TYPO3 Forge: Issues http://forge.typo3.org/ http://forge.typo3.org/themes/typo3_forge/favicon/favicon.png?1705866169 2024-03-25T05:47:22Z TYPO3 Forge
Redmine
TYPO3 Core - Bug #103478 (New): Linkvalidator should check fields with type "file" http://forge.typo3.org/issues/103478 2024-03-25T05:47:22Z Sybille Peters sypets@gmx.de
<p>e.g. pages.media</p>
<p>see documentation: <a class="external" href="https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html">https://docs.typo3.org/c/typo3/cms-linkvalidator/main/en-us/Configuration/Index.html</a></p>
<p>LinkAnalyzer.php:</p>
<pre><code class="php syntaxhl" data-language="php"><span class="k">if</span> <span class="p">((</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'type'</span><span class="p">]</span> <span class="o">??</span> <span class="s1">''</span><span class="p">)</span> <span class="o">===</span> <span class="s1">'link'</span> <span class="o">&&</span> <span class="k">empty</span><span class="p">(</span><span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]))</span> <span class="p">{</span>
<span class="nv">$conf</span><span class="p">[</span><span class="s1">'softref'</span><span class="p">]</span> <span class="o">=</span> <span class="s1">'typolink'</span><span class="p">;</span>
<span class="p">}</span>
</code></pre>
TYPO3 Core - Bug #103059 (New): Not possible to see references if no access to content where file... http://forge.typo3.org/issues/103059 2024-02-06T10:22:55Z Sybille Peters sypets@gmx.de
<p>In the file list you can see the number of references for files which are referenced from content which you do not have access to, and you can also click on the link, but the references will not be displayed.</p>
<p>I would expect it to be possible to see the references (read-only) and also be able to see which pages the references are on (ideally by having a "view page" button).</p>
<p>Otherwise you cannot delete files and you can't find out (as normal editor) where they are still being referenced from.</p>
<p>This means, these cases can only be resolved by admin users or by users with access to both the files and the content.</p>
<a name="Example"></a>
<h2 >Example<a href="#Example" class="wiki-anchor">¶</a></h2>
<p>user A<br />- access to pages /a/<br />- access to files fileadmin/a</p>
<p>user B<br />- access to pages /b/<br />- access to files fileadmin/b</p>
<p>Content in /a/ links to file /b/test.png. Now, user b cannot see references for test.png and cannot delete test.png.</p>
TYPO3 Core - Feature #102644 (New): Make it easier to restrict uploadable file types / extensions... http://forge.typo3.org/issues/102644 2023-12-09T22:07:09Z Sybille Peters sypets@gmx.de
<p>I want to prevent <strong>additional</strong> unwanted files from being uploaded, such as .exe, .zip, .iso etc. (this should be configurable). Right now, I can only do it AFAIK by changing the regex in fileDenyPattern.</p>
<a name="My-feature-reqeust"></a>
<h2 >My feature request<a href="#My-feature-reqeust" class="wiki-anchor">¶</a></h2>
<ul>
<li>add a "safe" configuration, so you can add <strong>additional</strong> file extensions, without having to change fileDenyPattern. This does not even have to be a regex or be added to fileDenyPattern, it could be a comma separated list of file extensions, which is used in FileNameValidator</li>
<li>make it possible to use "explicit allow" instead of "explicit deny" here. This should probably not be the default yet, but could be in the future.</li>
</ul>
<a name="Background"></a>
<h2 >Background<a href="#Background" class="wiki-anchor">¶</a></h2>
<p>Currently, there is a setting which is a bit hidden: $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], which is used in FileNameValidator.</p>
<p>It is hidden, because it is not in the Default configuration and not visible when editing "Global configuration" in the BE.</p>
<p>I assume, that is for security reasons, that you don't accidentally mess up the regular expression, making the system less secure. In particular, it should not be possible to upload .php files, .htaccess files etc.</p>
<p>But, this also makes it difficult, in case you want to be <em>more restrictive</em> (!). You have to first find the hidden option and then edit the regex, hoping you don't break anything.</p>
