Commit Graph

112 Commits (219e353ac1fff08e572bc108d96e06c58273a2d7)

Author SHA1 Message Date
Aleksander Machniak bdf0a6539e Relaxed domain name validation for extended TLDs support (#5588) 5 years ago
johndoh 51a9dd631f Add support for SameSite cookie attribute (req PHP >= 7.3.0) (#6772) 5 years ago
Aleksander Machniak 0b45c3c6b0 Fix matching multiple X-Forwarded-For addresses with 'proxy_whitelist' (#7107) 5 years ago
Aleksander Machniak e3c6989494 Log X-Real-IP only when it's different than REMOTE_ADDR 5 years ago
Aleksander Machniak 63730cf842 Fix security issue where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897) 5 years ago
Aleksander Machniak 057fb69bb9 Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899) 5 years ago
Aleksander Machniak 7bf868767e Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898) 5 years ago
Aleksander Machniak 1afa46d28d PHPDoc and CS fixes 5 years ago
Aleksander Machniak 8f895cb17f Replace function alias: getallheaders() -> apache_request_headers() 5 years ago
Aleksander Machniak 0a0ad2c9b7 Switch to IDNA2008 variant (#6806)
After switching IDNA_NONTRANSITIONAL_TO_ASCII on, switch to
IDNA2008 variant in Net_LDAP2. Add test, update changelog.
6 years ago
Max Bosse f1d3f9ee44 Fix: Use IDNA_NONTRANSITIONAL_TO_UNICODE for idn_to_utf8 call 6 years ago
Max Boße 70c20740e7 Set 'IDNA_NONTRANSITIONAL_TO_ASCII' idn-option 6 years ago
Amir Caspi 6b5fa52ec1 Update rcube_utils::parse_host, fixes #6746
Updated regexps used in parse_host to ensure that %t, %d, %z do not cut off domain and return only tld when underlying host has no subdomain (i.e., is just domain.tld rather than mail.domain.tld). Update fixes #6746, now returns nothing shorter than domain.tld.

Also removed backslash from character class, period does not need to be escaped within character class.
6 years ago
Aleksander Machniak 57c67db029 Remove year(s) from copyright headers + some cleanup 6 years ago
Aleksander Machniak 61eb78ad64 Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581) 6 years ago
Aleksander Machniak afc68aae63 Fix temp_filename() regressions, update changelog, add note in UPGRADING 6 years ago
PhilW e024f133fa give all temp files a constant prefix 6 years ago
Aleksander Machniak 2dcf50019c Merge branch 'master' into dev/elastic 6 years ago
Aleksander Machniak c28242f63c Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433) 6 years ago
Aleksander Machniak 796e5a17e6 Removed referer_check option (#6440) 6 years ago
Aleksander Machniak cba1605949 Add http_only argument to rcube_utils::setcookie() 6 years ago
Aleksander Machniak 0716d499bc Fix bug where some escape sequences in html styles could bypass security checks 7 years ago
Aleksander Machniak a889f55c31 Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244) 7 years ago
Aleksander Machniak b2bebe531a Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224) 7 years ago
Aleksander Machniak f36e23b778 Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216) 7 years ago
Aleksander Machniak 0f3ad342f7 Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212) 7 years ago
Aleksander Machniak a1be62b19d Remove redundant trim() 7 years ago
Aleksander Machniak 9d2b303b51 Fix bug in remote content blocking on HTML image and style tags (#6178) 7 years ago
Aleksander Machniak b172fb505c Improve trusted_host_patterns code 7 years ago
Aleksander Machniak 4a5ca74724 Merge branch 'trusted-host-patterns' of https://github.com/dsoares/roundcubemail into dsoares-trusted-host-patterns 7 years ago
Daniel Kesselberg a8d5547163 Update idn conversion methods (#6115)
* Add more test cases
* Update phpdoc
7 years ago
Aleksander Machniak 63a7d2313f Improve SMTPUTF8 support and fix relaxed email validation issues 7 years ago
Aleksander Machniak 5665344673 Merge branch 'smtputf8' of https://github.com/jprjr/roundcubemail into jprjr-smtputf8 7 years ago
Aleksander Machniak 3cdc8af297 Fix possible performance issue when parsing malformed and long Date header (#6087) 7 years ago
Aleksander Machniak 3488531b26 Fix PHP Warning: Use of undefined constant INTL_IDNA_VARIANT_UTS46 on servers without php-intl extension 7 years ago
Aleksander Machniak ca39a4e093 Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075) 7 years ago
dsoares 5282cbaff9 Check against trusted_host_patterns in rcube_utils::parse_host() 7 years ago
dsoares 50a9c8f777 Add option trusted_host_patterns 7 years ago
Aleksander Machniak 3196d656db Fix css conflicts in user interface and e-mail content (#5891)
... by adding prefix to element/class identifiers
Also cleaned up some code and removed global variable use.
7 years ago
Aleksander Machniak 5d16751ed8 Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580) 7 years ago
Thomas Bruederli 3723f3f178 Fix rcube_utils::random_bytes() to not throw exception for length=0 7 years ago
Aleksander Machniak 1fcf7bfab3 Fix bug where HTML messages with @media styles could modify style of page body (#5811) 8 years ago
Aleksander Machniak f0431c7475 Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788) 8 years ago
Aleksander Machniak 27a621818d Make sure rcube_utils::resolve_url() does not add port 80 to the url
...which might have happened with reverse proxies
8 years ago
Aleksander Machniak 8f22c3287d Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747) 8 years ago
Aleksander Machniak 9ff7b78c7e Fix conflict with _gid cookie of Google Analytics (#5748)
TODO: Review the whole code base and don't use INPUT_GPC when it's not really needed,
      in most cases we should not read $_COOKIE.
8 years ago
Thomas Bruederli bf21557873 Better fix for XSS in style tags (b59ff5ca) 8 years ago
Aleksander Machniak 05aae4711c Replace xss_entity_decode_callback() method with lambda function 8 years ago
Aleksander Machniak b59ff5cafb Fix XSS issue in handling of a style tag inside of an svg element 8 years ago
Aleksander Machniak 81f67a4de2 Don't use each() deprecated in PHP 7.2 8 years ago