TYPO3 Forge: Issueshttp://forge.typo3.org/http://forge.typo3.org/themes/typo3_forge/favicon/favicon.png?17058661692024-03-27T17:07:51ZTYPO3 Forge
Redmine TYPO3 Core - Feature #103493 (Under Review): Show button to edit full record in linkvalidator (ad...http://forge.typo3.org/issues/1034932024-03-27T17:07:51ZSybille Peterssypets@gmx.de
<p>By default, a form showing only the field with the broken link is opened, if clicking the "pencil" button in the Link Validator report.</p>
<p>If checking sys_redirect.target as well, I noticed that opening the form this way is not helpful, because some context is missing: we see only the target, but not the source_path and the rest of the fields.</p>
<p>In this particular case, the default behaviour is unhelpful.</p>
<p>Originally, the behaviour was that the entire record was edited. This, however also proved as unhelpful, because sometime the broken link was a bit hidden, or it was in a different tab.</p>
<a name="Implementation-options"></a>
<h2 >Implementation options<a href="#Implementation-options" class="wiki-anchor">¶</a></h2>
<ol>
<li>(Idealistic) would be if the full record was opened, but the tab where the broken link is contained is opened by default, and if necessary there is scrolling so the field is in focus. Additionally, it might be helpful if this field (or all fields with broken links) would be marked visibly. (However, marking visibly should be different from what is currently used in case of evaluation).</li>
<li>(pragmatic) show both buttons but make it configurable, e.g.</li>
</ol> TYPO3 Core - Bug #103478 (New): Linkvalidator should check fields with type "file"http://forge.typo3.org/issues/1034782024-03-25T05:47:22ZSybille Peterssypets@gmx.de
<p>e.g. pages.media</p>
<p>see documentation: <a class="external" href="https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html">https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html</a></p>
<p>LinkAnalyzer.php:</p>
<pre><code class="php syntaxhl" data-language="php"><span class="k">if</span> <span class="p">((</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'type'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">)</span> <span class="o">===</span> <span class="s1">'link'</span> <span class="o">&&</span> <span class="k">empty</span><span class="p">(</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]))</span> <span class="p">{</span>
<span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'typolink'</span><span class="p">;</span>
<span class="p">}</span>
</code></pre> TYPO3 Core - Task #103477 (Under Review): Documentation for Link Validator searchFields says it i...http://forge.typo3.org/issues/1034772024-03-25T05:45:44ZSybille Peterssypets@gmx.de
<p>This is no longer true, Link Validator also checks fields if TCA is configured with "type" => "link".</p>
<blockquote>
<p>Currently, LinkValidator can only detect links for fields having at least one softref set in their TCA configuration.</p>
</blockquote>
<p><a class="external" href="https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html#searchfields-key">https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html#searchfields-key</a></p>
<p><strong>LinkAnalyzer.php:</strong></p>
<pre><code class="php syntaxhl" data-language="php"><span class="k">if</span> <span class="p">((</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'type'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">)</span> <span class="o">===</span> <span class="s1">'link'</span> <span class="o">&&</span> <span class="k">empty</span><span class="p">(</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]))</span> <span class="p">{</span>
<span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'typolink'</span><span class="p">;</span>
<span class="p">}</span>
</code></pre>
<p>patch can be backported up to v12.</p> TYPO3 Core - Bug #103476 (Under Review): Disrepancy of returned link type in LinktypeInternal::fe...http://forge.typo3.org/issues/1034762024-03-23T16:22:43ZSybille Peterssypets@gmx.de
<p>Currently, when calling fetchType for various link types differs if you change the order of the link types.</p>
<p>Also, InternalLinktype always returns "db" link type if the "db" link type is set by the softref parser even if it has no business doing so.</p>
<p>These link types are mutually exclusive:</p>
<p>- "db" => InternalLinktype<br />- "file" => FileLinktype<br />- "record" => RecordLinktype (introduced in patch via issue <a class="issue tracker-2 status-8 priority-3 priority-lowest" title="Feature: Make it possible to check custom record links with linkvalidator (Under Review)" href="http://forge.typo3.org/issues/103403">#103403</a>)</p>
<p>However, the softref parsers returns "db" for all of these.</p>
