3.0.1 (2015-11-23)

Overview of merged pull requests

[FEATURE] Configurable extension blacklist in filesystem targets

The FileSystemTarget and FileSystemSymlinkTarget now have a blacklist for file extension that must not be published.

It defaults to the list of extensions blacklisted for file uploads in the ResourceManager.

[FEATURE] Configurable extension blacklist for file uploads

The ResourceManager now has a blacklist for file extension that must not be uploaded.

It defaults to a number of popular script language file extensions.

[TASK] Handling script execution in _Resources

This change adds an .htaccess file to the installer defaults that will be copied to Web/_Resources and switch off further .htaccess overrides, disable PHP and make everything handled by he default-handler.

In addition the documentation explains the need for disallowing script execution below Web/_Resources.

[SECURITY] Fix potential XML External Entity Processing

The MediaTypeConverter in Flow is potentially vulnerable to XXE (see https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing)

This change fixes that by disabling the external entity loader.

Thanks to Wouter Wolters for reporting this (original Reporter: Wouter van Dongen).

[BUGFIX] Set correct request port if X-Forwarded-Proto is set

This fixes an issue resulting in wrong rendered URLs if Flow is accepting request from a load balancer or proxy which is accessed via https externally, sends the X-Forwarded-Proto header to Nginx but does not specify the X-Forwarded-Port header.

For example, a load balancer (for example Google HTTP/HTTPS load balancer) is accessible via https and terminates SSL. The load balancer communicates with Nginx via http on port 80. Google only sends the X-Forwarded-Proto header (“https”) but not the port. URLs, for example in an action URI of a form, are rendered wrongly.

An expected URL would be https://example.com/foo.html, however, the rendered URL is https://example.com:80/foo.html

This change changes the behavior in Request so that if the X-Forwarded-Proto header is set, but the X-Forwarded-Port header isn’t, the port is set to the standard port of the given protocol (80 / 443).

[BUGFIX] ResourceTypeConverter should return null for empty source

The given source can either be an array or a string and in both cases an empty value would signify a value that cannot be converted and probably stems from an empty input. In this case the converter should return null immediately, otherwise it will go on with processing the empty value and eventually ends up in returning a conversion error which would be wrong.

  • Packages: Flow Fluid

[TASK] Document issues with final SQLFilter constructor

When implementing a Doctrine filter the proxy building of Flow can cause problems. This change documents this and explains a solution.

  • Packages: Flow

[BUGFIX] Check if migrations exist before trying to register them

Backport from 9823ae980e803 (Author: Laurent Cherpit @lcherpit )

Currently the check for the existence of migration files is delegated to the doctrine/migration third party library.

The behavior has changed and an exception is thrown if the folder doesn’t exist. To not let the third party library handle that and to prevent this, the check is done upstream in Flow.

  • Packages: Flow

[BUGFIX] Make sure expired cache entries get deleted in PdoBackend

$this->has($entryIdentifier) returns false for expired cache entries which leads to duplicate key violations. Remove existing entries, including expired ones, before creating new cache entry.

[BUGFIX] Use CollectionInterface in resource management

Currently some methods use the Collection class instead of the CollectionInterface.

  • Packages: Flow Fluid

[BUGFIX] Fix lookup path for ``AvailableProxyClasses.php``

Since 2787b2a3216deb188c4cd1c9b2b823e6e3a10da3 Flow creates a map for available proxy classes stored in AvailableProxyClasses.php within the temporary directory.

The ClassLoader failed to include that file though when run in a nested Application Context. That is fixed with this change.

  • Packages: Flow

[BUGFIX] Initialize Router lazily

The Router should be able to initialize configured routes lazily except when explicitly told not to do so. This change allows the Router to get the configuration directly from the ConfigurationManager if no other routing configuration exists. If some routing configuration was set, this is used.

[BUGFIX] Skip commonObjectIsPersistedAndIsReconstituted() on PgSQL

The object we assign in the test is Persistence\Fixtures\CommonObject, containing a protected property. Doctrine stores object as serialize()`d PHP data in a text column. Which doesn’t work on PostgreSQL, since the string is truncated at the first `null byte, used in the serialised data to mark the protected property.

The official fix is to use a custom datatype if you need it, for the test I decided to skip it if on PostgreSQL.

