism by default
* Silently upgrade existing password hash selection and upgrade
  to one of the four hash algorithms above
* Allow algorithm specific options in
  TYPO3_CONF_VARS/BE/passwordHashing/options and
  TYPO3_CONF_VARS/FE/passwordHashing/options for admins who
  know what they are doing and need to fiddle with hash details.
* Simplify and refactor the single password hash classes. Deprecate
  a huge list of methods along the way.

Change-Id: I773e2ee27a121c9f0d5302695ebf4aa561170400
Resolves: #85804
Resolves: #83760
Releases: master
Reviewed-on: https://review.typo3.org/57850


Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Christian Kuhn authored Aug 09, 2018 and Andreas Fernandez committed Aug 09, 2018

The patch deprecates static SaltFactory::getSaltingInstance()
and replaces it with the two new non-static methods.
The ->get() method returns a hash instance to check a given password
against a given hash, and ->getDefaultHashInstance() which returns
an instance of the configured default hash method to calculate
a hash for a new password.

The new methods are now strict, non-static and throw exceptions if
something goes wrong. This simplifies mocking in tests and sanitizes
password hash handling in the core.

Change-Id: I186576593202cb6d052bc7c1ca6f81314eddbaf2
Resolves: #85796
Releases: master
Reviewed-on: https://review.typo3.org/57847


Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Christian Kuhn authored Jun 15, 2018 and Benni Mack committed Jun 15, 2018

Resolves: #85280
Releases: master
Change-Id: Id8330e1fda17557284ab5ffd6081433226c74083
Reviewed-on: https://review.typo3.org/57237


Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Jan Helke <typo3@helke.de>
Tested-by: Jan Helke <typo3@helke.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Wouter Wolters authored Mar 05, 2018 and Andreas Fernandez committed Apr 25, 2018

This commit moves any language file of EXT:lang into a proper
destination, which renders EXT:lang obsolete.
This change requires an update of typo3/testing-framework, done with this
command:

composer update typo3/testing-framework

Resolves: #84680
Releases: master
Change-Id: I7ba59c1a10015121ed444a9c98082bad0348e03d
Reviewed-on: https://review.typo3.org/56017


Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Riny van Tiggelen <info@online-gamer.nl>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>

Benni Mack authored Nov 24, 2017 and Susanne Moog committed Nov 30, 2017

The new PSR-7-based solution since TYPO3 v7 should be used everywhere
instead of "BackendUtility::getModuleUrl()". This is possible because
modules can be addressed via the "route" GET parameter instead of the
"M" parameter since a few months.

The patch changes all occurrences within TYPO3 Core to use the new API.

Resolves: #83172
Releases: master
Change-Id: Iec40e8ae00f1d900d7479b84a3a62827ddba653b
Reviewed-on: https://review.typo3.org/54755


Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>

Matthias Vogel authored Sep 08, 2017 and Christian Kuhn committed Sep 09, 2017

Resolves: #82393
Releases: master
Change-Id: I0782af0fa9dc36f7a1e54caec8b7ff24334e63c7
Reviewed-on: https://review.typo3.org/54046


Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Christian Kuhn authored Aug 22, 2017 and Wouter Wolters committed Aug 23, 2017

Change a series of cgl details after update of php-cs-fixer
from 1.0 to 1.4.

Change-Id: Iba289f530e2df2c6fc73e5f5b705a673b4b3db0f
Resolves: #82171
Related: #82164
Releases: master, 8.7
Reviewed-on: https://review.typo3.org/53776


Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>

Frans Saris authored Aug 21, 2017 and Benni Mack committed Aug 22, 2017

To completely disable the Install Tool you can just leave the 
`installToolPassword` value empty in your LocalConfiguration. 
Problem here is that not all password hashing methods can handle an 
empty value without giving PHP warnings.

This patch changes the password check in reporting to skip the install 
password hashing/check when there is no password.

Releases: master, 8.7
Resolves: #82147
Change-Id: I399a505544203fc40435f8e82b3baa5b6abd0da5
Reviewed-on: https://review.typo3.org/53757


Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wolfgang Klinger <wolfgang@wazum.com>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Sebastian Fischer <typo3@evoweb.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Wouter Wolters authored Feb 14, 2017 and Benni Mack committed Mar 28, 2017

The TYPO3 Core currently has no guidline how to handle phpdoc
comments regarding @return annoations related to "void" and "null".

In practice, these annotations have no additional value if no additional
documentation is given.