<p>Fixing this may avoid problems further down the line.</p>
<a name="Test-protocol-by-debugging-the-link-types"></a>
<h2 >Test protocol (by debugging the link types)<a href="#Test-protocol-by-debugging-the-link-types" class="wiki-anchor">¶</a></h2>
<p>file link: t3://file?uid=<uid><br />-------------------------------------</p>
<p>$softRefEntry<br />- value['type'] = 'db'<br />- value['recordRef'] = 'sys_file:94'<br />- value['tokenValue'] = 'file:94'</p>
<p>- result of fetchType: (order: db, file)<br /> - if class=InternatlLinktype => AbstactLinktype::fetchType: 'db'<br /> - if class=FileLinktype => FileLinkType::fetchType: 'file'</p>
<p>- after changing order: file,db<br /> - if class=FileLinktype => FileLinkType::fetchType: 'file'<br /> sets $value['type'] to 'file'<br /> - if class=InternatlLinktype => AbstactLinktype::fetchType: 'file'</p>
<p>!!!! discrepancy !!! effective type depends on order of evaluation!</p>
<blockquote><blockquote>
<p>if "file" type is not in "linktypes", file links will be checked with InteralLinktype</p>
</blockquote></blockquote>
BUT if "file" type is in "linktypes, file links will be checked with FileLinktype
<p>The result is in most cases still ok, because InternalLinktype refuses to check file links, but it is messy, makes troubleshooting difficult and may cause problems in some scenarios.</p> TYPO3 Core - Feature #103090 (Under Review): Add possibility to configure a language label for cu...http://forge.typo3.org/issues/1030902024-02-09T11:44:27ZSybille Peterssypets@gmx.de
<p>If you configure additional link types, the label which is display, will always be the link type (as used as identifier) because core LinkvalidatorController uses:</p>
<pre><code class="php syntaxhl" data-language="php"><span class="s1">'label'</span> <span class="o">=></span> <span class="nv">$this</span><span class="o">-></span><span class="nf">getLanguageService</span><span class="p">()</span><span class="o">-></span><span class="nf">sL</span><span class="p">(</span><span class="s1">'LLL:EXT:linkvalidator/Resources/Private/Language/Module/locallang.xlf:hooks.'</span> <span class="mf">.</span> <span class="nv">$type</span><span class="p">)</span> <span class="o">?:</span> <span class="nv">$type</span><span class="p">,</span>
</code></pre>
<p>We could add another function to the LinktypeInterface to pass the language string.</p> TYPO3 Core - Bug #103059 (New): Not possible to see references if no access to content where file...http://forge.typo3.org/issues/1030592024-02-06T10:22:55ZSybille Peterssypets@gmx.de
<p>In the file list you can see the number of references for files which are referenced from content which you do not have access to, and you can also click on the link, but the references will not be displayed.</p>
<p>I would expect it to be possible to see the references (read-only) and also be able to see which pages the references are on (ideally by having a "view page" button).</p>
<p>Otherwise you cannot delete files and you can't find out (as normal editor) where they are still being referenced from.</p>
<p>This means, these cases can only be resolved by admin users or by users with access to both the files and the content.</p>
<a name="Example"></a>
<h2 >Example<a href="#Example" class="wiki-anchor">¶</a></h2>
<p>user A<br />- access to pages /a/<br />- access to files fileadmin/a</p>
<p>user B<br />- access to pages /b/<br />- access to files fileadmin/b</p>
<p>Content in /a/ links to file /b/test.png. Now, user b cannot see references for test.png and cannot delete test.png.</p> TYPO3 Core - Feature #102644 (New): Make it easier to restrict uploadable file types / extensions...http://forge.typo3.org/issues/1026442023-12-09T22:07:09ZSybille Peterssypets@gmx.de
<p>I want to prevent <strong>additional</strong> unwanted files from being uploaded, such as .exe, .zip, .iso etc. (this should be configurable). Right now, I can only do it AFAIK by changing the regex in fileDenyPattern.</p>
<a name="My-feature-reqeust"></a>
<h2 >My feature reqeust<a href="#My-feature-reqeust" class="wiki-anchor">¶</a></h2>
<ul>
<li>add a "safe" configuration, so you can add <strong>additional</strong> file extensions, without having to change fileDenyPattern. This does not even have to be a regex or be added to fileDenyPattern, it could be a comma separated list of file extensions, which is used in FileNameValidator</li>
<li>make it possible to use "explicit allow" instead of "explicit deny" here. This should probably not be the default yet, but could be in the future.</li>
</ul>
<a name="Background"></a>
<h2 >Background<a href="#Background" class="wiki-anchor">¶</a></h2>
<p>Currently, there is a setting which is a bit hidden: $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], is used in FileNameValidator.</p>
