TYPO3 Forge: Issues
http://forge.typo3.org/
2019-10-10T15:54:25Z
TYPO3 Core - Bug #89392 (Closed): Fix composer definitions
http://forge.typo3.org/issues/89392
2019-10-10T15:54:25Z
Oliver Hader (oliver.hader@typo3.org)
<pre>
The typo3/cms-core package of which you are a maintainer has
failed to update due to invalid data contained in your composer.json.
Please address this as soon as possible since the package stopped updating.
It is recommended that you use `composer validate` to check for errors when you
change your composer.json.
Below is the full update log which should highlight errors as
"Skipped branch ...":
[Composer\Repository\InvalidRepositoryException]: Some branches contained invalid data and were discarded, it is advised to review the log and fix any issues present in branches
Reading composer.json of typo3/cms-core (v10.1.0)
Found cached composer.json of typo3/cms-core (v10.1.0)
Reading composer.json of typo3/cms-core (v10.0.0)
Found cached composer.json of typo3/cms-core (v10.0.0)
Reading composer.json of typo3/cms-core (v9.5.9)
Found cached composer.json of typo3/cms-core (v9.5.9)
Reading composer.json of typo3/cms-core (v9.5.8)
Found cached composer.json of typo3/cms-core (v9.5.8)
Reading composer.json of typo3/cms-core (v9.5.7)
Found cached composer.json of typo3/cms-core (v9.5.7)
Reading composer.json of typo3/cms-core (v9.5.6)
Found cached composer.json of typo3/cms-core (v9.5.6)
Reading composer.json of typo3/cms-core (v9.5.5)
Found cached composer.json of typo3/cms-core (v9.5.5)
Reading composer.json of typo3/cms-core (v9.5.4)
Found cached composer.json of typo3/cms-core (v9.5.4)
Reading composer.json of typo3/cms-core (v9.5.3)
Found cached composer.json of typo3/cms-core (v9.5.3)
Reading composer.json of typo3/cms-core (v9.5.2)
Found cached composer.json of typo3/cms-core (v9.5.2)
Reading composer.json of typo3/cms-core (v9.5.1)
Found cached composer.json of typo3/cms-core (v9.5.1)
Reading composer.json of typo3/cms-core (v9.5.0)
Found cached composer.json of typo3/cms-core (v9.5.0)
Reading composer.json of typo3/cms-core (v9.4.0)
Found cached composer.json of typo3/cms-core (v9.4.0)
Reading composer.json of typo3/cms-core (v9.3.3)
Found cached composer.json of typo3/cms-core (v9.3.3)
Reading composer.json of typo3/cms-core (v9.3.2)
Found cached composer.json of typo3/cms-core (v9.3.2)
Reading composer.json of typo3/cms-core (v9.3.1)
Found cached composer.json of typo3/cms-core (v9.3.1)
Reading composer.json of typo3/cms-core (v9.3.0)
Found cached composer.json of typo3/cms-core (v9.3.0)
Reading composer.json of typo3/cms-core (v9.2.1)
Found cached composer.json of typo3/cms-core (v9.2.1)
Reading composer.json of typo3/cms-core (v9.2.0)
Found cached composer.json of typo3/cms-core (v9.2.0)
Reading composer.json of typo3/cms-core (v9.1.0)
Found cached composer.json of typo3/cms-core (v9.1.0)
Reading composer.json of typo3/cms-core (v9.0.0)
Found cached composer.json of typo3/cms-core (v9.0.0)
Reading composer.json of typo3/cms-core (v8.7.27)
Found cached composer.json of typo3/cms-core (v8.7.27)
Reading composer.json of typo3/cms-core (v8.7.26)
Found cached composer.json of typo3/cms-core (v8.7.26)
Reading composer.json of typo3/cms-core (v8.7.25)
Found cached composer.json of typo3/cms-core (v8.7.25)
Reading composer.json of typo3/cms-core (v8.7.24)
Found cached composer.json of typo3/cms-core (v8.7.24)
Reading composer.json of typo3/cms-core (v8.7.23)
Found cached composer.json of typo3/cms-core (v8.7.23)
Reading composer.json of typo3/cms-core (v8.7.22)
Found cached composer.json of typo3/cms-core (v8.7.22)
Reading composer.json of typo3/cms-core (v8.7.21)
