Skip to content
Permalink
Branch: master
Commits on Oct 18, 2019
  1. [TASK] Upgrade typo3/phar-stream-wrapper to v3.1.3 (PHP 7.4)

    ohader committed Oct 18, 2019
    Ensure PHP 7.4 compatibility by using recent release of the package.
    
    composer require typo3/phar-stream-wrapper:^3.1.3
    
    Resolves: #89453
    Releases: master, 9.5, 8.7
    Change-Id: I025bf2efae45b731e1f068afc5fa1d56e1e59a56
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62017
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Commits on Oct 11, 2019
  1. [TASK] Adjust composer.json declarations of system extensions

    ohader committed Oct 10, 2019
    In order to compatible with https://getcomposer.org/doc/04-schema.md
    composer.json declarations had to be adjusted and dropped previous
    replace statements like this:
    
    "replace": {
        "core": "*"
    }
    
    Resolves: #89392
    Releases: master, 9.5, 8.7
    Change-Id: I4d530fe90551b16c54462a81a457d0bff9f2de8b
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61944
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Georg Ringer <georg.ringer@gmail.com>
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Simon Gilli <typo3@gilbertsoft.org>
    Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
    Reviewed-by: Jörg Bösche <typo3@joergboesche.de>
    Reviewed-by: Felix P. <f.pachowsky@neusta.de>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Commits on Oct 8, 2019
  1. Revert "[TASK] Keep old value on confirmation modal close"

    ohader authored and d3pendent committed Oct 7, 2019
    This reverts commit c529dea.
    
    The patch only addressed a single use-case. In favour of a more
    generic approach mentioned change has been reverted.
    
    Reverts: #89220
    Resolves: #89362
    Releases: master, 9.5
    Change-Id: I30900d1b80268b263a47ba1c261904f7caa63710
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61913
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Sascha Rademacher <sascha.rademacher+typo3@gmail.com>
    Tested-by: Tobi Kretschmann <tobi@tobishome.de>
    Reviewed-by: Sascha Rademacher <sascha.rademacher+typo3@gmail.com>
    Reviewed-by: Tobi Kretschmann <tobi@tobishome.de>
Commits on Oct 1, 2019
  1. [TASK] Set TYPO3 version to 10.2.0-dev

    ohader committed Oct 1, 2019
    Change-Id: I81e89208e45b689b32f5c8df2392e8c2b24b8392
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61870
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  2. [RELEASE] Release of TYPO3 10.1.0

    ohader committed Oct 1, 2019
    Change-Id: I6491f0abe1148a2fbea8b37709dd16b071657b35
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61869
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Commits on Sep 30, 2019
  1. [BUGFIX] Streamline site configuration import in distribution packages

    ohader committed Sep 30, 2019
    Site configuration shipped in distribution packages had a couple of flaws
    during import process which are tackled with this change:
    
    * existing site configurations for same identifier are not overridden on
      the file system level anymore (according warning is logged)
    * site configuration is now updated and mapped to for imported pages,
      which did not work before due to hard-coded rootPageId in config.yaml
      (warning is logged in case root page id cannot be mapped)
    
    Resolves: #89314
    Releases: master
    Change-Id: I856024afb50186eb9f6cc73ef13f1961c948c784
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61864
    Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
Commits on Sep 28, 2019
  1. [BUGFIX] Correctly unpack CorrelationId version

    ohader committed Sep 28, 2019
    Resolves: #89299
    Releases: master
    Change-Id: Ib4e63b7baadb604ca77469e66af5bc060f79a8f6
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61856
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Tested-by: TYPO3com <noreply@typo3.com>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  2. [TASK] Introduce CorrelationId model

    ohader committed Sep 28, 2019
    Resolves: #89298
    Releases: master
    Change-Id: Icb2d406d8ba3759c8f999966fc68b8e31b046c01
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61855
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Frank Nägler <frank.naegler@typo3.org>
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Commits on Sep 25, 2019
  1. [BUGFIX] Provide error messages in install tool mail settings test

    ohader authored and maddy2101 committed Sep 24, 2019
    In order to identify problems with sending out mails, more specific
    error messages than "Something went wrong" are used.
    
