TYPO3 Forge: Issues (Redmine feed, http://forge.typo3.org/, updated 2024-03-14T17:36:06Z)
TYPO3 Core - Bug #103400 (Under Review): Avoid mapping route values that are out of scope (http://forge.typo3.org/issues/103400, 2024-03-14T17:36:06Z, Oliver Hader, oliver.hader@typo3.org)
TYPO3 Core - Bug #101809 (Resolved): Ensure minimal dependency order in PackageManager (http://forge.typo3.org/issues/101809, 2023-08-31T10:23:22Z, Oliver Hader, oliver.hader@typo3.org)
TYPO3 Core - Bug #101753 (Closed): DDEV & Traefik substitute semi-colon to ampersand in URLs (http://forge.typo3.org/issues/101753, 2023-08-25T13:23:39Z, Oliver Hader, oliver.hader@typo3.org)
<p>With v1.22+, DDEV recently started to use Traefik as routing service, and Traefik has an issue with substituting ";" with "&" in URLs:</p>
<ul>
<li><a class="external" href="https://ddev.readthedocs.io/en/stable/users/extend/traefik-router/">https://ddev.readthedocs.io/en/stable/users/extend/traefik-router/</a></li>
<li><a class="external" href="https://github.com/traefik/traefik/issues/9164">https://github.com/traefik/traefik/issues/9164</a></li>
<li><a class="external" href="https://github.com/traefik/traefik/pull/9131/files#diff-f7d7f0e8fef165ce3ca78be8f4d887b323d564a29b25d416a6a7d2b0e9ff7df7R50">https://github.com/traefik/traefik/pull/9131/files#diff-f7d7f0e8fef165ce3ca78be8f4d887b323d564a29b25d416a6a7d2b0e9ff7df7R50</a></li>
</ul>
<p>Traefik offers the option <a href="https://doc.traefik.io/traefik/routing/entrypoints/#encodequerysemicolons" class="external"><code>encodeQuerySemicolons</code></a> to actually control the behavior; however, I was not able to adjust the corresponding configuration in DDEV.</p>
<p>For the time being, Traefik can be disabled in general by using <code>ddev poweroff && ddev config global --router=nginx-proxy</code>.</p>
<p>This affects how URLs in the TYPO3 backend scope are handled, e.g. (this list is probably not complete yet):</p>
<ul>
<li>/typo3/wizard/record/browse?token=[...]&mode=file&bparams=|||allowed=gif,jpg,jpeg,tif,tiff,bmp,pcx,tga,png,pdf,ai,svg <code>;</code> disallowed=|data-138-tt_content-1850-background_image-sys_file_reference&contentOnly=1&expandFolder=1%3A%2Ft3con23%2Fimages%2F
<ul>
<li>will be interpreted as<br /> /typo3/wizard/record/browse?token=[...]&mode=file&bparams=|||allowed=gif,jpg,jpeg,tif,tiff,bmp,pcx,tga,png,pdf,ai,svg <code>&</code> disallowed=|data-138-tt_content-1850-background_image-sys_file_reference&contentOnly=1&expandFolder=1%3A%2Ft3con23%2Fimages%2F</li>
<li>causes a failure in <code>\TYPO3\CMS\Filelist\ElementBrowser\FileBrowser::initialize</code></li>
</ul></li>
</ul>
<hr />
<p>Long-term, these URLs (especially the semi-colon "&") should be correctly URL-encoded.</p>
TYPO3 Core - Bug #101705 (Resolved): Update composer.lock for typo3/html-sanitizer:2.1.3 (http://forge.typo3.org/issues/101705, 2023-08-17T11:03:20Z, Oliver Hader, oliver.hader@typo3.org)
<p>see <a class="external" href="https://stackoverflow.com/questions/76920144/typo3-11-5-30-error-after-bootstrap-update-undefined-function-mb-split">https://stackoverflow.com/questions/76920144/typo3-11-5-30-error-after-bootstrap-update-undefined-function-mb-split</a></p>
TYPO3 Core - Bug #101460 (Resolved): Allow strict-dynamic only for applicable CSP directives (http://forge.typo3.org/issues/101460, 2023-07-27T10:56:06Z, Oliver Hader, oliver.hader@typo3.org)
TYPO3 Core - Bug #101253 (Resolved): Normalize filename of uploaded files (http://forge.typo3.org/issues/101253, 2023-07-05T18:12:07Z, Oliver Hader, oliver.hader@typo3.org)
TYPO3 Core - Bug #100012 (Closed): Skip numeric cookie names in RequestTokenMiddleware (http://forge.typo3.org/issues/100012, 2023-02-22T10:08:57Z, Oliver Hader, oliver.hader@typo3.org)
<p>Using an HTTP header like <code>Cookie: 1=string</code> results in having a numeric key in the super-global <code>$_COOKIE</code> array.</p>
TYPO3 Core - Bug #99358 (Closed): Provide signed storage folders for legacy frontend login (http://forge.typo3.org/issues/99358, 2022-12-13T14:07:15Z, Oliver Hader, oliver.hader@typo3.org)
