<p>TYPO3 Forge: Issues<br /><a class="external" href="http://forge.typo3.org/">http://forge.typo3.org/</a><br />2023-10-26T08:30:32Z, TYPO3 Forge</p>
<p>TYPO3 Core - Task #102262 (New): Add CSP MutationMode::InheritStatic (or similar)<br /><a class="external" href="http://forge.typo3.org/issues/102262">http://forge.typo3.org/issues/102262</a><br />2023-10-26T08:30:32Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>From <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/80756/comments/83fac188_a7132447">https://review.typo3.org/c/Packages/TYPO3.CMS/+/80756/comments/83fac188_a7132447</a></p>
<blockquote>
<p>I would prefer we had some kind of "late static binding" extensions, that says: "whatever is changed on the ancestor sometime later, please inherit" <br />Maybe that could be "InheritStatic".<br />Anyway I'm still fine with this patch as is.</p>
</blockquote>
<p>TYPO3 Core - Bug #102058 (New): Meta tags rendered as XHTML<br /><a class="external" href="http://forge.typo3.org/issues/102058">http://forge.typo3.org/issues/102058</a><br />2023-09-28T10:21:50Z, Oliver Hader (oliver.hader@typo3.org)</p>
<pre>
<meta name="generator" content="TYPO3 CMS" />
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" />
<meta name="robots" content="index,follow" />
...
<meta property="og:image:type" content="image/png" />
<meta property="og:title" content="IN.DIE.musik e.V." />
<meta name="twitter:card" content="summary" />
<meta name="twitter:site" content="@InDieMusik" />
</pre>
<p><a class="external" href="https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/MetaTag/AbstractMetaTagManager.php#L226-L239">https://github.com/TYPO3/typo3/blob/main/typo3/sysext/core/Classes/MetaTag/AbstractMetaTagManager.php#L226-L239</a></p>
<pre>
$metaTags[] = '<meta ' .
htmlspecialchars($nameAttribute) . '="' . htmlspecialchars($property) . '" ' .
htmlspecialchars($contentAttribute) . '="' . htmlspecialchars($propertyItem['content']) . '" />';
</pre>
<p>TYPO3 Core - Bug #102057 (New): W3C validator complains about base64 values in CSP<br /><a class="external" href="http://forge.typo3.org/issues/102057">http://forge.typo3.org/issues/102057</a><br />2023-09-28T09:21:37Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>From <a class="external" href="https://validator.w3.org/nu/">https://validator.w3.org/nu/</a></p>
<blockquote>
<p>Warning: Content-Security-Policy HTTP header: Bad content security policy: Invalid base64-value (should be multiple of 4 bytes: 54)</p>
</blockquote>
<p>From the specs at <a class="external" href="https://www.w3.org/TR/CSP3/#framework-directive-source-list">https://www.w3.org/TR/CSP3/#framework-directive-source-list</a></p>
<blockquote>
<p>; Nonces: 'nonce-[nonce goes here]'<br />nonce-source = "'nonce-" base64-value "'"</p>
<p>The base64-value grammar allows both base64 and base64url encoding. These encodings are treated as equivalent when processing hash-source values. Nonces, however, are strict string matches: we use the base64-value grammar to limit the characters available, and reduce the complexity for the server-side operator (encodings, etc), but the user agent doesn’t actually care about any underlying value, nor does it do any decoding of the nonce-source value.</p>
</blockquote>
<hr />
<p>For context, the used nonce value was <code>'nonce-GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA'</code></p>
<ul>
<li>that's <code>GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA</code> in base64web</li>
<li>that's <code>GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA</code> in base64 (shortened)</li>
<li>that's <code>GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA==</code> in base64 (complete, 56 chars, 56 mod 4 = 0)</li>
</ul>
<p>TYPO3 Core - Bug #101415 (New): Cannot localize page in backend<br /><a class="external" href="http://forge.typo3.org/issues/101415">http://forge.typo3.org/issues/101415</a><br />2023-07-22T17:59:04Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>(Actions performed as admin user)</p>
<p>Error message in JavaScript console:</p>
<pre>
Uncaught TypeError: Cannot convert undefined or null to object
at Function.keys (<anonymous>)
at InputTransformer.flattenObject (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:641)
at input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:770
at Array.reduce (<anonymous>)
at InputTransformer.flattenObject (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:649)
at InputTransformer.toSearchParams (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:481)
at AjaxRequest.withQueryArguments (ajax-request.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:352)
at Localization.localizeRecords (localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:6623)
at Object.callback (localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:5597)
at Wizard.runSlideCallback (wizard.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:3552)
flattenObject @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
(anonymous) @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
flattenObject @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
toSearchParams @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
withQueryArguments @ ajax-request.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
localizeRecords @ localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
(anonymous) @ localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
runSlideCallback @ wizard.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
</pre>
<p>The reason is that in <code>localization.ts</code> the corresponding <code>action</code> is still <code>null</code>, since there are two <code>availableLocalizationModes</code> (<code>copy</code> and <code>translate</code>), but the handling just expects to have one...</p>
<pre>
<a href="#" class="btn btn-default btn-sm t3js-localize" title=""
data-page="[Translate to Dansk:] 404" data-has-elements="0"
data-allow-copy="1" data-allow-translate="1" data-table="tt_content"
data-page-id="6" data-language-id="1" data-language-name="Dansk">
...