TYPO3 Core - Bug #102595 (New): Not possible to override richtextConfiguration via TSconfig if in... http://forge.typo3.org/issues/102595 2023-12-04T05:11:41Z Sybille Peters sypets@gmx.de
<p>Normally, overriding settings in Flexform via TSconfig is possible, for example like this:</p>
<pre>
# TCEFORM.[tableName].[fieldName].[dataStructureKey].[flexSheet].[flexFieldName with escaped dots].[propertyName]
TCEFORM.tt_content.pi_flexform.sfregister_create.sDEF.settings\.fields\.selected.addItems.ZZZ = ZZZ
</pre>
<p>see <a class="external" href="https://docs.typo3.org/m/typo3/reference-tsconfig/main/en-us/PageTsconfig/TceForm.html">https://docs.typo3.org/m/typo3/reference-tsconfig/main/en-us/PageTsconfig/TceForm.html</a></p>
<p>But this does not seem to work with the richtextConfiguration if in a Flexform which would then be overridden with RTE, for example like this:</p>
<pre>
RTE.config.tx_news_domain_model_news.bodytext.preset = otherpreset
</pre>
<p>For a Flexform field, it should look for example like this:</p>
<pre>
RTE.config.tt_content.pi_flexform.powermail_pi1.thx.settings\.flexform\.thx\.body.preset = otherpreset
</pre>
<p>but this does not work</p>
TYPO3 Core - Feature #102447 (New): Prevent information disclosure from Only Office by copy-paste... http://forge.typo3.org/issues/102447 2023-11-22T12:21:55Z Sybille Peters sypets@gmx.de
<p>This seems to be already fixed in ckeditor: <a class="external" href="https://github.com/ckeditor/ckeditor5/issues/14947">https://github.com/ckeditor/ckeditor5/issues/14947</a></p>
<blockquote>
<p>We have found blobs in the class attributes of HTML elements on some pages. These blobs seem to contain metadata from the document from which the content was copied. If you take the blob and decode it with base64 and encode the result as 'utf-16' you can read some text fragments. These fragments can contain chat, comments or parts of the onlyoffice document, which would result in a leak of data.</p>
</blockquote>
<p>However I am not sure which version and which versions of ckeditor and TYPO3 will have this fix.</p>
<p>Perhaps it is also possible to remove these when the CE is saved by default (RTE post-processing) to also remove already existing ones.</p>
<p>This is a problem because:</p>
<ul>
<li>sensitive information might get accidentally disclosed (unfortunately often editors are not even aware what they are copy-pasting into the RTE).</li>
<li>it bloats up the DB tables which is unnecessary and might have a performance / storage usage impact (in extreme cases)</li>
<li>it clutters up the visible history (sys_history view in BE)</li>
</ul>
<p>I have seen this in our site which uses latest TYPO3 v11.</p>
TYPO3 Core - Feature #101935 (New): Better handling of curl error codes in linkvalidator http://forge.typo3.org/issues/101935 2023-09-17T14:38:56Z Sybille Peters sypets@gmx.de
<p>Unfortunately, one curl error code may be used for several different problems, e.g.</p>
<p>1. Certificate does not have matching target host name<br />2. Missing intermediate certificate - incomplete certificate chain</p>
<p>The text which is displayed by command line curl / or using Guzzle with libcurl does contain a different text in this case, but the error code is still the same (60 for the examples above).</p>
<p>A number of error codes were localized and the internal linkvalidator text is displayed, not the full error message supplied by curl.</p>
<a name="Solution"></a>
<h2 >Solution<a href="#Solution" class="wiki-anchor">¶</a></h2>
<p>(preliminary ideas)</p>
<ul>
<li>We should find a way to make this configurable, so that the full curl error message will be displayed</li>
<li>show both (e.g. show shorter, localized message by default and show full message as detail view)</li>
</ul>
<a name="Info"></a>
<h2 >Info<a href="#Info" class="wiki-anchor">¶</a></h2>
<ul>
<li>curl error codes: <a class="external" href="https://curl.se/libcurl/c/libcurl-errors.html">https://curl.se/libcurl/c/libcurl-errors.html</a></li>
<li>curl source code: <a class="external" href="https://github.com/curl/curl">https://github.com/curl/curl</a></li>
</ul>
<a name="Examples"></a>
<h2 >Examples<a href="#Examples" class="wiki-anchor">¶</a></h2>
<pre>
curl -LI "https://www.rea.ru"
curl: (60) SSL certificate problem: unable to get local issuer certificate
</pre>
<pre>
curl -I https://t3coredev13