Found cached composer.json of typo3/cms-core (v8.7.21)
Reading composer.json of typo3/cms-core (v8.7.20)
Found cached composer.json of typo3/cms-core (v8.7.20)
Reading composer.json of typo3/cms-core (v8.7.19)
Found cached composer.json of typo3/cms-core (v8.7.19)
Reading composer.json of typo3/cms-core (v8.7.18)
Found cached composer.json of typo3/cms-core (v8.7.18)
Reading composer.json of typo3/cms-core (v8.7.17)
Found cached composer.json of typo3/cms-core (v8.7.17)
Reading composer.json of typo3/cms-core (v8.7.16)
Found cached composer.json of typo3/cms-core (v8.7.16)
Reading composer.json of typo3/cms-core (v8.7.15)
Found cached composer.json of typo3/cms-core (v8.7.15)
Reading composer.json of typo3/cms-core (v8.7.14)
Found cached composer.json of typo3/cms-core (v8.7.14)
Reading composer.json of typo3/cms-core (v8.7.13)
Found cached composer.json of typo3/cms-core (v8.7.13)
Reading composer.json of typo3/cms-core (v8.7.12)
Found cached composer.json of typo3/cms-core (v8.7.12)
Reading composer.json of typo3/cms-core (v8.7.11)
Found cached composer.json of typo3/cms-core (v8.7.11)
Reading composer.json of typo3/cms-core (v8.7.10)
Found cached composer.json of typo3/cms-core (v8.7.10)
Reading composer.json of typo3/cms-core (v8.7.9)
Found cached composer.json of typo3/cms-core (v8.7.9)
Reading composer.json of typo3/cms-core (v8.7.8)
Found cached composer.json of typo3/cms-core (v8.7.8)
Reading composer.json of typo3/cms-core (v8.7.7)
Found cached composer.json of typo3/cms-core (v8.7.7)
Reading composer.json of typo3/cms-core (master)
Importing branch master (dev-master)
Skipped branch master, Invalid package information:
Deprecation warning: replace.core is invalid, it should have a vendor name, a forward slash, and a package name. The vendor and package name can be words separated by -, . or _. The complete name should match "[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9]([_.-]?[a-z0-9]+)*". Make sure you fix this as Composer 2.0 will error.
Reading composer.json of typo3/cms-core (8.7)
Found cached composer.json of typo3/cms-core (8.7.x-dev)
Reading composer.json of typo3/cms-core (9.2)
Found cached composer.json of typo3/cms-core (9.2.x-dev)
Reading composer.json of typo3/cms-core (9.3)
Found cached composer.json of typo3/cms-core (9.3.x-dev)
Reading composer.json of typo3/cms-core (9.5)
Found cached composer.json of typo3/cms-core (9.5.x-dev)
</pre>
<p><code>composer validate</code> in typo3/sysext/core:</p>
<pre>
composer validate
Deprecation warning: replace.core is invalid, it should have a vendor name, a forward slash, and a package name. The vendor and package name can be words separated by -, . or _. The complete name should match "[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9]([_.-]?[a-z0-9]+)*". Make sure you fix this as Composer 2.0 will error.
Deprecation warning: replace.core is invalid, it should have a vendor name, a forward slash, and a package name. The vendor and package name can be words separated by -, . or _. The complete name should match "[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9]([_.-]?[a-z0-9]+)*". Make sure you fix this as Composer 2.0 will error.
./composer.json is valid, but with a few warnings
See https://getcomposer.org/doc/04-schema.md for details on the schema
Deprecation warning: replace.core is invalid, it should have a vendor name, a forward slash, and a package name. The vendor and package name can be words separated by -, . or _. The complete name should match "[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9]([_.-]?[a-z0-9]+)*". Make sure you fix this as Composer 2.0 will error.
