CHANGELOG Roundcube Webmail =========================== RELEASE 1.1.10 -------------- - Fix file disclosure vulnerability caused by insufficient input validation [CVE-2017-16651] (#6026) RELEASE 1.1.9 ------------- - Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713) - Fix bug where base_dn setting was ignored inside group_filters (#5720) - Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114] RELEASE 1.1.8 ------------- - Fix bug where mail content frame couldn't be reset in some corner cases (#5608) - Fix regression where groups with email address were resolved to its members' addresses - Fix so group/addressbook selection is retained on page refresh - Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628) - Fix so microseconds macro (u) in log_date_format works (#1490446) - Fix XSS issue in handling of a style tag inside of an svg element RELEASE 1.1.7 ------------- - Fix vulnerability in handling of mail()'s 5th argument RELEASE 1.1.6 ------------- - Searching in both contacts and groups when LDAP addressbook with group_filters option is used - Use contact_search_name format in popup on results in compose contacts search - Fix missing localization of HTML editor when assets_dir != INSTALL_PATH - Fix handling of blockquote tags with mixed case on html2text conversion (#5363) - Fix message list multi-select/deselect issue (#5219) - Fix bug where contact search menu fields where always unchecked in Larry skin - Fix XSS issue in href attribute on area tag (#5240) - Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting - Don't create multipart/alternative messages with empty text/plain part (#5283) - Wash position:fixed style in HTML mail for better security (#5264) - Fix error causing empty INBOX listing in Firefox when using an URL with user:password specified (#5400) RELEASE 1.1.5 ------------- - Plugin API: Add html2text hook - Plugin API: Added addressbook_export hook - Fix missing emoticons on html-to-text conversion - Fix random "access to this resource is secured against CSRF" message at logout (#4956) - Fix missing language name in "Add to Dictionary" request in HTML mode (#4951) - Enable use of TLSv1.1 and TLSv1.2 for IMAP (#4955) - Fix XSS issue in SVG images handling (#4949) - Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#4958) - Fix bug where Archive/Junk buttons were not active after page jump with select=all mode (#4961) - Fix bug in long recipients list parsing for cases where recipient name contained @-char (#4964) - Fix additional_message_headers plugin compatibility with Mail_Mime >= 1.9 (#4966) - Hide DSN option in Preferences when smtp_server is not used (#4967) - Protect download urls against CSRF using unique request tokens (#4957) - newmail_notifier: Refactor desktop notifications - Fix so contactlist_fields option can be set via config file - Fix so SPECIAL-USE assignments are forced only until user sets special folders (#4782) - Fix performance in reverting order of THREAD result - Fix converting mail addresses with @www. into mailto links (#5197) RELEASE 1.1.4 ------------- - Add workaround for https://bugs.php.net/bug.php?id=70757 (#4931) - Fix duplicate messages in list and wrong count after delete (#4925) - Fix so Installer requires PHP5 - Make brute force attacks harder by re-generating security token on every failed login (#4913) - Slow down brute-force attacks by waiting for a second after failed login (#4913) - Fix .htaccess rewrite rules to not block .well-known URIs (#4943) - Fix mail view scaling on iOS (#4915) - Fix so database_attachments::cleanup() does not remove attachments from other sessions (#4907) - Fix responses list update issue after response name change (#4917) - Fix bug where message preview was unintentionally reset on check-recent action (#4921) - Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#4905) - Fix redundant blank lines when using HTML and top posting (#4927) - Fix redundant blank lines on start of text after html to text conversion (#4928) - Fix HTML sanitizer to skip in output (#4932) - Fix invalid LDAP query in ACL user autocompletion (#4934) - Fix regression in displaying contents of message/rfc822 parts (#4937) - Fix handling of message/rfc822 attachments on replies and forwards (#4938) - Fix PDF support detection in Firefox > 19 (#4941) - Fix path traversal vulnerability (CWE-22) in setting a skin (#4945) - Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#4944) RELEASE 1.1.3 ------------- - Fix closing of nested menus (#4854) - Fix so E_DEPRECATED errors from PEAR libs are ignored by error_reporting change (#4770) - Fix compatibility with PHP 5.3 in rcube_ldap class (#4842) - Get rid of Mail_mimeDecode package dependency (#4836) - Fix "Importing..." message does not hide on error (#4840) - Fix SQL error on logout when using session_storage=php (#4839) - Update to jQuery 2.1.4 (#5165) - Fix Compose action in addressbook for results from multiple addressbooks (#4834) - Fix bug where some messages in multi-folder search couldn't be viewed/printed/downloaded (#4843) - Fix unintentional messages list page change on page switch in compose addressbook (#4844) - Fix race-condition in saving user preferences and loading plugin config (#4845) - Fix so plain text signature field uses monospace font (#4848) - Fix so links with href == content aren't added to links list on html to text conversion (#4847) - Fix handling of non-break spaces in html to text conversion (#4849) - Fix self-reply detection issues (#4852) - Fix multi-folder search result sorting by arrival date (#4858) - Fix so *-request@ addresses in Sender: header are also ignored on reply-all (#4860) - Update to TinyMCE 4.1.10 (#5164) - Fix draft removal after a message is sent and storing sent message is disabled (#4869) - Fix so imap folder attribute comparisons are case-insensitive (#4868) - Fix bug where new messages weren't added to the list in search mode - Fix wrong positioning of message