[TASK] Remove use of deprecated apigen options

The todo and deprecated options have been deprecated in favour of the annotation-groups feature. This adjusts apigen.yml to comply.

[TASK] Add apigen.yml

This adds an apigen.yml file for use when generating API docs.

[BUGFIX] Make ObjectAccess use TypeHandling (FLOW-397)

This change adjusts ObjectAccess to use getTypeForValue() instead of get_class() so Doctrine proxies are handled correctly.

  • Packages: Flow

[BUGFIX] Bind expression storing closer to privilege data

As the runtime expressions are generated while evaluating the method privileges in the MethodPrivilegePointcutFilter both should be saved at the same point in time, so instead of saving the expressions via lifecycle methods they are now saved on the same signal as the method permission cache entry. This can prevent race conditions that might happen between writing the permission cache and the expression cache.

  • Packages: Flow

[BUGFIX] Fix functional test by explicitly naming sequence

The auto-generated name of a sequence exceeds the maximum length, is truncated and thus duplicates an already existing name in the schema. This is solved by manually giving a name to the sequence.

This bug affects only PostgreSQL and is triggered by a functional test fixture.

  • Packages: Flow

[TASK] Update license headers

This change updates license headers in all packages contained in the Flow Development Collection according to what has been discussed earlier: https://discuss.neos.io/t/rfc-license-header-file-doc-comment-change/517

  • Packages: Fluid Kickstart

[TASK] Add example for if view helper inline syntax

This adds another example for the if view helper inline syntax, explaining the format for conditions when using comparisons.

  • Packages: Fluid

[BUGFIX] Class loader includes some files twice

For some reason, the FLOW class loader includes some files twice.

This especially occurs when a Composer dependency declares an autoload file that contains function definitions (one example for a package like that being guzzlehttp/promises).

This commit fixes this issue by replacing include with include_once.

[BUGFIX] Fix a syntax error caused by a broken file header

The MIT change had introduced a stray block comment end marker.

  • Packages: Flow

[TASK] Apply MIT license to the Flow framework

This change adjusts all file headers to state the code is under the MIT license now. It removes the use of the name TYPO3 in comments along the way.

Our reasoning for the license change has been explained at
and the TYPO3 Association has published the decision at

With this change, the need for a CLA is gone.

  • Packages: Eel Flow Fluid Kickstart

[TASK] Improve exception output for subprocesses failing with fatal error

Improves the exception output in development context when a command executed in a subprocess fails with fatal error. Previously the actual error could only be found by looking in the system log or in some cases by running a CLI command.

[TASK] Add configuration file for StyleCI

  • Packages: Eel Flow Fluid Kickstart

[TASK] Add Code of Conduct

This adds a reStructuredText version of the Contributor Covenant code of conduct, to make it clear the project is governed by that.

See also http://contributor-covenant.org/version/1/2/0/

[TASK] Add Readme.rst files for individual packages

This adds a Readme.rst to each package, so that the read-only subplit repositories have a readme file for GitHub to show and for the users to read.

  • Packages: Eel Flow Fluid Kickstart

[BUGFIX] Remove neos composer plugin from reflection

As Flow 2.3 still uses a blacklist approach for reflection and proxybuilding the neos composer plugin needs to be excluded instead of the composer installers package.

  • Packages: Flow

[BUGFIX] SecurityContext does not inject SessionManagerInterface

In TYPO3/Flow/Security/Context class SessionManagerInterface should be injected to follow the Objects configuration. This breaks projects where a custom SessionManager is implemented and switched using Objects configuration.

However in the Unit test for security context SessionManagerInterface is mocked.

PS: This issue is already handled in Flow 3.0 so need a HotFix for 2.3

[TASK] Allow InstallerScripts to work with collection repository

The InstallerScripts taking care of copying distribution resources after composer operations would assume package paths that are incompatible with the joined repositories. This will result in missing Neos Routes on installing from the collection repository.

This is a first step after which the joined composer.json can be used fully.

This deprecates the [“extras”][“typo3/flow”][“manage-resources”] configuration for copying distribution resources. The deprecation is in effect from 3.1 onwards and this option will be removed three versions later. The new [“extras”][“neos”][“installer-resource-folders”] configuration which is an array of directories containing installer resources superseeds it with this changes and takes precedence. A typical replacement would be:

“installer-resource-folders”: [“Resources/Private/Installer/”]
  • Packages: Flow