TYPO3 Forge: Issues
http://forge.typo3.org/ 2024-03-27T17:18:45Z TYPO3 Forge (Redmine)
TYPO3 Core - Bug #103494 (Under Review): Linkvalidator uses tstamp field directly without checkin...
http://forge.typo3.org/issues/103494 2024-03-27T17:18:45Z Sybille Peters sypets@gmx.de
<p><strong>This should be merged before <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/83612">https://review.typo3.org/c/Packages/TYPO3.CMS/+/83612</a></strong></p>
<p>TCA should be used to determine which field is relevant for tstamp (and if there is such a field) before using it for a DB query</p>
<p>$GLOBALS['TCA'][$table]['ctrl']['tstamp']</p>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<ol>
<li>Change configuration to mod.linkvalidator.searchFields.sys_redirect.target</li>
<li>check links (with a broken redirect target)</li>
<li>in the list of broken links, click pencil to edit redirect target field</li>
<li>close edit field</li>
</ol>
<p>Now, an exception is thrown.</p>
TYPO3 Core - Feature #103493 (Under Review): Show button to edit full record in linkvalidator (ad...
http://forge.typo3.org/issues/103493 2024-03-27T17:07:51Z Sybille Peters sypets@gmx.de
<p>By default, a form showing only the field with the broken link is opened, if clicking the "pencil" button in the Link Validator report.</p>
<p>If checking sys_redirect.target as well, I noticed that opening the form this way is not helpful, because some context is missing: we see only the target, but not the source_path and the rest of the fields.</p>
<p>In this particular case, the default behaviour is unhelpful.</p>
<p>Originally, the behaviour was that the entire record was edited. This, however, also proved unhelpful, because sometimes the broken link was a bit hidden, or it was in a different tab.</p>
<a name="Implementation-options"></a>
<h2 >Implementation options<a href="#Implementation-options" class="wiki-anchor">¶</a></h2>
<ol>
<li>(Idealistic) would be if the full record was opened, but the tab where the broken link is contained is opened by default, and if necessary there is scrolling so the field is in focus. Additionally, it might be helpful if this field (or all fields with broken links) would be marked visibly. (However, marking visibly should be different from what is currently used in case of evaluation).</li>
<li>(pragmatic) show both buttons but make it configurable, e.g.</li>
</ol>
TYPO3 Core - Bug #103478 (New): Linkvalidator should check fields with type "file"
http://forge.typo3.org/issues/103478 2024-03-25T05:47:22Z Sybille Peters sypets@gmx.de
<p>e.g. pages.media</p>
<p>see documentation: <a class="external" href="https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html">https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html</a></p>
<p>LinkAnalyzer.php:</p>
<pre><code class="php syntaxhl" data-language="php"><span class="k">if</span> <span class="p">((</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'type'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">)</span> <span class="o">===</span> <span class="s1">'link'</span> <span class="o">&&</span> <span class="k">empty</span><span class="p">(</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]))</span> <span class="p">{</span>
<span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'typolink'</span><span class="p">;</span>
<span class="p">}</span>
</code></pre>
TYPO3 Core - Task #103477 (Under Review): Documentation for Link Validator searchFields says it i...
http://forge.typo3.org/issues/103477 2024-03-25T05:45:44Z Sybille Peters sypets@gmx.de
<p>This is no longer true, Link Validator also checks fields if TCA is configured with "type" => "link".</p>
<blockquote>
<p>Currently, LinkValidator can only detect links for fields having at least one softref set in their TCA configuration.</p>
</blockquote>
<p><a class="external" href="https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html#searchfields-key">https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html#searchfields-key</a></p>
<p><strong>LinkAnalyzer.php:</strong></p>
<pre><code class="php syntaxhl" data-language="php"><span class="k">if</span> <span class="p">((</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'type'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">)</span> <span class="o">===</span> <span class="s1">'link'</span> <span class="o">&&</span> <span class="k">empty</span><span class="p">(</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]))</span> <span class="p">{</span>
<span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'typolink'</span><span class="p">;</span>
<span class="p">}</span>
</code></pre>
<p>Patch can be backported up to v12.</p>
TYPO3 Core - Bug #103476 (Under Review): Discrepancy of returned link type in LinktypeInternal::fe...
