RSS 2.0
RSS 0.91
ATOM 0.3
July 30, 2010

Regressions in latest security release

Category: Core

By: Ernesto Baschny

The latest security releases contains some regression that I'd like to explain in this article

In the security releases from 28th of July, unfortunately some new bugs were introduced. This article tries to summarize what has been known about it and how to solve particular problems.

In TYPO3 4.1.14:

Problem: On logout from BE and on clearing all caches the error “Call to undefined method t3lib_div::sanitizeLocalUrl” or an empty frame is displayed. So it is not possible to clear all cache anymore.

Solution: Is being worked on in #15260, which is partly commited, but a new version discussed in #15263 and a new patch from that issue might solve the issue. Testers needed.

In TYPO3 4.3.4:

Problem: extbase introduced several changes, one of which made fluid break, causing all frontend plugins to crash.

Solution: Sebastian Kurfürst already fixed that in the SVN-repository, a quick fix is described here.

Extbase and Fluid versions were rised from 1.0.2 to 1.1.0 in TYPO3 4.3.4. This was made to make the versioning scheme consistent. But it also introduced a set of new features and changes, which are documented in the SVN commit log of the 1.1 branch.

In TYPO3 4.4.1:

Problem: Install tool doesn't allow a login in certain environments after the upgrade to 4.4.1.

Solution: Not reproduceable yet by the core team. It is being discussed in #15265 and only solutions until now are:

  • if ameos_formidable is installed, a start_session is done on every request in ext_localconf.php. This conflicts with the install tool session management. One potential solution is to put this around the line that does the "session_start()" in ameos_formidable ext_localconf.php:
    if (TYPO3_MODE === "FE") {

  • on other cases, a solution is to revert the install tool security fix, by copying the file typo3/sysext/install/mod/class.tx_install_session.php from a working 4.4.0 installation. Since the security fix is then no longer applied, you have to make sure to disable the Install Tool when it is not used.

In 4.4.1, 4.3.4 and 4.2.12:

Problem: It's impossible to set links to files any more with the link wizard.

Solution: Issue is being discussed in #15282.

In 4.4.1, 4.3.4 and 4.2.12:

Problem: felogin redirect doesn't work as expected anymore

Solution: Issue is being discussed in #15280. Probably applies to all releases that shipped with felogin.

As soon as the issues have been solved, new release of 4.1 and 4.3 are planned. For the 4.4 install tool problem, we still need to understand under what circumstances the problem occurs to be able to decide if a new release is required.

Please check the bug tracker for new regression issues that might have been discovered or discussed.

This article will be revised as soon as new information is available.


comment #1
Gravatar: Lienhart Woitok Lienhart Woitok July 30, 2010 10:45
I think another regression is this issue: (Element-Browser page tree has HSC'ed elements).

By the way, the link to the bug tracker regressions list does not work: "A required parameter to this page (hide_status_id) was not found."

comment #2
Gravatar: Ernesto Baschny Ernesto Baschny July 30, 2010 14:00
Thanks for the Feedback Lienhart. I corrected the link to the bug tracker and your new issue is also listed on that bug tracker filtering.

comment #3
Gravatar: maholtz maholtz August 2, 2010 09:35
Hi Ernesto,

many thanks for pointing out these issues. It is very helpfull!

Sorry, comments are closed for this post.