TYPO3 4.2.16

Release Notes

Version 4.2.16

This version is not supported anymore.

The TYPO3 CMS community supported from 2009-07-03 until 2009-11-30. Please consider updating to a newer version.

Release Notes for TYPO3 4.2.16

This document contains information about TYPO3 version 4.2.16 which was released on December 16, 2010.


This release is a combined bugfix and security release.


Due to several security issues found in the TYPO3 Core, there was a combined release of TYPO3 4.2.16, 4.3.9 and 4.4.5.\ Find more details in the security bulletin: <https://typo3.org/teams/security/security-bulletins/typo3-sa-2010-022/&gt;



MD5 checksums

ad01b11987351a050c0d11663fedef16  dummy-4.2.16.tar.gz
627944cc19f84b91ff0687cebb832f9e  dummy-4.2.16.zip
c556a17485887463e67ea0771d7914c4  typo3_src-4.2.16.tar.gz
f3f01e41bdfbc275b2f6bc8140224b19  typo3_src-4.2.16.zip
3bb55206eb08e9c9f70b44ab4a168b98  typo3_src+dummy-4.2.16.zip


The usual upgrading procedure applies; no database updates are necessary.


2010-12-16  Oliver Hader  &lt;oliver.hader@typo3.org&gt;

    * Release of TYPO3 4.2.16

2010-12-16  Oliver Hader  &lt;oliver@typo3.org&gt;

    * Fixed bug #14402: XSS in Install tool (thanks to Benjamin Mack)
    * Fixed bug #16590: t3lib_TSparser::checkIncludeLines() does not check files to be included (thanks to Fabrizio Branca)
    * Fixed bug #15737: quoteStrForLike does not properly escape strings in sql_mode NO_BACKSLASH_ESCAPES
    * Fixed bug #16653: SQL injection problem in class.db_list.inc (thanks to Jigal van Hemert)
    * Fixed bug #15735: FORM content object is susceptible to XSS (thanks to Benjamin Mack)
    * Fixed bug #16362: Directory traversal attack in em_unzip
    * Fixed bug #16593: It is possible to bypass &#039;verifyFilenameAgainstDenyPattern&#039;

2010-11-12  Ernesto Baschny  &lt;ernst@cron-it.de&gt;

    * Fixed bug #15456: Changes made by ColorPicker Wizard are not saved (Thanks to Tobias Hoevelborn)

2010-10-27  Steffen Gebert  &lt;steffen@steffen-gebert.de&gt;

    * Fixed bug #15503: Improve t3lib_userAuth::getCookie() (Thanks to Michael Bürgi)

2010-10-18  Xavier Perseguers  &lt;typo3@perseguers.ch&gt;

    * Fixed bug #1318: &#039;removeTag&#039; does not remove closing tags

2010-10-11  Steffen Kamper  &lt;steffen@typo3.org&gt;

    * Fixed bug #12376: typo3temp got filled with thousands of javascript_* files (Thanks to Georg Ringer)