- 19 Jan, 2015 1 commit
-
-
Change-Id: I4cd242dd7ae34b4d179acd494d4e84b10e37c6e6 Reviewed-on: http://review.typo3.org/36116 Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch> Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
-
- 15 Jan, 2015 1 commit
-
-
Helmut Hummel authored
The security fix for #62723 missed an edge case where the TypoScriptFrontendController main cObj property is not yet initialized. Check for this case and create it. Resolves: #63896 Releases: 4.5, 6.2, master Change-Id: Ief9338453517e095d120007d8d13ba6405d6fbb8 Reviewed-on: http://review.typo3.org/36030 Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org> Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
-
- 17 Dec, 2014 1 commit
-
-
Dietrich Heise authored
Releases: master, 6.2, 4.5 Resolves: #59186 Change-Id: Iaa973faf5b3f287320fb187c3db2d8e30a486735 Reviewed-on: http://review.typo3.org/35484 Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de> Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de> Reviewed-by: Markus Klein <klein.t3@reelworx.at> Tested-by: Markus Klein <klein.t3@reelworx.at>
-
- 10 Dec, 2014 3 commits
-
-
TYPO3 Release Team authored
Change-Id: Ie043fa8d8cfaf633ac496ca306339f2ba8e663ea Reviewed-on: http://review.typo3.org/35231 Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org> Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
-
TYPO3 Release Team authored
Change-Id: I5706e9296860dc95e0056a47d97fed6533ccc985 Reviewed-on: http://review.typo3.org/35230 Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org> Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
-
A specially crafted request could lead to anchors prefixed with URLs to domains controlled by the attacker on the domain root page (home page). No other pages are affected! Fix this by prefixing the anchors with a canonical URL to the current request. This could lead to the situation that the prefix does not match the current REQUEST_URI, which leads to a page reload instead of just "jumping" to the page section. Additionally this change assures that REQUEST_URI always starts with a slash, which mitigates similar attack vectors when using getIndpEnv('REQUEST_URI'). To mitigate the impact of this breaking change, the REQUEST_URI is used for the anchor prefix if a backend user is logged in, to not disturb the preview functionality of the home page. In case prefixLocalAnchors is used in the HTML parser configuration with prefixLocalAnchors = 2, the canonical URL is always used as prefix. This change does *not* fix that arbitrary (non-functional) GET parameters will be included in the generated prefix URL. To fix this it is recommended to use absRefPrefix instead of baseUrl and prefixLocalAnchors. Resolves: #62723 Releases: 4.5, 6.2, master Security-Commit: 16003fd71982a9da3fde04c7cc298425d8b539dc Security-Bulletin: TYPO3-CORE-SA-2014-003 Change-Id: I120f7a0fa32e48644c88d54d65863a6ac96acf4c Reviewed-on: http://review.typo3.org/35222 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
-
- 08 Dec, 2014 1 commit
-
-
Due to commit https://review.typo3.org/#/c/30240/ the comments in the JavaScript are removed and now the JavaScript is parsed with config.xhtml_cleaning = all. This patch prevents any CDATA content from being parsed. Resolves: #62967 Releases: master, 6.2, 4.5 Change-Id: Ib024c5c8f2b056e47d9222b9767b7a5e6923af8c Reviewed-on: http://review.typo3.org/35039 Reviewed-by: Nicole Cordes <typo3@cordes.co> Tested-by: Nicole Cordes <typo3@cordes.co> Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
-
- 27 Nov, 2014 2 commits
-
-
TYPO3 Release Team authored
Change-Id: I1f43bd5fc9f1197ca7f6fdfd6f68c84f7f6214ff Reviewed-on: http://review.typo3.org/34679 Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org> Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
-
TYPO3 Release Team authored
Change-Id: If2f6374021bd90046335888117ac5968405b9a40 Reviewed-on: http://review.typo3.org/34677 Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org> Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
-
- 19 Nov, 2014 1 commit
-
-
Jigal van Hemert authored
The new prototype.js sometimes returns a string as opacity value instead of a float. This causes problems with the starting animation for dragging an item, making it completely hidden during dragging. Forcing the result to be a float results in a correct opacity. Resolves: #58053 Releases: 6.2, 6.1, 4.7, 4.5 Change-Id: I7811dec578f5e3222fd8fc95145c1e0cdbedb21f Reviewed-on: http://review.typo3.org/34331 Reviewed-by: Jigal van Hemert <jigal.van.hemert@typo3.org> Tested-by: Jigal van Hemert <jigal.van.hemert@typo3.org> Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de> Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
-
- 15 Nov, 2014 1 commit
-
-
On saving TypoScript data in the accordant backend module using t3editor, the AJAX call issues a PHP warning "Creating default object from empty value". This only happens if at least PHP 5.4 is used. The reason is that an uninitialized and empty variable is used for object access. Resolves: #62984 Releases: 4.5 Change-Id: I7567d61f0a16379db58760dd963f0330dc8ca6c8 Reviewed-on: http://review.typo3.org/34203 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
-
- 13 Nov, 2014 1 commit
-
-
The timestamp handed to the date function must be of type int, otherwise a warning is issued. Cast the value to int before passing it to the date function. The important scenarios are when the timestamp is "0" or "" (blank string). Add a unit test for the formatValue function and the possible format configurations. Resolves: #62032 Releases: master, 6.2, 6.1, 4.5 Change-Id: I5207ef5b562dd70b9b5e574eef1b9ee59fa836f0 Reviewed-on: http://review.typo3.org/33665 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
-
- 03 Nov, 2014 1 commit
-
-
Michael Stucki authored
The backport #62357 introduced a regression with PHP 5.2, which is still officially supported by TYPO3 CMS 4.5. Adapt the code to be PHP 5.2 compatible. Resolves: #62391 Releases: 4.5 Change-Id: I72895592e10d963f2777c4659cc1f0a10e69a1c1 Reviewed-on: http://review.typo3.org/33737 Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org> Tested-by: Helmut Hummel <helmut.hummel@typo3.org> Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
-
- 31 Oct, 2014 1 commit
-
-
Michael Stucki authored
This patch is a backport of 3d930170. Applies to Apc/Memcached backends. After an array_merge the values aren't unique. This leads to duplicate tags per identifier. This patch changes that and also moves the findTagsByIdentifier call out of the foreach loop. Resolves: #62513 Releases: 4.5 Change-Id: Ia4713eeb399a4770b2c23e5738e076a91afe2a64 Reviewed-on: http://review.typo3.org/33592 Reviewed-by: Markus Klein <klein.t3@reelworx.at> Reviewed-by: Michael Stucki <michael.stucki@typo3.org> Tested-by: Michael Stucki <michael.stucki@typo3.org>
-
- 23 Oct, 2014 1 commit
-
-
Since #24121 the field content in "image_link" is separated by line feeds instead of commas. Since then the soft reference processor for "typolink[linkList]" is broken for this field. This results in broken image links in imports and exports and possibly unchecked links in the linkvalidator extension. In 4.7 this also applies to the field "longdescURL". This does not have to be fixed for versions later than 4.7, because since 6.0 the fields "image_link" and "longdescURL" aren't used anymore. Resolves: #57006 Releases: 4.7, 4.5 Change-Id: I3a070d4d6e24b60a0658ec5bb6cc77d26a3e2f2d Reviewed-on: http://review.typo3.org/33481 Reviewed-by: Markus Klein <klein.t3@reelworx.at> Tested-by: Markus Klein <klein.t3@reelworx.at> Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl> Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
-
- 22 Oct, 2014 5 commits
-
-
Helmut Hummel authored
The backport #53682 introduced a regression with PHP 5.2, which is still officially supported by TYPO3 CMS 4.5. Adapt the code to be PHP 5.2 compatible. Resolves: #62391 Releases: 4.5 Change-Id: Ie9d6c3175d02424e0d2329cc07ff99e09cccc040 Reviewed-on: http://review.typo3.org/33470 Reviewed-by: Christian Hernmarck <ch_t3@hernmarck.ch> Reviewed-by: Markus Klein <klein.t3@reelworx.at> Tested-by: Markus Klein <klein.t3@reelworx.at>
-
TYPO3 Release Team authored
Change-Id: Ie90485ebcb8da9859020a18cabc19a17e504737c Reviewed-on: http://review.typo3.org/33462 Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org> Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
-
TYPO3 Release Team authored
Change-Id: I2156d74111b5594f5bf18d8cd274877b563b73c7 Reviewed-on: http://review.typo3.org/33461 Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org> Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
-
Upgrade openid to latest upstream version. This includes the sec fix already. Change-Id: I5bf8375ee1a71c34363d265db3c268444c0e9428 Resolves: #62357 Releases: master, 6.2, 6.1, 6.0, 4.7, 4.6, 4.5 Security-Commit: 436560afcf84c3575a81f1733bb5253c90787733 Security-Bulletin: TYPO3-CORE-SA-2014-002 Reviewed-on: http://review.typo3.org/33449 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
-
A remote code execution vulnerability was fixed upstream which is now also fixed in the code we deliver with TYPO3. This is not a full upgrade of the library but a backport of the security fix. Change-Id: I17c960e0c087b011032754839a2dafb0e2e57b50 Resolves: #59573 Releases: 4.5, 4.6, 4.7, 6.0, 6.1, 6.2 Security-Commit: 59331a6bfbcba0f7f0683a3bd0726670f2e1c7b5 Security-Bulletin: TYPO3-CORE-SA-2014-002 Reviewed-on: http://review.typo3.org/33448 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
-
- 14 Oct, 2014 1 commit
-
-
Helmut Hummel authored
PHP reflection has quite an overhead in performance. Use a switch construct like in Flow instead to instantiate classes with up to 8 arguments without reflection. Resolves: #53682 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: I8ab21fa5ae609fc4653205f4b53c51ed61618ea7 Reviewed-on: http://review.typo3.org/33308 Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by: Markus Klein <klein.t3@reelworx.at> Tested-by: Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de> Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
-
- 23 Sep, 2014 2 commits
-
-
TYPO3 Release Team authored
Change-Id: Ib1d17b43dce8d0abd1c56494495f62863cb3d18d Reviewed-on: http://review.typo3.org/32936 Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org> Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
-
TYPO3 Release Team authored
Change-Id: Iea9655ddd56df9fbba3d4f769eab1c2fbd8c4f68 Reviewed-on: http://review.typo3.org/32935 Reviewed-by: TYPO3 Release Team <typo3v4@typo3.org> Tested-by: TYPO3 Release Team <typo3v4@typo3.org>
-
- 20 Sep, 2014 2 commits
-
-
The modification time of the extensions.xml.gz file is used to display the last update of the extension list. Checking if the file exists will prevent a PHP warning. Change-Id: Ic8cae6c591f0b6ff955fb01c192df9b17876fe68 Releases: 4.5 Resolves: #37946 Reviewed-on: http://review.typo3.org/21776 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
-
Problem: IE raises a syntax error when it encounters HTML comments in the JavaScript code. The HTML comments are added by the page renderer. Solution: There is no need for the page renderer to wrap inline JavaScript in HTML comments. Resolves: #55457 Releases: 6.2, 6.1, 4.5 Change-Id: Iae180a73778ca3bb1c9934c887315b969888b10d Reviewed-on: http://review.typo3.org/30240 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
-
- 23 Aug, 2014 1 commit
-
-
Jigal van Hemert authored
In the page module, information on neighboring content elements is collected while building the page layout. This information must be remembered for other elements on the page instead of being generated anew when rendering each element. This makes sure the move buttons and edit buttons have the correct URLs. Resolves: #60199 Releases: 6.3, 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: I9fec256b145fe8aba229d8b026fba73871942347 Reviewed-on: http://review.typo3.org/32330 Reviewed-by: Markus Klein <klein.t3@reelworx.at> Tested-by: Markus Klein <klein.t3@reelworx.at>
-
- 08 Jul, 2014 3 commits
-
-
TYPO3 Release Team authored
Change-Id: I29de73b589d2adf8a66f08455048f5b709ad5d02 Reviewed-on: https://review.typo3.org/31509 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
TYPO3 Release Team authored
Change-Id: Ic994e542cd4bab39a88fd1426d718b9174867783 Reviewed-on: https://review.typo3.org/31508 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
Due to commit I148ca1b023226f2f99417b3baf238b72346e721f the information concerning previous and next content elements in one row is messed up. This patch helps to build information which depends on colPos again and prevents records being moved to another column. Resolves: #48939 Resolves: #49055 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: I3a15321ee11a1f7d96b58b8b7a5ab14098664b22 Reviewed-on: https://review.typo3.org/31494 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-
- 29 Jun, 2014 2 commits
-
-
Helmut Hummel authored
By default Travis notifies on each build when posting to channels (IRC, Slack). We can reduce the number of notifications by only posting successful builds when it previously failed. Additionally encrypt the API token for posting to Slack. Releases: 6.3, 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: I882d34903c972201454e6cc5b9041393e3bd3661 Reviewed-on: https://review.typo3.org/31226 Reviewed-by: Helmut Hummel Tested-by: Helmut Hummel
-
Michael Stucki authored
Notify on Slack and IRC, remove email notification. Resolves: #59838 Releases: 6.3, 6.2, 4.5 Change-Id: Ic4dacd5c7b6b4e6e2b8cfa92ae7976b666209747 Reviewed-on: https://review.typo3.org/31209 Reviewed-by: Nicole Cordes Reviewed-by: Michael Stucki Tested-by: Michael Stucki
-
- 23 Jun, 2014 1 commit
-
-
Markus Klein authored
Namespaces are not supported in PHP 5.2.x, hence one must not prefix a class name with a backslash. Regression fix to #54748. Resolves: #59825 Releases: 4.5 Change-Id: Ideb2cef1c5e2ec0d2ac3328ebd4f318a161d368a Reviewed-on: https://review.typo3.org/31084 Tested-by: Sebastian Sommer Tested-by: Steffen Mächtel Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- 05 Jun, 2014 1 commit
-
-
Markus Klein authored
Due to patch https://review.typo3.org/#/c/30305/ the string comparison on colPos fails and new content elements are always stored on pid 0. This patch corrects the check for an integer colPos type by setting the unused variable to NULL. Resolves: #59059 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Change-Id: Iecd7f0cacf5c9315d882eebeb3893bcfa63ae7eb Reviewed-on: https://review.typo3.org/30419 Tested-by: SITS Developer Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- 03 Jun, 2014 1 commit
-
-
Markus Klein authored
The AJAX URL for retrieving a new encryption key contains two question marks. This causes the request to fail. Fix this by removing the superfluous ? from the parameters. Resolves: #59034 Releases: 6.1, 4.7, 4.5 Change-Id: Iab3833f50a48b71b25cf0205f7eb8d6b57dd859a Reviewed-on: https://review.typo3.org/30543 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
- 22 May, 2014 6 commits
-
-
lang/4.5/locallang_csh_pages.xlf contains an invalid HTML structure: a <p> tag should actually be a <b> tag. Resolves: #58936 Releases: 6.2, 6.1, 4.5 Change-Id: Id37d424296628202d8d434e0cf9cafd8529da2c3 Reviewed-on: https://review.typo3.org/30331 Reviewed-by: Christian Kuhn Tested-by: Christian Kuhn
-
Marc Bastian Heinrichs authored
The SoftReferenceIndex parses and rebuilds typolink tags, but the support for more than one value in the class attribute is missing, because the values don't get enclosed in quotes on rebuilding. This leads to lost classes in typolinks in exports from impexp. Resolves: #58484 Releases: 6.2, 6.1, 4.5 Change-Id: I12ed3be7f5be36254bcee57fcb24bf2a10f92f46 Reviewed-on: https://review.typo3.org/29853 Reviewed-by: Markus Klein Tested-by: Markus Klein
-
TYPO3 Release Team authored
Change-Id: Iffabf254620824d1d0b7a42e239576bd3aa73791 Reviewed-on: https://review.typo3.org/30309 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
TYPO3 Release Team authored
Change-Id: I296aa228d3d9ffda43cf99a41d3ac36d8b93f439 Reviewed-on: https://review.typo3.org/30308 Reviewed-by: TYPO3 Release Team Tested-by: TYPO3 Release Team
-
TYPO3 uses the values of HTTP_HOST in several places without validating them. This could lead to a situation where links are generated using the host part from HTTP_HOST. Since HTTP_HOST headers are user input and can be spoofed by an attacker, this leads to several potential and actual security issues. To address this, a configuration option for trusted hosts is added, which is evaluated every time getIndpEnv('HTTP_HOST') is called. The configuration option is $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] and can contain either a regular expression or the value "SERVER_NAME". To properly output the exception message in case the trustedHostsPattern does not match, we need to adapt the exception handlers slightly to not log information in this case and to actually show the message even in production context, to not confuse admins on what is currently going wrong. To not break all existing installations, the default pattern is set to 'SERVER_NAME', which allows all HTTP_HOST values matching the SERVER_NAME (and optionally the SERVER_PORT if a port is specified in the HTTP_HOST value). This will secure all installations which use properly configured name-based virtual hosts, but leaves installations where the web server is not bound to a specific host name in an insecure state. Fixes: #30377 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Bulletin: TYPO3-CORE-SA-2014-001 Change-Id: Id210212e6fbd186a273f92b340d5060e9c6f900d Reviewed-on: https://review.typo3.org/30275 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
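The matching rule the commit message above describes (a `SERVER_NAME` literal or a regular expression in `trustedHostsPattern`), as an added illustration written for this page; it is not TYPO3's own implementation, the function name `isTrustedHost` and its parameters are assumptions, and the sample host names are constructed.

```php
<?php
// Added illustration of the trusted-host check described in the commit message.
// Not TYPO3's code: the function name and parameter list are assumptions.
// $pattern stands in for $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']:
// either the literal string 'SERVER_NAME' or a regular expression body.
function isTrustedHost($hostHeader, $serverName, $serverPort, $pattern)
{
    if ($pattern === 'SERVER_NAME') {
        // Split an optional ":port" off the Host header value; a malformed
        // header (or one smuggling userinfo such as "a@b") is rejected.
        $parts = parse_url('http://' . $hostHeader);
        if ($parts === false || !isset($parts['host']) || isset($parts['user'])) {
            return false;
        }
        // Host names are case-insensitive, so compare them that way.
        if (strcasecmp($parts['host'], $serverName) !== 0) {
            return false;
        }
        // The port is only checked when the Host header actually carries one.
        if (isset($parts['port']) && (string)$parts['port'] !== (string)$serverPort) {
            return false;
        }
        return true;
    }
    // Otherwise the option is a regular expression; anchor it to the whole
    // header value so that a partial match (e.g. a suffix) cannot pass.
    return preg_match('/^' . $pattern . '$/i', $hostHeader) === 1;
}

// Constructed sample: SERVER_NAME/SERVER_PORT of a name-based virtual host
// versus Host header values a client may send. Third column: expected verdict.
$serverName = 'www.example.org';
$serverPort = '443';
$checks = array(
    array('www.example.org',           'SERVER_NAME',       true),
    array('WWW.EXAMPLE.ORG:443',       'SERVER_NAME',       true),
    array('www.example.org:8080',      'SERVER_NAME',       false),
    array('evil.example.net',          'SERVER_NAME',       false),
    array('www.example.org.evil.net',  'SERVER_NAME',       false),
    array('www.example.org@evil.net',  'SERVER_NAME',       false),
    array('cdn.example.org',           '.*\.example\.org',  true),
    array('www.example.org:443',       '.*\.example\.org',  false),
);
foreach ($checks as $c) {
    $verdict = isTrustedHost($c[0], $serverName, $serverPort, $c[1]);
    printf("%-28s pattern=%-18s trusted=%-5s %s\n", $c[0], $c[1],
        $verdict ? 'true' : 'false', $verdict === $c[2] ? 'ok' : 'UNEXPECTED');
}
```

The last regex row shows why a custom pattern must account for an explicit port if clients are expected to send one.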
-
Needs to be fixed also in 6.x, but the affected function is not used anymore. Change-Id: Iae077221a4a8ef8f3aacaeb9d679cc68e97799bd Fixes: #54111 Fixes: #54113 Releases: 6.2, 6.1, 6.0, 4.7, 4.5 Security-Commit: 6b746d50d9ee4fbf2eff3e3e4c0699100be983a2 Security-Bulletin: TYPO3-CORE-SA-2014-001 Reviewed-on: https://review.typo3.org/30274 Reviewed-by: Oliver Hader Tested-by: Oliver Hader
-