    Resolves: #89254
    Releases: master, 9.5
    Change-Id: I61d8b122f7af764cfd5be0b08b27c99cd4fd56e0
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61802
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Frank Nägler <frank.naegler@typo3.org>
    Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
    Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
    Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
  2. [FEATURE] Introduce Broadcast Messaging

    ohader authored and andreasfernandez committed Sep 23, 2019
    This change introduces BroadcastChannel in order to communicate between
    frames. Messages are converted to according CustomEvents that can be
    handled individually. Event handling happens in the most specific scope
    on client side.
    
    A polyfill to support Edge has been installed, executed command:
    
      yarn add broadcastchannel-polyfill
    
    Resolves: #89244
    Releases: master
    Change-Id: Iab55bf78ff9324d19d115022464c24eea1b8b78e
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61788
    Reviewed-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Frank Nägler <frank.naegler@typo3.org>
    Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Frank Nägler <frank.naegler@typo3.org>
    Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Commits on Sep 13, 2019
  1. [BUGFIX] Keep workspace ID when discarding versioned records

    ohader committed Sep 12, 2019
    When a record was modified in a workspace, and then discarded, TYPO3 previously
    set the t3ver_wsid to "0", which basically meant "we release it to live workspace
    as a offline version with pid=-1".
    
    However, this turns out to be ugly, as this information is then floating in live workspace,
    without any information where this record was from.
    
    Instead, "discarding versioned records" now keeps the t3ver_wsid=X, and just marks
    the versioned record as "deleted" - or removes it completely if the database table
    does not support to mark records as deleted.
    
    As a result, there will be no records in live workspace anymore with "pid=-1" in the future
    anymore. To remove any "old" discarded records, an upgrade wizard will follow
    in a followup patch.
    
    Resolves: #89166
    Releases: master
    Change-Id: I8ccab3cd2053c27d9b0ecd9f171a83b9097f29dd
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61671
    Tested-by: Benni Mack <benni@typo3.org>
    Tested-by: Daniel Gorges <daniel.gorges@b13.com>
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Daniel Gorges <daniel.gorges@b13.com>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Commits on Sep 11, 2019
  1. [BUGFIX] Fix assertion ordering in test cases

    ohader authored and bmack committed Sep 11, 2019
    * use assertEqualsCanonicalizing instead of assertSame
      on array values to ignore ordering
    * apply sorting order for localizations retrieved in
      Clipboard (drive-by fix)
    * properly tearDown left-over instances of previous
      test execution
    
    Resolves: #89149
    Releases: master
    Change-Id: I369509bae1f58b7eeabe522c3a00af3ef86bb66f
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61666
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Benni Mack <benni@typo3.org>
  2. [BUGFIX] Correctly retrieve workspace versions

    ohader authored and bmack committed Sep 10, 2019
    * Clipboard now correctly resolves record localizations of a workspace
    * PageLayoutController new correctly determines sub-pages that are new
      in a particular workspace
    * SlugHelper & TypoScriptTemplateModuleController can be simplified
      by using WorkspaceRestriction directly
    * common function test scenario tree (based on YAML) is introduced
      for ext:backend in order to be used as structure for other tests
    * required testing framework changes support version and language
      variants and combination much better now
    
    Resolves: #89138
    Releases: master
    Change-Id: Ia4b412d48dd3ea92adc60c729ad6feb27c22b812
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61663
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Daniel Gorges <daniel.gorges@b13.com>
    Tested-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Daniel Gorges <daniel.gorges@b13.com>
    Reviewed-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Achim Fritz <af@achimfritz.de>
Commits on Aug 15, 2019
  1. [BUGFIX] Process t3:// link resources correctly

    ohader authored and NeoBlack committed Aug 14, 2019
    * t3://email?email=oliver@typo3.org (be greedy about missing mailto:)
    * t3://file?identifier=1:/logo.png (not implemented since no integer)
    
    Besides that according test cases are added in order to ensure the
    basic behavior of link handling in a TypoScript frontend rendering
    scenario using t3:// link resources.
    
