TYPO3 Forge: Issues
http://forge.typo3.org/
2019-10-10T15:54:25Z

TYPO3 Core - Bug #89392 (Closed): Fix composer definitions
http://forge.typo3.org/issues/89392
2019-10-10T15:54:25Z Oliver Hader (oliver.hader@typo3.org)
<pre>
The typo3/cms-core package of which you are a maintainer has
failed to update due to invalid data contained in your composer.json.
Please address this as soon as possible since the package stopped updating.
It is recommended that you use `composer validate` to check for errors when you
change your composer.json.
Below is the full update log which should highlight errors as
"Skipped branch ...":
[Composer\Repository\InvalidRepositoryException]: Some branches contained invalid data and were discarded, it is advised to review the log and fix any issues present in branches
Reading composer.json of typo3/cms-core (v10.1.0)
Found cached composer.json of typo3/cms-core (v10.1.0)
Reading composer.json of typo3/cms-core (v10.0.0)
Found cached composer.json of typo3/cms-core (v10.0.0)
Reading composer.json of typo3/cms-core (v9.5.9)
Found cached composer.json of typo3/cms-core (v9.5.9)
Reading composer.json of typo3/cms-core (v9.5.8)
Found cached composer.json of typo3/cms-core (v9.5.8)
Reading composer.json of typo3/cms-core (v9.5.7)
Found cached composer.json of typo3/cms-core (v9.5.7)
Reading composer.json of typo3/cms-core (v9.5.6)
Found cached composer.json of typo3/cms-core (v9.5.6)
Reading composer.json of typo3/cms-core (v9.5.5)
Found cached composer.json of typo3/cms-core (v9.5.5)
Reading composer.json of typo3/cms-core (v9.5.4)
Found cached composer.json of typo3/cms-core (v9.5.4)
Reading composer.json of typo3/cms-core (v9.5.3)
Found cached composer.json of typo3/cms-core (v9.5.3)
Reading composer.json of typo3/cms-core (v9.5.2)
Found cached composer.json of typo3/cms-core (v9.5.2)
Reading composer.json of typo3/cms-core (v9.5.1)
Found cached composer.json of typo3/cms-core (v9.5.1)
Reading composer.json of typo3/cms-core (v9.5.0)
Found cached composer.json of typo3/cms-core (v9.5.0)
Reading composer.json of typo3/cms-core (v9.4.0)
Found cached composer.json of typo3/cms-core (v9.4.0)
Reading composer.json of typo3/cms-core (v9.3.3)
Found cached composer.json of typo3/cms-core (v9.3.3)
Reading composer.json of typo3/cms-core (v9.3.2)
Found cached composer.json of typo3/cms-core (v9.3.2)
Reading composer.json of typo3/cms-core (v9.3.1)
Found cached composer.json of typo3/cms-core (v9.3.1)
Reading composer.json of typo3/cms-core (v9.3.0)
Found cached composer.json of typo3/cms-core (v9.3.0)
Reading composer.json of typo3/cms-core (v9.2.1)
Found cached composer.json of typo3/cms-core (v9.2.1)
Reading composer.json of typo3/cms-core (v9.2.0)
Found cached composer.json of typo3/cms-core (v9.2.0)
Reading composer.json of typo3/cms-core (v9.1.0)
Found cached composer.json of typo3/cms-core (v9.1.0)
Reading composer.json of typo3/cms-core (v9.0.0)
Found cached composer.json of typo3/cms-core (v9.0.0)
Reading composer.json of typo3/cms-core (v8.7.27)
Found cached composer.json of typo3/cms-core (v8.7.27)
Reading composer.json of typo3/cms-core (v8.7.26)
Found cached composer.json of typo3/cms-core (v8.7.26)
Reading composer.json of typo3/cms-core (v8.7.25)
Found cached composer.json of typo3/cms-core (v8.7.25)
Reading composer.json of typo3/cms-core (v8.7.24)
Found cached composer.json of typo3/cms-core (v8.7.24)
Reading composer.json of typo3/cms-core (v8.7.23)
Found cached composer.json of typo3/cms-core (v8.7.23)
Reading composer.json of typo3/cms-core (v8.7.22)
Found cached composer.json of typo3/cms-core (v8.7.22)
Reading composer.json of typo3/cms-core (v8.7.21)
Found cached composer.json of typo3/cms-core (v8.7.21)
Reading composer.json of typo3/cms-core (v8.7.20)
Found cached composer.json of typo3/cms-core (v8.7.20)
Reading composer.json of typo3/cms-core (v8.7.19)
Found cached composer.json of typo3/cms-core (v8.7.19)
Reading composer.json of typo3/cms-core (v8.7.18)
Found cached composer.json of typo3/cms-core (v8.7.18)
Reading composer.json of typo3/cms-core (v8.7.17)
Found cached composer.json of typo3/cms-core (v8.7.17)
Reading composer.json of typo3/cms-core (v8.7.16)
Found cached composer.json of typo3/cms-core (v8.7.16)
Reading composer.json of typo3/cms-core (v8.7.15)
Found cached composer.json of typo3/cms-core (v8.7.15)
Reading composer.json of typo3/cms-core (v8.7.14)
Found cached composer.json of typo3/cms-core (v8.7.14)
Reading composer.json of typo3/cms-core (v8.7.13)
Found cached composer.json of typo3/cms-core (v8.7.13)
Reading composer.json of typo3/cms-core (v8.7.12)
Found cached composer.json of typo3/cms-core (v8.7.12)
Reading composer.json of typo3/cms-core (v8.7.11)
Found cached composer.json of typo3/cms-core (v8.7.11)
Reading composer.json of typo3/cms-core (v8.7.10)
Found cached composer.json of typo3/cms-core (v8.7.10)
Reading composer.json of typo3/cms-core (v8.7.9)
Found cached composer.json of typo3/cms-core (v8.7.9)
Reading composer.json of typo3/cms-core (v8.7.8)
Found cached composer.json of typo3/cms-core (v8.7.8)
Reading composer.json of typo3/cms-core (v8.7.7)
Found cached composer.json of typo3/cms-core (v8.7.7)
Reading composer.json of typo3/cms-core (master)
Importing branch master (dev-master)
Skipped branch master, Invalid package information:
Deprecation warning: replace.core is invalid, it should have a vendor name, a forward slash, and a package name. The vendor and package name can be words separated by -, . or _. The complete name should match "[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9]([_.-]?[a-z0-9]+)*". Make sure you fix this as Composer 2.0 will error.
Reading composer.json of typo3/cms-core (8.7)
Found cached composer.json of typo3/cms-core (8.7.x-dev)
Reading composer.json of typo3/cms-core (9.2)
Found cached composer.json of typo3/cms-core (9.2.x-dev)
Reading composer.json of typo3/cms-core (9.3)
Found cached composer.json of typo3/cms-core (9.3.x-dev)
Reading composer.json of typo3/cms-core (9.5)
Found cached composer.json of typo3/cms-core (9.5.x-dev)
</pre>
<p><code>composer validate</code> in typo3/sysext/core:</p>
<pre>
composer validate
Deprecation warning: replace.core is invalid, it should have a vendor name, a forward slash, and a package name. The vendor and package name can be words separated by -, . or _. The complete name should match "[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9]([_.-]?[a-z0-9]+)*". Make sure you fix this as Composer 2.0 will error.
Deprecation warning: replace.core is invalid, it should have a vendor name, a forward slash, and a package name. The vendor and package name can be words separated by -, . or _. The complete name should match "[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9]([_.-]?[a-z0-9]+)*". Make sure you fix this as Composer 2.0 will error.
./composer.json is valid, but with a few warnings
See https://getcomposer.org/doc/04-schema.md for details on the schema
Deprecation warning: replace.core is invalid, it should have a vendor name, a forward slash, and a package name. The vendor and package name can be words separated by -, . or _. The complete name should match "[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9]([_.-]?[a-z0-9]+)*". Make sure you fix this as Composer 2.0 will error.
</pre>