</pre>
TYPO3 Core - Bug #86923 (Closed): Symfony expressions/conditions doesn't work in user-tsconfig
http://forge.typo3.org/issues/86923
2018-11-14T08:50:52Z
Oliver Hader (oliver.hader@typo3.org)
TYPO3 Core - Bug #85875 (Closed): Issues in ThumbnailController
http://forge.typo3.org/issues/85875
2018-08-16T18:33:06Z
Oliver Hader (oliver.hader@typo3.org)
<ul>
<li>information disclosure (fileIdentifier can be arbitrary, supports fallback zero-storage)</li>
<li>denial of service (dimensions, basically whole configuration can be arbitrary)</li>
</ul>
<p>Introduced in <a class="external" href="https://review.typo3.org/#/c/56765/">https://review.typo3.org/#/c/56765/</a> - not released yet to 9.4.0 nor 8.7.19</p>
<p>Solution: Add HMAC to all HTTP request parameters.</p>
<a name="PoC"></a>
<h2 >PoC</h2>
<p>XSRF Token has to be adjusted in the links below</p>
<a name="Information-Disclosure"></a>
<h3 >Information Disclosure</h3>
<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=typo3conf/LocalConfiguration.php&processingInstructions%5Bwidth%5D=64
&processingInstructions%5Bheight%5D=64c
&processingInstructions%5Bcrop%5D=
</pre>
<a name="Denial-of-Service"></a>
<h3 >Denial of Service</h3>
<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=1%3A%2Fuser_upload%2Fafter_01.png
&processingInstructions%5Bwidth%5D=1000000
&processingInstructions%5Bheight%5D=1000000c
&processingInstructions%5Bcrop%5D=
</pre>
TYPO3 Core - Bug #85773 (Closed): Flaws in sys_log entry IP anonymization
http://forge.typo3.org/issues/85773
2018-08-07T14:22:19Z
Oliver Hader (oliver.hader@typo3.org)
The sys_log entry IP anonymization has several flaws which lead to a revert of the initial change in master:
<ul>
<li>REMOTE_ADDR is anonymized, REMOTE_HOST not (probably there are more occurrences)</li>
<li>PHP method <code>sprintf()</code> is invoked with too many arguments, username information is out of bounds</li>
<li>introduced in <a class="external" href="https://review.typo3.org/#/c/57313/">https://review.typo3.org/#/c/57313/</a></li>
</ul>
TYPO3 Core - Bug #81747 (Closed): Copying workspace version record fails
http://forge.typo3.org/issues/81747
2017-06-29T18:16:07Z
Oliver Hader (oliver.hader@typo3.org)
<p>Copying workspace version records fails with a Doctrine DBAL exception due to using computed properties directly in the database - which do not exist. This misbehavior has been introduced in issue <a class="issue tracker-4 status-5 priority-4 priority-default closed" title="Task: Wrap doesRecordExist in new method (Closed)" href="http://forge.typo3.org/issues/79515">#79515</a> which switched to use BackendUtility::workspaceOL() without further sanitization.</p>
<p>Example of Doctrine DBAL exception:<br /><pre>