<p>It is hidden, because it is not in the Default configuration and not visible when editing "Global configuration" in the BE.</p>
<p>I assume, that is for security reasons, that you don't accidentally mess up the regular expression, making the system less secure. In particular, it should not be possible to upload .php files, .htaccess files etc.</p>
<p>But, this also makes it difficult, in case you want to be <em>more restrictive</em> (!). You have to first find the hidden option and then edit the regex, hoping you don't break anything.</p> TYPO3 Core - Bug #102595 (New): Not possible to override richtextConfiguration via TSconfig if in...http://forge.typo3.org/issues/1025952023-12-04T05:11:41ZSybille Peterssypets@gmx.de
<p>Normally, overriding settings in Flexform via TSconfig is possibly, for example like this:</p>
<pre>
# TCEFORM.[tableName].[fieldName].[dataStructureKey].[flexSheet].[flexFieldName with escaped dots].[propertyName]
<pre>
TCEFORM.tt_content.pi_flexform.sfregister_create.sDEF.settings\.fields\.selected.addItems.ZZZ = ZZZ
</pre>
</pre><br />see <a class="external" href="https://docs.typo3.org/m/typo3/reference-tsconfig/main/en-us/PageTsconfig/TceForm.html">https://docs.typo3.org/m/typo3/reference-tsconfig/main/en-us/PageTsconfig/TceForm.html</a>
<p>But this does not seem to work with the richtextConfiguration if in a Flexform which would then be overridden with RTE, for example like this:</p>
<pre>
RTE.config.tx_news_domain_model_news.bodytext.preset = otherpreset
</pre>
<p>For a Flexform field, it should look for example like this:</p>
<pre>
RTE.config.tt_content.pi_flexform.powermail_pi1.thx.settings\.flexform\.thx\.body.preset = otherpreset
</pre>
<p>but this does not work</p> TYPO3 Core - Feature #102447 (New): Prevent information disclosure from Only Office by copy-paste...http://forge.typo3.org/issues/1024472023-11-22T12:21:55ZSybille Peterssypets@gmx.de
<p>This seems to be already fixed in ckeditor: <a class="external" href="https://github.com/ckeditor/ckeditor5/issues/14947">https://github.com/ckeditor/ckeditor5/issues/14947</a></p>
<blockquote>
<p>We have found blobs in the class attributes of HTML elements on some pages. These blobs seem to contain metadata from the document from which the content was copied. If you take the blob and decode it with base64 and encode the result as 'utf-16' you can read some text fragments. These fragments can contain chat, comments or parts of the onlyoffice document, which would result in a leak of data.</p>
</blockquote>
<p>However I am not sure which version and which versions of ckeditor and TYPO3 will have this fix.</p>
<p>Perhaps it is also possible to remove these when the CE is saved by default (RTE post-processing) to also remove already existing ones.</p>
<p>This is a problem because:</p>
<ul>
<li>sensitive information might get accidentally disclosed (unfortunately often editors are not even aware what they are copy-pasting into the RTE).</li>
<li>it bloats up the DB tables which is unnecessary and might have a performance / storage usage impact (in extreme cases)</li>
<li>it clutters up the visible history (sys_history view in BE)</li>
</ul>
<p>I have seen this in our site which uses latest TYPO3 v11.</p> TYPO3 Core - Feature #101935 (New): Better handling of curl error codes in linkvalidatorhttp://forge.typo3.org/issues/1019352023-09-17T14:38:56ZSybille Peterssypets@gmx.de
<p>Unfortunately, one curl error codes may be used for several different problems, e.g.</p>
<p>1. Certificate does not have matching target host name<br />2. Missing intermediate certificate - incomplete certificate chain</p>
<p>The text which is displayed by command line curl / or using Guzzle with libcurl does contain a different text in this case, but the error code is still the same (60 for the examples above).</p>
<p>A number of error codes were localized and the internal linkvalidator text is displayed, not the full error message supplied by curl.</p>
<a name="Solution"></a>
<h2 >Solution<a href="#Solution" class="wiki-anchor">¶</a></h2>
<p>(preliminary ideas)</p>
<ul>
<li>We should find a way to make this configurable, so that the full curl error message will be displayed</li>
<li>show both (e.g. show shorter, localized message by default and show full message as detail view</li>
</ul>
<a name="Info"></a>
<h2 >Info<a href="#Info" class="wiki-anchor">¶</a></h2>
<ul>
<li>curl error codes: <a class="external" href="https://curl.se/libcurl/c/libcurl-errors.html">https://curl.se/libcurl/c/libcurl-errors.html</a></li>
<li>curl source code: <a class="external" href="https://github.com/curl/curl">https://github.com/curl/curl</a></li>
</ul>
<a name="Examples"></a>
<h2 >Examples<a href="#Examples" class="wiki-anchor">¶</a></h2>