list header on page scroll in Webkit browsers (#4646) - Fix some javascript errors in rare situations (#4853) - Fix error when using back button after sending an email (#4628) - Fix removing signature when switching to identity with an empty sig in HTML mode (#4872) - Disable links list generation on html-to-text conversion of identities or composed message (#4850) - Fix "washing" of style elements wrapped into many lines - Fix so input field (e.g. search box) does not loose focus on list load (#4862) - Fix so css of one html part does not apply to other text parts on message display (#4887) - Fix handling of plus character in mailto: links (#4891) - Fix so adding CC/BCC recipients from the sidebar unhides compose form fields in Classic skin (#4874) - Fix so gc.sh script removes also expired sessions from sql database (#4893) - Fix support for Mozilla-based browsers, e.g. Pale Moon (#4895) - Fix various issues with Turkish (and similar) locales (#4896) - Fix so In-Reply-To header is set also for MDN receipts (#4897) - Fix missing HTTP_X_FORWARDED_FOR address in generated Received header - Fix XSS issue in drag-n-drop file uploads (#4900) - Fix issue where Content-Length of some attachments could be set to wrong value causing browser errors (#4877) RELEASE 1.1.2 ------------- - Add new plugin hook 'identity_create_after' providing the ID of the inserted identity (#4807) - Add option to place signature at bottom of the quoted text even in top-posting mode [sig_below] - Fix handling of %-encoded entities in mailto: URLs (#4799) - Fix zipped messages downloads after selecting all messages in a folder (#4797) - Fix vpopmaild driver of password plugin - Fix PHP warning: Non-static method PEAR::setErrorHandling() should not be called statically (#4798) - Fix tables listing routine on mysql and postgres so it skips system or other database tables and views (#4796) - Fix message list header in classic skin on window resize in Internet Explorer (#4732) - Fix so text/calendar parts are listed as attachments even if not marked as such (#4795) - Fix lack of signature separator for plain text signatures in html mode (#4802) - Fix font artifact in Google Chrome on Windows (#4803) - Fix bug where forced extwin page reload could exit from the extwin mode (#4801) - Fix bug where some unrelated attachments in multipart/related message were not listed (#4805) - Fix mouseup event handling when dragging a list record (#4808) - Fix bug where preview_pane setting wasn't always saved into user preferences (#4809) - Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#4814) - Fix security issue in contact photo handling (#4817) - Fix possible memcache/apc cache data consistency issues (#4820) - Fix bug where imap_conn_options were ignored in IMAP connection test (#4822) - Fix bug where some files could have "executable" extension when stored in temp folder (#4815) - Fix attached file path unsetting in database_attachments plugin (#4823) - Fix issues when using moduserprefs.sh without --user argument (#4825) - Fix potential info disclosure issue by protecting directory access (#4816) - Fix blank image in html_signature when saving identity changes (#4833) - Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#4827) - Fix XSS vulnerability in _mbox argument handling (#4837) RELEASE 1.1.1 ------------- - ACL: Allow other plugins to adjust the list of permissions and groups to edit - Add possibility to print contact information (of a single contact) - Add possibility to configure max_allowed_packet value for all database engines (#4772) - Improved handling of storage errors after message is sent - Update to TinyMCE 4.1.9 - Unified request* event arguments handling, added support for _unlock and _action parameters - Security: Generate random hash for the per-user local storage prefix (#4768) - Fix refreshing of drafts list when sending a message which was saved in meantime (#4745) - Fix saving/sending emoticon images when assets_dir is set - Fix PHP fatal error when visiting Vacation interface and there's no sieve script yet (#4778) - Fix setting max packet size for DB caches and check packet size also in shared cache - Fix needless security warning on BMP attachments display (#4771) - Fix handling of some improper constructs in format=flowed text as per the RFC3676[4.5] (#4773) - Fix performance of rcube_db_mysql::get_variable() - Fix missing or not up-to-date CATEGORIES entry in vCard export (#4766) - Fix fatal errors on systems without mbstring extension or mb_regex_encoding() function (#4769) - Fix cursor position on reply below the quote in HTML mode (#4759) - Fix so "over quota" errors are displayed also in message compose page - Fix duplicate entries supression in autocomplete result (#4776) - Fix "Non-static method PEAR::isError() should not be called statically" errors (#4770) - Fix parsing invalid HTML messages with BOM after (#4777) - Fix duplicate entry on timezones list in rcube_config::timezone_name_from_abbr() (#4779) - Fix so localized folder name is displayed in multi-folder search result (#4750) - Fix javascript error after creating a folder which is a subfolder of another one (#4781) - Fix bug where subject of sent/saved message was removed if mbstring wasn't installed (#4780) - Fix missing vcard_attachment icon on messages list (#4783) - Fix storing signatures with big images in MySQL database (#4785) - Fix Opera browser detection in javascript (#4786) - Fix so search filter, scope and fields are reset on folder change - Fix rows count when messages search fails (#4760) - Fix bug where spellchecking in HTML editor do not work after switching editor type more than once (#4789) - Fix bug where TinyMCE area height was too small on slow network connection (#4788) - Fix backtick character handling in sql queries (#4790) - Fix redirct URL for attachments loaded in an iframe when behind proxy (#4724) - Fix menu container references to point to the actual