Commit Graph

69 Commits (ee6b5e9e58ad762d2e1500536a7d0740c4ff292c)

Author SHA1 Message Date
Aleksander Machniak 1fcf7bfab3 Fix bug where HTML messages with @media styles could moddify style of page body (#5811) 8 years ago
Aleksander Machniak f0431c7475 Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788) 8 years ago
Aleksander Machniak 27a621818d Make sure rcube_utils::resolve_url() does not add port 80 to the url
...which might have happened with reverse proxies
8 years ago
Aleksander Machniak 8f22c3287d Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747) 8 years ago
Aleksander Machniak 9ff7b78c7e Fix conflict with _gid cookie of Google Analytics (#5748)
TODO: Review the whole code base and don't use INPUT_GPC when it's not really needed,
      in most cases we should not read $_COOKIE.
8 years ago
Thomas Bruederli bf21557873 Better fix for XSS in style tags (b59ff5ca) 8 years ago
Aleksander Machniak 05aae4711c Replace xss_entity_decode_callback() method with lambda function 8 years ago
Aleksander Machniak b59ff5cafb Fix XSS issue in handling of a style tag inside of an svg element 8 years ago
Aleksander Machniak 81f67a4de2 Don't use each() deprecated in PHP 7.2 8 years ago
Aleksander Machniak dfd19206a4 sizeof() -> count() 8 years ago
Aleksander Machniak 7340360e79 Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580) 8 years ago
Aleksander Machniak 4e0532808d Fix bug where it wasn't possible to store more that 2MB objects in memcache/apc (#5452)
Added memcache_max_allowed_packet and apc_max_allowed_packet settings
8 years ago
Aleksander Machniak 195dc11855 Support host-specific imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136) 8 years ago
Aleksander Machniak dcabc1d814 Merge remote-tracking branch 'upstream/master'
Conflicts:
	tests/Framework/Washtml.php
8 years ago
Aleksander Machniak c3fc072d97 Remove code related to magic_quotes_* and register_globals
...they do not exist in PHP 5.4 which we now require.
8 years ago
Aleksander Machniak 906cf101c3 Better time handling in rcube_utils::clean_datestr() 8 years ago
Aleksander Machniak ec1525a1e6 Remove debug code 8 years ago
Aleksander Machniak ed35267b9b Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372)
Added new method rcube_utils::format_datestr() to convert date_format date
into ISO date format.
8 years ago
Aleksander Machniak f2eafda539 Fix bug where microsecond format in logged date didn't work in some cases 9 years ago
Aleksander Machniak d61d33a12a Fix handling of --delete argument in moduserprefs.sh script (#5296) 9 years ago
Aleksander Machniak 6737e293bb Wash position:fixed style in HTML mail for better security (#5264) 9 years ago
Aleksander Machniak cbe701ac4a Fix rcube_utils::words_match() to work with mixed/invalid/binary content (T844) 9 years ago
Aleksander Machniak 7e3298753a Use ternary operator where aplicable 9 years ago
Aleksander Machniak a03233ceba CS fixes 9 years ago
Aleksander Machniak b2b9b591ce Fix handling random_bytes() errors in PHP 7.0.0RC3 9 years ago
Aleksander Machniak e85bbc9e9c random_bytes() can throw an exception in some cases, since PHP 7.0.0rc3 9 years ago
Aleksander Machniak 26086981a2 Improve randomness of security tokens (#1490529) 9 years ago
Aleksander Machniak f00e1f5333 CS fixes 9 years ago
Aleksander Machniak 7a42173a16 Simplify rcube_utils::check_ip() 9 years ago
Aleksander Machniak 6b31846c43 Fix IPv6 address validation on PHP with disabled IPv6 support 9 years ago
Aleksander Machniak 93e64008a6 Small code improvements 9 years ago
Aleksander Machniak 8447bae77c Require Mbstring and OpenSSL extensions (#1490415) - remove redundant code 10 years ago
Aleksander Machniak 9aae1b7fc3 Fix so microseconds macro (u) in log_date_format works (#1490446) 10 years ago
Aleksander Machniak a958748947 CS fixes 10 years ago
Aleksander Machniak 3994b3a26c Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402) 10 years ago
Thomas Bruederli c32998084d Add untility function to match strings ignoring word order 10 years ago
Thomas Bruederli e8b82c2e7b Fix rcube_utils::normalize_string() to support unicode characters + add argument for minimum token length 10 years ago
Thomas Bruederli 09c58d1add Make rcube_utils::strtotime() timezone aware (#1490163) 10 years ago
Aleksander Machniak 787a421846 Fix rcube_utils::anytodatetime() with no timezone specified 10 years ago
Aleksander Machniak 848e204ef9 Fix validation of email addresses with IDNA domains (#1490067) 10 years ago
Aleksander Machniak 29c24e647c Get rid of DIRECTORY_SEPARATOR for consistency 10 years ago
Aleksander Machniak 5f58127eae Added rcube_utils::resolve_url() 10 years ago
Aleksander Machniak 75bbada03b Remove code for PHP<5.3, use PHP_VERSION_ID instead of version_compare() for version checks 10 years ago
Thomas Bruederli cc850263d4 Add optional timezone argument for date conversion 10 years ago
Aleksander Machniak 49dad5f669 Fix broken normalize_string(), add support for ISO-8859-2 11 years ago
Felix Eckhofer 30e6b980a6 Remove usage of $RCMAIL global variable 11 years ago
Felix Eckhofer ef721fc430 Add config variable 'proxy_whitelist'
HTTP headers X_FORWARDED_* and X_REAL_IP are only evaluated when
received from an IP listed in proxy_whitelist. Furthermore, only the
last non-trusted IP from X-Forwarded-For is used in place of the real
ip.

Without this, an attacker can easily spoof the headers and control the
result of the ip or ssl check.

This fixes several problems with [3a4c9f42], [4d480b36] and [a520f331] as
mentioned in #1489729.
11 years ago
Aleksander Machniak 517c9f9a8d Fix directories check in Installer on Windows (#1489576)
Added rcube_utils::is_absolute_path() method
11 years ago
Aleksander Machniak f6d23a8dce Fix PHP warning when 1st argument of parse_host() is not a string (#1489486) 11 years ago
Aleksander Machniak a520f331c1 Fix handling of X-Forwarded-For header with multiple addresses (#1489481) 11 years ago