    Resolves: #88960
    Releases: master, 9.5, 8.7
    Change-Id: I9a1f47f2eaaacc4368a1ca3e1a4006a8248e654e
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61498
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Tested-by: Frank Naegler <frank.naegler@typo3.org>
    Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
    Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Commits on Aug 2, 2019
  1. [BUGFIX] Streamline routing redirects to default site language

    ohader authored and maddy2101 committed Jul 24, 2019
    Calling the frontend with an URL that does not contain a valid base
    URI for a configured language resulted in a temporary redirect (307)
    to the base URI of the default language. In order to allow detecting
    outdated links returning a page not found (404) is used.
    
    Example: https://example.org/en/ is the base URI of a valid language
    + https://example.org/ -> redirects to default language /en/ (307)
    + https://example.org/nothing/ -> responds a page not found  (404)
    
    Releases: master, 9.5
    Resolves: #88838
    Change-Id: I9a3eeb53da8e0bb92799d8e29404513699411078
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61346
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Chris Müller <typo3@krue.ml>
    Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
    Reviewed-by: Chris Müller <typo3@krue.ml>
    Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Commits on Jul 23, 2019
  1. [TASK] Set TYPO3 version to 10.1.0-dev

    ohader authored and bmack committed Jul 23, 2019
    Change-Id: Ic8975554d38eef468af5454152a0200e21eb962d
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61339
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
    Reviewed-by: Benni Mack <benni@typo3.org>
Commits on Jul 21, 2019
  1. [!!!][TASK] Remove POST option from typolink.addQueryString.method

    ohader authored and andreasfernandez committed Jul 15, 2019
    Setting `addQueryString.method` of typolink could be used like shown
    below in order to transform HTTP POST parameters into according GET
    parameters.
    
        typolink {
            parameter = 123
            addQueryString = 1
            addQueryString.method = POST
        }
    
    In terms of correctly using HTTP verbs it's bad practise in general
    to treat GET and POST equally, besides that documentation already
    mentioned potential side-effects like accidentally exposing sensitive
    data submitted via POST to proxies or log files.
    
    That's why values POST, GET,POST and POST,GET are not allowed anymore
    for `typolink.addQueryString.method`. Maintaining functionality - if
    required at all - has to be done using domain specific logic in
    according controllers or middleware implementations.
    
    Resolves: #88755
    Releases: master
    Change-Id: I6ecfdd2ee98251b64093c1a13f9371beea862ddd
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61295
    Tested-by: Benjamin Franzke <bfr@qbus.de>
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Reviewed-by: Benjamin Franzke <bfr@qbus.de>
    Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Commits on Jul 17, 2019
  1. [BUGFIX] Use proper syntax for RST code-block

    ohader committed Jul 17, 2019
    codeblock -> code-block
    
    Resolves: #88790
    Releases: master, 9.5
    Change-Id: I51f30b30ef7344e1b66bd5ed354d3bfe60074a57
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61309
    Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Commits on Jul 15, 2019
  1. [BUGFIX] Avoid storing Extbase reflection in be_users.uc

    ohader authored and bnf committed Jun 21, 2019
    The backend users module (ext:beuser) persists previously defined
    filter combinations in be_users.uc fields of the according user. When
    a "user group" is defined in the filter, Extbase architecture internals
    get serialized and persisted as well which has performance impacts and
    most probably will exceed storage (16M) of be_users.uc field.
    
    It is enough to store the uid of the according be_groups entity.
    