Doctrine\DBAL\Exception\InvalidFieldNameException: An exception occurred while executing 'SELECT `uid`, `pid`, `t3ver_oid`, `t3ver_id`, `t3ver_wsid`, `t3ver_label`, `t3ver_state`, `t3ver_stage`, `t3ver_count`, `t3ver_tstamp`, `t3ver_move_id`, `t3_origuid`, `tstamp`, `crdate`, `cruser_id`, `editlock`, `hidden`, `sorting`, `CType`, `header`, `header_position`, `rowDescription`, `bodytext`, `bullets_type`, `uploads_description`, `uploads_type`, `assets`, `image`, `imagewidth`, `imageorient`, `imagecols`, `imageborder`, `media`, `layout`, `frame_class`, `deleted`, `cols`, `spaceBefore`, `spaceAfter`, `space_before_class`, `space_after_class`, `records`, `pages`, `starttime`, `endtime`, `colPos`, `subheader`, `fe_group`, `header_link`, `image_zoom`, `header_layout`, `list_type`, `sectionIndex`, `linkToTop`, `file_collections`, `filelink_size`, `filelink_sorting`, `target`, `date`, `recursive`, `imageheight`, `sys_language_uid`, `pi_flexform`, `accessibility_title`, `accessibility_bypass`, `accessibility_bypass_text`, `l18n_parent`, `l18n_diffsource`, `l10n_source`, `selected_categories`, `category_field`, `table_class`, `table_caption`, `table_delimiter`, `table_enclosure`, `table_header_position`, `table_tfoot`, `tx_irretutorial_1nff_hotels`, `tx_irretutorial_1ncsv_hotels`, `tx_irretutorial_flexform`, `l10n_state`, `categories`, `_ORIG_pid` FROM `tt_content` WHERE (`pid` = ?) AND (`t3ver_oid` = ?) AND (`t3ver_wsid` = ?) AND (`tt_content`.`deleted` = 0)' with params [-1, 300, 1]:
</pre></p>
TYPO3 Core - Task #80149 (Closed): Remove $GLOBALS['TYPO3_CONF_VARS']['FE']['pageOverlayFields']
http://forge.typo3.org/issues/80149
2017-03-06T12:27:17Z
Oliver Hader (oliver.hader@typo3.org)
<p>The configuration $GLOBALS['TYPO3_CONF_VARS']['FE']['pageOverlayFields']<br />is removed from the default configuration as well as from the overlay<br />handling in PageRepository and RootlineUtility. This setting has been<br />used to determine overlay fields in the table pages_language_overlay at<br />a time in the runtime processing when the complete TCA was not fully<br />available. Since the allowLanguageSynchronization possibility has been<br />integrated into TYPO3 CMS 8, l10n_mode was available already and the TCA<br />is loaded as well, the pageOverlayFields settings are superfluous.</p>
TYPO3 Core - Bug #70542 (Closed): Save and new record fails in workspace mode
http://forge.typo3.org/issues/70542
2015-10-09T16:04:08Z
Oliver Hader (oliver.hader@typo3.org)
<p>The exception <code>#1437656456: $uid must be positive integer</code> is issued when using the save and new button in the backend and working on a workspace.<br />DatabaseParentPageRow does not have any workspace handling on the "neighborRow" variable.</p>
TYPO3 Core - Task #69369 (Closed): EXT:form - Use property value instead of data for TEXTAREA, TE...
http://forge.typo3.org/issues/69369
2015-08-27T17:02:52Z
Oliver Hader (oliver.hader@typo3.org)
<p>The Form Objects (system extension "form") TEXTAREA, TEXTBLOCK, OPTION currently use <code>data</code> as property name to define default values. However, all other objects use <code>value</code>. Since <code>data</code> implies the possibility to use computed values, it shall be deprecated and <code>value</code> used instead.</p>
TYPO3 Core - Task #60249 (Closed): Publishing delete placeholder affects different workspaces as ...