http://forge.typo3.org/issues/103476 2024-03-23T16:22:43Z Sybille Peters sypets@gmx.de
<p>Currently, the result of calling fetchType for various link types differs if you change the order of the link types.</p>
<p>Also, InternalLinktype always returns "db" link type if the "db" link type is set by the softref parser even if it has no business doing so.</p>
<p>These link types are mutually exclusive:</p>
<p>- "db" => InternalLinktype<br />- "file" => FileLinktype<br />- "record" => RecordLinktype (introduced in patch via issue <a class="issue tracker-2 status-8 priority-3 priority-lowest" title="Feature: Make it possible to check custom record links with linkvalidator (Under Review)" href="http://forge.typo3.org/issues/103403">#103403</a>)</p>
<p>However, the softref parsers return "db" for all of these.</p>
<p>Fixing this may avoid problems further down the line.</p>
<a name="Test-protocol-by-debugging-the-link-types"></a>
<h2 >Test protocol (by debugging the link types)<a href="#Test-protocol-by-debugging-the-link-types" class="wiki-anchor">¶</a></h2>
<p>file link: t3://file?uid=&lt;uid&gt;<br />-------------------------------------</p>
<p>$softRefEntry<br />- value['type'] = 'db'<br />- value['recordRef'] = 'sys_file:94'<br />- value['tokenValue'] = 'file:94'</p>
<p>- result of fetchType: (order: db, file)<br /> - if class=InternalLinktype => AbstractLinktype::fetchType: 'db'<br /> - if class=FileLinktype => FileLinktype::fetchType: 'file'</p>
<p>- after changing order: file,db<br /> - if class=FileLinktype => FileLinktype::fetchType: 'file'<br /> sets $value['type'] to 'file'<br /> - if class=InternalLinktype => AbstractLinktype::fetchType: 'file'</p>
<p>!!!! discrepancy !!! effective type depends on order of evaluation!</p>
<blockquote><blockquote>
<p>if "file" type is not in "linktypes", file links will be checked with InternalLinktype</p>
</blockquote></blockquote>
<p>BUT if "file" type is in "linktypes", file links will be checked with FileLinktype</p>
<p>The result is in most cases still ok, because InternalLinktype refuses to check file links, but it is messy, makes troubleshooting difficult and may cause problems in some scenarios.</p>
TYPO3 Core - Feature #103403 (Under Review): Make it possible to check custom record links with l...
http://forge.typo3.org/issues/103403 2024-03-15T09:45:42Z Sybille Peters sypets@gmx.de
<p><strong>Currently, there is a known problem that RECORD link checking is not possible via the typolink_tag softref parser, see <a class="issue tracker-1 status-1 priority-4 priority-default" title="Bug: Linkvalidator doesn't check record/custom links within RTEs at all (New)" href="http://forge.typo3.org/issues/102468">#102468</a>. Because of this, when fixing this issue, one must currently test the record link checking using urls which are not wrapped in an a tag. This can be done for example, by using tt_content.header_link.</strong></p>
<p>e.g. "t3://record?identifier=tx_news&uid=99999"</p>
<p>as described in <a class="external" href="https://docs.typo3.org/p/georgringer/news/main/en-us/Tutorials/BestPractice/Linkhandler/Index.html#linkhandler">https://docs.typo3.org/p/georgringer/news/main/en-us/Tutorials/BestPractice/Linkhandler/Index.html#linkhandler</a></p>
<p>Currently, InternalLinktype::checkLink is called for these types of links, but then it always evaluates to "true" if the target table is not "tt_content" or "pages":</p>
<pre><code class="php syntaxhl" data-language="php"><span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$table</span><span class="p">,</span> <span class="p">[</span><span class="s1">'pages'</span><span class="p">,</span> <span class="s1">'tt_content'</span><span class="p">],</span> <span class="kc">true</span><span class="p">))</span> <span class="p">{</span>
<span class="k">return</span> <span class="kc">true</span><span class="p">;</span>
<span class="p">}</span>
</code></pre>
<p><a class="external" href="https://github.com/TYPO3/typo3/blob/5c95229af666e4ce39dd5a22baecd3390d649c49/typo3/sysext/linkvalidator/Classes/Linktype/InternalLinktype.php#L85">https://github.com/TYPO3/typo3/blob/5c95229af666e4ce39dd5a22baecd3390d649c49/typo3/sysext/linkvalidator/Classes/Linktype/InternalLinktype.php#L85</a></p>
<p>Ideally, the InternalLinktype could handle custom records for other tables as well, e.g. tx_news_domain_model_news.</p>
TYPO3 Core - Bug #103100 (Resolved): "Refresh display" or "Check links" button is entirely disabl...
