Aleksander Machniak
bdf0a6539e
Relaxed domain name validation for extended TLDs support ( #5588 )
5 years ago
johndoh
51a9dd631f
Add support for SameSite cookie attribute (req PHP >= 7.3.0) ( #6772 )
5 years ago
Aleksander Machniak
0b45c3c6b0
Fix matching multiple X-Forwarded-For addresses with 'proxy_whitelist' ( #7107 )
5 years ago
Aleksander Machniak
e3c6989494
Log X-Real-IP only when it's different than REMOTE_ADDR
5 years ago
Aleksander Machniak
63730cf842
Fix security issue where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class ( #6897 )
5 years ago
Aleksander Machniak
057fb69bb9
Fix bug where some strict remote URIs in url() style were unintentionally blocked ( #6899 )
5 years ago
Aleksander Machniak
7bf868767e
Fix security issue where it was possible to bypass the position:fixed CSS check in received messages ( #6898 )
5 years ago
Aleksander Machniak
1afa46d28d
PHPDoc and CS fixes
5 years ago
Aleksander Machniak
8f895cb17f
Replace function alias: getallheaders() -> apache_request_headers()
5 years ago
Aleksander Machniak
0a0ad2c9b7
Switch to IDNA2008 variant ( #6806 )
...
After switching IDNA_NONTRANSITIONAL_TO_ASCII on, switch to
IDNA2008 variant in Net_LDAP2. Add test, update changelog.
6 years ago
Max Bosse
f1d3f9ee44
Fix: Use IDNA_NONTRANSITIONAL_TO_UNICODE for idn_to_utf8 call
6 years ago
Max Boße
70c20740e7
Set 'IDNA_NONTRANSITIONAL_TO_ASCII' idn-option
6 years ago
Amir Caspi
6b5fa52ec1
Update rcube_utils::parse_host, fixes #6746
...
Updated regexps used in parse_host to ensure that %t, %d, %z do not cut off domain and return only tld when underlying host has no subdomain (i.e., is just domain.tld rather than mail.domain.tld). Update fixes #6746 , now returns nothing shorter than domain.tld.
Also removed backslash from character class, period does not need to be escaped within character class.
6 years ago
Aleksander Machniak
57c67db029
Remove year(s) from copyright headers + some cleanup
6 years ago
Aleksander Machniak
61eb78ad64
Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead ( #6581 )
6 years ago
Aleksander Machniak
afc68aae63
FIx temp_filename() regressions, update changelog, add note in UPGRADING
6 years ago
PhilW
e024f133fa
give all temp files a constant prefix
6 years ago
Aleksander Machniak
2dcf50019c
Merge branch 'master' into dev/elastic
6 years ago
Aleksander Machniak
c28242f63c
Log errors caused by low pcre.backtrack_limit when sending a mail message ( #6433 )
6 years ago
Aleksander Machniak
796e5a17e6
Removed referer_check option ( #6440 )
6 years ago
Aleksander Machniak
cba1605949
Add http_only argument to rcube_utils::setcookie()
6 years ago
Aleksander Machniak
0716d499bc
Fix bug where some escape sequences in html styles could bypass security checks
7 years ago
Aleksander Machniak
a889f55c31
Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl ( #6244 )
7 years ago
Aleksander Machniak
b2bebe531a
Fix bug where usernames without domain part could be malformed or converted to lower-case on logon ( #6224 )
7 years ago
Aleksander Machniak
f36e23b778
Fix parsing date strings (e.g. from a Date: mail header) with comments ( #6216 )
7 years ago
Aleksander Machniak
0f3ad342f7
Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() ( #6212 )
7 years ago
Aleksander Machniak
a1be62b19d
Remove redundant trim()
7 years ago
Aleksander Machniak
9d2b303b51
Fix bug in remote content blocking on HTML image and style tags ( #6178 )
7 years ago
Aleksander Machniak
b172fb505c
Improve trusted_host_patterns code
7 years ago
Aleksander Machniak
4a5ca74724
Merge branch 'trusted-host-patterns' of https://github.com/dsoares/roundcubemail into dsoares-trusted-host-patterns
7 years ago
Daniel Kesselberg
a8d5547163
Update idn convertion methods ( #6115 )
...
* Add more test cases
* Update phpdoc
7 years ago
Aleksander Machniak
63a7d2313f
Improve SMTPUTF8 support and fix relaxed email validation issues
7 years ago
Aleksander Machniak
5665344673
Merge branch 'smtputf8' of https://github.com/jprjr/roundcubemail into jprjr-smtputf8
7 years ago
Aleksander Machniak
3cdc8af297
Fix possible performance issue when parsing malformed and long Date header ( #6087 )
7 years ago
Aleksander Machniak
3488531b26
Fix PHP Warning: Use of undefined constant INTL_IDNA_VARIANT_UTS46 on servers without php-intl extension
7 years ago
Aleksander Machniak
ca39a4e093
Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 ( #6075 )
7 years ago
dsoares
5282cbaff9
Check against trusted_host_patterns in rcube_utils::parse_host()
7 years ago
dsoares
50a9c8f777
Add option trusted_host_patterns
7 years ago
Aleksander Machniak
3196d656db
Fix css conflicts in user interface and e-mail content ( #5891 )
...
... by adding prefix to element/class identifiers
Also cleaned up some code and removed global variable use.
7 years ago
Aleksander Machniak
5d16751ed8
Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview ( #5580 )
7 years ago
Thomas Bruederli
3723f3f178
Fix rcube_utils::random_bytes() to not throw exception for length=0
7 years ago
Aleksander Machniak
1fcf7bfab3
Fix bug where HTML messages with @media styles could moddify style of page body ( #5811 )
8 years ago
Aleksander Machniak
f0431c7475
Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length ( #5788 )
8 years ago
Aleksander Machniak
27a621818d
Make sure rcube_utils::resolve_url() does not add port 80 to the url
...
...which might have happened with reverse proxies
8 years ago
Aleksander Machniak
8f22c3287d
Fix bug where comment notation within style tag would cause the whole style to be ignored ( #5747 )
8 years ago
Aleksander Machniak
9ff7b78c7e
Fix conflict with _gid cookie of Google Analytics ( #5748 )
...
TODO: Review the whole code base and don't use INPUT_GPC when it's not really needed,
in most cases we should not read $_COOKIE.
8 years ago
Thomas Bruederli
bf21557873
Better fix for XSS in style tags ( b59ff5ca
)
8 years ago
Aleksander Machniak
05aae4711c
Replace xss_entity_decode_callback() method with lambda function
8 years ago
Aleksander Machniak
b59ff5cafb
Fix XSS issue in handling of a style tag inside of an svg element
8 years ago
Aleksander Machniak
81f67a4de2
Don't use each() deprecated in PHP 7.2
8 years ago