    Resolves: #86361
    Releases: master, 9.5, 8.7
    Change-Id: I61ba4993d9594b1074546255e7d5c2d5506819fb
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61117
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Markus Klein <markus.klein@typo3.org>
    Tested-by: Alexander Schnitzler <review.typo3.org@alexanderschnitzler.de>
    Tested-by: Benjamin Franzke <bfr@qbus.de>
    Reviewed-by: Markus Klein <markus.klein@typo3.org>
    Reviewed-by: Julian Geils <j_geils@web.de>
    Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
    Reviewed-by: Alexander Schnitzler <review.typo3.org@alexanderschnitzler.de>
    Reviewed-by: Benjamin Franzke <bfr@qbus.de>
Commits on Jul 5, 2019
  1. [TASK] Switch to json_encode/json_decode for Extbase arguments

    ohader authored and Alexander Schnitzler committed Jul 3, 2019
    Extbase argument mapping and request building can be optimized
    by using json_encode instead of serialize which is a bit more
    "space-saving".
    
    Besides that information in [__referrer][arguments] is dropped
    which was supposed to have happened in TYPO3 v8 already.
    
    Resolves: #88682
    Releases: master
    Change-Id: Ifbb4192803378b1c1984405bdca04c282b8f4335
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61223
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Tested-by: Alexander Schnitzler <review.typo3.org@alexanderschnitzler.de>
    Tested-by: Johannes Seipelt <johannes.seipelt@3m5.de>
    Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
    Reviewed-by: Alexander Schnitzler <review.typo3.org@alexanderschnitzler.de>
    Reviewed-by: Johannes Seipelt <johannes.seipelt@3m5.de>
Commits on Jun 25, 2019
  1. [SECURITY] Disallow insecure deserialization for l18n_diffsource

    ohader committed Jun 25, 2019
    Serialized values in l18n_diffsource are vulnerable to insecure
    deserialization when being invoked in FormEngine or DataHandler.
    
    Resolves: #88323
    Releases: master, 9.5, 8.7
    Security-Commit: 215de3e52140dc69ccb0e5802ab4234922b1aa63
    Security-Bulletin: TYPO3-CORE-SA-2019-020
    Change-Id: I03704b35d94e2575e9231656977f3760e6f04e2b
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61146
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  2. [SECURITY] Deny pages' TSconfig and tsconfig_includes for non-admins

    ohader committed Jun 25, 2019
    Fields `TSconfig` and `tsconfig_includes` of table `pages` can be
    misused by restricted users to contain malicious instructions and
    lead to cross-site scripting as well as arbitrary code execution.
    Since user input cannot be sanitized properly, the field is now
    available for admin users only. In addition directory traversal
    in TSconfig static includes has been mitigated.
    
    Resolves: #88565
    Releases: master, 9.5, 8.7
    Security-Commit: b4ab9cd1f0539b3af675b94aa01d26e5c4b3a1d9
    Security-Bulletin: TYPO3-CORE-SA-2019-019
    Change-Id: I712364fde6a76ad761a0b738756cb151dc5c22e1
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61145
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  3. [!!!][SECURITY] Disallow session data transfer on frontend user logout

    ohader committed Jun 25, 2019
    When frontend users logged out their session data (e.g. shopping cart)
    was transfered into an anonymous session. This session could have been
    reused by a different user working with the very same browser.
    
    In order to enhance security aspects on this topic session data is
    purged when an according frontend user is logging out. Since this might
    be breaking for some scenarios a new feature toggle has been introduced
    which allows to keep the previous behavior:
    
    	boolean 'security.frontend.keepSessionDataOnLogout'
    	in $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']
    
    Resolves: #88139
    Releases: master, 9.5, 8.7
    Security-Commit: 89c45f80388f24f08f827c474daa5ab8fda63da2
    Security-Bulletin: TYPO3-CORE-SA-2019-018
    Change-Id: I869f3bee7c6bf6e2ae51bcd86273b6abc15f09c5
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61144
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  4. [SECURITY] Deny access to import module for non-admin users

    ohader committed Jun 25, 2019
    Due to an incomplete condition it was possible for regular
    backend users to make use of the import module - which only
    would be accessible to admin users or to those users have
    User TSconfig `options.impexp.enableImportForNonAdminUser`
    enabled.
    