With this change, the php-cs-fixer will remove any unnecessary linebreaks
within the comments above the @return annotation, as well as remove completely
empty phpdoc comments because the @return annotation is removed.

Please be aware, that once PSR-5 is accepted, this coding standard
within the TYPO3 Core will change again, where there are currently
some further proposal details like inheritance information.

Resolves: #80454
Releases: master
Change-Id: Ie969d720684c0a75919fe5addd1c36ef5b12eb04
Reviewed-on: https://review.typo3.org/51686


Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>

Wouter Wolters authored Nov 10, 2016 and Jan Helke committed Dec 01, 2016

Move languages files from the root of ext:lang to
Resources/Private/Language/

Resolves: #78647
Releases: master
Change-Id: I9271442c98f2fcf705a38a639a6d503caeba1759
Reviewed-on: https://review.typo3.org/50584


Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Jan Helke <typo3@helke.de>
Tested-by: Jan Helke <typo3@helke.de>

Wouter Wolters authored Aug 30, 2016 and Susanne Moog committed Aug 30, 2016

As decided during T3ACME we will use the short
array syntax in master. The 7.6 branch will also be done
to make backporting easier.

Resolves: #77692
Releases: master,7.6
Change-Id: I37e9484b1012fc9161148257a842054c24d162ba
Reviewed-on: https://review.typo3.org/49651


Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>

Georg Ringer authored May 24, 2016 and Jigal van Hemert committed May 25, 2016

By using the <code>-tag, the output of paths is improved:

- XCLASS usage
- Path to ENABLE_INSTALL_TOOL
- Path to deprecation log

Resolves: #76288
Releases: master, 7.6
Change-Id: I591009cd52ba1dec6d25ff135e76b7b536b84193
Reviewed-on: https://review.typo3.org/48282


Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Jigal van Hemert <jigal.van.hemert@typo3.org>
Tested-by: Jigal van Hemert <jigal.van.hemert@typo3.org>

Wouter Wolters authored Apr 18, 2016 and Frans Saris committed Apr 18, 2016

Due to the removal of the extbase Install Tool module, some links to
the Install Tool aren't working anymore. Fix this by using the
new name for the module.

Resolves: #75654
Releases: master
Change-Id: I5edb11f877cab4ed4381ad1ab586c38ae1c7869f
Reviewed-on: https://review.typo3.org/47751


Reviewed-by: Richard Haeser <richardhaeser@gmail.com>
Tested-by: Richard Haeser <richardhaeser@gmail.com>
Reviewed-by: Christoph Kratz <ckr@rtp.ch>
Tested-by: Christoph Kratz <ckr@rtp.ch>
Reviewed-by: Frans Saris <franssaris@gmail.com>
Tested-by: Frans Saris <franssaris@gmail.com>

Wouter Wolters authored Nov 20, 2015 and Christian Kuhn committed Nov 20, 2015

Resolves: #71726
Releases: master
Change-Id: I4a356c8da668acee555149eee9cf56ccdb4dc0ee
Reviewed-on: https://review.typo3.org/44822


Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

In our efforts to achieve a better interoperability
with other PHP projects, the PHP code base of the
TYPO3 Core switches to the PHP coding guideline
standard PSR-2.

See http://www.php-fig.org/psr/psr-2/ for more
information.

Resolves: #70515
Releases: master
Change-Id: I734c0d838af157003decfeb5fc0a11dddcb87bf5
Reviewed-on: http://review.typo3.org/43918


Reviewed-by: TYPO3 Release Team <typo3cms@typo3.org>
Tested-by: TYPO3 Release Team <typo3cms@typo3.org>

Markus Klein authored Jul 15, 2015 and Christian Kuhn committed Jul 15, 2015

@author information can be found in version control.
Cluttering our code with these tags does not make much
sense and they are outdated by definition or would sum
up to impressive lists.

As decided on acme 2015, we drop them now.

Releases: master
Resolves: #68152
Change-Id: Iec1ea0f873b44ab6027c94ba8353a9fdb5477bdd
Reviewed-on: http://review.typo3.org/41264


Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

Frederic Gaus authored Dec 20, 2014 and Benni Mack committed Jan 03, 2015

Decouple \TYPO3\CMS\Reports\Report\SecurityStatus from install tools. In
this status report several checks are made which are closely coupled to
the install tool. This patch decouples them by introducing a security
status check in the install tool extension

Change-Id: I50e26107a8fc249a3fbe7592a67751c5513388e6
Resolves: #64002
Releases: master
Reviewed-on: http://review.typo3.org/35611


Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>