Translate
</a>
</pre>
<p>TYPO3 Core - Task #100906 (New): Handle CSP violations in browser extensions<br /><a class="external" href="http://forge.typo3.org/issues/100906">http://forge.typo3.org/issues/100906</a><br />2023-05-20T11:55:08Z, Oliver Hader (oliver.hader@typo3.org)</p>
<a name="General"></a>
<h3 >General<a href="#General" class="wiki-anchor">¶</a></h3>
<ul>
<li><a class="external" href="https://csper.io/blog/csp-report-filtering">https://csper.io/blog/csp-report-filtering</a></li>
<li><a class="external" href="https://dropbox.tech/security/on-csp-reporting-and-filtering">https://dropbox.tech/security/on-csp-reporting-and-filtering</a></li>
<li><a class="external" href="https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf">https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf</a></li>
<li><a class="external" href="https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20">https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20</a></li>
<li><a class="external" href="https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59">https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59</a></li>
</ul>
<a name="Payloads"></a>
<h3 >Payloads<a href="#Payloads" class="wiki-anchor">¶</a></h3>
<code>{"blocked-uri":"inline","column-number":9,"disposition":"enforce","document-uri":"https:\/\/indiemusik-festival.de\/events\/festival-2023","effective-directive":"script-src-elem","line-number":33,"original-policy":"frame-src 'self' https:\/\/*.youtube-nocookie.com https:\/\/*.youtube.com https:\/\/*.vimeo.com https:\/\/instagram.com https:\/\/*.instagram.com; img-src 'self' https:\/\/*.ytimg.com https:\/\/*.vimeocdn.com data: https:\/\/instagram.com https:\/\/*.instagram.com; default-src 'self'; script-src 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https:\/\/analytics.in-die-musik.de; script-src-elem 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' https:\/\/analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https:\/\/cloud.in-die-musik.de; report-uri https:\/\/indiemusik-festival.de\/@http-reporting?csp=report&requestTime=1684526938506325","referrer":"","script-sample":"(function (NAVIGATOR, OBJECT) {\n\n if \u2026","source-file":"moz-extension","status-code":200,"violated-directive":"script-src-elem"}
</code>
<p>→ <code>"source-file":"moz-extension"</code><br />→ payload <code>(function (NAVIGATOR, OBJECT) { if </code><br />→ trigger <a class="external" href="https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23">https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23</a></p>
<hr />
<p>...</p>
<p>TYPO3 Core - Bug #100904 (New): Fallback to script-src and style-src<br /><a class="external" href="http://forge.typo3.org/issues/100904">http://forge.typo3.org/issues/100904</a><br />2023-05-20T11:24:22Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>Using CSP in the wild still shows several browsers not supporting the <code>-attr</code> or <code>-elem</code> (CSP level 3) variants of <code>script-src</code> and <code>style-src</code> (CSP level 1). Therefore it seems necessary to introduce an internal merge/fall-back option, while still keeping the specific <code>-attr</code> or <code>-elem</code> declarations for the future.</p>
<p>Thus, when instructed, the <code>-attr</code> or <code>-elem</code> declarations shall be merged into their parent <code>script-src</code> and <code>style-src</code> directives. The instruction might be different for each scope (backend, frontend, frontend-site).</p>
<p>TYPO3 Core - Task #99046 (New): DOCS: Routing Troubleshooting Section<br /><a class="external" href="http://forge.typo3.org/issues/99046">http://forge.typo3.org/issues/99046</a><br />2022-11-10T11:39:03Z, Oliver Hader (oliver.hader@typo3.org)</p>
<ul>
<li><a class="external" href="https://forge.typo3.org/issues/91530">https://forge.typo3.org/issues/91530</a>