    Resolves: #88284
    Releases: master, 9.5
    Security-Commit: a3ca05df1e9e9269b45daf9dd79517df9d202604
    Security-Bulletin: TYPO3-CORE-SA-2019-017
    Change-Id: I9ac9a026d5715f9c03eda37f0ef84178640b2f1d
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61143
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  5. [SECURITY] Disallow javascript & data scheme in URL link handler

    ohader committed Jun 25, 2019
    URLs defined using TYPO3's internal t3://url/?url=... notation are
    now hardened against using `javascript:` and`data:` URL schemes.
    
    Resolves: #88476
    Releases: master, 9.5, 8.7
    Security-Commit: 1a873c662524a62b192661da45d27e223e517d18
    Security-Bulletin: TYPO3-CORE-SA-2019-015
    Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Commits on Jun 19, 2019
  1. [BUGFIX] Remove "cache_" prefix from cache configuration keys

    ohader authored and andreasfernandez committed Jun 6, 2019
    With #88366 "cache_" prefix has been deprecated. However, when
    retrieving a deprecated cache like "cache_subject" its identifier
    gets transformed to just "subject" which is (probably) not available
    in cache configuration keys. That's why keys of cache configurations
    have to be transformed as well.
    
    Resolves: #88512
    Releases: master
    Change-Id: I224d55e71011a437ed2e990d13b1edbee08770b7
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60892
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Benni Mack <benni@typo3.org>
    Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Reviewed-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Commits on Jun 6, 2019
  1. Revert "[TASK] Drop t3_origuid fields from functional tests"

    ohader committed Jun 6, 2019
    This reverts commit 55f7bea.
    
    Unfortunately it's not possible to get rid of t3_origuid completely
    without introducing new side-effects. Remaining test adjustments for
    #88494 have shown that non-translatable entities used as reference
    would rather be deleted & re-created instead of synchronized.
    
    t3_origuid did a good job there - dropping it would introduce the
    mentioned regression. Misusing l10n_source for a non-translatable
    table sounds as stupid as introducing a new field like sync_origuid.
    
    Related: #88494
    Reverts: #88495
    Resolves: #88501
    Releases: master
    Change-Id: I4de8a0cbac1b7c9825991794830efaa53f270709
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60888
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Commits on Jun 5, 2019
  1. [TASK] Drop t3_origuid fields from functional tests

    ohader authored and bmack committed Jun 5, 2019
    In order to drop t3_origuid semantics (see issue #88494) according
    usages should be purged from functional tests. This way functional
    changes are easier to spot having to dedicated change-sets.
    
    Resolves: #88495
    Releases: master
    Change-Id: Ic54efe30bb112b179a176681a3bb067de1791d44
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60880
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
    Tested-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
    Reviewed-by: Benni Mack <benni@typo3.org>
Commits on May 15, 2019
  1. [TASK] Upgrade typo3/phar-stream-wrapper to v3.1.2

    ohader authored and bmack committed May 14, 2019
    https://github.com/TYPO3/phar-stream-wrapper/releases/tag/v3.1.2
    
    * #34: Normalize resolved Windows path to Unix-style
    * #42: Avoid analysing non-phar files on alias resolving
    * #40: Add Windows tests using AppVeyor
    * #33: Add alternative mime-type resolving (without ext-fileinfo)
    
    composer require typo3/phar-stream-wrapper:^3.1.2
    
    Resolves: #88354
    Releases: master, 9.5, 8.7
    Change-Id: I4560881006a6f9c48761161f0b96b78f02c0659d
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60754
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Benni Mack <benni@typo3.org>
  2. [BUGFIX] Avoid realpath resolving in PharStreamWrapperInterceptor

    ohader authored and andreasfernandez committed May 13, 2019
    Given that e.g. public/typo3conf/ext/my_extension is symlinked to
    packages/my_extension, PharStreamWrapper denies invocation since
    realpath is resolved.
    
    For the specific PharStreamWrapperInterceptor it is okay to avoid
    realpath resolving.
    