TYPO3 Core - Bug #86923 (Closed): Symfony expressions/conditions doesn't work in user-tsconfig
http://forge.typo3.org/issues/86923
2018-11-14T08:50:52Z Oliver Hader (oliver.hader@typo3.org)

TYPO3 Core - Bug #85875 (Closed): Issues in ThumbnailController
http://forge.typo3.org/issues/85875
2018-08-16T18:33:06Z Oliver Hader (oliver.hader@typo3.org)
<ul>
<li>information disclosure (fileIdentifier can be arbitrary, supports fallback zero-storage)</li>
<li>denial of service (dimensions, basically whole configuration can be arbitrary)</li>
</ul>
<p>Introduced in <a class="external" href="https://review.typo3.org/#/c/56765/">https://review.typo3.org/#/c/56765/</a> - not released yet to 9.4.0 nor 8.7.19</p>
<p>Solution: Add HMAC to all HTTP request parameters.</p>
<a name="PoC"></a>
<h2>PoC</h2>
<p>XSRF Token has to be adjusted in the links below</p>
<a name="Information-Disclosure"></a>
<h3>Information Disclosure</h3>
<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=typo3conf/LocalConfiguration.php&processingInstructions%5Bwidth%5D=64
&processingInstructions%5Bheight%5D=64c
&processingInstructions%5Bcrop%5D=
</pre>
<a name="Denial-of-Service"></a>
<h3>Denial of Service</h3>
<pre>
http://ip9.local/typo3/index.php?route=%2Fthumbnails&token=f956bed9f5fa218860ef00491b37d9ede93b7731
&fileIdentifier=1%3A%2Fuser_upload%2Fafter_01.png
&processingInstructions%5Bwidth%5D=1000000
&processingInstructions%5Bheight%5D=1000000c
&processingInstructions%5Bcrop%5D=
</pre>

TYPO3 Core - Bug #85773 (Closed): Flaws in sys_log entry IP anonymization
http://forge.typo3.org/issues/85773
2018-08-07T14:22:19Z Oliver Hader (oliver.hader@typo3.org)
The sys_log entry IP anonymization has several flaws which lead to a revert of the initial change in master:
<ul>
<li>REMOTE_ADDR is anonymized, REMOTE_HOST not (probably there are more occurrences)</li>
<li>PHP method <code>sprintf()</code> is invoked with too many arguments, username information is out of bounds</li>
<li>introduced in <a class="external" href="https://review.typo3.org/#/c/57313/">https://review.typo3.org/#/c/57313/</a></li>
</ul>