http://forge.typo3.org/issues/103100 2024-02-11T13:18:51Z Sybille Peters sypets@gmx.de
<p>By default, the buttons in "Report" and "Check links" module are disabled. They are enabled via JavaScript if a check option is enabled.</p>
<p>However, in TYPO3 v13 (and possibly below), this does not work correctly: if all options are unchecked (which is the default for new users) and then one of them is toggled (to enabled), it is still not possible to click the button at all, it remains disabled even if options are being checked. It looks like the event listener is not being called.</p>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<p>1. switch to a new user where the options have not been enabled yet<br />2. Either in the "Report" or "Check links" view, enable one of the checkboxes for the link types<br />3. Try to click the button</p>
<p>Result: nothing happens, the button is disabled, so it is not possible to execute the new selection.</p>
<a name="Versions"></a>
<h2 >Versions<a href="#Versions" class="wiki-anchor">¶</a></h2>
<p>Could be reproduced in TYPO3 v13 (main).</p>
<p>Could NOT be reproduced in TYPO3 v12.</p>
<a name="Screenshot"></a>
<h2 >Screenshot<a href="#Screenshot" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/38255/linkvalidator_checkboxes.png" alt="" loading="lazy" /></p>
TYPO3 Core - Feature #103090 (Under Review): Add possibility to configure a language label for cu...
http://forge.typo3.org/issues/103090 2024-02-09T11:44:27Z Sybille Peters sypets@gmx.de
<p>If you configure additional link types, the label which is displayed will always be the link type (as used as identifier) because core LinkvalidatorController uses:</p>
<pre><code class="php syntaxhl" data-language="php"><span class="s1">'label'</span> <span class="o">=></span> <span class="nv">$this</span><span class="o">-></span><span class="nf">getLanguageService</span><span class="p">()</span><span class="o">-></span><span class="nf">sL</span><span class="p">(</span><span class="s1">'LLL:EXT:linkvalidator/Resources/Private/Language/Module/locallang.xlf:hooks.'</span> <span class="mf">.</span> <span class="nv">$type</span><span class="p">)</span> <span class="o">?:</span> <span class="nv">$type</span><span class="p">,</span>
</code></pre>
<p>We could add another function to the LinktypeInterface to pass the language string.</p>
TYPO3 Core - Bug #103059 (New): Not possible to see references if no access to content where file...
http://forge.typo3.org/issues/103059 2024-02-06T10:22:55Z Sybille Peters sypets@gmx.de
<p>In the file list you can see the number of references for files which are referenced from content which you do not have access to, and you can also click on the link, but the references will not be displayed.</p>
<p>I would expect it to be possible to see the references (read-only) and also be able to see which pages the references are on (ideally by having a "view page" button).</p>
<p>Otherwise you cannot delete files and you can't find out (as normal editor) where they are still being referenced from.</p>
<p>This means, these cases can only be resolved by admin users or by users with access to both the files and the content.</p>
<a name="Example"></a>
<h2 >Example<a href="#Example" class="wiki-anchor">¶</a></h2>
<p>user A<br />- access to pages /a/<br />- access to files fileadmin/a</p>
<p>user B<br />- access to pages /b/<br />- access to files fileadmin/b</p>
<p>Content in /a/ links to file /b/test.png. Now, user B cannot see references for test.png and cannot delete test.png.</p>
TYPO3 Core - Feature #102644 (New): Make it easier to restrict uploadable file types / extensions...