    Resolves: #88340
    Releases: master, 9.5, 8.7
    Change-Id: I46b7100547dd0e40d1d4d76a71047ef977d8ce63
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60739
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Mathias Brodala <mbrodala@pagemachine.de>
    Tested-by: tomalo.stuttgart <loeffler@spooner-web.de>
    Tested-by: Markus Klein <markus.klein@typo3.org>
    Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
    Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
    Reviewed-by: tomalo.stuttgart <loeffler@spooner-web.de>
    Reviewed-by: Rudy Gnodde <rgn@windinternet.nl>
    Reviewed-by: Kevin Meckl <kevin.meckl@zdrei.com>
    Reviewed-by: Richard Haeser <richard@maxserv.com>
    Reviewed-by: Markus Klein <markus.klein@typo3.org>
    Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Commits on May 7, 2019
  1. [SECURITY] Enclose file type scope when invoking ImageMagick

    ohader committed May 7, 2019
    In order to enclose and avoid type guessing done by ImageMagick based
    on mime-type and internal file content checks, new value object class
    ImageMagickFile has been introduced as guard for those invocations.
    
    Resolves: #87588
    Releases: master, 9.5, 8.7
    Security-Commit: d4f18684b2b2078b51cc7e93abdb251ea846984a
    Security-Bulletin: TYPO3-CORE-SA-2019-012
    Change-Id: I9a2dd74e8548530d7bc83bd18af2f4f0a8212019
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60705
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  2. [SECURITY] Hide items in page tree a user does not have access to

    ohader committed May 7, 2019
    Due to a pass-by-reference error pages a user does not have access
    to were still visible in the page tree.
    
    Resolves: #87676
    Releases: master, 9.5
    Security-Commit: 5d2c69c00554ec64ea020ec803f593ae772fa367
    Security-Bulletin: TYPO3-CORE-SA-2019-009
    Change-Id: Ic8ba91b596e1589860bc28b746e551ac6bc47588
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60701
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
  3. [BUGFIX] Avoid showing password on MacBook touch bar in backend forms

    ohader authored and andreasfernandez committed Apr 4, 2018
    The auto suggest feature of MacBook's touch bar shows information of
    just entered passwords when editing a record containing a password
    field in backend forms. The behavior only occurs when Safari is used
    as client and touch bar word completion is activated.
    
    Resolves: #88286
    Releases: master, 9.5, 8.7
    Change-Id: I588a6edcfc34c403dc9f042adbeca2c711512228
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60678
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Benni Mack <benni@typo3.org>
    Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Reviewed-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Commits on May 6, 2019
  1. [TASK] Upgrade and streamline typo3/phar-stream-wrapper to v3.1.1

    ohader committed May 5, 2019
    Phar Stream Wrapper has been upgraded to version 3.1.1 in order to
    solve performance and alias resolving issues. The interceptor has
    been streamlined further.
    
    composer require typo3/phar-stream-wrapper:^3.1.1
    
    Resolves: #88277
    Releases: master, 9.5, 8.7
    Change-Id: Id6b08557ab507ef66e54d1f39992272fe4791405
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60673
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Commits on Apr 24, 2019
  1. [BUGFIX] Sanitize undefined TCA columns required for data integrity

    ohader authored and georgringer committed Apr 18, 2019
    TCA's 'ctrl' section allows to define several database columns that
    shall be used to store according integrity information, such as the
    current language or pointers to ancestors used during localization.
    
    In case those names are not defined properly in TCA's 'columns'
    section, several commands (like copy of localize) are executed,
    but without actually maintaining these values in the database.
    
    In order to ensure integrity, missing columns that are defined in
    the 'ctrl' section but missing in the 'columns' section are applied
    with the TCA type 'passthrough'. This applies to 'ctrl' properties
    
    * origUid
    * languageField
    * translationSource
    * transOrigPointerField
    
    Resolves: #88057
    Releases: master, 9.5
    Change-Id: I39a28dc2e1eddafe6363b7dd633fd84968fc620f
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60511
    Tested-by: TYPO3com <noreply@typo3.com>
    Tested-by: Benni Mack <benni@typo3.org>
    Tested-by: Georg Ringer <georg.ringer@gmail.com>
    Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
    Reviewed-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
    Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Older
You can’t perform that action at this time.