<p>TYPO3 Forge: Issues (<a class="external" href="http://forge.typo3.org/">http://forge.typo3.org/</a>), feed updated 2023-09-28T10:21:50Z</p>
<h1>TYPO3 Core - Bug #102058 (New): Meta tags rendered as XHTML</h1>
<p><a class="external" href="http://forge.typo3.org/issues/102058">http://forge.typo3.org/issues/102058</a>, 2023-09-28T10:21:50Z, Oliver Hader (oliver.hader@typo3.org)</p>
<pre>
<meta name="generator" content="TYPO3 CMS" />
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
<meta name="robots" content="index,follow" />
...
<meta property="og:image:type" content="image/png" />
<meta property="og:title" content="IN.DIE.musik e.V." />
<meta name="twitter:card" content="summary" />
<meta name="twitter:site" content="@InDieMusik" />
</pre>
<p><a class="external" href="https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/MetaTag/AbstractMetaTagManager.php#L226-L239">https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/MetaTag/AbstractMetaTagManager.php#L226-L239</a></p>
<pre>
$metaTags[] = '<meta ' .
    htmlspecialchars($nameAttribute) . '="' . htmlspecialchars($property) . '" ' .
    htmlspecialchars($contentAttribute) . '="' . htmlspecialchars($propertyItem['content']) . '" />';
</pre>
<h1>TYPO3 Core - Bug #101415 (New): Cannot localize page in backend</h1>
<p><a class="external" href="http://forge.typo3.org/issues/101415">http://forge.typo3.org/issues/101415</a>, 2023-07-22T17:59:04Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>(Actions performed as admin user)</p>
<p>Error message in JavaScript console:</p>
<pre>
Uncaught TypeError: Cannot convert undefined or null to object
at Function.keys (<anonymous>)
at InputTransformer.flattenObject (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:641)
at input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:770
at Array.reduce (<anonymous>)
at InputTransformer.flattenObject (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:649)
at InputTransformer.toSearchParams (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:481)
at AjaxRequest.withQueryArguments (ajax-request.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:352)
at Localization.localizeRecords (localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:6623)
at Object.callback (localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:5597)
at Wizard.runSlideCallback (wizard.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:3552)
flattenObject @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
(anonymous) @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
flattenObject @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
toSearchParams @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
withQueryArguments @ ajax-request.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
localizeRecords @ localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
(anonymous) @ localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
runSlideCallback @ wizard.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
</pre>
<p>The reason is that in <code>localization.ts</code> the corresponding <code>action</code> is still <code>null</code>, since there are two <code>availableLocalizationModes</code> (<code>copy</code> and <code>translate</code>), but the handling just expects to have one...</p>
<pre>
<a href="#" class="btn btn-default btn-sm t3js-localize" title=""
data-page="[Translate to Dansk:] 404" data-has-elements="0"
data-allow-copy="1" data-allow-translate="1" data-table="tt_content"
data-page-id="6" data-language-id="1" data-language-name="Dansk">
...
Translate
</a>
</pre>
<h1>TYPO3 Core - Task #100906 (New): Handle CSP violations in browser extensions</h1>
<p><a class="external" href="http://forge.typo3.org/issues/100906">http://forge.typo3.org/issues/100906</a>, 2023-05-20T11:55:08Z, Oliver Hader (oliver.hader@typo3.org)</p>
<a name="General"></a>
<h3 >General<a href="#General" class="wiki-anchor">¶</a></h3>
<ul>
<li><a class="external" href="https://csper.io/blog/csp-report-filtering">https://csper.io/blog/csp-report-filtering</a></li>
<li><a class="external" href="https://dropbox.tech/security/on-csp-reporting-and-filtering">https://dropbox.tech/security/on-csp-reporting-and-filtering</a></li>
<li><a class="external" href="https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf">https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf</a></li>
<li><a class="external" href="https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20">https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20</a></li>
<li><a class="external" href="https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59">https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59</a></li>
</ul>
<a name="Payloads"></a>
<h3 >Payloads<a href="#Payloads" class="wiki-anchor">¶</a></h3>
<pre>
{
  "blocked-uri": "inline",
  "column-number": 9,
  "disposition": "enforce",
  "document-uri": "https:\/\/indiemusik-festival.de\/events\/festival-2023",
  "effective-directive": "script-src-elem",
  "line-number": 33,
  "original-policy": "frame-src 'self' https:\/\/*.youtube-nocookie.com https:\/\/*.youtube.com https:\/\/*.vimeo.com https:\/\/instagram.com https:\/\/*.instagram.com; img-src 'self' https:\/\/*.ytimg.com https:\/\/*.vimeocdn.com data: https:\/\/instagram.com https:\/\/*.instagram.com; default-src 'self'; script-src 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https:\/\/analytics.in-die-musik.de; script-src-elem 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' https:\/\/analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https:\/\/cloud.in-die-musik.de; report-uri https:\/\/indiemusik-festival.de\/@http-reporting?csp=report&requestTime=1684526938506325",
  "referrer": "",
  "script-sample": "(function (NAVIGATOR, OBJECT) {\n\n if \u2026",
  "source-file": "moz-extension",
  "status-code": 200,
  "violated-directive": "script-src-elem"
}
</pre>
<p>→ <code>"source-file":"moz-extension"</code><br />→ payload <code>(function (NAVIGATOR, OBJECT) { if </code><br />→ trigger <a class="external" href="https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23">https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23</a></p>
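<p>The classification the links under "General" describe, as an added example that is not part of this issue or of TYPO3: a small PHP filter for the reporting endpoint that tags a violation report as caused by a browser extension when <code>source-file</code> or <code>blocked-uri</code> carries an extension scheme (Firefox truncates it to the bare scheme name, as in the <code>moz-extension</code> payload above) or when the inline <code>script-sample</code> matches a known extension content script (the Privacy Badger prefix from the payload above). The field names are those of the report-uri JSON format; the scheme list, the sample-prefix list, all function names and the constructed sample reports are assumptions made for this example.</p>

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code: separate CSP violation reports caused by browser
// extensions from reports caused by the site itself, so the reporting endpoint can
// tag (rather than silently drop) the extension noise.
// Assumptions: the scheme list, the sample-prefix list, the function names and the
// constructed sample reports below.

/** URI schemes used only by browser extensions for their injected resources. */
const EXTENSION_SCHEMES = [
    'moz-extension',          // Firefox
    'chrome-extension',       // Chrome, Edge, Opera, Brave
    'safari-extension',       // Safari (legacy)
    'safari-web-extension',   // Safari
    'ms-browser-extension',   // legacy Edge
];

/** Prefixes of inline script samples known to be injected by extensions
 *  (first entry: the Privacy Badger DNT script seen in the report above). */
const EXTENSION_SCRIPT_SAMPLE_PREFIXES = [
    '(function (NAVIGATOR, OBJECT) {',
];

/** Decode a report-uri POST body; accepts {"csp-report": {...}} or the bare object. */
function parseCspReport(string $json): ?array
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return null;
    }
    $report = $data['csp-report'] ?? $data;
    if (!is_array($report)) {
        return null;
    }
    return (isset($report['violated-directive']) || isset($report['effective-directive'])) ? $report : null;
}

/** Scheme of a possibly truncated URI: Firefox reports just "moz-extension". */
function uriScheme(string $uri): string
{
    return explode(':', strtolower(trim($uri)), 2)[0];
}

/** True when source-file or blocked-uri points into a browser extension. */
function isExtensionOrigin(array $report): bool
{
    foreach (['source-file', 'blocked-uri'] as $field) {
        $value = (string)($report[$field] ?? '');
        if ($value !== '' && in_array(uriScheme($value), EXTENSION_SCHEMES, true)) {
            return true;
        }
    }
    return false;
}

/** True when the inline script sample matches a known extension content script. */
function isExtensionScriptSample(array $report): bool
{
    $sample = ltrim((string)($report['script-sample'] ?? ''));
    foreach (EXTENSION_SCRIPT_SAMPLE_PREFIXES as $prefix) {
        if ($sample !== '' && str_starts_with($sample, $prefix)) {
            return true;
        }
    }
    return false;
}

/** Returns "extension", "site" or "invalid". */
function classifyCspReport(string $json): string
{
    $report = parseCspReport($json);
    if ($report === null) {
        return 'invalid';
    }
    return (isExtensionOrigin($report) || isExtensionScriptSample($report)) ? 'extension' : 'site';
}

// Constructed sample reports (abbreviated; not taken from a live endpoint).
$samples = [
    // Firefox: Privacy Badger injecting its DNT script, source-file truncated to the scheme
    '{"csp-report":{"blocked-uri":"inline","violated-directive":"script-src-elem","source-file":"moz-extension","script-sample":"(function (NAVIGATOR, OBJECT) {\n\n if \u2026"}}',
    // Chrome: an extension resource blocked by img-src
    '{"csp-report":{"blocked-uri":"chrome-extension://abcdefghijklmnop/icon.png","violated-directive":"img-src"}}',
    // Genuine site problem: an inline script that lacks the nonce
    '{"csp-report":{"blocked-uri":"inline","violated-directive":"script-src-elem","source-file":"https://example.org/page","script-sample":"window.dataLayer = window.dataLayer || [];"}}',
    'not json at all',
];
foreach ($samples as $json) {
    echo classifyCspReport($json), PHP_EOL;
}
```

<p>The endpoint should store the class next to each report and count per class rather than discard "extension" reports: a sudden rise of "site" reports after a deployment is the signal the task wants, and the prefix list only stays useful if new extension samples are reviewed and added.</p>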
<hr />
<p>...</p>
<h1>TYPO3 Core - Task #99046 (New): DOCS: Routing Troubleshooting Section</h1>
<p><a class="external" href="http://forge.typo3.org/issues/99046">http://forge.typo3.org/issues/99046</a>, 2022-11-10T11:39:03Z, Oliver Hader (oliver.hader@typo3.org)</p>
<ul>
<li><a class="external" href="https://forge.typo3.org/issues/91530">https://forge.typo3.org/issues/91530</a>
<ul>
<li>describe consequences of using <code>PageType</code> decorator</li>
<li>concerning optional route variables (using <code>defaults</code>)</li>
</ul>
</li>
<li><a class="external" href="https://forge.typo3.org/issues/94585">https://forge.typo3.org/issues/94585</a>
<ul>
<li>describe consequences of using route without specific segment, e.g. <code>/{variable}</code></li>
<li>suggest to use specific segment, e.g. <code>/show/{variable}</code></li>
</ul>
</li>
<li><a class="external" href="https://forge.typo3.org/issues/90959#note-3">https://forge.typo3.org/issues/90959#note-3</a>
<ul>
<li>describe consequences of ambiguity</li>
</ul></li>
</ul>
<h1>TYPO3 Core - Bug #96435 (New): Apply rate limiter to mail forms</h1>
<p><a class="external" href="http://forge.typo3.org/issues/96435">http://forge.typo3.org/issues/96435</a>, 2021-12-27T18:09:10Z, Oliver Hader (oliver.hader@typo3.org)</p>
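<p>The check this issue asks for, as an added example that is not part of the issue text or of TYPO3: a per-form, per-client sliding-window limit built on the symfony/rate-limiter component, called before a submission is handed to the mail-sending step. The class and method names, the limits, the key format, the IP hashing secret, the in-memory storage and the hook-in point are assumptions made for this example.</p>

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code: rate-limit submissions of a mail form per form and
// per client using symfony/rate-limiter (composer require symfony/rate-limiter).
// Assumptions: limits, key format, secret, storage and where the check is called.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\RateLimiter\Storage\InMemoryStorage;

final class FormSubmissionLimiter
{
    private RateLimiterFactory $factory;

    /**
     * @param int    $limit    accepted submissions per client and form within $interval
     * @param string $interval sliding window length, e.g. "10 minutes"
     * @param string $secret   keys the IP hash so the limiter storage holds no raw addresses
     */
    public function __construct(int $limit, string $interval, private string $secret)
    {
        // sliding_window: a burst at the edge of two windows cannot double the budget,
        // which fixed_window would allow. InMemoryStorage is per process; a real
        // deployment shares state via CacheStorage (PSR-6) so all workers agree.
        $this->factory = new RateLimiterFactory([
            'id' => 'mail-form-submission',
            'policy' => 'sliding_window',
            'limit' => $limit,
            'interval' => $interval,
        ], new InMemoryStorage());
    }

    /**
     * Call before the submission is handed to the mail-sending step.
     * Returns null when the submission may proceed, otherwise the seconds to wait.
     */
    public function check(string $formIdentifier, string $clientIp): ?int
    {
        // Separate budgets per form and per client: one scripted client cannot
        // exhaust the budget for everyone, and different forms do not interfere.
        $key = $formIdentifier . ':' . hash_hmac('sha256', $clientIp, $this->secret);
        $rateLimit = $this->factory->create($key)->consume(1);
        if ($rateLimit->isAccepted()) {
            return null;
        }
        return max(1, $rateLimit->getRetryAfter()->getTimestamp() - time());
    }
}

// The client IP must be the address resolved after trusted reverse-proxy handling,
// never a raw X-Forwarded-For value the client controls. 'rotate-me' is a placeholder.
$limiter = new FormSubmissionLimiter(limit: 3, interval: '10 minutes', secret: 'rotate-me');
for ($attempt = 1; $attempt <= 5; $attempt++) {
    $wait = $limiter->check('contact-form', '203.0.113.10');
    echo "attempt $attempt: ", $wait === null ? 'accepted, sending mail' : "rejected, retry after {$wait}s", PHP_EOL;
}
// A different client keeps its own budget for the same form:
echo 'other client: ', $limiter->check('contact-form', '198.51.100.7') === null ? 'accepted' : 'rejected', PHP_EOL;
```

<p>When <code>check()</code> returns a wait time the form should answer with HTTP 429 and a <code>Retry-After</code> header instead of sending the mail; the limit is consumed on every attempt, so a client that keeps retrying does not regain budget faster.</p>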
<p>In order to limit sending forms again and again (which can be automated e.g. by using Selenium or similar techniques), sending out a particular form should be rate-limited (available since TYPO3 v11).</p>
<h1>TYPO3 Core - Bug #95725 (New): Title shown twice with pdfinfo using PDF/X files</h1>
<p><a class="external" href="http://forge.typo3.org/issues/95725">http://forge.typo3.org/issues/95725</a>, 2021-10-21T18:44:48Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>The following report was sent to me by mail by Josef Sigritz; I'm just dumping it here:</p>
<hr />
<p>We have a problem with the FileContentParser of Indexed_Search: for PDF/X files, pdfinfo outputs the Title twice. As a result, the actual Title is overwritten.</p>
<p>Example:<br />pdfinfo test.pdf</p>
<pre>
*Title: BAA010718_Broschüre_Chancen_bieten_V2.indd*
Creator: Adobe InDesign CC 13.0 (Macintosh)
Producer: Adobe PDF Library 15.0
CreationDate: Thu Feb 22 15:51:27 2018 CET
ModDate: Mon Mar 12 12:12:12 2018 CET
Tagged: no
UserProperties: no
Suspects: no
Form: none
JavaScript: no
Pages: 20
Encrypted: no
Page size: 595.276 x 841.89 pts (A4)
Page rot: 0
File size: 2292621 bytes
Optimized: yes
PDF version: 1.3
PDF subtype: PDF/X-3:2002
*Title: ISO 15930 - Electronic document file format for prepress digital data exchange (PDF/X)*
Abbreviation: PDF/X-3:2002
Subtitle: Part 3: Complete exchange suitable for colour-managed workflows (PDF/X-3)
Standard: ISO 15930-3
</pre>
<p>Suggested improvement:<br />Class: typo3/typo3/sysext/indexed_search/Classes/FileContentParser.php, function splitPdfInfo</p>
<pre>
public function splitPdfInfo($pdfInfoArray)
{
    $res = [];
    if (is_array($pdfInfoArray)) {
        foreach ($pdfInfoArray as $line) {
            $parts = explode(':', $line, 2);
            if (count($parts) > 1 && trim($parts[0])) {
                $key = strtolower(trim($parts[0]));
                // keep the first occurrence only: for PDF/X files pdfinfo prints a
                // second "Title:" line (the title of the PDF/X standard itself),
                // which would otherwise overwrite the document title
                if (!array_key_exists($key, $res)) {
                    $res[$key] = trim($parts[1]);
                }
            }
        }
    }
    return $res;
}
</pre>
<h1>TYPO3 Core - Feature #91668 (New): Add system communication API</h1>
<p><a class="external" href="http://forge.typo3.org/issues/91668">http://forge.typo3.org/issues/91668</a>, 2020-06-17T17:46:25Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>A system communication API could be used to retrieve data from official typo3.org services or send back anonymous usage data in order to help understand TYPO3-use-cases much better.</p>
<a name="Scenarios"></a>
<h2 >Scenarios<a href="#Scenarios" class="wiki-anchor">¶</a></h2>
<ul>
<li>compare current TYPO3 version with latest TYPO3 version & warn about missing security updates</li>
<li>fetch and display vendor messages for selected topics - e.g. release updates, important security notifications, etc.</li>
<li>send anonymous usage data back to granted services (typo3.org or custom endpoints)</li>
</ul>
<a name="Requirements"></a>
<h2 >Requirements<a href="#Requirements" class="wiki-anchor">¶</a></h2>
<ul>
<li>non-blocking - most of the communication shall happen in the background or in the client only (AJAX)</li>
<li>HTTP requests need to provide as little information as possible (no referrers, no cookies, ...)</li>
<li>each used communication stream/channel must be opt-in - users or site admins have to subscribe</li>
</ul>
<h1>TYPO3 Core - Task #89414 (New): Document new search behavior in filelist and suggest wizard</h1>
<p><a class="external" href="http://forge.typo3.org/issues/89414">http://forge.typo3.org/issues/89414</a>, 2019-10-14T22:00:44Z, Oliver Hader (oliver.hader@typo3.org)</p>
<ul>
<li><a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/61927">https://review.typo3.org/c/Packages/TYPO3.CMS/+/61927</a></li>
<li><a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/61929">https://review.typo3.org/c/Packages/TYPO3.CMS/+/61929</a></li>
</ul>
<p>new search syntax is</p>
<pre>"first aspect" second "third"</pre>
<h1>TYPO3 Core - Task #89347 (New): Provide strong defaults for anchor noreferred/noopener attribute</h1>
<p><a class="external" href="http://forge.typo3.org/issues/89347">http://forge.typo3.org/issues/89347</a>, 2019-10-04T12:02:37Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>Issue <a class="issue tracker-2 status-5 priority-4 priority-default closed child" title="Feature: Add rel=&quot;noopener noreferrer&quot; to links when target is set to _blank (Closed)" href="http://forge.typo3.org/issues/78488">#78488</a> introduced noreferrer & noopener by default for external links, see<br /><a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194">https://review.typo3.org/c/Packages/TYPO3.CMS/+/59194</a></p>
<p>However there are scenarios where this has to be seen in context and scope of the website project:</p>
<a name="General"></a>
<h2 >General<a href="#General" class="wiki-anchor">¶</a></h2>
<ul>
<li><code>noopener</code> only has an effect on "opened" window contexts (e.g. <code>target="_blank"</code>)</li>
<li><code>noreferrer</code> might contradict tracking & analysis on websites
<ul>
<li>e.g. "which site has similar information" - good use of referrer in a scope similar to "LOD"
<ul>
<li><code>Referrer: https://typo3-website.org/resources/car-engines/abc</code> when opening <code>https://remote-vendor.com/cars/xyz</code></li>
</ul>
</li>
<li>e.g. "which site has similar problems" - bad use of referrer, when e.g. sensitive areas point to public resources
<ul>
<li><code>Referrer: https://typo3-website.org/user-restricted-internal/product-abc-sucks</code> pointing to <code>https://remote-vendor.com/product-abc</code></li>
</ul></li>
</ul></li>
</ul>
<a name="Suggestion"></a>
<h2 >Suggestion<a href="#Suggestion" class="wiki-anchor">¶</a></h2>
<ul>
<li>make settings configurable
<ul>
<li>TypoScript <code>typolink</code></li>
<li>Site Configuration anchor behavior</li>
</ul>
</li>
<li>default settings (when not having TypoScript or Site Configuration loaded - e.g. CLI context) should be strict <code>noopener noreferrer</code> (current scenario)</li>
<li>use <code>Referrer-Policy</code> HTTP header as site-wide default instead, use HTML attr to override the default behavior
<ul>
<li>different per site (frontend)</li>
<li>common for admin UI (backend)</li>
</ul></li>
</ul>
<a name="Side-note"></a>
<h2 >Side-note<a href="#Side-note" class="wiki-anchor">¶</a></h2>
<p>There is a difference between TYPO3 backend and frontend as well. Basically:</p>
<ul>
<li>strict default for backend should be <code>noopener noreferrer</code></li>
<li>individual behavior for frontend as outlined in previous sections</li>
</ul>
<h1>TYPO3 Core - Task #89252 (New): Enhance usability of Install Tool presets</h1>
<p><a class="external" href="http://forge.typo3.org/issues/89252">http://forge.typo3.org/issues/89252</a>, 2019-09-24T18:29:54Z, Oliver Hader (oliver.hader@typo3.org)</p>
<ul>
<li>in Install Tool</li>
<li>all settings, for instance, allow making use of dropdowns (using <code>allowedValues</code>)</li>
<li>this rendering possibility is not available in presets which makes it hard to select proper values</li>
<li>besides that, no description is rendered in presets</li>
</ul>
<p>This way, using presets and having to fill in settings is actually harder than doing that among all settings.</p>
<p><img src="http://forge.typo3.org/attachments/download/34574/89252.png" alt="" loading="lazy" /></p>
<h1>TYPO3 Core - Bug #88613 (New): Replace ObjectStorage & LazyObjectStorage with symfony/collection</h1>
<p><a class="external" href="http://forge.typo3.org/issues/88613">http://forge.typo3.org/issues/88613</a>, 2019-06-21T21:37:23Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>For regular ObjectStorage, deserialization most probably would work - however there are inconsistencies concerning object integrity due to ObjectStorage using spl_object_hash() internally. As a result it would not be possible to detach an object retrieved from a repository from some deserialized ObjectStorage - basically the uid should be used as identifier here, which would turn ObjectStorage into EntityStorage. So, we could live with serialization of ObjectStorage.</p>
<p>For LazyObjectStorage things get more difficult, since serializing it would mean serializing back-references to the parent object as well as DataMapper state, ObjectManager state and in the end class Reflection state - that turns out to be a massive collection of serialized data.</p>
<p>Thus, we experience most pain with LazyObjectStorage and its current implementation.</p>
<h1>TYPO3 Core - Epic #87417 (New): Integrate proper Content Security Policy (CSP) handling</h1>
<p><a class="external" href="http://forge.typo3.org/issues/87417">http://forge.typo3.org/issues/87417</a>, 2019-01-13T10:58:12Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>In order to reduce risks of cross-site scripting in the TYPO3 backend proper CSP handling shall be integrated into the TYPO3 core. Just setting the headers is not enough since also reporting, management and adjustment of core components as well as 3rd party components (extensions) are required.</p>
<p>The functionality is outlined like this</p>
<ul>
<li>CSP management & configuration module (either on a site level or for whole TYPO3 installation)</li>
<li>CSP violation reporting endpoint in order to identify flaws and violations earlier (might be misconfiguration or vulnerability)</li>
<li>CSP manifest definition that allows 3rd party extensions to use resources of remote hosts (to be used in management module)</li>
<li>adjustment and refactoring of TYPO3 core components & guidelines for extension authors</li>
</ul>
<h1>TYPO3 Core - Feature #87300 (New): Limit amount of concurrent user sessions for same user</h1>
<p><a class="external" href="http://forge.typo3.org/issues/87300">http://forge.typo3.org/issues/87300</a>, 2018-12-27T13:53:30Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>TYPO3 allows to use multiple sessions per user which is a feature on the one hand, but could also be a security risk on the other. In order to enhance the scenario it should be possible to limit the amount of concurrent user sessions per user (or disable concurrent logins at all).</p>
<p>Behavior either can be configured for the whole system or (optionally) per user.</p>
<h1>TYPO3 Core - Task #85640 (New): Use context object in database restrictions</h1>
<p><a class="external" href="http://forge.typo3.org/issues/85640">http://forge.typo3.org/issues/85640</a>, 2018-07-25T10:46:41Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>In order to apply the existing <code>Context</code> object, its aspects need to be applied when executing queries using DBAL. This possibly has an impact on</p>
<ul>
<li>Extbase QuerySettings (has to be checked)</li>
<li>QueryBuilder and applying restrictions</li>
</ul>
<p>By using an adapter, the <code>Context</code> object can be upgraded to be a <code>ContextBasedRestrictionContainer</code> which implements <code>QueryRestrictionContainerInterface</code> and keeps a local reference to the originating <code>Context</code> object in order to retrieve its aspects.</p>
<h1>TYPO3 Core - Task #69966 (New): Integrate localization and fallback resolving in PlainDataResolver</h1>
<p><a class="external" href="http://forge.typo3.org/issues/69966">http://forge.typo3.org/issues/69966</a>, 2015-09-19T10:53:29Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>PlainDataResolver is targeted to resolve relations based on a given context (workspaces, localization). The current implementation is used only for workspaces in the TYPO3 backend. However, the resolving pipe should consider localization and localization fallbacks as well.</p>