Bug #28847
Status: Closed
Security fix for #26876 breaks backwards compatibility
Added by Michael Stucki over 13 years ago. Updated about 6 years ago.
% Done: 100%
Description
The security fix for #26876 is certainly necessary; however, it may break compatibility with existing sites, and therefore this should be avoided.
The fix has already been released; however, if a follow-up is released soon, users may not have to worry about it any more.
Updated by Michael Stucki over 13 years ago
I suggest adding this fix (which is clearly a workaround!) only to versions 4.3, 4.4 and 4.5. That means 4.6 will keep the breaking change.
Updated by Mr. Hudson over 13 years ago
Patch set 2 of change I04f977ea0a745052ade359454144e51d154dcf6c has been pushed to the review server.
It is available at http://review.typo3.org/4225
Updated by Susanne Moog over 13 years ago
- Status changed from New to Under Review
Updated by Chris topher over 13 years ago
Hi Michael!
This change does not make sense to me.
What about the people who did the update to 4.5.4 or the update to 4.4.9 or the update to 4.3.12 respectively? As a security release these versions should be used and no older ones. So this most probably will be quite many users. If they modified this 10.1.fontTag thingy, all these people already had to adjust their TS configuration to be working again with version 4.5.4.
Now you propose to turn these changes back again, so that the same configuration has to be changed again another time?
You say you want to fix a break of backwards compatibility. Considering this would have been a good idea before releasing 4.5.4. Now your change does the opposite: You in fact introduce another break of backwards compatibility.
Where is the backwards compatibility for all those users who already were forced to change their configuration for 4.5.4?
Updated by Michael Stucki over 13 years ago
Hi Christopher,
This change does not make sense to me.
What about the people who did the update to 4.5.4 or the update to 4.4.9 or the update to 4.3.12 respectively? As a security release these versions should be used and no older ones. So this most probably will be quite many users. If they modified this 10.1.fontTag thingy, all these people already had to adjust their TS configuration to be working again with version 4.5.4.
Now you propose to turn these changes back again, so that the same configuration has to be changed again another time?
Oh well, thanks for that. You are totally right, of course. I will think about whether there's a way to work around that and keep changed templates working.
You say you want to fix a break of backwards compatibility. Considering this would have been a good idea before releasing 4.5.4. Now your change does the opposite: You in fact introduce another break of backwards compatibility.
I'm fully with you that this should have been done before, and I'm sorry that I didn't look at it until now. However, I consider it as a major drawback if this issue remains backwards-incompatible, and therefore do my best to find a solution that fits all setups.
Where is the backwards compatibility for all those users who already were forced to change their configuration for 4.5.4?
I'll try to change the patch so that backwards compatibility is still provided.
- michael
Updated by Jigal van Hemert over 13 years ago
The "breaking change" in the heading rendering isn't such a big issue. So far I've seen one site which needed to be adjusted (because it had the page title in <h1> and thus needed every heading level in a lower level) and all I needed to do was replace 'fontTag' with 'dataWrap'.
It's now on the check list for this upgrade.
People understand that things change for security reasons and the only effect of this "breaking change" is just cosmetic.
Updated by Mr. Hudson over 13 years ago
Patch set 2 of change I376c9fe013a21ac3e2e82a23d8d194fba9ac21f5 has been pushed to the review server.
It is available at http://review.typo3.org/4230
Updated by Michael Stucki over 13 years ago
Hi Jigal and Christopher,
The "breaking change" in the heading rendering isn't such a big issue. So far I've seen one site which needed to be adjusted (because it had the page title in <h1> and thus needed every heading level in a lower level) and all I needed to do was replace 'fontTag' with 'dataWrap'.
It's now on the check list for this upgrade.
You may be right with this, however even the fact that it could break something breaks a promise which we made to our users. If we want our users to trust that what we release as patch-level updates can be rolled out blindly, then we should aim for fixing this even though the damage was done.
People understand that things change for security reasons and the only effect of this "breaking change" is just cosmetic.
I disagree on this. "just" cosmetic may result in companies not willing to roll out security updates anymore. We need to give high priority to both!
Please check my new patch in Gerrit, which hopefully fits your needs.
Updated by Mr. Hudson over 13 years ago
Patch set 3 of change I376c9fe013a21ac3e2e82a23d8d194fba9ac21f5 has been pushed to the review server.
It is available at http://review.typo3.org/4230
Updated by Mr. Hudson over 13 years ago
Patch set 4 of change I376c9fe013a21ac3e2e82a23d8d194fba9ac21f5 has been pushed to the review server.
It is available at http://review.typo3.org/4230
Updated by Mr. Hudson over 13 years ago
Patch set 5 of change I376c9fe013a21ac3e2e82a23d8d194fba9ac21f5 has been pushed to the review server.
It is available at http://review.typo3.org/4230
Updated by Mr. Hudson over 13 years ago
Patch set 1 of change I6f05005e30c63ec2cf81eed1d9adeeb4f9828e82 has been pushed to the review server.
It is available at http://review.typo3.org/4282
Updated by Mr. Hudson over 13 years ago
Patch set 1 of change Ieffeed7b7d766b0d248ed666bfef6e8f62ea1f38 has been pushed to the review server.
It is available at http://review.typo3.org/4283
Updated by Helmut Hummel over 13 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 1c946cb63f4a98164f40bf305452fd60883dd853.