curl: (60) SSL: no alternative certificate subject name matches target host name 't3coredev13'
</pre>
TYPO3 Core - Task #101711 (New): document classesAnchor for rte_ckeditor http://forge.typo3.org/issues/101711 2023-08-18T14:58:45Z Sybille Peters sypets@gmx.de
<p>This is the only documentation for classesAnchor I could find so far, but this is for rtehtmlarea:</p>
<p><a class="external" href="https://docs.typo3.org/p/friendsoftypo3/rtehtmlarea/main/en-us//Configuration/PageTsconfig/classesAnchor/Index.html">https://docs.typo3.org/p/friendsoftypo3/rtehtmlarea/main/en-us//Configuration/PageTsconfig/classesAnchor/Index.html</a></p>
<p>classesAnchor is not documented in the rte_ckeditor documentation: <a class="external" href="https://docs.typo3.org/c/typo3/cms-rte-ckeditor/main/en-us/Index.html">https://docs.typo3.org/c/typo3/cms-rte-ckeditor/main/en-us/Index.html</a></p>
<p>classesAnchor can be used in rte_ckeditor as well, see example in bootstrap_package:</p>
<pre>
classesAnchor:
  page:
    class: 'link-page'
    type: 'page'
  folder:
    class: 'link-folder'
    type: 'folder'
  file:
    class: 'link-file'
    type: 'file'
  external:
    class: 'link-external'
    type: 'url'
  mail:
    class: 'link-mail'
    type: 'mail'
</pre>
<p><a class="external" href="https://github.com/benjaminkott/bootstrap_package/blob/master/Configuration/RTE/Default.yaml">https://github.com/benjaminkott/bootstrap_package/blob/master/Configuration/RTE/Default.yaml</a></p>
<a name="Search-for-classesAnchor"></a>
<h3 >Search for "classesAnchor"<a href="#Search-for-classesAnchor" class="wiki-anchor">¶</a></h3>
<ul>
<li>in "TYPO3 Explained": no result</li>
<li>in rte_ckeditor Documentation: no result</li>
</ul>
<a name="Related"></a>
<h3 >Related<a href="#Related" class="wiki-anchor">¶</a></h3>
<ul>
<li>changelog: <a href="https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/12.0/Breaking-98275-RemovedPreDefinedLinkTitleAttributesInRTELinkBrowser.html" class="external">Breaking: #98275 - Removed pre-defined link title attributes in RTE link browser</a></li>
</ul>
TYPO3 Core - Bug #101670 (New): Linkvalidator reports some external URLs as "false positives" http://forge.typo3.org/issues/101670 2023-08-13T06:39:37Z Sybille Peters sypets@gmx.de
<p>Links are reported as broken which are not broken.</p>
<p>Known cases:</p>
<p>1. sites without complete certificate chain ( <strong>intermediate</strong> (not root) certs missing), Qualys SSLLabs reports this when checking, but browsers resolve this by fetching (and storing) the intermediate certificates, so the URL seems to work fine in the browser<br />2. sites protected by Cloudflare (returns status code 503)</p>
<p>Some other sites also cause problems for unknown reasons:</p>
<ul>
<li>twitter</li>
<li>linkedin</li>
<li>etc.</li>
</ul>
TYPO3 Core - Bug #101411 (New): Message that there are references which point to this record is n... http://forge.typo3.org/issues/101411 2023-07-22T12:42:30Z Sybille Peters sypets@gmx.de
<p>Usually, we get an alert, something like this:</p>
<blockquote>
<p>Are you sure you want to delete the record 'textmedia1 [tt_content:54]'? There are 1 reference(s) to this record!</p>
</blockquote>
<p>or</p>
<blockquote>
<p>Are you sure you want to delete 'textmedia with shortcuts to this ce'? (There are 1 reference(s) to this record!)</p>
</blockquote>
<p>when trying to delete a record (e.g. [textmedia]) which has references pointing to it (e.g. "Insert Records" [shortcut]).</p>
<p>But sometimes we get a generic message which does not point out there are references, such as:</p>
<blockquote>
<p>Are you sure you want to delete this record?</p>
</blockquote>
<p>It looks like the behaviour improved between v11 => v13 but is not fully resolved.</p>
<p>(language label: labels.referencesToRecord)</p>
<a name="Problems-Inconsistencies"></a>
<h2 >Problems / Inconsistencies<a href="#Problems-Inconsistencies" class="wiki-anchor">¶</a></h2>
<p>in <strong>v13</strong></p>
<ul>
<li>list module: if using checkboxes to select several records then deleting, we get:</li>
</ul>
<blockquote>
<p>Delete marked<br />Are you sure you want to delete all marked records from the table 'Page Content'?<br />Close Delete</p>
</blockquote>
<p>(no hint that there are references)</p>
<ul>
<li>(minor): in FormEngine the "Delete record" button does not have an "(!)", in the other cases it does</li>
