- 09 Jun, 2020 2 commits
-
-
Benni Mack authored
Change-Id: I35387b2f33eb82cc443556e5209e16ef77416d60 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64844 Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Overriding route requirements with `.+` allows having slashes in route parameters. This is different from Symfony's default behavior, which does not allow slashes here at all. However, when having multiple route parameters it can lead to resolving false-positive routes, as shown in the following example:

routePath: '{first}/{second}'
URI: https://example.com/first/second/third

resolves to parameters
+ first: 'first/second'
+ second: 'third'

This change passes existing TYPO3 route `requirements` and uses pattern `.+` only for those parameters not having a definition - both apply to parameters using `aspects` only. Besides that, tests in `EnhancerLinkGeneratorTest` mixed internal argument values with URL parameters (`100` <=> `hundred`) and were "wrong" before. Resolves: #91246 Releases: master, 10.4, 9.5 Change-Id: Ic1fe15790cc16dd52c624cd3be9ed060ae9b9d69 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64843 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
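The false-positive match described in the commit above, reproduced with a minimal route compiler. This is an added example, not TYPO3 or Symfony code: the function names, the `[^/]+` requirement used for the "after" case and the request path are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 or Symfony code: a minimal route compiler that
// shows why a blanket `.+` requirement lets '{first}/{second}' swallow the
// wrong segments, and how honouring explicit requirements prevents it.

/**
 * Compile a route path like '{first}/{second}' into a PCRE pattern.
 * $requirements maps placeholder name => regex fragment; placeholders
 * without an entry fall back to $fallback (here `.+`, as the commit describes).
 */
function compileRoute(string $routePath, array $requirements, string $fallback): string
{
    $parts = preg_split('/\{(\w+)\}/', $routePath, -1, PREG_SPLIT_DELIM_CAPTURE);
    $pattern = '';
    foreach ($parts as $index => $part) {
        if ($index % 2 === 1) {
            // odd indexes are the captured placeholder names
            $pattern .= '(?P<' . $part . '>' . ($requirements[$part] ?? $fallback) . ')';
        } else {
            $pattern .= preg_quote($part, '#');
        }
    }
    return '#^' . $pattern . '$#';
}

/** Match a URI path and return only the named parameters, or null. */
function matchRoute(string $pattern, string $uriPath): ?array
{
    if (preg_match($pattern, $uriPath, $matches) !== 1) {
        return null;
    }
    return array_filter($matches, 'is_string', ARRAY_FILTER_USE_KEY);
}

$routePath = '{first}/{second}';
$uriPath   = 'first/second/third';   // constructed request path

// Before: requirements ignored, every placeholder becomes `.+` (greedy).
$loose = compileRoute($routePath, [], '.+');
print_r(matchRoute($loose, $uriPath));
// first => 'first/second', second => 'third'  (false positive)

// After: configured requirements are kept, `.+` only where none exists.
$strict = compileRoute($routePath, ['first' => '[^/]+', 'second' => '[^/]+'], '.+');
var_dump(matchRoute($strict, $uriPath));
// NULL: three segments cannot satisfy two slash-free parameters

// Slashes stay possible where a parameter deliberately has no requirement
// (e.g. an aspect-only parameter): only that parameter takes the extra segment.
$mixed = compileRoute($routePath, ['first' => '[^/]+'], '.+');
print_r(matchRoute($mixed, $uriPath));
// first => 'first', second => 'second/third'
```

The greedy `.+` on the first placeholder is what makes the loose pattern succeed: PCRE backtracks just far enough to give the second placeholder its mandatory single segment, so the extra path segment lands in `first` instead of causing a miss.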
-
- 08 Jun, 2020 1 commit
-
-
Direct hash comparison is replaced by cryptographically safe `hash_equals`. Changes in this patch set basically don't have much impact regarding security aspects. This is a preparation for starting with RIPS scanner. Resolves: #91565 Releases: master, 10.4, 9.5 Change-Id: I5666e586b6b6b462f7864a597139763fd2cd2f98 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64777 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Tomas Norre Mikkelsen <tomasnorre@gmail.com> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
- 05 Jun, 2020 4 commits
-
-
Having PHPDoc parameter and return type annotations like "string[]" instead of the generic "array" will help both static code analysers as well as human readers. Resolves: #91065 Releases: master, 9.5 Change-Id: I7d39241d81ce607e9ca6050cc82126420e1e756e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64146 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de>
-
When using C-style multiline comments in the ext_tables.sql of an extension, the SchemaMigrator would then ignore the subsequent "CREATE TABLE" statement, because the SqlReader also read the multiline comments into the statement array. This patch fixes this behaviour. Now the following comments are possible inside ext_tables.sql:

/* Some comment
   text more text */
/* Same line c-style comment */
/* More multiline
   comments */
CREATE TABLE table1 (
  header varchar(255) DEFAULT '' NOT NULL,
  bodytext text
);

Resolves: #89714 Releases: master, 9.5 Change-Id: I49e687215d0b42d6ca5416c687fdbc19b44d237d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63911 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de>
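A statement reader that handles the comment layout from the commit above. This is an added example and not TYPO3's SqlReader: the function name, the handling of `--` line comments and the second table in the sample dump are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3's SqlReader: split an ext_tables.sql style dump
// into statements, dropping /* */ block comments and -- line comments while
// leaving comment-like text inside quoted strings and identifiers untouched.

function readSqlStatements(string $sql): array
{
    $statements = [];
    $current = '';
    $length = strlen($sql);
    $i = 0;
    while ($i < $length) {
        $char = $sql[$i];
        $next = $sql[$i + 1] ?? '';

        if ($char === '/' && $next === '*') {
            // C-style comment: skip up to and including the closing */
            $end = strpos($sql, '*/', $i + 2);
            $i = $end === false ? $length : $end + 2;
            continue;
        }
        if ($char === '-' && $next === '-') {
            // line comment: skip to end of line (the newline itself is kept)
            $end = strpos($sql, "\n", $i);
            $i = $end === false ? $length : $end;
            continue;
        }
        if ($char === "'" || $char === '"' || $char === '`') {
            // quoted literal or identifier: copy verbatim, honouring backslash escapes
            $end = $i;
            do {
                $end = strpos($sql, $char, $end + 1);
            } while ($end !== false && $sql[$end - 1] === '\\');
            $end = $end === false ? $length - 1 : $end;
            $current .= substr($sql, $i, $end - $i + 1);
            $i = $end + 1;
            continue;
        }
        if ($char === ';') {
            $statements[] = trim($current);
            $current = '';
            $i++;
            continue;
        }
        $current .= $char;
        $i++;
    }
    $statements[] = trim($current);
    return array_values(array_filter($statements, static function (string $s): bool {
        return $s !== '';
    }));
}

// Constructed input: the comment layout from the commit message plus a
// second table whose DEFAULT value looks like a comment and must survive.
$sql = <<<'SQL'
/* Some comment
   text more text */
/* Same line c-style comment */
/* More multiline
   comments */
CREATE TABLE table1 (
  header varchar(255) DEFAULT '' NOT NULL,
  bodytext text
);
-- a line comment before the next table
CREATE TABLE table2 (
  note varchar(255) DEFAULT '/* not a comment */' NOT NULL
);
SQL;

foreach (readSqlStatements($sql) as $statement) {
    echo strtok($statement, "\n"), "\n";   // prints the first line of each statement
}
// CREATE TABLE table1 (
// CREATE TABLE table2 (
```

Skipping comments at tokenizer level, rather than filtering statements afterwards, is what keeps the `CREATE TABLE` that follows a comment from being glued to it; the quoted-string branch is there so a comment-looking `DEFAULT` value is not stripped by mistake.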
-
Internal components using `unserialize` are enforced to disallow classes in their internal state representation. This is a preparation for starting with RIPS scanner. Resolves: #91571 Releases: master, 10.4, 9.5 Change-Id: I3a5026e34a381e79817b46025d81083b2bc5b290 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64780 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Frank Nägler <frank.naegler@typo3.org> Reviewed-by:
Frank Nägler <frank.naegler@typo3.org>
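What `allowed_classes => false` changes, shown on a constructed payload. This is an added example, not TYPO3 code: the `LogWriter` class, the helper functions and the serialized string are made up for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code: why internal state restored with
// unserialize() should pass ['allowed_classes' => false]. LogWriter is a
// stand-in for any class whose magic method does something on wakeup.

final class LogWriter
{
    /** @var string */
    public $file;

    public function __construct(string $file = '/tmp/app.log')
    {
        $this->file = $file;
    }

    // Invoked automatically when a serialized LogWriter is revived.
    public function __wakeup(): void
    {
        echo "[__wakeup] would now open {$this->file}\n";
    }
}

/**
 * Restore state the way the "before" and "after" code would.
 * $allowClasses === true mirrors a bare unserialize($blob) call.
 */
function restoreState(string $blob, bool $allowClasses)
{
    return unserialize($blob, ['allowed_classes' => $allowClasses]);
}

function describeConfig($state): string
{
    $object = $state['config'];
    return $object instanceof __PHP_Incomplete_Class
        ? 'blocked: __PHP_Incomplete_Class, no __wakeup/__destruct ran'
        : 'revived: ' . get_class($object);
}

// Constructed payload: what should be an array of scalars carries an object
// pointing at a path the attacker chooses.
$payload = 'a:1:{s:6:"config";O:9:"LogWriter":1:{s:4:"file";s:11:"/etc/passwd";}}';

echo describeConfig(restoreState($payload, true)), "\n";
// [__wakeup] would now open /etc/passwd
// revived: LogWriter

echo describeConfig(restoreState($payload, false)), "\n";
// blocked: __PHP_Incomplete_Class, no __wakeup/__destruct ran
```

With classes disallowed the object is revived as `__PHP_Incomplete_Class`, so neither `__wakeup` nor a later `__destruct` is reached; the scalar parts of the state are still restored as before, which is why this is a safe default for state the application itself produced.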
-
Resolves: #91550 Releases: master, 10.4, 9.5 Change-Id: I1de1eadbac4b4973250bba2dbf887efb19df872d Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64798 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- 04 Jun, 2020 2 commits
-
-
This is a preparation for starting with RIPS scanner. Resolves: #91566 Releases: master, 10.4, 9.5 Change-Id: I6f994cec9c977242c278963c8aa55cb138bdabe2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64795 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
This fixes encoding issues in paths with URL-encoded spaces and other characters when indexed_search translates indexable file URLs into local paths. Resolves: #91586 Releases: master, 10.4, 9.5 Change-Id: Id20034137556f5705ee34b3adcca6250c77d83f2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64793 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Jonas Eberle <flightvision@googlemail.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Jonas Eberle <flightvision@googlemail.com> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- 03 Jun, 2020 5 commits
-
-
Filter out pages user has no access to on query time in page tree. This patch reintroduces a change which was reverted with https://review.typo3.org/c/Packages/TYPO3.CMS/+/64369 Resolves: #91221 Related: #90880 Related: #91348 Releases: master, 10.4, 9.5 Change-Id: Id90752c331bc6fc12b0d3a7d047adacf08cb7804 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64640 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Richard Haeser <richard@maxserv.com> Reviewed-by:
Richard Haeser <richard@maxserv.com>
-
Tymoteusz Motylewski authored
Also fix misleading comment about permissions. Resolves: #91454 Releases: 9.5, master Change-Id: I1a399f1be613f007440bf542441bee60f53e49e0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64540 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Tymoteusz Motylewski <t.motylewski@gmail.com> Reviewed-by:
Tymoteusz Motylewski <t.motylewski@gmail.com>
-
It is possible for values returned by stdWrap to be of type int. RequestHandler->generateMetaTagHtml() expects meta tag values to be of type string. In order to avoid PHP errors, return values are now cast to strings. Resolves: #91533 Releases: master, 10.4, 9.5 Change-Id: I642d5fe0189955e26689a6cf65cdbe23255356a2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64637 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Benni Mack authored
PageRepository->fixVersioningPid() needs "t3ver_wsid" and "t3ver_oid" to resolve a version, otherwise previewing in workspace context takes another SQL query per page slug candidate. Resolves: #91556 Releases: master, 10.4, 9.5 Change-Id: Ie95365fe76cd2e6e502324c5dbe145651795cff1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64659 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
When a live record is hidden, but gets unhidden in a workspace version, the record should also be resolved within move placeholder resolving. Resolves: #88054 Releases: master, 10.4, 9.5 Change-Id: Ia5396c6d0cc6b6a915ac8af21008ff5c592c1fe1 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64630 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Frank Nägler <frank.naegler@typo3.org> Tested-by:
Danilo Caccialanza <supercaccia@bluewin.ch> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Frank Nägler <frank.naegler@typo3.org> Reviewed-by:
Danilo Caccialanza <supercaccia@bluewin.ch> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- 02 Jun, 2020 1 commit
-
-
Scalar values sent via HTTP query parameters to FileSystemNavigationFrameController are using `json_encode` instead of `unserialize`. The parameter stream is still secured with an HMAC before being deserialized. Resolves: #91548 Releases: master, 10.4, 9.5 Change-Id: I57be68aac1787bdc27f2bbae40f8d71b1b33f79f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64626 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
- 30 May, 2020 2 commits
-
-
If $TYPO3_CONF_VARS[FE][disableNoCacheParameter] is set, then the backend view button in FormEngine should not add the no_cache GET parameter. Resolves: #91492 Releases: 9.5 Change-Id: I0df44b948abdc7ce1c72fb6926d2eaa1a7c85524 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64587 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Josef Glatz <josefglatz@gmail.com> Reviewed-by:
Daniel Haupt <mail@danielhaupt.de> Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by:
Georg Ringer <georg.ringer@gmail.com>
-
Scalar values sent via HTTP query parameters to ShowImageController are using `json_encode` instead of `unserialize`. The parameter stream is still secured with an HMAC before being deserialized. Resolves: #91509 Releases: master, 10.4, 9.5 Change-Id: I81b8d5a10a79536592b105c838470238e14b7dca Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64609 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
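The pattern shared by the `hash_equals` commit (08 Jun) and the two `json_encode`-instead-of-`unserialize` commits for FileSystemNavigationFrameController and ShowImageController: serialize scalars as JSON, sign with an HMAC, verify in constant time, decode only afterwards. This is an added example and not TYPO3 code; `DEMO_KEY`, the function names, the stream layout and the parameter names are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code: a query-parameter stream that is
// json_encode()d, HMAC-signed and verified with hash_equals() before it is
// decoded. DEMO_KEY and the parameter names are made up for the demo.

const DEMO_KEY = 'demo-only-key, use the installation encryptionKey in practice';

function signParameters(array $parameters, string $key): string
{
    $json = json_encode($parameters, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $key);
    return base64_encode($json) . '.' . $mac;
}

function verifyParameters(string $stream, string $key): ?array
{
    $parts = explode('.', $stream, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $json = base64_decode($encoded, true);
    if ($json === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $json, $key);
    // Constant-time, string-only comparison. A plain == leaks timing and is
    // fooled by numeric-string juggling (see looseCompareIsBroken below).
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // Decoded only after the MAC checked out. json_decode yields scalars and
    // arrays only, so unlike unserialize() no class can be instantiated.
    $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

function looseCompareIsBroken(): bool
{
    // Two different hex digests that == treats as equal: both parse as
    // 0e<digits>, i.e. the float zero.
    $a = '0e462097431906509019562988736854';
    $b = '0e830400451993494058024219903391';
    return $a == $b && !hash_equals($a, $b);
}

$stream = signParameters(['file' => 'fileadmin/user_upload/photo.jpg', 'width' => 300], DEMO_KEY);
var_dump(verifyParameters($stream, DEMO_KEY) !== null);                    // bool(true)
var_dump(verifyParameters(substr_replace($stream, 'x', 0, 1), DEMO_KEY));  // NULL, payload tampered
var_dump(verifyParameters($stream, 'wrong key') === null);                  // bool(true)
var_dump(looseCompareIsBroken());                                           // bool(true)
```

Two things to keep in this order: the signature is checked before anything is decoded, and the comparison uses `hash_equals` rather than `==`, since PHP compares two numeric-looking strings as numbers and a hex digest of the form `0e<digits>` is one of them.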
-
- 29 May, 2020 2 commits
-
-
Andreas Fernandez authored
Resolves: #91510 Releases: master, 10.4, 9.5 Change-Id: I5bfda8310342718dc696b182fd87b1954a6cdc39 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64601 Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Andreas Fernandez <a.fernandez@scripting-base.de>
-
Resolves: #91501 Releases: master, 10.4, 9.5 Change-Id: I7b77a3ee8aceac2cbdb6f3d4e0a02930b66eb863 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64548 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- 26 May, 2020 1 commit
-
-
In order to avoid accidentally committing a FIRST_INSTALL for developers starting to contribute to TYPO3 Core and using the Core git repository as the basis for their local development setup, the FIRST_INSTALL file is ignored from git. Resolves: #91119 Releases: master, 10.4, 9.5 Change-Id: Iad459240bbc8a68892f03adf547373bc608f6a90 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64545 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- 25 May, 2020 3 commits
-
-
Resolves: #91471 Releases: master, 10.4, 9.5 Change-Id: Ib008a46cc2edb368fed3fc937858f1f3870938b5 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64543 Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
Deleting an extension in Extension Manager doesn't make much sense in a Composer-based installation. For this reason, the removal of extensions is prohibited now. Resolves: #91456 Releases: master, 9.5 Change-Id: Ia96cf2741fd749d9f50540366351c8b576cac96b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64539 Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
TYPO3com <noreply@typo3.com> Reviewed-by:
Benjamin Franzke <bfr@qbus.de>
-
Benni Mack authored
TYPO3 v9 is loaded with nikic/php-parser 4.2.2; however, only 4.3.0 or higher fixed some PHP 7.4 compatibility issues. For this reason, the dependency is now raised to use at least v4.3.0. composer req nikic/php-parser:^4.3.0 Resolves: #91444 Releases: 9.5 Change-Id: I8a133b9e4c49cb615a463f4d0f26866fa875a03c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64563 Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Markus Klein <markus.klein@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Markus Klein <markus.klein@typo3.org> Tested-by:
Benni Mack <benni@typo3.org>
-
- 23 May, 2020 1 commit
-
-
Helmut Hummel authored
Set the current page id early, so that PageTS is fetched from the correct page instead of id 0. Releases: 9.5, master Resolves: #91445 Change-Id: I95a50b6c9d45be54291f27828d9f35cb62b3b4dd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64556 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Helmut Hummel <typo3@helhum.io> Reviewed-by:
Helmut Hummel <typo3@helhum.io>
-
- 22 May, 2020 2 commits
-
-
Git converts CRLF to LF when plaintext files are staged. The existing copies of the rte_ckeditor Contrib/* sources have therefore already been converted to LF by git [1]. Initially these files had been copied as CRLF from the ckeditor4 sources in node_modules by grunt npmcopy. Now, when `yarn build` is executed, the copy operation is performed again, which means the files are reverted back to CRLF. Git therefore needs to perform the CRLF to LF conversion again (which itself needs to be triggered by the developer by staging the changed files).

We do now mimic git's autocrlf behaviour and replace CRLF by LF in the files copied from ckeditor Contrib/* folders to prevent the files from clobbering the `git status` or `git diff` output. By passing `encoding: null` to the grunt.file.copy options we ensure that binary files will be copied as is.

Also configure *.svg files to be checked out as LF on all platforms (namely Windows) like we do for other plaintext files as well. This ensures svg files do not show up (in Windows) as changed because their original from node_modules was stored as LF. *.patch is added as patching jquery on Windows would fail otherwise.

[1] https://git-scm.com/docs/gitattributes#_end_of_line_conversion

Resolves: #91374 Releases: master, 9.5 Change-Id: I2977a6d44f96f6593152bfe698ba5d35f32b131f Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64538 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Susanne Moog <look@susi.dev>
-
Activating "showHiddenFilesAndFolders" in BE User settings shows hidden files and folders also when navigating through the files in filelist module. Resolves: #91309 Releases: master, 9.5 Change-Id: I8f04b43a2cc0df93b6e77290caed2b33c6951e44 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64537 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Susanne Moog <look@susi.dev>
-
- 21 May, 2020 1 commit
-
-
To highlight the difference between BackendUtility::BEgetRootLine() and RootlineUtility->get() Resolves: #91455 Releases: 9.5, master Change-Id: I63d7ca395d5a052d29d718316474b69d6519ebc9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64536 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Richard Haeser <richard@maxserv.com> Reviewed-by:
Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by:
Richard Haeser <richard@maxserv.com>
-
- 20 May, 2020 2 commits
-
-
Benni Mack authored
The documentation for lowlevel commands is optimized so it makes more sense:
* Nightly checks are run with a --dry-run command
* cleanup:versions info is removed (the command is gone)
* Checks have a --dry-run command
Resolves: #88874 Releases: master, 9.5 Change-Id: If82ab67f7aec48c1b533e84d70ecdadc94e528bd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64535 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
composer require "psr/http-message":"^1.0" composer require "psr/log":"^1.0" Releases: master, 9.5 Resolves: #89626 Change-Id: Ieeceddba8ea49da1eac66f113f1c22623f479582 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64534 Reviewed-by:
Georg Ringer <georg.ringer@gmail.com> Reviewed-by:
Simon Gilli <typo3@gilbertsoft.org> Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
Benni Mack <benni@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
Benni Mack <benni@typo3.org>
-
- 19 May, 2020 5 commits
-
-
Change-Id: I1b2efe8dc2ea1b559e5720984c9f9a8f7bf0fa4e Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64527 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Change-Id: I0f60f14a729ee231f6faa9e8bb1aa56e742cca15 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64526 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
When saving a record on a page that is not part of a site, the slug field of this record, despite being set to "uniqueInSite" is not checked for uniqueness, as it is assumed unique enough. This assumption needs to be applied as well when resolving the record, instead of assuming the resolved record is not part of the current site. Releases: master, 9.5 Resolves: #91438 Change-Id: I347909b9b4caa523de3ad8e5d84c465e5d57b052 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64525 Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
TYPO3com <noreply@typo3.com> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
Benni Mack authored
Re-added `$this->where_groupAccess` to init method. Resolves: #91429 Releases: master, 9.5 Change-Id: Ibd9b169e8d11e358023d8cfbd2085995769d16cc Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64523 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
The old tx_realurl_pathcache does not have a uid field, but uses the field cache_id. The order-by now uses a different field depending on the table. Resolves: #90957 Releases: master, 9.5 Change-Id: I5efc62cb8a7cc1d96a503043d268fdacb3564e4b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64533 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Benni Mack <benni@typo3.org> Reviewed-by:
Benni Mack <benni@typo3.org>
-
- 18 May, 2020 6 commits
-
-
With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling has been introduced to avoid the install tool being called from other non same-origin locations. In case an HTTP referrer header was empty the system tried to refresh the view - otherwise the request was denied completely. Changes of issue #91396 using refresh-always are applied as well. Resolves: #91433 Related: #91396 Releases: master, 9.5 Change-Id: I2a570da4f2a933e709d653b54f1d53d5055ef3f7 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64518 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
The generated cache identifier may get very long in case a page has many frontend groups configured and may exceed the limit of the caching frontend (which is 250 characters per definition in FrontendInterface::PATTERN_ENTRYIDENTIFIER). To bypass this issue, the group list is hashed now. Resolves: #91413 Related: #91208 Releases: master, 9.5 Change-Id: Id44ae862eb5d45afbd49dc3f833c101c6acb5f5b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64517 Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
TYPO3com <noreply@typo3.com> Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
The manual backport of #91208 missed to actually write the calculated condition into the cache. This patch adds the missing ->set() call. Resolves: #91428 Related: #91208 Releases: 9.5 Change-Id: I01fdb93fddd85e52bf6b4a92cdec2706514e7200 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64513 Reviewed-by:
Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by:
Susanne Moog <look@susi.dev> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Tested-by:
Benjamin Franzke <bfr@qbus.de>
-
With TYPO3-CORE-SA-2020-006 (SSRF via XSS) a strict referrer handling has been introduced to avoid the TYPO3 backend being called from other non same-origin locations. In case an HTTP referrer header was empty the system tried to refresh the view - otherwise the request was denied completely. It turned out that this scenario was probably too strict; disabling feature `security.backend.enforceReferrer` was the only work-around for site administrators.

This change adds new options for handling referrers in backend routes:
* refresh-empty (existed already): refresh in case referrer is empty
* refresh-same-site: refresh in case referrer is on same site, like `https://example.org/?eID=auth` calling `https://example.org/typo3/`
* refresh-always: refresh always in case there is no valid referrer

TYPO3's main backend route is using `refresh-always` now to be more relaxed on handling same-site and cross-site referrers as well. The term "refreshing" relates to triggering a reload in the browser to get the referrer of the current location. This still blocks direct CSRF/SSRF requests since the refreshing HTML instructions are delivered back to the client. Besides that, cross-site requests are covered by the `same-site` cookie policy and existing CSRF tokens. Resolves: #91396 Releases: master, 9.5 Change-Id: Ib3756671fa60c6f41ba992d0e645f03da1730d19 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64499 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
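The decision behind the three referrer options, written out for both the backend commit above and the install tool commit (#91433) that adopts `refresh-always`. This is an added example and not TYPO3's implementation: the function shape, the reading of the options as combinable flags, the return values and the sample referrers are assumptions made for the demo; only the option names and the `example.org` URLs come from the commit message.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3's implementation: the decision the three referrer
// options describe, written out. Option names follow the commit message; the
// function shape, the combinable-flags reading and the return values are
// assumptions made for this demo.

const ALLOW   = 'allow';    // serve the request
const REFRESH = 'refresh';  // answer with HTML that reloads the page so the browser sends a referrer
const DENY    = 'deny';     // reject the request

/**
 * @param string[] $options    any of refresh-empty, refresh-same-site, refresh-always
 * @param string   $backendUrl e.g. https://example.org/typo3/
 * @param string   $referrer   raw Referer header, '' when absent
 */
function decideReferrerHandling(array $options, string $backendUrl, string $referrer): string
{
    // A referrer from within the backend entry point is the only "valid" one.
    if ($referrer !== '' && strncmp($referrer, $backendUrl, strlen($backendUrl)) === 0) {
        return ALLOW;
    }
    $sameSite = $referrer !== ''
        && parse_url($referrer, PHP_URL_HOST) === parse_url($backendUrl, PHP_URL_HOST);

    if (in_array('refresh-always', $options, true)) {
        return REFRESH;                                   // any invalid referrer triggers a reload
    }
    if ($referrer === '' && in_array('refresh-empty', $options, true)) {
        return REFRESH;
    }
    if ($sameSite && in_array('refresh-same-site', $options, true)) {
        return REFRESH;                                   // e.g. https://example.org/?eID=auth
    }
    return DENY;
}

/** The refresh response itself: no backend action runs, the browser just comes back with a referrer. */
function refreshResponse(string $backendUrl): string
{
    $url = htmlspecialchars($backendUrl, ENT_QUOTES, 'UTF-8');
    return '<!doctype html><meta http-equiv="refresh" content="0; url=' . $url . '">';
}

$backend = 'https://example.org/typo3/';
$cases = [   // constructed requests: [options, Referer header, expected decision]
    [['refresh-empty'],     'https://example.org/typo3/index.php?route=/main', ALLOW],
    [['refresh-empty'],     '',                                              REFRESH],
    [['refresh-empty'],     'https://example.org/?eID=auth',                 DENY],    // the "too strict" case
    [['refresh-same-site'], 'https://example.org/?eID=auth',                 REFRESH],
    [['refresh-same-site'], 'https://attacker.example/',                     DENY],
    [['refresh-always'],    'https://attacker.example/',                     REFRESH], // a reload, not the action
];
foreach ($cases as [$options, $referrer, $expected]) {
    $result = decideReferrerHandling($options, $backend, $referrer);
    printf("%-20s %-50s %s\n", implode(',', $options), $referrer === '' ? '(empty)' : $referrer, $result);
    assert($result === $expected);
}
```

The point of the `REFRESH` branch is that the response is only the small HTML page from `refreshResponse()`: a cross-site form post or image request that lands there never reaches the requested backend action, and a real browser that follows the reload arrives with a same-origin referrer on the second try, which is then the `ALLOW` case.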
-
Resolves: #91417 Releases: master, 9.5 Change-Id: I690cf19965310cdb8612dca3b34f751aafb4c550 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64514 Tested-by:
TYPO3com <noreply@typo3.com> Tested-by:
Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-
The ReflectionService usually doesn't get serialized by users directly, but since Extbase has an unclean dependency chain, the serialization of the ReflectionService is triggered in user land code, e.g. when serializing a LazyObjectStorage. Since it's no problem to implement a clean serialization and unserialization of the ReflectionService, it is implemented with this patch and will no longer cause any troubles. There is just one thing to mention. The ReflectionService usually comes with a cache which cannot be restored during wakeup of the serialized service. It's unlikely but it's possible that the absence of the cache can cause a performance hit. Releases: master, 9.5 Resolves: #91404 Change-Id: I8c64968f0f329528c9f578ba0ef76437ada40ac0 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64532 Tested-by:
Benjamin Franzke <bfr@qbus.de> Tested-by:
Alexander Schnitzler <git@alexanderschnitzler.de> Tested-by:
TYPO3com <noreply@typo3.com> Reviewed-by:
Benjamin Franzke <bfr@qbus.de> Reviewed-by:
Alexander Schnitzler <git@alexanderschnitzler.de> Reviewed-by:
Oliver Hader <oliver.hader@typo3.org>
-