October 27, 2009

Some notes about regressions in latest security releases

Category: Core

By: Ernesto Baschny

Some general unease has been building up around the latest TYPO3 security releases (4.1.13, 4.2.10 and 4.3beta2) because of regression bugs. Here I try to sum up the currently known situation.

Is it a bug?

The following problems are known to have been introduced in the latest security updates. These regressions are of course not good, but so far they only show up in a few isolated setups.

  1. 4.3 beta2 only: FE editing does not work. This is of course the most critical error, but "hey, it's beta!". The patch (#12321) is already in the SVN trunk.
  2. Problems with the backend modules of certain extensions (e.g. DAM) when the TYPO3 base URL contains a special character such as the tilde "~". This affects setups where TYPO3 runs for example under domain/~user/typo3/.
  3. Missing thumbnails in the backend and hanging GraphicsMagick processes on the server. The problem comes from safe_mode=on combined with the use of escapeshellarg() introduced with the security fix. See #12341 for a discussion of the issue.
  4. The Install Tool database "COMPARE" tool (and other actions in the Install Tool) fails to execute the action in certain environments; instead it jumps back to the start screen or logs out completely. The core team has not been able to reproduce this yet. Two things that might influence the new session-based Install Tool:
    1. If you are using the Suhosin module for hardened PHP, its default of suhosin.request.max_vars=200 might be the problem (raise it).
    2. Another reporter has no Suhosin but runs TYPO3 on FastCGI. Whether FastCGI or something else in the reporter's environment causes the problem is unclear at the moment; there have also been reports of the Install Tool running fine under FastCGI.

That is all. So if your setup meets the following conditions, you will most probably have no problems with the update (as the majority of users):

  • no "~" in the URL to TYPO3
  • no safe_mode=on
  • no Suhosin module, or if you have it, set "php_value suhosin.request.max_vars 500" in your .htaccess (php_value only works when PHP runs as an Apache module; under CGI/FastCGI put suhosin.request.max_vars = 500 into php.ini instead)
  • potentially no FastCGI (not certain yet whether it has an influence at all)

As soon as these problems are solved, new minor versions will be released.
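To save people from reading through the list above on every server they maintain, here is a small pre-update check that reports which of the known regression triggers apply to a given installation. This is an added example, not code from the original post or from the TYPO3 core: the function name typo3RegressionChecks(), the threshold of 500 variables (taken from the .htaccess suggestion above) and the additional look at suhosin.post.max_vars are assumptions of this example. It is written for PHP 5.2/5.3 (no short array syntax), and it must be called through the web server, because the SAPI and ini values seen by the command line usually differ from those of mod_php or FastCGI.

```php
<?php
/**
 * Added example: pre-update check for the regression triggers of
 * TYPO3 4.1.13 / 4.2.10 / 4.3beta2. Not part of TYPO3 or of the original
 * post. Put it into the web root, open it in the browser, then delete it.
 *
 * Assumptions made for this example: the function name, the limit of
 * 500 variables, and the extra check of suhosin.post.max_vars.
 */

/**
 * Returns one finding per known regression trigger that applies.
 *
 * @param string $typo3BaseUrl URL TYPO3 is reached under, e.g. http://example.org/~user/
 * @return array Empty when none of the known triggers is present
 */
function typo3RegressionChecks($typo3BaseUrl) {
    $findings = array();

    // 1. A tilde in the URL path breaks the backend modules of some
    //    extensions (e.g. DAM).
    $path = parse_url($typo3BaseUrl, PHP_URL_PATH);
    if (is_string($path) && strpos($path, '~') !== false) {
        $findings[] = 'TYPO3 base URL path "' . $path . '" contains "~"';
    }

    // 2. safe_mode=on together with escapeshellarg() leaves hanging
    //    GraphicsMagick processes and missing thumbnails. ini_get() returns
    //    false on PHP versions that no longer know the directive, which
    //    filter_var() maps to false as well.
    if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'safe_mode is enabled';
    }

    // 3. Suhosin: the session-based Install Tool posts many variables at
    //    once; the default limit of 200 is too low. suhosin.post.max_vars
    //    is checked as well (assumption of this example).
    if (extension_loaded('suhosin')) {
        $directives = array('suhosin.request.max_vars', 'suhosin.post.max_vars');
        foreach ($directives as $directive) {
            $limit = (int) ini_get($directive);   // 0 if the directive is unknown
            if ($limit > 0 && $limit < 500) {
                $findings[] = $directive . ' = ' . $limit . ' (raise it to at least 500)';
            }
        }
    }

    // 4. FastCGI: not confirmed as a cause, but reported together with the
    //    Install Tool logout problem, so it is worth knowing about.
    $sapi = php_sapi_name();
    if ($sapi === 'cgi-fcgi' || $sapi === 'fpm-fcgi') {
        $findings[] = 'PHP runs under FastCGI (' . $sapi . '); see the Install Tool note';
    }

    return $findings;
}

// Build the URL of the directory this script lives in; on the command line
// $_SERVER['HTTP_HOST'] is missing, so fall back to a placeholder.
if (isset($_SERVER['HTTP_HOST'], $_SERVER['SCRIPT_NAME'])) {
    $scheme  = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    $baseUrl = $scheme . '://' . $_SERVER['HTTP_HOST'] . rtrim(dirname($_SERVER['SCRIPT_NAME']), '/') . '/';
} else {
    $baseUrl = 'http://localhost/';
}

$findings = typo3RegressionChecks($baseUrl);

header('Content-Type: text/plain');
echo 'Checked ' . $baseUrl . "\n";
if (count($findings) === 0) {
    echo "No known regression triggers found.\n";
} else {
    echo "Known regression triggers found:\n- " . implode("\n- ", $findings) . "\n";
}
```

If the script reports nothing, the update should be safe for your installation as far as the currently known regressions go; if it flags Suhosin, raise the limit (in .htaccess for mod_php, in php.ini for CGI/FastCGI) and re-run the check before opening the Install Tool.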


comments

comment #1
Bastian Waidelich, October 27, 2009 13:32
Hi Ernesto,

thanks a lot for exemplifying this!

comment #2
Martin Holtz, October 27, 2009 22:41
Thanks a lot for this overview!