<p>Security fix for TYPO3-CORE-SA-2022-013 in <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/77084">https://review.typo3.org/c/Packages/TYPO3.CMS/+/77084</a> did not consider legacy frontend login plugin.</p>
TYPO3 Core - Bug #97724 (Closed): Incorrect usage of moment for unix timestamp (http://forge.typo3.org/issues/97724, 2022-06-01T15:09:30Z, Oliver Hader, oliver.hader@typo3.org)
<p>Time values are incorrectly visualized using moment in a dialog trying to prevent overriding existing files in the filelist module. Basically, moment uses micro-timestamps, whereas values resolved from the server side are regular timestamps.</p>
TYPO3 Core - Bug #97723 (Closed): Raise to recent moment & moment-timezone versions (http://forge.typo3.org/issues/97723, 2022-06-01T14:31:54Z, Oliver Hader, oliver.hader@typo3.org)
<ul>
<li>npm package <code>moment</code> up to v2.29.2 contained a vulnerability (<a class="external" href="https://github.com/advisories/GHSA-8hfj-j24r-96c4">https://github.com/advisories/GHSA-8hfj-j24r-96c4</a>) which only affected npm server users - in order to avoid confusion concerning security aspects, the package version is raised</li>
<li>npm package <code>moment-timezone</code> was upgraded to recent timezone data <code>IANA TZDB 2021e</code></li>
</ul>
TYPO3 Core - Bug #97722 (Closed): Raise to recent composer/composer 2.2 version (http://forge.typo3.org/issues/97722, 2022-06-01T14:09:20Z, Oliver Hader, oliver.hader@typo3.org)
<p>Raise <code>composer/composer</code> dev-dependency to at least 2.2.12 to bypass recent security advisory (<a class="external" href="https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6">https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6</a>). This helps to avoid confusion concerning security aspects.</p>
TYPO3 Core - Bug #95573 (Closed): Ensure string is passed to f:sanitize.html view helper (http://forge.typo3.org/issues/95573, 2021-10-11T19:58:25Z, Oliver Hader, oliver.hader@typo3.org)
TYPO3 Core - Bug #95179 (Closed): Transform internal URIs in backend user interface (http://forge.typo3.org/issues/95179, 2021-09-10T14:11:50Z, Oliver Hader, oliver.hader@typo3.org)
<p>This change allows using internal URIs (like <code>t3://</code>) in components of the backend user interface like</p>
<ul>
<li>system news shown below the backend login form</li>
<li>rich text details of system reports</li>
</ul>
<p>HTML sanitization is applied to mentioned components as well.</p>
TYPO3 Core - Bug #93335 (Closed): XSS in access permission module (http://forge.typo3.org/issues/93335, 2021-01-21T09:33:22Z, Oliver Hader, oliver.hader@typo3.org)
<h2>Steps</h2>
<ul>
<li>having <code>be_groups.title</code> containing XSS</li>
</ul>
<pre>Group&lt;img src="x" onerror="alert(1)"&gt;</pre>
<ul>
<li>open <code>System > Access</code> module for a particular page</li>
<li>click on groupname element</li>
<li>change to group containing XSS in title (prerequisite) & save</li>
<li>click on groupname element again</li>
<li>change to different group</li>
<li>click on "x" icon in order to revert change</li>
</ul>
<p>XSS is executed</p>
<h2>Reasons</h2>
<ul>
<li><a class="external" href="https://github.com/TYPO3/TYPO3.CMS/blob/master/Build/Sources/TypeScript/beuser/Resources/Public/TypeScript/Permissions.ts#L84">https://github.com/TYPO3/TYPO3.CMS/blob/master/Build/Sources/TypeScript/beuser/Resources/Public/TypeScript/Permissions.ts#L84</a></li>
</ul>
<pre>buttonSelector.innerHTML = groupnameHtml;</pre>
TYPO3 Core - Bug #21726 (Closed): Updating translations from repository in extension manager fail... (http://forge.typo3.org/issues/21726, 2009-11-28T15:53:33Z, Oliver Hader, oliver.hader@typo3.org)
<p>Updating translations from repository in extension manager fails in Safari 4.0.4 on Mac OS X. Just a white page is shown - after a while, when all packages have been downloaded, suddenly the full status appears. Thus, showing the process dynamically does not work.</p>
<p>In Firefox everything works as expected.</p>
<p>(issue imported from #M12822)</p>