<ul>
<li>describe consequences of using <code>PageType</code> decorator</li>
<li>concerning optional route variables (using <code>defaults</code>)</li>
</ul>
</li>
<li><a class="external" href="https://forge.typo3.org/issues/94585">https://forge.typo3.org/issues/94585</a>
<ul>
<li>describe consequences of using route without specific segment, e.g. <code>/{variable}</code></li>
<li>suggest to use specific segment, e.g. <code>/show/{variable}</code></li>
</ul>
</li>
<li><a class="external" href="https://forge.typo3.org/issues/90959#note-3">https://forge.typo3.org/issues/90959#note-3</a>
<ul>
<li>describe consequences of ambiguity</li>
</ul></li>
</ul>
<p>TYPO3 Core - Bug #96435 (New): Apply rate limiter to mail forms<br /><a class="external" href="http://forge.typo3.org/issues/96435">http://forge.typo3.org/issues/96435</a><br />2021-12-27T18:09:10Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>In order to limit sending forms again and again (which can be automated e.g. by using Selenium or similar techniques), sending out a particular form should be rate-limited (available since TYPO3 v11).</p>
<p>TYPO3 Core - Bug #95725 (New): Title shown twice with pdfinfo using PDF/X files<br /><a class="external" href="http://forge.typo3.org/issues/95725">http://forge.typo3.org/issues/95725</a><br />2021-10-21T18:44:48Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>The following report has been sent to me via mail by Josef Sigritz, I'm just dumping it here:</p>
<hr />
<p>We have a problem with the FileContentParser of Indexed_Search: for PDF/X files, pdfinfo outputs the Title twice. As a result, the actual Title is overwritten.</p>
<p>Example:<br />pdfinfo test.pdf</p>
<pre>
*Title: BAA010718_Broschüre_Chancen_bieten_V2.indd*
Creator: Adobe InDesign CC 13.0 (Macintosh)
Producer: Adobe PDF Library 15.0
CreationDate: Thu Feb 22 15:51:27 2018 CET
ModDate: Mon Mar 12 12:12:12 2018 CET
Tagged: no
UserProperties: no
Suspects: no
Form: none
JavaScript: no
Pages: 20
Encrypted: no
Page size: 595.276 x 841.89 pts (A4)
Page rot: 0
File size: 2292621 bytes
Optimized: yes
PDF version: 1.3
PDF subtype: PDF/X-3:2002
*Title: ISO 15930 - Electronic document file format for prepress digital data exchange (PDF/X)*
Abbreviation: PDF/X-3:2002
Subtitle: Part 3: Complete exchange suitable for colour-managed workflows (PDF/X-3)
Standard: ISO 15930-3
</pre>
<p>Suggested improvement:<br />Class: typo3/typo3/sysext/indexed_search/Classes/FileContentParser.php, function splitPdfInfo</p>
<pre>
public function splitPdfInfo($pdfInfoArray)
{
    $res = [];
    if (is_array($pdfInfoArray)) {
        foreach ($pdfInfoArray as $line) {
            // split "Key: value" at the first colon only, values may contain colons
            $parts = explode(':', $line, 2);
            if (count($parts) > 1 && trim($parts[0])) {
                $key = strtolower(trim($parts[0]));
                // keep the first occurrence only, so the second "Title" line
                // emitted for PDF/X files does not overwrite the document title
                if (!array_key_exists($key, $res)) {
                    $res[$key] = trim($parts[1]);
                }
            }
        }
    }
    return $res;
}
</pre>
<p>TYPO3 Core - Task #95559 (New): Make authentication warnings configurable<br /><a class="external" href="http://forge.typo3.org/issues/95559">http://forge.typo3.org/issues/95559</a><br />2021-10-11T10:42:26Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>Following <code>TYPO3_CONF_VARS</code> should be configurable:</p>
<ul>
<li><code>['BE']['warning_email_addr']</code> (possible already)</li>
<li><code>['BE']['warning_period']</code> (new, time in seconds >= 0, 0 means always)</li>
<li><code>['BE']['warning_max']</code> (new, integer >= 0, 0 means always)</li>
</ul>
