I just re-tested the issue and I can confirm that the bug still exists in v10.4.9. The XML Importer of the Extension Manager imports polluted data and marks multiple extension versions as "current version".
However, in a standard installation, the result of the bug is no longer apparent today (more than three years after I reported this issue). This is because of three reasons:
1) It seems that the TER team fixed most of the invalid extension versions. So the extensions.xml.gz file is much cleaner today.
2) The TER possibly filters invalid version strings when users upload extensions today (not tested!).
3) The Extension Manager only imports extensions younger than 04 April 2017 and ignores all extensions older than this date (this is hard-coded).
I recorded my tests (see attached file issue81159.mp4). It shows the following steps:
- Fresh installation of TYPO3 v10.4.9 using the traditional installation method.
- Show that the database table tx_extensionmanager_domain_model_extensions is empty (0 records).
- Apply a core patch that bypasses the aforementioned restriction to only import extensions newer than 04/2017.
- Import extension list using the Extension Manager in the TYPO3 BE.
- Show that the database table tx_extensionmanager_domain_model_extensions now contains all extensions (49,000+ records).
- Show that extension EXT:wiris_plugin has two versions, both are marked as "current version".
- Show that this is the only extension with this issue.
Although the problem does not occur in modern TYPO3 versions anymore, the core still has this bug and is vulnerable to invalid version strings in the extensions.xml.gz file.
I will check with the TER team if they can delete the invalid version of EXT:wiris_plugin from the TER. However, this does not fix the bug in the TYPO3 core of course. In case the data that is imported through the Extension Manager shows invalid version strings (for whatever reason), this may result in issues in TYPO3 instances. Following the principle of not trusting any input data, this bug is still open and should be fixed from my perspective.
Core patch used to import all extensions: see GitHub