</ul>
<p>in <strong>v11</strong>, same as v13, but also</p>
<ul>
<li>in page layout: using inline delete button, we get generic message (not warning about references):</li>
</ul>
<blockquote>
<p>Delete this record?<br />Delete this record?<br />Cancel | OK</p>
</blockquote>
<ul>
<li>some more minor inconsistencies in how the delete button is named etc.</li>
</ul>
<a name="Screenshots"></a>
<h2 >Screenshots<a href="#Screenshots" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/37844/delete_record_with_references_generic_message.png" title="generic delete message" alt="generic delete message" loading="lazy" /></p>
<p><img src="http://forge.typo3.org/attachments/download/37845/delete_record_with_references_message_points_out_references.png" title="delete message which mentions references" alt="delete message which mentions references" loading="lazy" /></p>
<p>v13</p>
<p><img src="http://forge.typo3.org/attachments/download/37846/v13_delete_record_with_references_in_list_module_bulk_removal_no_mention_of_references.png" title="v13 bulk removal in list module (references not mentioned)" alt="v13 bulk removal in list module (references not mentioned)" loading="lazy" /></p>
<a name="Full-report"></a>
<h2 >Full report<a href="#Full-report" class="wiki-anchor">¶</a></h2>
<p>see delete_record_with_references.txt</p>
TYPO3 Core - Bug #101367 (New): page link to not hidden child of hidden page with extendToSubpage... http://forge.typo3.org/issues/101367 2023-07-17T15:58:03Z Sybille Peters sypets@gmx.de
<p>In linkvalidator, page links to hidden pages are considered broken.</p>
<p>But extendToSubpages is not considered, the rootline is not traversed.</p>
<pre>
page [3] (hidden, extendToSubpages)
└── page [4] (not hidden)
</pre>
<ul>
<li>link to => 3 (hidden) : marked as broken</li>
<li>link to => 4 (child of hidden/extendToSubpages): not marked as broken, wrong.</li>
</ul>
TYPO3 Core - Bug #101336 (New): Pages are shown in page tree even if (non-admin) BE user has no D... http://forge.typo3.org/issues/101336 2023-07-12T10:56:48Z Sybille Peters sypets@gmx.de
<p>This could also be a privacy problem because user sees pages in page tree which he has no business seeing (which might be access protected).</p>
<p>He can also see<br />- which user is currently editing the page (see first screenshot)</p>
<p>I could reproduce it in a way where the user sees all pages in entire installation (even though they are not even in the DB mount in the group).</p>
<p>Is only reproducible</p>
<p>- if the user does not have any DB mounts at all<br />- OR has a DB mount but no permission for the pages.</p>
<p>This could happen by wrong page permissions or misconfiguration of BE user.</p>
<a name="Reproduce"></a>
<h2 >Reproduce<a href="#Reproduce" class="wiki-anchor">¶</a></h2>
<ol>
<li>create user with no DB mount and set "Mount from groups" | "DB mounts" to off, assign this user to a group</li>
<li>add a DB mount in the group</li>
<li>switch to user</li>
<li>switch to page module (or list module)</li>
</ol>
<a name="Result"></a>
<h2 >Result<a href="#Result" class="wiki-anchor">¶</a></h2>
<p>The pages which are available for the group will now be displayed in the pagetree but the user has no access to them. If he clicks on a page, exception is thrown: "You don't have access to this page".</p>
<p>Also: context menu | "Info" is displayed, but this results in error message: "Sorry, you didn't have proper permissions to perform this change."</p>
<a name="Expected-behaviour"></a>
<h2 >Expected behaviour<a href="#Expected-behaviour" class="wiki-anchor">¶</a></h2>
<p>- If the user does not have access to the pages, they should <strong>not</strong> be displayed in the page tree and if he has access to no pages, no pages should be displayed in page tree<br />- in one case, an exception is thrown, in the other (Context "Info") a modal dialog is displayed with error. I would always expect the error message, not the exception</p>
<a name="Setup"></a>
<h2 >Setup<a href="#Setup" class="wiki-anchor">¶</a></h2>
user1:
<ul>
<li>has mostly default permissions, no DB mounts or any modifications of permissions, except:</li>
<li>has group group1</li>
<li>"Mounts and Workspaces" | "Mount from groups" | "DB Mounts" is off</li>
</ul>
group1
<ul>
<li>has DB mount (page id 1)</li>