http://forge.typo3.org/issues/60249
2014-07-10T20:37:53Z
Oliver Hader (oliver.hader@typo3.org)
Scenario:
<ul>
<li>having two workspaces (1 and 2)</li>
<li>having a live record with uid 10</li>
<li>having a delete placeholder for uid 10 in workspace 1</li>
<li>having a delete placeholder for uid 10 in workspace 2</li>
</ul>
Action:
<ul>
<li>publish the delete placeholder for uid 10 in workspace 1</li>
</ul>
Experience:
<ul>
<li>published delete placeholder for uid 10 in workspace 2 (which was not the active workspace)</li>
</ul>
TYPO3 Core - Bug #55246 (Closed): Class 'TYPO3\CMS\Recordlist\Browser\GeneralUtility' not found
http://forge.typo3.org/issues/55246
2014-01-22T14:37:05Z
Oliver Hader (oliver.hader@typo3.org)
<p><code>Class 'TYPO3\CMS\Recordlist\Browser\GeneralUtility' not found in typo3/branches/TYPO3_6-1/typo3/sysext/recordlist/Classes/Browser/ElementBrowser.php on line 704</code></p>
TYPO3 Core - Bug #54857 (Closed): Test extensions are not considered in functional test cases
http://forge.typo3.org/issues/54857
2014-01-09T00:12:28Z
Oliver Hader (oliver.hader@typo3.org)
<p>The functional testing framework offers the possibility to define custom extensions to be installed for each test scenario.<br />However, this does not work at all, only extensions that are available in the original base installation can be used.</p>
<p>The origin of this misbehaviour can be found in this change set:<br /><a class="external" href="https://review.typo3.org/#/c/19605/32/typo3/sysext/core/Tests/FunctionalTestCaseBootstrapUtility.php">https://review.typo3.org/#/c/19605/32/typo3/sysext/core/Tests/FunctionalTestCaseBootstrapUtility.php</a></p>
TYPO3 Core - Bug #52585 (Closed): Overwriting existing database during install does not work
http://forge.typo3.org/issues/52585
2013-10-07T16:34:30Z
Oliver Hader (oliver.hader@typo3.org)
<p>It sounds nice that existing data cannot be overwritten anymore... however, if it's intended and the database user is not allowed to create new databases, then one is lost after the first 10 seconds with TYPO3.</p>
Steps to reproduce:
<ul>
<li>install TYPO3 CMS 6.2</li>
<li>use user that has a database with data/tables</li>
<li>you won't find the database in the list of "empty databases" - which is correct of course, but not helpful</li>
</ul>
TYPO3 Core - Bug #52578 (Closed): Install process removes permission
http://forge.typo3.org/issues/52578
2013-10-07T13:59:57Z
Oliver Hader (oliver.hader@typo3.org)
<p>The initial server error reads like this:</p>
<p>Forbidden<br />You don't have permission to access /typo3/sysext/install/Start/Install.php on this server.</p>
<p>The permission to the document root folder is modified and thus TYPO3 is currently locking out itself during the install process.<br />Looks like $GLOBALS['TYPO3_CONF_VARS']['BE']['folderCreateMask'] is used as targetPermission...<br />So, either leave out the root node or find a way to determine the correct permission.</p>
<p>In my case I get a<br /><code>Permission denied: /.../introduction/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://.../typo3/sysext/install/Start/Install.php</code></p>
TYPO3 Core - Bug #51411 (Closed): Label user function for sys_file_reference uses HTML
http://forge.typo3.org/issues/51411
2013-08-27T22:31:46Z
Oliver Hader (oliver.hader@typo3.org)
<p>The label user function for sys_file_reference uses HTML which results in strange data in the workspace module, the admin log and possibly also in other components that list sys_file_reference records in a list (see attached screenshots).</p>
<p>This behaviour has been introduced with this change:<br /><a class="external" href="https://review.typo3.org/21916">https://review.typo3.org/21916</a></p>
TYPO3 Core - Bug #48138 (Closed): Cannot connect to the current database
http://forge.typo3.org/issues/48138
2013-05-13T14:46:45Z
Oliver Hader (oliver.hader@typo3.org)
Scenario:
<ul>
<li>blank website, no LocalConfiguration.php file</li>
<li>MySQL user that sees all databases but does not have access to all of them</li>
<li>request to <a class="external" href="http://lotse.local/typo3/install/index.php?TYPO3_INSTALL[type]=config">http://lotse.local/typo3/install/index.php?TYPO3_INSTALL[type]=config</a></li>
</ul>
<p>Bug:<br />#1270853883: TYPO3 Fatal Error: Cannot connect to the current database, "#mysql50#.backup"!</p>
<p>Reason:<br />DatabaseConnection::admin_get_dbs() iterates over all existing databases and tries to use it. If that fails, an exception is thrown - which is not caught in the mentioned method.</p>