TYPO3-CORE-SA-2012-005: Several Vulnerabilities in TYPO3 Core
2012-11-08 54eab24 [RELEASE] Release of TYPO3 4.7.6 (TYPO3 Release Team)
2012-11-08 f5d3162 #42696 [SECURITY] Fix SQL injection and XSS in record history (Oliver Hader)
2012-11-08 07c3d63 #42774 [SECURITY] XSS in TCA Tree (Oliver Hader)
2012-11-08 7b916d0 #42776 [SECURITY] Fix potential XSS in t3lib_BEfunc::getFuncCheck (Helmut Hummel)
2012-11-08 389452e [TASK] Raise submodule pointer (TYPO3 Release Team)
2012-11-07 3f2929d #39677 [BUGFIX] No sorting in TypoScript Object Browser when browsing (Nicole Cordes)
2012-11-02 b69dc9d #42281 [BUGFIX] Translated non-published page in workspace breaks live workspace (Oliver Hader)
2012-11-02 9330ab6 #38024 [BUGFIX] Illegal string offsets in t3lib_stdgraphic (Wouter Wolters)
2012-11-01 8098997 [TASK] Use correct branch for travis integration build (Helmut Hummel)
2012-11-01 24f4a8d#37578 [BUGFIX] PHP 5.4 warning in CLI context in switch back user (Christian Kuhn)
2012-10-31 dc73a91 #39662 [BUGFIX] RTE: Link class not always set in Firefox (Stanislas Rolland)
2012-10-31 ba8ead7 #42046 [BUGFIX] Restore display of mount points path (Francois Suter)
2012-10-29 fbd5057 #40733 [BUGFIX] Wrong call to TSFE in FrontendEditing (Steffen Ritter)
2012-10-29 4bf3cca #42054 [BUGFIX] PHP warning: open_basedir restriction (Xavier Perseguers)
2012-10-28 19f0cbb #42454 [BUGFIX] Fix usage of fileadminDir (Helmut Hummel)
2012-10-27 dd20440 #42444 [TASK] Fix generation of ext_emconf.php (Wouter Wolters)
2012-10-22 ce6ab74 #41980 [TASK] Clean-up EXT: aboutmodules, adapt to "TYPO3 CMS" (Felix Kopp)
2012-10-22 3440228 #38699 [BUGFIX] t3lib_div::unlink_tempfile does not always work on Windows (Stanislas Rolland)
2012-10-22 689f1fb #33504 [BUGFIX] New form wizard not loading in IE8 (Sebastian Schawohl)
2012-10-19 74c10e0 [BUGFIX] Unit test for saltedpasswords fail (Xavier Perseguers)
2012-10-18 bfb12db #36087 [BUGFIX] RTE: Link to disabled page doesn't show in FE, link icon does (Stanislas Rolland)
2012-10-18 9d621aa #29685 [BUGFIX] RTE: Words containing umlauts not added to personal dictionary (Stanislas Rolland)
2012-10-17 bd4645c #38406 [BUGFIX] Extension Import not working with postgresql and DBAL (Ernesto Baschny)
For detail, please refer http://wiki.typo3.org/TYPO3_4.7
===============================================================================
Compatibility
===============================================================================
* PHP 5.3
This version requires at least PHP 5.3, older versions of PHP are not supported
anymore with TYPO3 4.7.
* safe_mode is not supported anymore
* magic_quotes_gpc is deprecated. You are encouraged to turn this option
off as it still defaults to "On".
* ImageMagick
If you are using ImageMagick, only versions 6.0 and above are supported.
* Deprecated methods
Deprecated methods that were initially targeted to be removed in TYPO3 4.7 have
finally been removed. The deprecation log shows which functions were declared
to be deprecated and will be removed in the next TYPO3 versions.
Removed Functionality / Overworked Functionality
-------------------------------------------------------------------------------
* non utf-8 support removed
Before upgrading, check that your database is encoded in utf-8 and your
database connection is encoded same way. TYPO3 4.7 only will work with utf-8 after
other charsets have been deprecated in TYPO3 version 4.5 LTS.
* The old HTML-Mailer Class (t3lib_htmlmail) has been removed
After a grace period of two version t3lib_htmlmail finally has been removed from
TYPO3 Core. All extensions which had not been adapted yet, will break. Most
likely this will affect many extensions.
* Highly changed CSS Styled Content Classes
The System Extensions CSS Styled Content and the content rendering within sysext
CMS have been heavily overworked as well as the TypoScript changed remarkibly.
We expect all extensions X-Classing the Content-Rendering as well as adapting
TypoScript of CSS Styled Content to break. This might affect Lightbox-Extensions
as well as for example dam_content (old version).
!!! PLEASE SEE A LIST OF INCOMPATIBLE EXTENSIONS WITHIN THE WIKI !!!
===============================================================================
Changes and Improvements
===============================================================================
This will list important changes and improvements between TYPO3 4.6 and 4.7. For
technical details see ChangeLog included in the typo3_src package.
Authentication Services
-------------------------------------------------------------------------------
With this version the authentication chain has been cleaned up so that third
party authentication services can benefit from RSA encrypted login without the
need of decrypting the submitted password in their own code.
The system extension rsaauth will now decrypt the password and provide the
decrypted version for other services. So external authentication services can
access the clear text password always through $this->loginData['uident_text'],
no matter if the password has been transmitted as plain text during the login
or rsaauth has decrypted it.
Due to major changes in the login service of rsaauth, all extensions which
use XCLASS to extend that class, most likely will fail, whereas other extension
which make proper use of the public API of the system extension rsaauth will
continue working without any problem.
In any case, it is recommended to adjust external authentication services to
benefit from the changes.
See new chapter in TYPO3 services documentation (doc_core_services) about the
topic of authentication services: http://forge.typo3.org/issues/31413
taca