TYPO3 4.6.7

Release Notes

Version 4.6.7

This version is not supported anymore.

The TYPO3 CMS community supported from 2011-10-25 until 2012-04-23. Extended security & compatibility support (ELTS) expired on 2015-04-23.

Please consider updating to a newer version.

Release Notes for TYPO3 4.6.7

This document contains information about TYPO3 version 4.6.6 which was released on March 28th 2012.


This release is a combined bug fix and security release.


Due to security issues found in the TYPO3 Core, there was a combined release of TYPO3 4.4.14, 4.5.14 and 4.6.7.\ Find more details in the security bulletin: <https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/&gt;



MD5 checksums

6464e9fbecbe218d0508c28b7ddf94ca  blankpackage-4.6.7.tar.gz
6a9e28cc3f44d7958f9dc66322a7f606  blankpackage-4.6.7.zip
9f68cc22e8d4b68852197625e25a1dfa  dummy-4.6.7.tar.gz
6671e1f654be11130bac7d76cb8b6afa  dummy-4.6.7.zip
6b149d5263678e2137900315dd52b1fc  introductionpackage-4.6.7.tar.gz
141df5c83487b2da3fd91eb78ccc9634  introductionpackage-4.6.7.zip
53c371c218d890fe847a6b52869ca7ab  typo3_src+dummy-4.6.7.zip
6d451794f1c9f2830255fde41e60fc5e  typo3_src-4.6.7.tar.gz
60682a77f94495807352d50cc360ef3e  typo3_src-4.6.7.zip


The usual upgrading procedure applies. No database updates are necessary.

Breaking Change

With the newly released TYPO3 versions, the description field of the filelink content element is HTML encoded by default. If you allowed editors to enter HTML code in this field, you may want to add the following line to your TypoScript template, before updating.

tt_content.uploads.20.itemRendering.20.2.htmlSpecialChars = 0

Allowing HTML in this field is discouraged for editors, same as allowing the plain HTML content.


Here is a list of what was fixed since [4.6.6](TYPO3_4.6.6 "wikilink"):

  • [RELEASE] Release of TYPO3 4.6.7
  • [SECURITY] Missing escaping for sys_notes (#22748)
  • [!!!][SECURITY] XSS in filelink element (#25246)
  • [SECURITY] Information disclosure showing DB name (#29060)
  • [SECURITY] XSS in show item (#29397)
  • [SECURITY] Missing escaping in scheduler (#24474)
  • [SECURITY] XSS in BE file list (#30940)
  • [SECURITY] XSS possibility in RemoveXSS (#30188)
  • [SECURITY] XSS in be_layouts (#29536)
  • [SECURITY] XSS for extension meta data in About module (#30969)
  • [BUGFIX] Missing column in t3lib_TCEmain::getPreviousLocalizedRecordUid (#35260)
  • [TASK] Add missing sql_free_result in alt_doc.php (#34771)
  • [BUGFIX] Tooltips for items in groupfields are not moved (#35176)
  • [TASK] Code clean-up in t3lib_PageRenderer (#35160)
  • [BUGFIX] Blank page after Save+Close in page settings (#33791)
  • Revert “[BUGFIX] showAccessRestrictedPages doesn't replace links to restricted subpages” (#32756)
  • [BUGFIX] Fix baseurl handling of IE with RTE htmlArea in FE and realurl (#30847)
  • [BUGFIX] Fatal error 't3lib_lock' does not exist (#34662)


  • [SECURITY] Protect arguments of form __referrer with HMAC (#35310)


  • [SECURITY] Protect arguments of form __referrer with HMAC (#35310)


  • [BUGFIX] Custom validators may be overriden by default validators (#34566)
  • [BUGFIX] Code cleanup tx_linkvalidator_processor (#35058)
  • [BUGFIX] Methods should not be private (#34581)


  • [BUGFIX] Version record array is sorted twice (#35165)