<p>TYPO3 Core - Feature #93390 (New): Integrate source file based integrity check<br /><a class="external" href="http://forge.typo3.org/issues/93390">http://forge.typo3.org/issues/93390</a><br />2021-02-01T07:56:59Z, Oliver Hader (oliver.hader@typo3.org)</p>
<ul>
<li>having signed(!) list of valid hashsums of core and extension files
<ul>
<li>being part of core release process</li>
<li>being part of TER publication process</li>
</ul>
</li>
<li>system report comparing file hashes
<ul>
<li>detect modifications</li>
<li>detect additional files</li>
</ul></li>
</ul>
<p>This probably works for known locations, but cannot be applied directly to "arbitrary file storages" like /fileadmin/.</p>
<p>TYPO3 Core - Task #91703 (New): Add configuration guard for ambiguous literals in route paths<br /><a class="external" href="http://forge.typo3.org/issues/91703">http://forge.typo3.org/issues/91703</a><br />2020-06-23T23:57:56Z, Oliver Hader (oliver.hader@typo3.org)</p>
<pre>
routePath: '/{value__value}/{other__}'
_arguments:
value__value: 'value/value'
other__: 'other__'
</pre>
<p>Given URL parameters would look like <code>&value[value]=a&other__=b</code>.<br />The literal <code>__</code> is used as delimiter in <code>VariableProcessor</code>, see <a class="external" href="https://github.com/TYPO3/TYPO3.CMS/blob/9.5/typo3/sysext/core/Classes/Routing/Enhancer/VariableProcessor.php#L24">https://github.com/TYPO3/TYPO3.CMS/blob/9.5/typo3/sysext/core/Classes/Routing/Enhancer/VariableProcessor.php#L24</a></p>
<ul>
<li>add test-cases for those scenarios</li>
<li>adjust implementation, add guards based on findings</li>
</ul>
<p>TYPO3 Core - Task #91702 (New): Evaluate possibility for optional route parts<br /><a class="external" href="http://forge.typo3.org/issues/91702">http://forge.typo3.org/issues/91702</a><br />2020-06-23T23:53:09Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>The following would lead to URL parameters like <code>&value=abc&optional=</code></p>
<pre>
routerPath: '{value}/{optional}'
defaults:
optional: ''
</pre>
<p>The desired behavior would be to not expose the URL parameter <code>optional</code> at all, thus only having <code>&value=abc</code>.</p>
<pre>
routerPath: '{value}/{optional}'
defaults:
optional: null
</pre>
<p>This example is untested - in case it works already, cool.</p>
<p>TYPO3 Core - Feature #91668 (New): Add system communication API<br /><a class="external" href="http://forge.typo3.org/issues/91668">http://forge.typo3.org/issues/91668</a><br />2020-06-17T17:46:25Z, Oliver Hader (oliver.hader@typo3.org)</p>
<p>A system communication API could be used to retrieve data from official typo3.org services or send back anonymous usage data in order to help understand TYPO3-use-cases much better.</p>
<a name="Scenarios"></a>
<h2 >Scenarios<a href="#Scenarios" class="wiki-anchor">¶</a></h2>
<ul>
<li>compare current TYPO3 version with latest TYPO3 version & warn about missing security updates</li>
<li>fetch and display vendor messages for selected topics - e.g. release updates, important security notifications, etc.</li>
<li>send anonymous usage data back to granted services (typo3.org or custom endpoints)</li>
</ul>
<a name="Requirements"></a>
<h2 >Requirements<a href="#Requirements" class="wiki-anchor">¶</a></h2>
<ul>
<li>non-blocking - most of the communication shall happen in the background or in the client only (AJAX)</li>
<li>HTTP requests need to provide as little information as possible (no referrers, no cookies, ...)</li>
<li>each used communication stream/channel must be opt-in - users or site admins have to subscribe</li>
</ul>
<p>TYPO3 Core - Bug #91572 (New): Streamline install tool API usage<br /><a class="external" href="http://forge.typo3.org/issues/91572">http://forge.typo3.org/issues/91572</a><br />2020-06-03T19:06:31Z, Oliver Hader (oliver.hader@typo3.org)</p>