e4dc3e942c
Bump version to 1.3.15
5 years ago
d44ca2308a
Fix cross-site scripting (XSS) via HTML messages with malicious svg or math content
5 years ago
abddddb12c
Bump version to 1.3.14
5 years ago
1950241975
Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
Credits to SSD Secure Disclosure (https://ssd-disclosure.com/ )
5 years ago
45dced3b8f
Bump version to 1.3.13
5 years ago
2bf097dcdb
Installer: Fix regression in SMTP test section ( #7417 )
5 years ago
7a792f8a90
Fix changelog
[skip ci]
5 years ago
884eb61162
Security: Fix cross-site scripting (XSS) via malicious XML attachment
5 years ago
fc97dc2e67
Bump version to 1.3.12
5 years ago
db49dba3e4
Security: Better fix for CVE-2020-12641
5 years ago
37e2bc7457
Security: Fix XSS issue in template object 'username' ( #7406 )
5 years ago
655cfa50cc
Security: Fix couple of XSS issues in Installer ( #7406 )
5 years ago
fe0d97e5e0
Bump version to 1.3.11
5 years ago
1e7bec9cb8
Fix CSRF bypass that could be used to log out an authenticated user ( #7302 )
5 years ago
c0eea755cf
Fix local file inclusion (and code execution) via crafted 'plugins' option
5 years ago
47f431b1d6
Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
5 years ago
23c06159ae
Fix XSS issue in handling of CDATA in HTML messages
5 years ago
25c4861542
Update changelog
6 years ago
b7f1c94b97
Enigma: Fix incorrect encrypted mail structure (boundary) with Mail_Mime >= 1.10.5
6 years ago
c76153e752
Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc ( #7003 )
6 years ago
3483c6407f
Fix PHP Warning: Use of undefined constant LOG_EMERGE ( #6991 )
6 years ago
e97837ba21
Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces ( #6980 )
6 years ago
e37d9a1337
Fix travis testing on PHP 5.4 and 5.5
6 years ago
4683204ddf
Fix PHP Warning: Redis::connect() expects parameter 2 to be int, string given
6 years ago
5315c7507f
Update changelog
6 years ago
ff7161ddc4
Use 0775 permission, it's needed for e.g. skins/elastic/deps folder
8 years ago
25a97474a5
Fix array offset access syntax with curly braces
6 years ago
0132ff0d85
Fix PHP 7.4 warning: "Creating default object from empty value"
6 years ago
2348899a3f
Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs ( #6896 )
6 years ago
554a20fe49
Fix security issue where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class ( #6897 )
6 years ago
c0c42d1075
Fix bug where some strict remote URIs in url() style were unintentionally blocked ( #6899 )
6 years ago
d0d8c1ace5
Fix security issue where it was possible to bypass the position:fixed CSS check in received messages ( #6898 )
6 years ago
f2e610dbe5
Bump version to 1.3.10
6 years ago
45e099b0be
Fix implode() wrong parameter order ( #6866 )
It has been deprecated in PHP 7.4.
Such as PHP deprecated: implode(): Passing glue string after array is deprecated. Swap the parameters in /var/www/roundcubemail/program/lib/Roundcube/rcube_db.php on line 917
Signed-off-by: Jack Cherng <jfcherng@gmail.com>
6 years ago
42c473aedd
Fix wrong messages order after returning to a multi-folder search result ( #6836 )
6 years ago
c25a6cf09b
Fix bug in miemetype name comparator
The code was removing the first matching prefix (x- or x-ms-), which
caused 'x-ms-bmp' to end up as 'ms-bmp'. It should be 'bmp'. Fixed by
reverting the order of tokens in the regexp.
6 years ago
22375170df
Fix bug in converting multi-page Tiff images into Jpeg ( #6824 )
When using 'convert' binary we have to use -flatten argument (the same
as we do with thumbnails) otherwise it will produce multiple output files
with -0, -1, etc. suffix. This way we make sure to generate only one image
until we support multi-page Tiff properly.
6 years ago
77c2c8155a
Fix bug where selection of columns on messages list wasn't working
6 years ago
70622c37e6
Fix bug where Next/Prev button in mail view didn't work with multi-folder search result ( #6793 )
6 years ago
d6f9b79be5
Update changelog
6 years ago
1cd1990053
Fix PHP error when using Net_LDAP3 from master
get_entry() method signature has changed. We don't really needed
that override in rcube_ldap_generic, so it's now removed.
6 years ago
37f4c7df77
Update changelog, add some tests for rcube_utils::parse_host()
6 years ago
06c5a20331
Update rcube_utils::parse_host, fixes #6746
Updated regexps used in parse_host to ensure that %t, %d, %z do not cut off domain and return only tld when underlying host has no subdomain (i.e., is just domain.tld rather than mail.domain.tld). Update fixes #6746 , now returns nothing shorter than domain.tld.
Also removed backslash from character class, period does not need to be escaped within character class.
6 years ago
55ebae3c1e
Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (6758)
6 years ago
de25226d31
Enigma: Fix "decryption oracle" bug [CVE-2019-10740] ( #6638 )
When composing mail (on reply/forward/edit) we decrypt content only
in the first "content part" of the message.
6 years ago
8b649420ff
Fix regexp
6 years ago
f8afd18713
Enigma: Fix error message when trying to encrypt with a revoked private key ( #6607 )
6 years ago
0c828a254e
Enigma: Fix bug where revoked users/keys were not greyed out in key info
The 'deleted' class was assigned to the wrong (next) row in a table.
It also didn't work in Elastic skin at all because of the missing style.
6 years ago
cfd3d4ad38
Fix PHP Deprecated: idn_to_ascii(): INTL_IDNA_VARIANT_2003 is deprecated
Use rcube_utils::idn_to_ascii() instead of idn_to_ascii().
6 years ago
8b706775f3
Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp ( #6744 )
Looks like \R is not allowed in character class, but \r\n is fine.
On PHP 7.3.5 it throws warnings and empty result from preg_replace(),
though I couldn't reproduce.
6 years ago
Thomas Bruederli