TYPO3 Core - Bug #81747 (Closed): Copying workspace version record fails
http://forge.typo3.org/issues/81747
2017-06-29T18:16:07Z Oliver Hader (oliver.hader@typo3.org)
<p>Copying workspace version records fails with a Doctrine DBAL exception due to using computed properties directly in the database - which do not exist. This misbehavior has been introduced in issue <a class="issue tracker-4 status-5 priority-4 priority-default closed" title="Task: Wrap doesRecordExist in new method (Closed)" href="http://forge.typo3.org/issues/79515">#79515</a> which switched to using BackendUtility::workspaceOL() without further sanitization.</p>
<p>Example of Doctrine DBAL exception:<br /><pre>
Doctrine\DBAL\Exception\InvalidFieldNameException: An exception occurred while executing 'SELECT `uid`, `pid`, `t3ver_oid`, `t3ver_id`, `t3ver_wsid`, `t3ver_label`, `t3ver_state`, `t3ver_stage`, `t3ver_count`, `t3ver_tstamp`, `t3ver_move_id`, `t3_origuid`, `tstamp`, `crdate`, `cruser_id`, `editlock`, `hidden`, `sorting`, `CType`, `header`, `header_position`, `rowDescription`, `bodytext`, `bullets_type`, `uploads_description`, `uploads_type`, `assets`, `image`, `imagewidth`, `imageorient`, `imagecols`, `imageborder`, `media`, `layout`, `frame_class`, `deleted`, `cols`, `spaceBefore`, `spaceAfter`, `space_before_class`, `space_after_class`, `records`, `pages`, `starttime`, `endtime`, `colPos`, `subheader`, `fe_group`, `header_link`, `image_zoom`, `header_layout`, `list_type`, `sectionIndex`, `linkToTop`, `file_collections`, `filelink_size`, `filelink_sorting`, `target`, `date`, `recursive`, `imageheight`, `sys_language_uid`, `pi_flexform`, `accessibility_title`, `accessibility_bypass`, `accessibility_bypass_text`, `l18n_parent`, `l18n_diffsource`, `l10n_source`, `selected_categories`, `category_field`, `table_class`, `table_caption`, `table_delimiter`, `table_enclosure`, `table_header_position`, `table_tfoot`, `tx_irretutorial_1nff_hotels`, `tx_irretutorial_1ncsv_hotels`, `tx_irretutorial_flexform`, `l10n_state`, `categories`, `_ORIG_pid` FROM `tt_content` WHERE (`pid` = ?) AND (`t3ver_oid` = ?) AND (`t3ver_wsid` = ?) AND (`tt_content`.`deleted` = 0)' with params [-1, 300, 1]:
</pre></p>

TYPO3 Core - Task #80149 (Closed): Remove $GLOBALS['TYPO3_CONF_VARS']['FE']['pageOverlayFields']
http://forge.typo3.org/issues/80149
2017-03-06T12:27:17Z Oliver Hader (oliver.hader@typo3.org)
<p>The configuration $GLOBALS['TYPO3_CONF_VARS']['FE']['pageOverlayFields']<br />is removed from the default configuration as well as from the overlay<br />handling in PageRepository and RootlineUtility. This setting has been<br />used to determine overlay fields in the table pages_language_overlay at<br />a time in the runtime processing when the complete TCA was not fully<br />available. Since the allowLanguageSynchronization possibility has been<br />integrated into TYPO3 CMS 8, l10n_mode was available already and the TCA<br />is loaded as well, the pageOverlayFields settings are superfluous.</p>

TYPO3 Core - Task #69369 (Closed): EXT:form - Use property value instead of data for TEXTAREA, TE...
http://forge.typo3.org/issues/69369
2015-08-27T17:02:52Z Oliver Hader (oliver.hader@typo3.org)
<p>The Form Objects (system extension "form") TEXTAREA, TEXTBLOCK, OPTION currently use <code>data</code> as property name to define default values. However, all other objects use <code>value</code>. Since <code>data</code> implies the possibility to use computed values, it shall be deprecated and <code>value</code> used instead.</p>

TYPO3 Core - Task #60249 (Closed): Publishing delete placeholder affects different workspaces as ...
http://forge.typo3.org/issues/60249
2014-07-10T20:37:53Z Oliver Hader (oliver.hader@typo3.org)
Scenario:
<ul>
<li>having two workspaces (1 and 2)</li>
<li>having a live record with uid 10</li>
<li>having a delete placeholder for uid 10 in workspace 1</li>
<li>having a delete placeholder for uid 10 in workspace 2</li>
</ul>
Action:
<ul>
<li>publish the delete placeholder for uid 10 in workspace 1</li>
</ul>
Experience:
<ul>
<li>published delete placeholder for uid 10 in workspace 2 (which was not the active workspace)</li>
</ul>

TYPO3 Core - Task #45676 (Rejected): Workspace references are not considered
http://forge.typo3.org/issues/45676
2013-02-20T21:32:35Z Oliver Hader (oliver.hader@typo3.org)
<p>Workspace references for MM and IRRE records are not considered, since only the UID of the live record is considered (due to overlays).<br />Since this might(!) work in most cases for existing records that get modified in a workspace, it does not for records that are newly created. In this case, the "live record" is a workspace placeholder without any data.</p>
<p>MM and IRRE always need to use the most specific UID in references, which is the versioned record in this case.</p>

