<p><strong>TYPO3 Forge: Issues</strong><br /><a class="external" href="http://forge.typo3.org/">http://forge.typo3.org/</a> - 2023-10-26T08:30:32Z</p>
<p><strong>TYPO3 Core - Task #102262 (New): Add CSP MutationMode::InheritStatic (or similar)</strong><br /><a class="external" href="http://forge.typo3.org/issues/102262">http://forge.typo3.org/issues/102262</a> - 2023-10-26T08:30:32Z - Oliver Hader (oliver.hader@typo3.org)</p>
<p>From <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/80756/comments/83fac188_a7132447">https://review.typo3.org/c/Packages/TYPO3.CMS/+/80756/comments/83fac188_a7132447</a></p>
<blockquote>
<p>I would prefer we had some kind of "late static binding" extensions, that says: "whatever is changed on the ancestor sometime later, please inherit" <br />Maybe that could be "InheritStatic".<br />Anyway I'm still fine with this patch as is.</p>
</blockquote>
<p><strong>TYPO3 Core - Bug #101415 (New): Cannot localize page in backend</strong><br /><a class="external" href="http://forge.typo3.org/issues/101415">http://forge.typo3.org/issues/101415</a> - 2023-07-22T17:59:04Z - Oliver Hader (oliver.hader@typo3.org)</p>
<p>(Actions performed as admin user)</p>
<p>Error message in JavaScript console:</p>
<pre>
Uncaught TypeError: Cannot convert undefined or null to object
at Function.keys (<anonymous>)
at InputTransformer.flattenObject (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:641)
at input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:770
at Array.reduce (<anonymous>)
at InputTransformer.flattenObject (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:649)
at InputTransformer.toSearchParams (input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:481)
at AjaxRequest.withQueryArguments (ajax-request.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:352)
at Localization.localizeRecords (localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:6623)
at Object.callback (localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:5597)
at Wizard.runSlideCallback (wizard.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13:3552)
flattenObject @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
(anonymous) @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
flattenObject @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
toSearchParams @ input-transformer.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
withQueryArguments @ ajax-request.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
localizeRecords @ localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
(anonymous) @ localization.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
runSlideCallback @ wizard.js?bust=f9d9bd3aaf0d3feb0db376ef46b9f751eb2d2929:13
</pre>
<p>The reason is that in <code>localization.ts</code> the corresponding <code>action</code> is still <code>null</code>: there are two <code>availableLocalizationModes</code> (<code>copy</code> and <code>translate</code>), but the handling expects exactly one...</p>
<pre>
&lt;a href="#" class="btn btn-default btn-sm t3js-localize" title=""
data-page="[Translate to Dansk:] 404" data-has-elements="0"
data-allow-copy="1" data-allow-translate="1" data-table="tt_content"
data-page-id="6" data-language-id="1" data-language-name="Dansk"&gt;
...
Translate
&lt;/a&gt;
</pre>
<p><strong>TYPO3 Core - Task #100906 (New): Handle CSP violations in browser extensions</strong><br /><a class="external" href="http://forge.typo3.org/issues/100906">http://forge.typo3.org/issues/100906</a> - 2023-05-20T11:55:08Z - Oliver Hader (oliver.hader@typo3.org)</p>
<a name="General"></a>
<h3 >General<a href="#General" class="wiki-anchor">¶</a></h3>
<ul>
<li><a class="external" href="https://csper.io/blog/csp-report-filtering">https://csper.io/blog/csp-report-filtering</a></li>
<li><a class="external" href="https://dropbox.tech/security/on-csp-reporting-and-filtering">https://dropbox.tech/security/on-csp-reporting-and-filtering</a></li>
<li><a class="external" href="https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf">https://github.com/nico3333fr/CSP-useful/tree/master/csp-wtf</a></li>
<li><a class="external" href="https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20">https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/security.py#L20</a></li>
<li><a class="external" href="https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59">https://github.com/jacobbednarz/go-csp-collector/blob/b3a8ff39e3835b3b9452898beb20677cee680dd0/csp_collector.go#L59</a></li>
</ul>
<a name="Payloads"></a>
<h3 >Payloads<a href="#Payloads" class="wiki-anchor">¶</a></h3>
<code>{"blocked-uri":"inline","column-number":9,"disposition":"enforce","document-uri":"https:\/\/indiemusik-festival.de\/events\/festival-2023","effective-directive":"script-src-elem","line-number":33,"original-policy":"frame-src 'self' https:\/\/*.youtube-nocookie.com https:\/\/*.youtube.com https:\/\/*.vimeo.com https:\/\/instagram.com https:\/\/*.instagram.com; img-src 'self' https:\/\/*.ytimg.com https:\/\/*.vimeocdn.com data: https:\/\/instagram.com https:\/\/*.instagram.com; default-src 'self'; script-src 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' 'report-sample'; style-src-attr 'unsafe-inline' 'report-sample'; object-src 'none'; base-uri 'none'; style-src 'self' 'report-sample'; connect-src 'self' https:\/\/analytics.in-die-musik.de; script-src-elem 'self' 'nonce-XnDPuvTcc38QsmBT2aH5OLzK1Vv1G9l_HZZ-sioaqjJmVB2lpp7RXg' https:\/\/analytics.in-die-musik.de 'report-sample'; font-src 'self' data:; media-src 'self' https:\/\/cloud.in-die-musik.de; report-uri https:\/\/indiemusik-festival.de\/@http-reporting?csp=report&requestTime=1684526938506325","referrer":"","script-sample":"(function (NAVIGATOR, OBJECT) {\n\n if \u2026","source-file":"moz-extension","status-code":200,"violated-directive":"script-src-elem"}
</code>
<p>→ <code>"source-file":"moz-extension"</code><br />→ payload <code>(function (NAVIGATOR, OBJECT) { if </code><br />→ trigger <a class="external" href="https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23">https://github.com/EFForg/privacybadger/blob/ef6a2b38b2550e8805076b072645367c4e044a79/src/js/contentscripts/dnt.js#L23</a></p>
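<p>Added example (not TYPO3 core code) of the report triage this issue is about: it classifies CSP violation reports in the legacy <code>report-uri</code> JSON shape shown above and separates noise caused by browser extensions (bare <code>moz-extension</code>/<code>chrome-extension</code> schemes in <code>source-file</code> or <code>blocked-uri</code>) from violations of the site's own policy. The sample reports and hosts are constructed for the demo.</p>

```python
"""Triage of CSP violation reports: separate noise caused by browser
extensions from violations of the site's own policy.

Added example for this issue, not TYPO3 core code. It uses the legacy
``report-uri`` JSON shape (top-level keys such as ``blocked-uri`` and
``source-file``) as in the payload above; the sample reports below are
constructed with placeholder hosts.
"""
from typing import Dict, Iterable, List

# URL schemes browsers use for extension content. Firefox and Chrome strip
# the extension origin from reports and leave only the bare scheme, e.g.
# "source-file": "moz-extension", as in the Privacy Badger payload above.
EXTENSION_SCHEMES = (
    "moz-extension",
    "chrome-extension",
    "safari-extension",
    "safari-web-extension",
    "ms-browser-extension",
)

EXTENSION_KIND = "browser-extension"
SITE_KIND = "site-policy"


def is_extension_origin(value: str) -> bool:
    """True if ``value`` is an extension scheme, bare or as a full URL."""
    value = (value or "").strip().lower()
    return any(value == s or value.startswith(s + ":") for s in EXTENSION_SCHEMES)


def classify_report(report: dict) -> str:
    """Return EXTENSION_KIND when the violation originates from a browser
    extension (via ``source-file`` or ``blocked-uri``), else SITE_KIND."""
    body = report.get("csp-report", report)  # accept wrapped or bare body
    if is_extension_origin(body.get("source-file", "")):
        return EXTENSION_KIND
    if is_extension_origin(body.get("blocked-uri", "")):
        return EXTENSION_KIND
    return SITE_KIND


def triage(reports: Iterable[dict]) -> Dict[str, List[dict]]:
    """Bucket reports by kind so extension noise can be dropped or counted
    separately while real policy violations are kept for review."""
    buckets: Dict[str, List[dict]] = {EXTENSION_KIND: [], SITE_KIND: []}
    for report in reports:
        buckets[classify_report(report)].append(report)
    return buckets


# Constructed sample reports (hosts and script samples are placeholders).
SAMPLE_REPORTS = [
    {"csp-report": {  # inline script injected by a Firefox extension
        "blocked-uri": "inline",
        "document-uri": "https://example.org/events",
        "effective-directive": "script-src-elem",
        "script-sample": "(function (NAVIGATOR, OBJECT) {\n\n if \u2026",
        "source-file": "moz-extension",
        "violated-directive": "script-src-elem",
    }},
    {"csp-report": {  # stylesheet loaded by a Chrome extension
        "blocked-uri": "chrome-extension",
        "document-uri": "https://example.org/",
        "effective-directive": "style-src-elem",
        "violated-directive": "style-src-elem",
    }},
    {"csp-report": {  # third-party script the site itself references
        "blocked-uri": "https://cdn.example.net/widget.js",
        "document-uri": "https://example.org/",
        "effective-directive": "script-src-elem",
        "source-file": "https://example.org/events",
        "line-number": 33,
        "violated-directive": "script-src-elem",
    }},
]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REPORTS).items():
        print(f"{kind}: {len(items)} report(s)")
        for item in items:
            print("   blocked-uri =", item["csp-report"]["blocked-uri"])
```

<p>Extension-caused reports should be counted rather than silently discarded: a sudden rise in them is still useful as a signal, while only the <code>site-policy</code> bucket needs a policy change.</p>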
<hr />
<p>...</p>
<p><strong>TYPO3 Core - Bug #100904 (New): Fallback to script-src and style-src</strong><br /><a class="external" href="http://forge.typo3.org/issues/100904">http://forge.typo3.org/issues/100904</a> - 2023-05-20T11:24:22Z - Oliver Hader (oliver.hader@typo3.org)</p>
<p>Using CSP in the wild still shows that several browsers do not support the <code>-attr</code> and <code>-elem</code> variants (CSP level 3) of <code>script-src</code> and <code>style-src</code> (CSP level 1). Therefore an internal merge/fall-back possibility seems to be required, while still keeping the specific <code>-attr</code> and <code>-elem</code> declarations for the future.</p>
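<p>Added example (not TYPO3 core code) of the fall-back merge this issue proposes: the sources of each <code>-elem</code>/<code>-attr</code> directive are copied into the parent <code>script-src</code>/<code>style-src</code> directive while the specific directives are kept. The parse/serialize helpers are simplifications assumed for the demo; the sample policy uses placeholder hosts and a placeholder nonce.</p>

```python
"""Merge CSP level 3 ``-elem``/``-attr`` directives into their level 1
parents (``script-src``, ``style-src``) for browsers without level 3 support.

Added example illustrating the fall-back proposed in this issue; it is not
TYPO3 core code, the parse/serialize helpers are simplifications assumed for
the demo, and the sample policy uses placeholder hosts and a placeholder nonce.
"""
from typing import Dict, List

Policy = Dict[str, List[str]]

# child directive -> parent directive that level 1/2 browsers evaluate instead
FALLBACK_PARENTS = {
    "script-src-elem": "script-src",
    "script-src-attr": "script-src",
    "style-src-elem": "style-src",
    "style-src-attr": "style-src",
}


def parse_policy(header: str) -> Policy:
    """Parse a Content-Security-Policy header value into {directive: [sources]}.
    Directive order is kept; a repeated directive keeps its first occurrence,
    which is how browsers treat duplicates."""
    policy: Policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_policy(policy: Policy) -> str:
    """Inverse of parse_policy."""
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())


def merge_fallbacks(policy: Policy, fallbacks: Dict[str, str] = FALLBACK_PARENTS) -> Policy:
    """Return a copy of ``policy`` in which every source of a ``-elem``/``-attr``
    directive is also listed in its parent directive.

    The specific directives are kept, so level 3 browsers still apply the
    narrower per-context rules; level 1/2 browsers ignore the unknown
    directives and now fall back to a parent that contains all sources.
    ``fallbacks`` can be restricted per scope (e.g. only merge ``-elem``) by
    passing a subset of FALLBACK_PARENTS. A ``'none'`` in the parent is
    dropped once other sources are merged into it, since 'none' combined
    with other sources has no meaning."""
    merged: Policy = {name: list(sources) for name, sources in policy.items()}
    for child, parent in fallbacks.items():
        if child not in merged:
            continue
        parent_sources = merged.setdefault(parent, [])
        for source in merged[child]:
            if source not in parent_sources:
                parent_sources.append(source)
        if len(parent_sources) > 1 and "'none'" in parent_sources:
            parent_sources.remove("'none'")
    return merged


# Constructed sample: the analytics host is only allowed in script-src-elem,
# so a browser without CSP level 3 would block it until the fall-back merge.
SAMPLE_HEADER = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-PLACEHOLDER' 'report-sample'; "
    "script-src-elem 'self' 'nonce-PLACEHOLDER' https://analytics.example.org 'report-sample'; "
    "style-src 'self' 'report-sample'; "
    "style-src-attr 'unsafe-inline' 'report-sample'; "
    "object-src 'none'"
)

if __name__ == "__main__":
    print("before:", SAMPLE_HEADER)
    print("after: ", serialize_policy(merge_fallbacks(parse_policy(SAMPLE_HEADER))))
```

<p>The merge widens the parent directive: in the sample, <code>'unsafe-inline'</code> from <code>style-src-attr</code> ends up in <code>style-src</code>, which level 3 browsers still override with the narrower <code>style-src-elem</code>/<code>-attr</code> rules but older browsers apply as-is. That trade-off is why the merge has to stay an explicit, per-scope instruction rather than a default.</p>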
<p>Thus, when instructed, the <code>-attr</code> and <code>-elem</code> declarations shall be merged into their parent <code>script-src</code> and <code>style-src</code> directives. The instruction might differ per scope (backend, frontend, frontend-site).</p>
<p><strong>TYPO3 Core - Task #99046 (New): DOCS: Routing Troubleshooting Section</strong><br /><a class="external" href="http://forge.typo3.org/issues/99046">http://forge.typo3.org/issues/99046</a> - 2022-11-10T11:39:03Z - Oliver Hader (oliver.hader@typo3.org)</p>
<ul>
<li><a class="external" href="https://forge.typo3.org/issues/91530">https://forge.typo3.org/issues/91530</a>
<ul>
<li>describe consequences of using <code>PageType</code> decorator</li>
<li>concerning optional route variables (using <code>defaults</code>)</li>
</ul>
</li>
<li><a class="external" href="https://forge.typo3.org/issues/94585">https://forge.typo3.org/issues/94585</a>
<ul>
<li>describe consequences of using route without specific segment, e.g. <code>/{variable}</code></li>
<li>suggest to use specific segment, e.g. <code>/show/{variable}</code></li>
</ul>
</li>
<li><a class="external" href="https://forge.typo3.org/issues/90959#note-3">https://forge.typo3.org/issues/90959#note-3</a>
<ul>
<li>describe consequences of ambiguity</li>
</ul></li>
</ul>
<p><strong>TYPO3 Core - Bug #96435 (New): Apply rate limiter to mail forms</strong><br /><a class="external" href="http://forge.typo3.org/issues/96435">http://forge.typo3.org/issues/96435</a> - 2021-12-27T18:09:10Z - Oliver Hader (oliver.hader@typo3.org)</p>
<p>In order to limit submitting forms again and again (which can be automated, e.g. by using Selenium or similar techniques), sending out a particular form should be rate-limited (available since TYPO3 v11).</p>
<p><strong>TYPO3 Core - Task #91703 (New): Add configuration guard for ambiguous literals in route paths</strong><br /><a class="external" href="http://forge.typo3.org/issues/91703">http://forge.typo3.org/issues/91703</a> - 2020-06-23T23:57:56Z - Oliver Hader (oliver.hader@typo3.org)</p>
<pre>
routePath: '/{value__value}/{other__}'
_arguments:
value__value: 'value/value'
other__: 'other__'
</pre>
<p>The resulting URL parameters would look like <code>&amp;value[value]=a&amp;other__=b</code>.<br />The literal <code>__</code> is used as delimiter in <code>VariableProcessor</code>, see <a class="external" href="https://github.com/TYPO3/TYPO3.CMS/blob/9.5/typo3/sysext/core/Classes/Routing/Enhancer/VariableProcessor.php#L24">https://github.com/TYPO3/TYPO3.CMS/blob/9.5/typo3/sysext/core/Classes/Routing/Enhancer/VariableProcessor.php#L24</a></p>
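<p>Added example (not TYPO3 core code) of the configuration guard this task asks for: a simplified model of how nested parameter paths such as <code>value/value</code> (i.e. <code>value[value]</code>) are flattened into variable names with the <code>__</code> delimiter, plus a check that reports route variables or parameter paths in which a literal <code>__</code> collides with that delimiter. The function names are assumptions for the demo; the sample configuration is the one from this issue.</p>

```python
"""Guard for ambiguous literals in route variable names.

Added example, not TYPO3 core code: a simplified model of how nested URL
parameters (``value[value]``, written as the path ``value/value``) are
flattened into route variable names with the ``__`` delimiter, plus a
guard that reports configurations in which a literal ``__`` collides with
that delimiter. Function names are assumptions for the demo; the sample
configuration is the one from the issue description.
"""
from typing import Dict, List

DELIMITER = "__"


def flatten_path(path: str) -> str:
    """Nested parameter path -> flat variable name: 'value/value' -> 'value__value'."""
    return DELIMITER.join(path.split("/"))


def unflatten_name(name: str) -> str:
    """Flat variable name -> nested parameter path: 'value__value' -> 'value/value'."""
    return "/".join(name.split(DELIMITER))


def find_ambiguities(arguments: Dict[str, str]) -> List[str]:
    """Check an ``_arguments`` mapping (route variable -> parameter path).

    Reports every case in which flattening is not invertible:
    * a route variable name contains the literal delimiter, so the processor
      cannot tell it apart from a flattened nested path;
    * a parameter segment itself contains the delimiter;
    * one entry's flattened path equals another entry's variable name.
    Returns an empty list for an unambiguous configuration."""
    problems: List[str] = []
    for name, path in arguments.items():
        if DELIMITER in name:
            problems.append(
                f"variable '{name}' contains the reserved delimiter '{DELIMITER}'"
                f" and would be read as nested path '{unflatten_name(name)}'"
            )
        if any(DELIMITER in segment for segment in path.split("/")):
            problems.append(f"parameter path '{path}' contains the literal '{DELIMITER}'")
        flat = flatten_path(path)
        if flat != name and flat in arguments:
            problems.append(f"path '{path}' flattens to '{flat}', which is also a route variable")
    return problems


# Sample configuration from the issue: routePath '/{value__value}/{other__}'
ISSUE_ARGUMENTS = {"value__value": "value/value", "other__": "other__"}

if __name__ == "__main__":
    for problem in find_ambiguities(ISSUE_ARGUMENTS):
        print("ambiguous:", problem)
```

<p>A guard like this belongs at configuration-loading time so that a site with an ambiguous route setup fails early instead of resolving parameters differently than the integrator intended.</p>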
<ul>
<li>add test-cases for those scenarios</li>
<li>adjust implementation, add guards based on findings</li>
</ul>
<p><strong>TYPO3 Core - Task #91702 (New): Evaluate possibility for optional route parts</strong><br /><a class="external" href="http://forge.typo3.org/issues/91702">http://forge.typo3.org/issues/91702</a> - 2020-06-23T23:53:09Z - Oliver Hader (oliver.hader@typo3.org)</p>
<p>The following would lead to URL parameters like <code>&amp;value=abc&amp;optional=</code></p>
<pre>
routerPath: '{value}/{optional}'
defaults:
optional: ''
</pre>
<p>The desired behavior would be to not expose the URL parameter <code>optional</code> at all, thus only having <code>&amp;value=abc</code>.</p>
<pre>
routerPath: '{value}/{optional}'
defaults:
optional: null
</pre>
<p>This example is untested - in case it works already, cool.</p>
<p><strong>TYPO3 Core - Feature #91668 (New): Add system communication API</strong><br /><a class="external" href="http://forge.typo3.org/issues/91668">http://forge.typo3.org/issues/91668</a> - 2020-06-17T17:46:25Z - Oliver Hader (oliver.hader@typo3.org)</p>
<p>A system communication API could be used to retrieve data from official typo3.org services or send back anonymous usage data in order to help understand TYPO3-use-cases much better.</p>
<a name="Scenarios"></a>
<h2 >Scenarios<a href="#Scenarios" class="wiki-anchor">¶</a></h2>
<ul>
<li>compare current TYPO3 version with latest TYPO3 version & warn about missing security updates</li>
<li>fetch and display vendor messages for selected topics - e.g. release updates, important security notifications, etc.</li>
<li>send anonymous usage data back to granted services (typo3.org or custom endpoints)</li>
</ul>
<a name="Requirements"></a>
<h2 >Requirements<a href="#Requirements" class="wiki-anchor">¶</a></h2>
<ul>
<li>non-blocking - most of the communication shall happen in the background or in the client only (AJAX)</li>
<li>HTTP requests need to provide as little information as possible (no referrers, no cookies, ...)</li>
<li>each used communication stream/channel must be opt-in - users or site admins have to subscribe</li>
</ul>
<p><strong>TYPO3 Core - Task #89414 (New): Document new search behavior in filelist and suggest wizard</strong><br /><a class="external" href="http://forge.typo3.org/issues/89414">http://forge.typo3.org/issues/89414</a> - 2019-10-14T22:00:44Z - Oliver Hader (oliver.hader@typo3.org)</p>
<ul>
<li><a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/61927">https://review.typo3.org/c/Packages/TYPO3.CMS/+/61927</a></li>
<li><a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/61929">https://review.typo3.org/c/Packages/TYPO3.CMS/+/61929</a></li>
</ul>
<p>The new search syntax is:</p>
<pre>"first aspect" second "third"</pre>
<p><strong>TYPO3 Core - Task #89252 (New): Enhance usability of Install Tool presets</strong><br /><a class="external" href="http://forge.typo3.org/issues/89252">http://forge.typo3.org/issues/89252</a> - 2019-09-24T18:29:54Z - Oliver Hader (oliver.hader@typo3.org)</p>
<ul>
<li>in Install Tool</li>
<li>all settings for instance allow to make use of dropdowns (using <code>allowedValues</code>)</li>
<li>this rendering possibility is not available in presets which makes it hard to select proper values</li>
<li>besides that, no description is rendered in presets</li>
</ul>
<p>This way, using presets and having to fill in settings is actually harder than doing that among all settings.</p>
<p><img src="http://forge.typo3.org/attachments/download/34574/89252.png" alt="" loading="lazy" /></p>
<p><strong>TYPO3 Core - Bug #86231 (New): Distinguish between free-mode localization and chained translation</strong><br /><a class="external" href="http://forge.typo3.org/issues/86231">http://forge.typo3.org/issues/86231</a> - 2018-09-12T08:51:28Z - Oliver Hader (oliver.hader@typo3.org)</p>
<p>Based on my note <a class="external" href="https://forge.typo3.org/issues/86141#note-5">https://forge.typo3.org/issues/86141#note-5</a> when analyzing the behavior</p>
<a name="TLDR"></a>
<h2 >TL;DR<a href="#TLDR" class="wiki-anchor">¶</a></h2>
<p>When skimming over the examples below, focus and compare the values in <code>l10n_parent</code> and realize that <code>l10n_source</code> is <strong>optional</strong>.</p>
<a name="Usage"></a>
<h2 >Usage<a href="#Usage" class="wiki-anchor">¶</a></h2>
<p>Localizations can be created using the graphical backend interface (e.g. page module) or by invoking direct commands to DataHandler [1]. Thus even if the page module is only valid for <code>tt_content</code> records, it does not prevent records from being translated or localized explicitly. That's why this analysis uses <code>element</code> instead of <code>tt_content</code> as a pointer to a database table holding relevant records.</p>
<a name="Terminology"></a>
<h2 >Terminology<a href="#Terminology" class="wiki-anchor">¶</a></h2>
<a name="Connected-Mode"></a>
<h3 >Connected Mode<a href="#Connected-Mode" class="wiki-anchor">¶</a></h3>
<p>When translating elements, each element is bound to its relative ancestor. This results in a chain (that can be used for language fallbacks etc.).<br />The following example illustrates that: <code>l10n_parent</code> always points to the initial record in default language, <code>l10n_source</code> points to its relative translation ancestor, that is, the record a new translation is based on. All records are connected in a chain.</p>
<pre>
+ element:1 - English (Default) - language:0, l10n_parent=0, l10n_source=0
+ element:2 - French Translation - language:1, l10n_parent=1, l10n_source=1
+ element:3 - Franco-Canadian Translation - language:2, l10n_parent=1, l10n_source=2
</pre>
<a name="Free-Mode"></a>
<h3 >Free Mode<a href="#Free-Mode" class="wiki-anchor">¶</a></h3>
<p>When localizing elements in free mode, the previously mentioned translation chain is broken up; thus "free-mode localization elements" are in a specific language, but are not related to any relative ancestor and are therefore independent. The following example uses <code>element:3</code> as "free-mode localization": <code>l10n_parent</code> is set to <code>0</code>, but <code>l10n_source</code> still points to its relative localization ancestor (just as information, not as a strict relation like a "composition" [2] would have been).</p>
<pre>
+ element:1 - English (Default) - language:0, l10n_parent=0, l10n_source=0
+ element:2 - French Translation - language:1, l10n_parent=1, l10n_source=1
+ element:3 - Franco-Canadian Translation - language:2, l10n_parent=0, l10n_source=2
</pre>
<a name="The-Challenge"></a>
<h2 >The Challenge<a href="#The-Challenge" class="wiki-anchor">¶</a></h2>
<a name="Translation-from-existing-localization"></a>
<h3 >Translation from existing localization<a href="#Translation-from-existing-localization" class="wiki-anchor">¶</a></h3>
<p>It is possible to create a new localization directly that does not have a record in default language, or alternatively to start a translation based on a "free-mode localization element".<br />The example shows that the "English (Default)" record is now missing; the translation chain should(!) start with "French Translation" as first chain link. Since no record in default language is involved, <code>l10n_parent</code> stays empty with <code>0</code>, and only <code>l10n_source</code> points to the respective relative ancestor records.</p>
<pre>
+ element:2 - French Translation - language:1, l10n_parent=0, l10n_source=1 # <- translation chain or free-mode localization?!
+ element:3 - Franco-Canadian Translation - language:2, l10n_parent=0, l10n_source=2 # <- translation chain or free-mode localization?!
</pre>
<p>When comparing the "Franco-Canadian Translation" here to the one shown in the "Free Mode" section, it cannot be distinguished anymore, whether the record is part of a "translation chain" or has been created as "free-mode localization".</p>
<a name="The-information-in-l10n_source-is-not-mandatory"></a>
<h3 >The information in <code>l10n_source</code> is not mandatory<a href="#The-information-in-l10n_source-is-not-mandatory" class="wiki-anchor">¶</a></h3>
<p>Besides that, the information stored in the <code>l10n_source</code> field is optional and has to be configured in the control section of <code>$TCA</code> using the <code>translationSource</code> property. Thus, that information might not be available at all. The following examples show persisted results without having the <code>l10n_source</code> information.</p>
<a name="Connected-Mode-without-l10n_source"></a>
<h4 >Connected Mode without <code>l10n_source</code><a href="#Connected-Mode-without-l10n_source" class="wiki-anchor">¶</a></h4>
<pre>
+ element:1 - English (Default) - language:0, l10n_parent=0
+ element:2 - French Translation - language:1, l10n_parent=1 # <- part of a translation chain, which one?!
+ element:3 - Franco-Canadian Translation - language:2, l10n_parent=1 # <- part of a translation chain, which one?!
</pre>
<p>It is not possible anymore to determine at all, whether a record is part of a translation chain - since the relative ancestor is missing.</p>
<a name="Free-Mode-without-l10n_source"></a>
<h4 >Free Mode without <code>l10n_source</code><a href="#Free-Mode-without-l10n_source" class="wiki-anchor">¶</a></h4>
<pre>
+ element:1 - English (Default) - language:0, l10n_parent=0
+ element:2 - French Translation - language:1, l10n_parent=1 # <- part of a translation chain, which one?!
+ element:3 - Franco-Canadian Translation - language:2, l10n_parent=0 # <- translation chain or free-mode localization?!
</pre>
<p>It is (like in section "Translation from existing localization") not possible to distinguish between "connected translations" and "free-mode localizations".</p>
<a name="References"></a>
<h2 >References<a href="#References" class="wiki-anchor">¶</a></h2>
<p>[1]: DataHandler commands "localize" and "copyToLanguage": <a class="external" href="https://docs.typo3.org/typo3cms/CoreApiReference/ApiOverview/Typo3CoreEngine/Database/Index.html#command-keywords-and-values">https://docs.typo3.org/typo3cms/CoreApiReference/ApiOverview/Typo3CoreEngine/Database/Index.html#command-keywords-and-values</a><br />[2]: Association, Aggregation, Composition in UML: <a class="external" href="https://www.visual-paradigm.com/guide/uml-unified-modeling-language/uml-aggregation-vs-composition/">https://www.visual-paradigm.com/guide/uml-unified-modeling-language/uml-aggregation-vs-composition/</a></p>
<p><strong>TYPO3 Core - Bug #81552 (New): Disable creating new inline child records if allowLanguageSynchron...</strong><br /><a class="external" href="http://forge.typo3.org/issues/81552">http://forge.typo3.org/issues/81552</a> - 2017-06-12T13:14:29Z - Oliver Hader (oliver.hader@typo3.org)</p>
<p><img src="http://forge.typo3.org/attachments/download/32533/81552.png" alt="" loading="lazy" /><br /><img src="http://forge.typo3.org/attachments/download/32538/81552_2.png" alt="" loading="lazy" /></p>
<p>If allowLanguageSynchronization is active for inline child elements, the "create new" buttons and any other interaction shall be disabled for localized parent records - since these child records. Otherwise there's the possibility to create inconsistent and non-synchronized scenarios.</p>
<p><strong>TYPO3 Core - Feature #79105 (New): Extend workspace notification channels</strong><br /><a class="external" href="http://forge.typo3.org/issues/79105">http://forge.typo3.org/issues/79105</a> - 2016-12-29T13:15:10Z - Oliver Hader (oliver.hader@typo3.org)</p>
<p>Currently, workspaces only support sending out notifications via mail. It would be great if this could be enhanced to push notifications to any other service, e.g. Slack or IRC. This feature is about providing the possibility to attach new notification services through a custom API.</p>
<p><strong>TYPO3 Core - Feature #65720 (New): Add workspace element filter settings</strong><br /><a class="external" href="http://forge.typo3.org/issues/65720">http://forge.typo3.org/issues/65720</a> - 2015-03-13T14:55:48Z - Oliver Hader (oliver.hader@typo3.org)</p>
<p>The workspace configuration is extended by an element filter setting that allows defining record visibility in the workspace module per stage. This way it can be defined that either the workspace owner, members, or editors/creators of a particular record are allowed to see elements in the module, depending on the setting for the element's workspace stage.</p>