Aleksander Machniak
554a20fe49
Fix security issue where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897)
6 years ago
Aleksander Machniak
c0c42d1075
Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899)
6 years ago
Aleksander Machniak
d0d8c1ace5
Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898)
6 years ago
Amir Caspi
06c5a20331
Update rcube_utils::parse_host, fixes #6746
Updated regexps used in parse_host to ensure that %t, %d, %z do not cut off domain and return only tld when underlying host has no subdomain (i.e., is just domain.tld rather than mail.domain.tld). Update fixes #6746, now returns nothing shorter than domain.tld.
Also removed backslash from character class; period does not need to be escaped within character class.
7 years ago
Aleksander Machniak
1d7b488841
Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581)
7 years ago
Aleksander Machniak
d9eed3625b
Fix bug where some escape sequences in html styles could bypass security checks
8 years ago
Aleksander Machniak
8477b881e5
Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
8 years ago
Aleksander Machniak
c278b8796f
Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)
8 years ago
Aleksander Machniak
60902de521
Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
8 years ago
Aleksander Machniak
f55724d1e8
Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212)
8 years ago
Aleksander Machniak
b8e51b9d2f
Remove redundant trim()
8 years ago
Aleksander Machniak
24dcdb5414
Fix bug in remote content blocking on HTML image and style tags (#6178)
8 years ago
Aleksander Machniak
472e48ff0d
Fix possible performance issue when parsing malformed and long Date header ( #6087 )
8 years ago
Aleksander Machniak
cdf7a88b3e
Fix PHP Warning: Use of undefined constant INTL_IDNA_VARIANT_UTS46 on servers without php-intl extension
8 years ago
Aleksander Machniak
a315f2b16d
Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075)
8 years ago
Thomas Bruederli
3762dba408
Fix rcube_utils::random_bytes() to not throw exception for length=0
8 years ago
Aleksander Machniak
972be07a41
Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
8 years ago
Aleksander Machniak
39fa590bad
Fix bug where HTML messages with @media styles could modify style of page body (#5811)
9 years ago
Aleksander Machniak
2c6cc41c8f
Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
9 years ago
Aleksander Machniak
dade481658
Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
9 years ago
Aleksander Machniak
41c70e162b
Fix conflict with _gid cookie of Google Analytics (#5748)
TODO: Review the whole code base and don't use INPUT_GPC when it's not really needed,
in most cases we should not read $_COOKIE.
9 years ago
Thomas Bruederli
bf21557873
Better fix for XSS in style tags (b59ff5ca)
9 years ago
Aleksander Machniak
05aae4711c
Replace xss_entity_decode_callback() method with lambda function
9 years ago
Aleksander Machniak
b59ff5cafb
Fix XSS issue in handling of a style tag inside of an svg element
9 years ago
Aleksander Machniak
81f67a4de2
Don't use each() deprecated in PHP 7.2
9 years ago
Aleksander Machniak
dfd19206a4
sizeof() -> count()
9 years ago
Aleksander Machniak
7340360e79
Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
9 years ago
Aleksander Machniak
4e0532808d
Fix bug where it wasn't possible to store more than 2MB objects in memcache/apc (#5452)
Added memcache_max_allowed_packet and apc_max_allowed_packet settings
9 years ago
Aleksander Machniak
195dc11855
Support host-specific imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136)
9 years ago
Aleksander Machniak
dcabc1d814
Merge remote-tracking branch 'upstream/master'
Conflicts:
tests/Framework/Washtml.php
10 years ago
Aleksander Machniak
c3fc072d97
Remove code related to magic_quotes_* and register_globals
...they do not exist in PHP 5.4 which we now require.
10 years ago
Aleksander Machniak
906cf101c3
Better time handling in rcube_utils::clean_datestr()
10 years ago
Aleksander Machniak
ec1525a1e6
Remove debug code
10 years ago
Aleksander Machniak
ed35267b9b
Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372)
Added new method rcube_utils::format_datestr() to convert date_format date
into ISO date format.
10 years ago
Aleksander Machniak
f2eafda539
Fix bug where microsecond format in logged date didn't work in some cases
10 years ago
Aleksander Machniak
d61d33a12a
Fix handling of --delete argument in moduserprefs.sh script (#5296)
10 years ago
Aleksander Machniak
6737e293bb
Wash position:fixed style in HTML mail for better security (#5264)
10 years ago
Aleksander Machniak
cbe701ac4a
Fix rcube_utils::words_match() to work with mixed/invalid/binary content (T844)
10 years ago
Aleksander Machniak
7e3298753a
Use ternary operator where applicable
10 years ago
Aleksander Machniak
a03233ceba
CS fixes
10 years ago
Aleksander Machniak
b2b9b591ce
Fix handling random_bytes() errors in PHP 7.0.0RC3
10 years ago
Aleksander Machniak
e85bbc9e9c
random_bytes() can throw an exception in some cases, since PHP 7.0.0rc3
10 years ago
Aleksander Machniak
26086981a2
Improve randomness of security tokens (#1490529)
10 years ago
Aleksander Machniak
f00e1f5333
CS fixes
10 years ago
Aleksander Machniak
7a42173a16
Simplify rcube_utils::check_ip()
11 years ago
Aleksander Machniak
6b31846c43
Fix IPv6 address validation on PHP with disabled IPv6 support
11 years ago
Aleksander Machniak
93e64008a6
Small code improvements
11 years ago
Aleksander Machniak
8447bae77c
Require Mbstring and OpenSSL extensions (#1490415) - remove redundant code
11 years ago
Aleksander Machniak
9aae1b7fc3
Fix so microseconds macro (u) in log_date_format works (#1490446)
11 years ago
Aleksander Machniak
a958748947
CS fixes
11 years ago