<pre>
curl -LI "https://www.rea.ru"
curl: (60) SSL certificate problem: unable to get local issuer certificate
</pre>
<pre>
curl -I https://t3coredev13
curl: (60) SSL: no alternative certificate subject name matches target host name 't3coredev13'
</pre> TYPO3 Core - Task #101934 (Closed): Cleanup code for ContentObjectRenderer::listNum and add testshttp://forge.typo3.org/issues/1019342023-09-17T12:18:16ZSybille Peterssypets@gmx.de
<p>- Add unit tests for function ContentObjectRenderer::listNum.<br />- Improve code by renaming function argument ($char => $delimeter)<br />- Make sure arguments are always passed as strings (and not null)<br /> (as declared in PHPDoc)<br />- Improve clarity of description in PHPDoc</p>
<p>In the future typehints can be added for function arguments and<br />return type.</p> TYPO3 Core - Task #101716 (Closed): Improve changelog Breaking-100229-ConvertJSConfirmationToBitS...http://forge.typo3.org/issues/1017162023-08-20T08:45:00ZSybille Peterssypets@gmx.de
<p><a class="external" href="https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/13.0/Breaking-100229-ConvertJSConfirmationToBitSet.html">https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/13.0/Breaking-100229-ConvertJSConfirmationToBitSet.html</a></p>
<p>The improvements are pretty minimal and not strictly necessary (except for the formatting). Normally, I would not start a patch for this, but there is already a patch <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/80599">https://review.typo3.org/c/Packages/TYPO3.CMS/+/80599</a> where I first intended to make more changes (in particular the formatting of the bullet lists), but was deemed as too much.</p>
<p>1. bullet lists should have a newline before and after, otherwise they will not be rendered correctly, see <a class="external" href="https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/13.0/Breaking-100229-ConvertJSConfirmationToBitSet.html#impact">https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/13.0/Breaking-100229-ConvertJSConfirmationToBitSet.html#impact</a>: matches, setValue and isValid is a list</p>
<p>2. \TYPO3\CMS\Core\Type\Bitmask\JSConfirmation::method should be \TYPO3\CMS\Core\Type\Bitmask\JSConfirmation?</p>
<p>3. "calling public methods methods" should be "calling public methods"</p>
<p>4. The part for BackendUserAuthentication->jsConfirmation() in "Affected installations" could be rephrased for "affected installations"</p> TYPO3 Core - Task #90848 (Accepted): No longer possible to enter several pids in linkvalidator sc...http://forge.typo3.org/issues/908482020-03-27T07:07:13ZSybille Peterssypets@gmx.de
<p>TYPO3 10,9,8 ...</p>
<p>I am not sure when this was changed:</p>
<p>In the scheduler task for linkvalidator it is no longer possible to enter several page ids in "Start page (uid)"</p>
<p>This used to be possible which was very helpful if you had several sites. In that case, you would get an aggregated report in the mail with information per site.</p>
<p>Also, you could exclude inactive sites this way. Now you can only enter startpage of one site or 0. (Of course, you can always enter several scheduler tasks).</p>
<p>In some cases, sites that are being updated will most likely have problems and need to change this. (Not sure if the old behaviour will still work with several pids).</p>
<p><img src="http://forge.typo3.org/attachments/download/35011/linkvalidator_scheduler.png" alt="" loading="lazy" /></p>
<p>Anyhow, it is no longer possible to enter several pids, separated by comma, which used to be possible.</p>
<p>(I would actually prefer an option to determine this automatically, based on sites configuration)</p> TYPO3 Core - Feature #76895 (Rejected): Add [FE][lockSSL] option in TYPO3_CONF_VARS (as in [BE][l...http://forge.typo3.org/issues/768952016-06-30T17:12:06ZSybille Peterssypets@gmx.de
<p>Proposal to add an option to enforce HTTPS if currently logged in as FE user. Could be implemented as in already existing [BE][lockSSL] option.</p>
<p>This would make Extensions like https_enforcer more or less redundant, because TYPO3 core would handle this functionality:</p>
<p>1) already existing in core: Force HTTPS for specific page (pages.url_scheme)<br />2) already existing in core: Force HTTPS if logged in as BE-User: [BE][lockSSL]<br />2) not exisiting? : Force HTTPS if logged in as FE-User</p> TYPO3 Core - Bug #51360 (Closed): Linkvalidator: specifying TSconfig in scheduler has no effecthttp://forge.typo3.org/issues/513602013-08-26T17:22:37ZSybille Peterssypets@gmx.de
<p>It is possible to set for example subject and content type via page TSconfig. This works fine. However, setting TSconfig in linkvalidator task in scheduler has no effect.</p>
<p>Using version TYPO3 4.5.29</p>