http://forge.typo3.org/issues/102644 2023-12-09T22:07:09Z Sybille Peters sypets@gmx.de
<p>I want to prevent <strong>additional</strong> unwanted files from being uploaded, such as .exe, .zip, .iso etc. (this should be configurable). Right now, I can only do it AFAIK by changing the regex in fileDenyPattern.</p>
<a name="My-feature-reqeust"></a>
<h2 >My feature request<a href="#My-feature-reqeust" class="wiki-anchor">¶</a></h2>
<ul>
<li>add a "safe" configuration, so you can add <strong>additional</strong> file extensions, without having to change fileDenyPattern. This does not even have to be a regex or be added to fileDenyPattern, it could be a comma separated list of file extensions, which is used in FileNameValidator</li>
<li>make it possible to use "explicit allow" instead of "explicit deny" here. This should probably not be the default yet, but could be in the future.</li>
</ul>
<a name="Background"></a>
<h2 >Background<a href="#Background" class="wiki-anchor">¶</a></h2>
<p>Currently, there is a setting which is a bit hidden: $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], which is used in FileNameValidator.</p>
<p>It is hidden, because it is not in the Default configuration and not visible when editing "Global configuration" in the BE.</p>
<p>I assume, that is for security reasons, that you don't accidentally mess up the regular expression, making the system less secure. In particular, it should not be possible to upload .php files, .htaccess files etc.</p>
<p>But, this also makes it difficult, in case you want to be <em>more restrictive</em> (!). You have to first find the hidden option and then edit the regex, hoping you don't break anything.</p>
TYPO3 Core - Bug #102595 (New): Not possible to override richtextConfiguration via TSconfig if in...
http://forge.typo3.org/issues/102595 2023-12-04T05:11:41Z Sybille Peters sypets@gmx.de
<p>Normally, overriding settings in Flexform via TSconfig is possible, for example like this:</p>
<pre>
# TCEFORM.[tableName].[fieldName].[dataStructureKey].[flexSheet].[flexFieldName with escaped dots].[propertyName]
TCEFORM.tt_content.pi_flexform.sfregister_create.sDEF.settings\.fields\.selected.addItems.ZZZ = ZZZ
</pre>
<p>see <a class="external" href="https://docs.typo3.org/m/typo3/reference-tsconfig/main/en-us/PageTsconfig/TceForm.html">https://docs.typo3.org/m/typo3/reference-tsconfig/main/en-us/PageTsconfig/TceForm.html</a></p>
<p>But this does not seem to work with the richtextConfiguration if in a Flexform which would then be overridden with RTE, for example like this:</p>
<pre>
RTE.config.tx_news_domain_model_news.bodytext.preset = otherpreset
</pre>
<p>For a Flexform field, it should look for example like this:</p>
<pre>
RTE.config.tt_content.pi_flexform.powermail_pi1.thx.settings\.flexform\.thx\.body.preset = otherpreset
</pre>
<p>but this does not work</p>
TYPO3 Core - Feature #102447 (New): Prevent information disclosure from Only Office by copy-paste...
