InvalidHashException now declares 400 as its status code (instead of the inherited 500 it has so far), as that is clearly a case of a "bad request".
- See: #3159
Upgrade instructions
This might need adjustment if you rely on the InvalidHashException throwing a status code of 500 somewhere.
- Packages:
Flow
BUGFIX: Return the expected result for `is_dir('resource://sha1')` (#3226)
- Fixes: #3225
- Packages:
Flow
- Fixes: #3205
- Packages:
Flow
BUGFIX: Require collection packages as `self.version` again (#3206)
- See: #3035 for the original change
- Packages:
Flow
Eel
FluidAdaptor
Kickstarter
For example, Postgres has performance issues with large datasets and the DISTINCT clause. In a test this change reduced the query time of a count query for ~900.000 entities by more than 80%.
In a custom project this affected their Neos Media.UI in which the following results were found:
- Count all assets | 580ms -> 260ms
- Query 20 assets | 690ms -> 350ms
- Query 100 assets | 990ms -> 650ms
- Module load | 1900ms -> 1400ms
Review instructions
Everything should work the same, as #415 already sets the distinct flag where (possibly) necessary.
- Packages:
Flow
Adds two internal methods, `isSanitizingRequired` and `sanitizeImportedFileContent`, to the ResourceManager. The import is adjusted to first determine the media type of an imported resource in order to decide whether sanitizing is needed, which for now happens only for SVG files. If no sanitizing is needed, the code behaves as before by passing streams or filenames around.
If suspicious content was removed, a warning is logged that mentions the removed data and the line. The sanitizing is done using "enshrined/svg-sanitize", which is used by other CMSs as well.
The initial implementation will only sanitize SVG files, as those can contain malicious scripts. In the future this should be expanded to a feature that allows registering custom sanitizing functions.
The sanitizing logic itself is basically the same as what TYPO3 does here: https://github.com/TYPO3/typo3/blob/357b07064cf2c7f1735cfb8f73ac4a7248ab040e/typo3/sysext/core/Classes/Resource/Security/SvgSanitizer.php
This addresses the issue described here: https://nvd.nist.gov/vuln/detail/CVE-2023-37611
Review Instructions
The change adds quite a bit of complexity to the importResource method in order to avoid loading the file content into RAM whenever possible. As this method accepts both filenames and resources, this leads to quite some nested checking. I consider this kind of necessary, as one does not want to read a full video file into PHP RAM just to check whether it may be an SVG.
Better suggestions are welcome.
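The following is an added illustration of the approach described above (detect the media type first, read only a small prefix of the file, and sanitize only SVGs); it is example code written for this page, not Flow's own ResourceManager implementation. It assumes enshrined/svg-sanitize is installed via Composer; the function names mirror the entry, the file-sniffing heuristic and the sample SVG are constructed for the example.

```php
<?php
// Added example, not Flow's own code. Assumes "enshrined/svg-sanitize" is installed.
require __DIR__ . '/vendor/autoload.php';

use enshrined\svgSanitize\Sanitizer;

/**
 * Decide whether a file needs sanitizing using only its name and the first bytes
 * of its content, so that a large video is never read into RAM just to check it.
 */
function isSanitizingRequired(string $filename): bool
{
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($extension === 'svg' || $extension === 'svgz') {
        return true;
    }
    // Sniff a small prefix only: an SVG is XML that mentions <svg near the start.
    $handle = fopen($filename, 'rb');
    if ($handle === false) {
        return false;
    }
    $head = (string)fread($handle, 4096);
    fclose($handle);
    return stripos($head, '<svg') !== false;
}

/**
 * Returns the sanitized SVG plus one warning per removed element or attribute
 * (including the line it was found on). An empty warning list means the file was clean.
 *
 * @return array{0: string, 1: string[]}
 */
function sanitizeImportedFileContent(string $svgContent): array
{
    $sanitizer = new Sanitizer();
    $sanitizer->removeRemoteReferences(true); // drop external hrefs as well as scripts and handlers
    $clean = $sanitizer->sanitize($svgContent);
    if ($clean === false) {
        // Not parseable as XML at all: reject rather than store something unknown.
        throw new RuntimeException('Imported SVG could not be parsed; import rejected.');
    }
    $warnings = [];
    foreach ($sanitizer->getXmlIssues() as $issue) {
        $warnings[] = sprintf('Removed "%s" at line %d', $issue['message'], $issue['line']);
    }
    return [$clean, $warnings];
}

// Constructed sample: an SVG carrying an event handler and an inline script.
$sample = <<<'SVG'
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <rect width="10" height="10"/>
</svg>
SVG;

$tmp = tempnam(sys_get_temp_dir(), 'import');
file_put_contents($tmp, $sample);

if (isSanitizingRequired($tmp)) {
    [$clean, $warnings] = sanitizeImportedFileContent((string)file_get_contents($tmp));
    foreach ($warnings as $warning) {
        error_log('SVG import: ' . $warning); // in Flow this would go to the system logger
    }
    file_put_contents($tmp, $clean);
}
// A non-SVG file falls through untouched: only its path is passed on, never its content.
unlink($tmp);
```

The order matters for the memory concern raised in the review instructions: the cheap check (extension, then a 4 KB prefix) runs before anything is loaded, and the full content is read only for the one media type that is actually rewritten.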
- Packages:
Utility.MediaTypes
PHP 5 is a thing of the past, but for PHP 8 the module is named just `mod_php.c`, so that needs to be added.
Upgrade instructions
Depending in the way you deploy and whether you have that file even in version control, the change might need to be applied manually to your setup.
Review instructions
- Packages:
Flow
Correction of an erroneous path in routing documentation.
- Packages:
Flow
Prevents deprecation warnings for dynamic properties.
- Packages:
Flow
Eel
Whenever a new dump is written, check the existing dumps and remove those that are older than allowed or exceed the maximum count.
By default nothing is cleaned up.
- Resolves: #3158
Review instructions
Should remove old dump files as configured…
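As an added example of the retention rule described in this entry (prune by age, then by count, and do nothing unless a limit is configured); this is illustration code for this page, not Flow's own implementation. The directory layout, the `null` meaning "no limit", and the `$now` parameter are assumptions made for the example.

```php
<?php
// Added example, not Flow's own code.

/**
 * Remove dumps older than $maxAgeSeconds and then the oldest ones beyond $maxCount.
 * A null limit is disabled; with both disabled (the default) nothing is removed.
 * Returns the paths that were deleted.
 *
 * @return string[]
 */
function cleanupDumps(string $directory, ?int $maxAgeSeconds = null, ?int $maxCount = null, ?int $now = null): array
{
    if ($maxAgeSeconds === null && $maxCount === null) {
        return []; // default: no cleanup at all
    }
    $now = $now ?? time();
    $files = glob(rtrim($directory, '/') . '/*') ?: [];
    $files = array_values(array_filter($files, 'is_file'));
    // Oldest first, by modification time, so count-based pruning drops the oldest.
    usort($files, fn(string $a, string $b): int => filemtime($a) <=> filemtime($b));

    $removed = [];
    if ($maxAgeSeconds !== null) {
        $kept = [];
        foreach ($files as $file) {
            if ($now - filemtime($file) > $maxAgeSeconds) {
                unlink($file);
                $removed[] = $file;
            } else {
                $kept[] = $file;
            }
        }
        $files = $kept;
    }
    if ($maxCount !== null && count($files) > $maxCount) {
        foreach (array_slice($files, 0, count($files) - $maxCount) as $file) {
            unlink($file);
            $removed[] = $file;
        }
    }
    return $removed;
}

// Constructed demo: three dump files with staggered ages in a temporary directory.
$dir = sys_get_temp_dir() . '/dumps-' . bin2hex(random_bytes(4));
mkdir($dir);
foreach ([3, 2, 1] as $daysOld) {
    $path = $dir . '/dump-' . $daysOld . '.txt';
    touch($path, time() - $daysOld * 86400);
}
// Keep at most two dumps, none older than 2.5 days: removes dump-3.txt by age, nothing by count.
print_r(cleanupDumps($dir, (int)(2.5 * 86400), 2));
```

Applying the age limit before the count limit means a configured maximum count is measured against the dumps that are still within the allowed age, which keeps the two settings independent of each other.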
- Packages:
Flow
- See: #3035 for the original change
- Packages:
Flow
A test failed due to a missing return value from a method not being mocked (correctly).
- Packages:
Cache
… by pinning updated dependencies.
Review instructions
Best is to see if the builds succeed on RTD again with this merged…
- Packages:
Flow