TYPO3 Core - Feature #31767 (Closed): Integrate accessible content rendering
http://forge.typo3.org/issues/31767
2011-11-12T11:31:49Z Oliver Hader (oliver.hader@typo3.org)
<p>Integrate accessible content rendering to the frontend.</p>
<p>These changes are a result of the BLE project and are taken from<br />git://git.typo3.org/TYPO3v4/Incubator.git project-accessibility</p>
<pre>
git merge --squash --no-commit ed780a59b42b39dc85b37a46fb1ba03938ac4ca6
git cherry-pick eb77a4890a27075f970e96b0fcef0d4d088d4ad4 --no-commit
git cherry-pick 6238dcf224d5a3deb1744db1d81959e6609bfed6 --no-commit
git cherry-pick 16541a886146a56a8d9797466183c3788c107fbe --no-commit
</pre>

TYPO3 Core - Task #31274 (Closed): Disable file upload in form wizard
http://forge.typo3.org/issues/31274
2011-10-25T12:24:00Z Oliver Hader (oliver.hader@typo3.org)
<p>Due to a wrong implementation the file upload feature in the form wizard will be disabled for the time being.</p>

TYPO3 Core - Task #11162 (Closed): Suggest to Core and other extensions to increase the type of t...
http://forge.typo3.org/issues/11162
2010-11-30T12:40:17Z Oliver Hader (oliver.hader@typo3.org)
<p>Currently the field t3ver_stage which is defined by each module/extension that supports workspaces is defined as TINYINT and thus supports up to 255 stages. This was way enough until now - however since we have custom stages right now and each workspace can also have stages, it might happen that 255 is not enough anymore.</p>
<p>Thus, we should consider to give the suggestion to the Core and Extension Developers to use INT as storage type for the t3ver_stage field.</p>

TYPO3 Core - Task #10201 (Closed): Set up test environment for team members
http://forge.typo3.org/issues/10201
2010-10-11T18:29:49Z Oliver Hader (oliver.hader@typo3.org)
<p>Set up a test environment for team members.<br />A TYPO3 introduction package will be used to visualize the work. The sources are fetched automatically via cron job from GitHub.</p>
<p>Future URL: <a class="external" href="http://workspaces.typo3projects.org/">http://workspaces.typo3projects.org/</a></p>

TYPO3 Core - Feature #19347 (Closed): Integrate string replacement to stdWrap
http://forge.typo3.org/issues/19347
2008-09-17T20:23:49Z Oliver Hader (oliver.hader@typo3.org)
<p>With stdWrap it's not possible yet to do (ordered) string replacements for processing content data.</p>
<p>On introducing a new stdWrap property "replacement" that takes an ordered list of replacement definitions, multiple manipulations could be executed at the same time. Additionally, regular expressions can be used if required.</p>
<p><b>TypoScript example:</b><br /><pre>20 = TEXT
20 {
  value = There_is_a_cat,_a_dog_and_a_tiger_in_da_hood!_Yeah!
  stdWrap.replacement {
    10 {
      search = _
      replace.char = 32
    }
    20 {
      search = in da hood
      replace = around the block
    }
    30 {
      search = #a (Cat|Dog|Tiger)#i
      replace = an animal
      useRegExp = 1
    }
  }
}</pre></p>
<p>The indexes 10, 20, 30 are just for setting an order on the execution of the replacement. Each subkey "search", "replace" and "useRegExp" has again stdWrap functionality.</p>
<p>(issue imported from #M9373)</p>

TYPO3 Core - Feature #17500 (Closed): Localization of child records
http://forge.typo3.org/issues/17500
2007-08-06T20:58:11Z Oliver Hader (oliver.hader@typo3.org)
<p>The localization of child records when viewing the parent record isn't possible. This is a missing feature of TYPO3 4.1.</p>
<p>(issue imported from #M6087)</p>