http://forge.typo3.org/issues/102447 2023-11-22T12:21:55Z Sybille Peters sypets@gmx.de
<p>This seems to be already fixed in ckeditor: <a class="external" href="https://github.com/ckeditor/ckeditor5/issues/14947">https://github.com/ckeditor/ckeditor5/issues/14947</a></p>
<blockquote>
<p>We have found blobs in the class attributes of HTML elements on some pages. These blobs seem to contain metadata from the document from which the content was copied. If you take the blob and decode it with base64 and encode the result as 'utf-16' you can read some text fragments. These fragments can contain chat, comments or parts of the onlyoffice document, which would result in a leak of data.</p>
</blockquote>
<p>However I am not sure which version and which versions of ckeditor and TYPO3 will have this fix.</p>
<p>Perhaps it is also possible to remove these when the CE is saved by default (RTE post-processing) to also remove already existing ones.</p>
<p>This is a problem because:</p>
<ul>
<li>sensitive information might get accidentally disclosed (unfortunately often editors are not even aware what they are copy-pasting into the RTE).</li>
<li>it bloats up the DB tables which is unnecessary and might have a performance / storage usage impact (in extreme cases)</li>
<li>it clutters up the visible history (sys_history view in BE)</li>
</ul>
<p>I have seen this in our site which uses latest TYPO3 v11.</p>
TYPO3 Core - Feature #101935 (New): Better handling of curl error codes in linkvalidator
http://forge.typo3.org/issues/101935 2023-09-17T14:38:56Z Sybille Peters sypets@gmx.de
<p>Unfortunately, one curl error code may be used for several different problems, e.g.</p>
<p>1. Certificate does not have matching target host name<br />2. Missing intermediate certificate - incomplete certificate chain</p>
<p>The text which is displayed by command line curl / or using Guzzle with libcurl does contain a different text in this case, but the error code is still the same (60 for the examples above).</p>
<p>A number of error codes were localized and the internal linkvalidator text is displayed, not the full error message supplied by curl.</p>
<a name="Solution"></a>
<h2 >Solution<a href="#Solution" class="wiki-anchor">¶</a></h2>
<p>(preliminary ideas)</p>
<ul>
<li>We should find a way to make this configurable, so that the full curl error message will be displayed</li>
<li>show both (e.g. show shorter, localized message by default and show full message as detail view)</li>
</ul>
<a name="Info"></a>
<h2 >Info<a href="#Info" class="wiki-anchor">¶</a></h2>
<ul>
<li>curl error codes: <a class="external" href="https://curl.se/libcurl/c/libcurl-errors.html">https://curl.se/libcurl/c/libcurl-errors.html</a></li>
<li>curl source code: <a class="external" href="https://github.com/curl/curl">https://github.com/curl/curl</a></li>
</ul>
<a name="Examples"></a>
<h2 >Examples<a href="#Examples" class="wiki-anchor">¶</a></h2>
<pre>
curl -LI "https://www.rea.ru"
curl: (60) SSL certificate problem: unable to get local issuer certificate
</pre>
<pre>
curl -I https://t3coredev13
curl: (60) SSL: no alternative certificate subject name matches target host name 't3coredev13'
</pre>
TYPO3 Core - Task #101934 (Closed): Cleanup code for ContentObjectRenderer::listNum and add tests
http://forge.typo3.org/issues/101934 2023-09-17T12:18:16Z Sybille Peters sypets@gmx.de
<p>- Add unit tests for function ContentObjectRenderer::listNum.<br />- Improve code by renaming function argument ($char => $delimeter)<br />- Make sure arguments are always passed as strings (and not null)<br /> (as declared in PHPDoc)<br />- Improve clarity of description in PHPDoc</p>
<p>In the future typehints can be added for function arguments and<br />return type.</p>
TYPO3 Core - Task #101716 (Closed): Improve changelog Breaking-100229-ConvertJSConfirmationToBitS...
http://forge.typo3.org/issues/101716 2023-08-20T08:45:00Z Sybille Peters sypets@gmx.de
<p><a class="external" href="https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/13.0/Breaking-100229-ConvertJSConfirmationToBitSet.html">https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/13.0/Breaking-100229-ConvertJSConfirmationToBitSet.html</a></p>
<p>The improvements are pretty minimal and not strictly necessary (except for the formatting). Normally, I would not start a patch for this, but there is already a patch <a class="external" href="https://review.typo3.org/c/Packages/TYPO3.CMS/+/80599">https://review.typo3.org/c/Packages/TYPO3.CMS/+/80599</a> where I first intended to make more changes (in particular the formatting of the bullet lists), but this was deemed too much.</p>
<p>1. bullet lists should have a newline before and after, otherwise they will not be rendered correctly, see <a class="external" href="https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/13.0/Breaking-100229-ConvertJSConfirmationToBitSet.html#impact">https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/13.0/Breaking-100229-ConvertJSConfirmationToBitSet.html#impact</a>: matches, setValue and isValid is a list</p>
<p>2. \TYPO3\CMS\Core\Type\Bitmask\JSConfirmation::method should be \TYPO3\CMS\Core\Type\Bitmask\JSConfirmation?</p>
<p>3. "calling public methods methods" should be "calling public methods"</p>
<p>4. The part for BackendUserAuthentication->jsConfirmation() in "Affected installations" could be rephrased for "affected installations"</p>