Bug #28847

closed

Security fix for #26876 breaks backwards compatibility

Added by Michael Stucki almost 13 years ago. Updated over 5 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2011-08-08
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.5
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The security fix for #26876 is well necessary, however it may break compatibility with existing sites and therefore should be avoided.
The fix has already been released, however if a follow-up is released soon, users may not have to worry about it any more.


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Task #27106: <h_ {register:headerStyle}{register:headerClass}>|</h_> doesn't work any longer!? (Rejected, Steffen Gebert, 2011-05-28, 2011-05-30)

Actions #1

Updated by Michael Stucki almost 13 years ago

I suggest to add this fix (which is clearly a workaround!) only to versions 4.3, 4.4 and 4.5. That means, 4.6 will keep the breaking change.

Actions #2

Updated by Mr. Hudson almost 13 years ago

Patch set 2 of change I04f977ea0a745052ade359454144e51d154dcf6c has been pushed to the review server.
It is available at http://review.typo3.org/4225

Actions #3

Updated by Susanne Moog almost 13 years ago

  • Status changed from New to Under Review
Actions #4

Updated by Chris topher almost 13 years ago

Hi Michael!

This change does not make sense to me.
What about the people who did the update to 4.5.4 or the update to 4.4.9 or the update to 4.3.12 respectively? As a security release these versions should be used and no older ones. So this most probably will be quite many users. If they modified this 10.1.fontTag thingy, all these people already had to adjust their TS configuration to be working again with version 4.5.4.

Now you propose to turn these changes back again, so that the same configuration has to be changed again another time?

You say you want to fix a break of backwards compatibility. Considering this would have been a good idea before releasing 4.5.4. Now your change does the opposite: You in fact introduce another break of backwards compatibility.

Where is the backwards compatibility for all those users who already were forced to change their configuration for 4.5.4?

Actions #5

Updated by Michael Stucki almost 13 years ago

Hi Christopher,

> This change does not make sense to me.
> What about the people who did the update to 4.5.4 or the update to 4.4.9 or the update to 4.3.12 respectively? As a security release these versions should be used and no older ones. So this most probably will be quite many users. If they modified this 10.1.fontTag thingy, all these people already had to adjust their TS configuration to be working again with version 4.5.4.
>
> Now you propose to turn these changes back again, so that the same configuration has to be changed again another time?

Oh well, thanks for that. You are totally right of course. I will think about if there's a way to work around that and keep changed templates working.

> You say you want to fix a break of backwards compatibility. Considering this would have been a good idea before releasing 4.5.4. Now your change does the opposite: You in fact introduce another break of backwards compatibility.

I'm fully with you that this should have been done before, and I'm sorry that I didn't look at it until now. However, I consider it as a major drawback if this issue remains backwards-incompatible, and therefore do my best to find a solution that fits all setups.

> Where is the backwards compatibility for all those users who already were forced to change their configuration for 4.5.4?

I'll try to change the patch so that backwards compatibility is still provided.

- michael

Actions #6

Updated by Jigal van Hemert almost 13 years ago

The "breaking change" in the heading rendering isn't such a big issue. So far I've seen one site which needed to be adjusted (because it had the page title in <h1> and thus needed every heading level in a lower level) and all I needed to do was replace 'fontTag' with 'dataWrap'.
It's now on the check list for this upgrade.

People understand that things change for security reasons and the only effect of this "breaking change" is just cosmetic.

Actions #7

Updated by Mr. Hudson almost 13 years ago

Patch set 2 of change I376c9fe013a21ac3e2e82a23d8d194fba9ac21f5 has been pushed to the review server.
It is available at http://review.typo3.org/4230

Actions #8

Updated by Michael Stucki almost 13 years ago

Hi Jigal and Christopher,

> The "breaking change" in the heading rendering isn't such a big issue. So far I've seen one site which needed to be adjusted (because it had the page title in <h1> and thus needed every heading level in a lower level) and all I needed to do was replace 'fontTag' with 'dataWrap'.
> It's now on the check list for this upgrade.

You may be right with this, however even the fact that it could break something breaks a promise which we made to our users. If we want our users to trust that what we release as patch-level updates can be rolled out blindly, then we should aim for fixing this even though the damage was done.

> People understand that things change for security reasons and the only effect of this "breaking change" is just cosmetic.

I disagree on this. "just" cosmetic may result in companies not willing to roll out security updates anymore. We need to give high priority to both!

Please check my new patch in Gerrit, which hopefully fits your needs.

Actions #9

Updated by Mr. Hudson almost 13 years ago

Patch set 3 of change I376c9fe013a21ac3e2e82a23d8d194fba9ac21f5 has been pushed to the review server.
It is available at http://review.typo3.org/4230

Actions #10

Updated by Mr. Hudson almost 13 years ago

Patch set 4 of change I376c9fe013a21ac3e2e82a23d8d194fba9ac21f5 has been pushed to the review server.
It is available at http://review.typo3.org/4230

Actions #11

Updated by Mr. Hudson almost 13 years ago

Patch set 5 of change I376c9fe013a21ac3e2e82a23d8d194fba9ac21f5 has been pushed to the review server.
It is available at http://review.typo3.org/4230

Actions #12

Updated by Mr. Hudson almost 13 years ago

Patch set 1 of change I6f05005e30c63ec2cf81eed1d9adeeb4f9828e82 has been pushed to the review server.
It is available at http://review.typo3.org/4282

Actions #13

Updated by Mr. Hudson almost 13 years ago

Patch set 1 of change Ieffeed7b7d766b0d248ed666bfef6e8f62ea1f38 has been pushed to the review server.
It is available at http://review.typo3.org/4283

Actions #14

Updated by Helmut Hummel almost 13 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #15

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed