[TYPO3-english] CoolURI and link tag shot by Sec. Upd. 6.2.16?

Markus Klein markus.klein at typo3.org
Thu Dec 17 17:50:39 CET 2015


Hi!

You have been warned: 

http://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-013/

> Please note, that in case editors were allowed to edit HTML in your particular installation,
> that you need to adapt the TypoScript to allow HTML input again.
> Be aware however that your editors will have full control over HTML,
> which equals to having permission to create HTML content elements.

Kind regards
Markus

------------------------------------------------------------
Markus Klein
TYPO3 CMS Active Contributors Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org

> -----Original Message-----
> From: typo3-english-bounces at lists.typo3.org [mailto:typo3-english-
> bounces at lists.typo3.org] On Behalf Of Axel Joensson
> Sent: Thursday, December 17, 2015 5:44 PM
> To: typo3-english at lists.typo3.org
> Subject: [TYPO3-english] CoolURI and link tag shot by Sec. Upd. 6.2.16?
> 
> Hi there,
> 
> two days ago my hoster updated a five language T3 6.2.15 website to
> 6.2.16.
> 
> Today I first discovered that the CoolURIconf.xml (I had updated it just
> about three weeks ago to the recent version 1.1.1) had simply vanished
> from the typo3conf directory, while an old version (renamed for backup
> purposes to CoolURIconf-old.xml) was still present. Uploading the
> recently changed version by ftp to its place, CoolURI immediately awoke
> from knock-out and reassumed service.
> 
> How can an automated patch update shoot the conf-file of an up-to-date
> ext in its last available version for no reason? Didn't that happen to
> anyone else? And WHY?
> 
> Then something else: In each language in my site, there is a link page
> with about 100 links available. I choose a list as content element type,
> so each link is preceded by a dot. The syntax I used is simple and old,
> each link as plaintext in a line of its own:
> 
> <link http://www.example.com/1>Anchor 1</link>
> <link http://www.example.com/2>Anchor 2</link>
> 
> While T3 so far used to make proper clickable links out of this, it now
> suddenly vomits the plaintext text as quoted above into the webpage. No
> link, plain, unchanged syntax as entered.
> 
> Wouldn't it be nice to warn people if (obviously) an old tag is about to
> be executed? Or why does this syntax suddenly work no more? What am I
> expected to do?
> 
> That wasn't a nice way of providing a system security update patch, at
> least to me.
> 
> Greets,
> Axel