<li>has access to all modules: "Access Lists" | "Modules" : all selected</li>
<li>has (read) access to all tables: "Access Lists" | "Tables (listing)" : all selected</li>
</ul>
page tree (page id 1):
<ul>
<li>"everybody" has all permissions (set in "Access" module)</li>
</ul>
<a name="Versions"></a>
<h2 >Versions<a href="#Versions" class="wiki-anchor">¶</a></h2>
<p>Reproduced with</p>
<ul>
<li>v11 ... latest main</li>
</ul>
<a name="Screenshot"></a>
<h2 >Screenshot<a href="#Screenshot" class="wiki-anchor">¶</a></h2>
<p><img src="http://forge.typo3.org/attachments/download/37818/be_user_mount_from_groups_off_editing.png" alt="" loading="lazy" /></p>
<p><img src="http://forge.typo3.org/attachments/download/37817/mount_from_groups.png" alt="" loading="lazy" /></p>
<p><img src="http://forge.typo3.org/attachments/download/37815/be_user_mount_from_groups_off.png" alt="" loading="lazy" /></p>
TYPO3 Core - Feature #101077 (New): Improve administrative handling of "Anonymize IP Adresses" http://forge.typo3.org/issues/101077 2023-06-15T05:24:09Z Sybille Peters sypets@gmx.de
<ul>
<li>currently it is only possible to select 1 table in the task (but more can be configured in ext_localconf.php)</li>
<li>the task is a scheduler task which means you have to create a scheduler task first, you can't just run it from the console (which means extra work and you can't (easily) store the configuration in a Git repo)</li>
</ul>
<a name="Sugestions"></a>
<h2 >Suggestions<a href="#Sugestions" class="wiki-anchor">¶</a></h2>
<ul>
<li>make a Symfony command out of it</li>
<li>make it possible to run it with "all configured tables" which would use all tables in $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['scheduler']['tasks'][self::class]['options']</li>
</ul>
<p>In the "Table garbage collection" task there is a checkbox "Clean all available tables"</p>
<a name="Side-note"></a>
<h2 >Side note<a href="#Side-note" class="wiki-anchor">¶</a></h2>
<p>It is unclear to me whether all current scheduler tasks will be migrated to Symfony commands in the future.</p>
TYPO3 Core - Task #90848 (Accepted): No longer possible to enter several pids in linkvalidator sc... http://forge.typo3.org/issues/90848 2020-03-27T07:07:13Z Sybille Peters sypets@gmx.de
<p>TYPO3 10,9,8 ...</p>
<p>I am not sure when this was changed:</p>
<p>In the scheduler task for linkvalidator it is no longer possible to enter several page ids in "Start page (uid)"</p>
<p>This used to be possible which was very helpful if you had several sites. In that case, you would get an aggregated report in the mail with information per site.</p>
<p>Also, you could exclude inactive sites this way. Now you can only enter startpage of one site or 0. (Of course, you can always enter several scheduler tasks).</p>
<p>In some cases, sites that are being updated will most likely have problems and need to change this. (Not sure if the old behaviour will still work with several pids).</p>
<p><img src="http://forge.typo3.org/attachments/download/35011/linkvalidator_scheduler.png" alt="" loading="lazy" /></p>
<p>Anyhow, it is no longer possible to enter several pids, separated by comma, which used to be possible.</p>
<p>(I would actually prefer an option to determine this automatically, based on sites configuration)</p>
TYPO3 Core - Feature #76895 (Rejected): Add [FE][lockSSL] option in TYPO3_CONF_VARS (as in [BE][l... http://forge.typo3.org/issues/76895 2016-06-30T17:12:06Z Sybille Peters sypets@gmx.de
<p>Proposal to add an option to enforce HTTPS if currently logged in as FE user. Could be implemented as in already existing [BE][lockSSL] option.</p>
<p>This would make Extensions like https_enforcer more or less redundant, because TYPO3 core would handle this functionality:</p>
<p>1) already existing in core: Force HTTPS for specific page (pages.url_scheme)<br />2) already existing in core: Force HTTPS if logged in as BE-User: [BE][lockSSL]<br />3) not existing? : Force HTTPS if logged in as FE-User</p>
TYPO3 Core - Bug #51360 (Closed): Linkvalidator: specifying TSconfig in scheduler has no effect http://forge.typo3.org/issues/51360 2013-08-26T17:22:37Z Sybille Peters sypets@gmx.de
<p>It is possible to set for example subject and content type via page TSconfig. This works fine. However, setting TSconfig in linkvalidator task in scheduler has no effect.</p>
<p>Using version TYPO3 4.5.29</p>