[Pkg-roundcube-maintainers] Security issues in roundcube 1.2.3+dfsg.1-4+deb9u3 and 1.3.10+dfsg.1-1~deb10u1
Guilhem Moulin
guilhem at debian.org
Wed Apr 29 23:36:11 BST 2020
Dear security team,
In a recent mail roundcube webmail upstream has announced the following
security fixes:
- Cross-Site Scripting (XSS) via malicious HTML content
- CSRF attack can cause an authenticated user to be logged out
https://github.com/roundcube/roundcubemail/pull/7302
(Plus two more that are irrelevant for Debian.)
http://lists.roundcube.net/pipermail/announce/2020-April/thread.html
Unfortunately upstream didn't assign CVEs (yet?), however the issues are
respectively tracked in our BTS as #959140 and #959142.
For stretch-security I prepared 1.2.3+dfsg.1-4+deb9u4 with the attached
debdiff.
The package in buster is currently following the 1.3 branch so I guess
it'd make sense to upload 1.3.11+dfsg.1-1~deb10u1 to the upcoming Debian
10.4 and skip buster-security. I suppose the second debdiff is beyond
the scope of buster-security, but if you disagree I'd be happy to change
the target and upload there instead of buster-pu.
Both versions have been tested.
Cheers,
--
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1
changelog | 10 ++++++++++
patches/bug959140.patch | 22 ++++++++++++++++++++++
patches/bug959142.patch | 41 +++++++++++++++++++++++++++++++++++++++++
patches/series | 2 ++
4 files changed, 75 insertions(+)
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2018-11-24 04:36:11.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2020-04-29 23:42:35.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.2.3+dfsg.1-4+deb9u4) stretch-security; urgency=high
+
+ * Backport security fixes from 1.2.10:
+ - Cross-Site Scripting (XSS) vulnerability via malicious HTML messages
+ (Closes: #959140)
+ - CSRF attack can cause an authenticated user to be logged out
+ (Closes: #959142)
+
+ -- Guilhem Moulin <guilhem at debian.org> Wed, 29 Apr 2020 23:42:35 +0200
+
roundcube (1.2.3+dfsg.1-4+deb9u3) stretch-security; urgency=high
* Backport fix for CVE-2018-19206: XSS vulnerability via crafted use of
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/bug959140.patch roundcube-1.2.3+dfsg.1/debian/patches/bug959140.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/bug959140.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/bug959140.patch 2020-04-29 23:42:35.000000000 +0200
@@ -0,0 +1,22 @@
+commit 4312dc4efecb9553fcacfab0ab9d9ee6e88477e7
+Author: Aleksander Machniak <alec at alec.pl>
+Date: Sun Apr 26 07:59:47 2020 +0200
+
+ Fix XSS issue in handling of CDATA in HTML messages
+
+---
+ program/lib/Roundcube/rcube_washtml.php | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/program/lib/Roundcube/rcube_washtml.php
++++ b/program/lib/Roundcube/rcube_washtml.php
+@@ -469,9 +469,6 @@ class rcube_washtml
+ break;
+
+ case XML_CDATA_SECTION_NODE:
+- $dump .= $node->nodeValue;
+- break;
+-
+ case XML_TEXT_NODE:
+ $dump .= htmlspecialchars($node->nodeValue);
+ break;
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/bug959142.patch roundcube-1.2.3+dfsg.1/debian/patches/bug959142.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/bug959142.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/bug959142.patch 2020-04-29 23:42:35.000000000 +0200
@@ -0,0 +1,41 @@
+commit cceeff2472c00acb2c6b96c9df7a289f1db77713
+Author: Aleksander Machniak <alec at alec.pl>
+Date: Sun Apr 26 08:03:59 2020 +0200
+
+ Fix CSRF bypass that could be used to log out an authenticated user (#7302)
+
+---
+ index.php | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/index.php
++++ b/index.php
+@@ -93,7 +93,9 @@ if ($RCMAIL->task == 'login' && $RCMAIL-
+ $request_valid = $_SESSION['temp'] && $RCMAIL->check_request();
+
+ // purge the session in case of new login when a session already exists
+- $RCMAIL->kill_session();
++ if ($request_valid) {
++ $RCMAIL->kill_session();
++ }
+
+ $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
+ 'host' => $RCMAIL->autoselect_host(),
+@@ -168,13 +170,15 @@ if ($RCMAIL->task == 'login' && $RCMAIL-
+ $RCMAIL->plugins->exec_hook('login_failed', array(
+ 'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
+
+- $RCMAIL->kill_session();
++ if (!isset($_SESSION['user_id'])) {
++ $RCMAIL->kill_session();
++ }
+ }
+ }
+
+ // end session
+ else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
+- $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);
++ $RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST);
+
+ $userdata = array(
+ 'user' => $_SESSION['username'],
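Review bot: the three nested hunks only work as a set and the patch description should say so: `$request_valid` requires both `$_SESSION['temp']` and a passing `check_request()`, so the first hunk purges a pre-existing session only when the login request carries a valid token; the second hunk then keeps that session alive when the invalid login attempt fails, because `kill_session()` now runs only if no `$_SESSION['user_id']` is set; and the third hunk makes the logout handler look for the security token in both GET and POST (`rcube_utils::INPUT_GET | rcube_utils::INPUT_POST`) rather than GET only. As with the other new patch file, a `Bug-Debian: https://bugs.debian.org/959142` line and an `Origin:` line naming upstream commit cceeff2472c00acb2c6b96c9df7a289f1db77713 would help tracking.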
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2018-11-24 04:36:11.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/series 2020-04-29 23:42:35.000000000 +0200
@@ -16,3 +16,5 @@
CVE-2018-9846.patch
CVE-2018-1000071.patch
CVE-2018-19206.patch
+bug959140.patch
+bug959142.patch
-------------- next part --------------
diffstat for roundcube-1.3.10+dfsg.1 roundcube-1.3.11+dfsg.1
.travis.yml | 4 ++
CHANGELOG | 12 +++++++
bin/install-jsdeps.sh | 2 -
debian/changelog | 10 ++++++
debian/patches/correct_install_path.patch | 2 -
debian/patches/upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch | 2 -
index.php | 12 +++++--
installer/index.php | 2 -
plugins/enigma/lib/enigma_mime_message.php | 11 +++++-
program/include/iniset.php | 2 -
program/include/rcmail_install.php | 2 -
program/lib/Roundcube/bootstrap.php | 2 -
program/lib/Roundcube/html.php | 4 ++
program/lib/Roundcube/rcube_image.php | 8 +++--
program/lib/Roundcube/rcube_imap.php | 3 -
program/lib/Roundcube/rcube_ldap_generic.php | 2 -
program/lib/Roundcube/rcube_plugin_api.php | 16 ++++++++++
program/lib/Roundcube/rcube_session_redis.php | 4 +-
program/lib/Roundcube/rcube_washtml.php | 3 -
program/steps/mail/sendmail.inc | 2 -
public_html/index.php | 2 -
public_html/plugins/enigma/lib/enigma_mime_message.php | 11 +++++-
22 files changed, 88 insertions(+), 30 deletions(-)
diff -Nru roundcube-1.3.10+dfsg.1/bin/install-jsdeps.sh roundcube-1.3.11+dfsg.1/bin/install-jsdeps.sh
--- roundcube-1.3.10+dfsg.1/bin/install-jsdeps.sh 2019-08-28 13:24:49.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/bin/install-jsdeps.sh 2020-04-26 22:20:25.000000000 +0200
@@ -195,7 +195,7 @@
$destdir = INSTALL_PATH . $package['dest'];
if (!is_dir($destdir)) {
- mkdir($destdir, 0774, true);
+ mkdir($destdir, 0775, true);
}
if (!is_writeable($destdir)) {
diff -Nru roundcube-1.3.10+dfsg.1/CHANGELOG roundcube-1.3.11+dfsg.1/CHANGELOG
--- roundcube-1.3.10+dfsg.1/CHANGELOG 2019-08-28 13:24:49.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/CHANGELOG 2020-04-26 22:20:25.000000000 +0200
@@ -1,6 +1,18 @@
CHANGELOG Roundcube Webmail
===========================
+RELEASE 1.3.11
+--------------
+- Enigma: Fix compatibility with Mail_Mime >= 1.10.5
+- Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
+- Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
+- Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
+- Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc (#7003)
+- Security: Fix XSS issue in handling of CDATA in HTML messages
+- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
+- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
+- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
+
RELEASE 1.3.10
--------------
- Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723)
diff -Nru roundcube-1.3.10+dfsg.1/debian/changelog roundcube-1.3.11+dfsg.1/debian/changelog
--- roundcube-1.3.10+dfsg.1/debian/changelog 2019-12-24 20:45:55.000000000 +0100
+++ roundcube-1.3.11+dfsg.1/debian/changelog 2020-04-29 23:08:38.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.3.11+dfsg.1-1~deb10u1) buster; urgency=high
+
+ * New security upstream release, with fixes for:
+ - Cross-Site Scripting (XSS) vulnerability via malicious HTML messages
+ (Closes: #959140)
+ - CSRF attack can cause an authenticated user to be logged out
+ (Closes: #959142)
+
+ -- Guilhem Moulin <guilhem at debian.org> Wed, 29 Apr 2020 23:08:38 +0200
+
roundcube (1.3.10+dfsg.1-1~deb10u1) buster; urgency=medium
* d/control: revert bump of Standards-Version, as we want to release to
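Review bot: the entry lists only the two issues tracked in the BTS, while the upstream CHANGELOG in this same debdiff names four security fixes (the two here plus remote code execution via crafted 'im_convert_path'/'im_identify_path' settings and local file inclusion via the 'plugins' option), and the corresponding escapeshellcmd() and plugin-name validation changes are part of this upload. A line stating that those two are not considered applicable to Debian, or simply naming them, would keep the changelog and the shipped code in step for anyone auditing the upload later.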
diff -Nru roundcube-1.3.10+dfsg.1/debian/patches/correct_install_path.patch roundcube-1.3.11+dfsg.1/debian/patches/correct_install_path.patch
--- roundcube-1.3.10+dfsg.1/debian/patches/correct_install_path.patch 2019-12-18 01:11:49.000000000 +0100
+++ roundcube-1.3.11+dfsg.1/debian/patches/correct_install_path.patch 2020-04-29 23:08:38.000000000 +0200
@@ -6,7 +6,7 @@
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
-@@ -25,7 +25,7 @@ define('RCMAIL_VERSION', '1.3.9');
+@@ -25,7 +25,7 @@ define('RCMAIL_VERSION', '1.3.11');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.10+dfsg.1/debian/patches/upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch roundcube-1.3.11+dfsg.1/debian/patches/upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch
--- roundcube-1.3.10+dfsg.1/debian/patches/upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch 2019-12-18 01:11:49.000000000 +0100
+++ roundcube-1.3.11+dfsg.1/debian/patches/upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch 2020-04-29 23:08:38.000000000 +0200
@@ -102,7 +102,7 @@
+
$destdir = INSTALL_PATH . $package['dest'];
if (!is_dir($destdir)) {
- mkdir($destdir, 0774, true);
+ mkdir($destdir, 0775, true);
@@ -295,9 +309,14 @@ function delete_destfile($package)
//////////////// Execution
diff -Nru roundcube-1.3.10+dfsg.1/index.php roundcube-1.3.11+dfsg.1/index.php
--- roundcube-1.3.10+dfsg.1/index.php 2019-08-28 13:24:49.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/index.php 2020-04-26 22:20:25.000000000 +0200
@@ -2,7 +2,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.10 |
+ | Version 1.3.11 |
| |
| Copyright (C) 2005-2019, The Roundcube Dev Team |
| |
@@ -106,7 +106,9 @@
$pass_charset = $RCMAIL->config->get('password_charset', 'ISO-8859-1');
// purge the session in case of new login when a session already exists
- $RCMAIL->kill_session();
+ if ($request_valid) {
+ $RCMAIL->kill_session();
+ }
$auth = $RCMAIL->plugins->exec_hook('authenticate', array(
'host' => $RCMAIL->autoselect_host(),
@@ -180,13 +182,15 @@
$RCMAIL->plugins->exec_hook('login_failed', array(
'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
- $RCMAIL->kill_session();
+ if (!isset($_SESSION['user_id'])) {
+ $RCMAIL->kill_session();
+ }
}
}
// end session
else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
- $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);
+ $RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST);
$userdata = array(
'user' => $_SESSION['username'],
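Review bot: the new argument `rcube_utils::INPUT_GET | rcube_utils::INPUT_POST` also drops the `$mode = rcube_utils::INPUT_GET` assignment-in-argument, so the logout token is now checked whether it arrives by GET or POST. Together with the two preceding index.php hunks (guarding `kill_session()` on `$request_valid` and on the absence of `$_SESSION['user_id']`) this is line-for-line the change carried by debian/patches/bug959142.patch in the stretch debdiff, which is worth stating in the changelog so the two uploads can be cross-checked.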
diff -Nru roundcube-1.3.10+dfsg.1/installer/index.php roundcube-1.3.11+dfsg.1/installer/index.php
--- roundcube-1.3.10+dfsg.1/installer/index.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/installer/index.php 2020-04-26 22:20:26.000000000 +0200
@@ -3,7 +3,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail setup tool |
- | Version 1.3.10 |
+ | Version 1.3.11 |
| |
| Copyright (C) 2009-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.10+dfsg.1/plugins/enigma/lib/enigma_mime_message.php roundcube-1.3.11+dfsg.1/plugins/enigma/lib/enigma_mime_message.php
--- roundcube-1.3.10+dfsg.1/plugins/enigma/lib/enigma_mime_message.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/plugins/enigma/lib/enigma_mime_message.php 2020-04-26 22:20:25.000000000 +0200
@@ -243,8 +243,6 @@
}
$this->headers = array_merge($this->headers, $headers);
-
- return;
}
else {
$output = $message->encode($boundary, $skip_head);
@@ -254,9 +252,16 @@
}
$this->headers = array_merge($this->headers, $output['headers']);
+ }
- return $output['body'];
+ // remember the boundary used, in case we'd handle headers() call later
+ if (empty($boundary) && !empty($this->headers['Content-Type'])) {
+ if (preg_match('/boundary="([^"]+)/', $this->headers['Content-Type'], $m)) {
+ $this->build_params['boundary'] = $m[1];
+ }
}
+
+ return $filename ? null : $output['body'];
}
/**
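Review bot: the boundary capture `preg_match('/boundary="([^"]+)/', ...)` only matches a double-quoted boundary parameter; the MIME grammar allows a bare token, so a Content-Type with `boundary=xyz` would leave `$this->build_params['boundary']` unset and a later headers() call would not know the boundary. Also, `return $filename ? null : $output['body'];` is safe only because the ternary short-circuits: `$output` is assigned in the else branch, so the `$filename` path never evaluates `$output['body']`; a short comment there would save the next reader working that out.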
diff -Nru roundcube-1.3.10+dfsg.1/program/include/iniset.php roundcube-1.3.11+dfsg.1/program/include/iniset.php
--- roundcube-1.3.10+dfsg.1/program/include/iniset.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/include/iniset.php 2020-04-26 22:20:26.000000000 +0200
@@ -21,7 +21,7 @@
*/
// application constants
-define('RCMAIL_VERSION', '1.3.10');
+define('RCMAIL_VERSION', '1.3.11');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.10+dfsg.1/program/include/rcmail_install.php roundcube-1.3.11+dfsg.1/program/include/rcmail_install.php
--- roundcube-1.3.10+dfsg.1/program/include/rcmail_install.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/include/rcmail_install.php 2020-04-26 22:20:26.000000000 +0200
@@ -218,7 +218,7 @@
else if ($prop == 'db_dsnw' && !empty($_POST['_dbtype'])) {
if ($_POST['_dbtype'] == 'sqlite') {
$value = sprintf('%s://%s?mode=0646', $_POST['_dbtype'],
- $_POST['_dbname']{0} == '/' ? '/' . $_POST['_dbname'] : $_POST['_dbname']);
+ $_POST['_dbname'][0] == '/' ? '/' . $_POST['_dbname'] : $_POST['_dbname']);
}
else if ($_POST['_dbtype']) {
$value = sprintf('%s://%s:%s@%s/%s', $_POST['_dbtype'],
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/bootstrap.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/bootstrap.php 2020-04-26 22:20:26.000000000 +0200
@@ -53,7 +53,7 @@
}
// framework constants
-define('RCUBE_VERSION', '1.3.10');
+define('RCUBE_VERSION', '1.3.11');
define('RCUBE_CHARSET', 'UTF-8');
if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/html.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/html.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/html.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/html.php 2020-04-26 22:20:26.000000000 +0200
@@ -751,6 +751,10 @@
$cell->attrib = $attr;
$cell->content = $cont;
+ if (!isset($this->rows[$this->rowindex])) {
+ $this->rows[$this->rowindex] = new stdClass;
+ }
+
$this->rows[$this->rowindex]->cells[$this->colindex] = $cell;
$this->colindex += max(1, intval($attr['colspan']));
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_image.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_image.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_image.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_image.php 2020-04-26 22:20:26.000000000 +0200
@@ -159,7 +159,8 @@
'size' => $width . 'x' . $height,
);
- $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
+ $result = rcube::exec(escapeshellcmd($convert)
+ . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
. ' -quality {quality} -resize {size} {intype}:{in} {type}:{out}', $p);
}
// use PHP's Imagick class
@@ -324,7 +325,8 @@
$p['out'] = $filename;
$p['type'] = self::$extensions[$type];
- $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
+ $result = rcube::exec(escapeshellcmd($convert)
+ . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
if ($result === '') {
chmod($filename, 0600);
@@ -418,7 +420,7 @@
// use ImageMagick in command line
if ($cmd = $rcube->config->get('im_identify_path')) {
$args = array('in' => $this->image_file, 'format' => "%m %[fx:w] %[fx:h]");
- $id = rcube::exec($cmd. ' 2>/dev/null -format {format} {in}', $args);
+ $id = rcube::exec(escapeshellcmd($cmd) . ' 2>/dev/null -format {format} {in}', $args);
if ($id) {
return explode(' ', strtolower($id));
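Review bot: wrapping `$convert`/`$cmd` in escapeshellcmd() at all three exec() sites neutralises shell metacharacters in the configured im_convert_path / im_identify_path values, which is the code-execution fix listed in the CHANGELOG; escapeshellcmd() does not escape spaces, though, so a binary path containing a space is still split by the shell. If the setting is meant to hold a bare path, escapeshellarg() is the tighter choice and keeps such paths working; if administrators are expected to append options to the path, the current call is the right one and the config documentation should say so.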
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_imap.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_imap.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_imap.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_imap.php 2020-04-26 22:20:26.000000000 +0200
@@ -2135,8 +2135,7 @@
// get part ID
if (!empty($part[3])) {
- $struct->content_id = $part[3];
- $struct->headers['content-id'] = $part[3];
+ $struct->content_id = $struct->headers['content-id'] = trim($part[3]);
if (empty($struct->disposition)) {
$struct->disposition = 'inline';
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php 2020-04-26 22:20:26.000000000 +0200
@@ -70,7 +70,7 @@
}
break;
- case LOG_EMERGE:
+ case LOG_EMERG:
case LOG_ALERT:
case LOG_CRIT:
rcube::raise_error($msg, true, true);
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_plugin_api.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_plugin_api.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_plugin_api.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_plugin_api.php 2020-04-26 22:20:26.000000000 +0200
@@ -163,6 +163,14 @@
$plugins_dir = unslashify($dir->path);
}
+ // Validate the plugin name to prevent from path traversal
+ if (preg_match('/[^a-zA-Z0-9_-]/', $plugin_name)) {
+ rcube::raise_error(array('code' => 520,
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Invalid plugin name: $plugin_name"), true, false);
+ return false;
+ }
+
// plugin already loaded?
if (!$this->plugins[$plugin_name]) {
$fn = "$plugins_dir/$plugin_name/$plugin_name.php";
@@ -282,6 +290,14 @@
$fn = unslashify($dir->path) . "/$plugin_name/$plugin_name.php";
$info = false;
+ // Validate the plugin name to prevent from path traversal
+ if (preg_match('/[^a-zA-Z0-9_-]/', $plugin_name)) {
+ rcube::raise_error(array('code' => 520,
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Invalid plugin name: $plugin_name"), true, false);
+ return false;
+ }
+
if (!class_exists($plugin_name, false)) {
if (is_readable($fn)) {
include($fn);
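Review bot: the allow-list `preg_match('/[^a-zA-Z0-9_-]/', $plugin_name)` rejects `.` and `/`, so a plugin name can no longer escape `$plugins_dir` via `..` or an absolute path before `include($fn)` runs; the same block is pasted into both methods in this file, so moving it into one private helper would stop the two copies drifting. The comment wording `prevent from path traversal` reads better as `prevent path traversal`.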
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_session_redis.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_session_redis.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_session_redis.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_session_redis.php 2020-04-26 22:20:26.000000000 +0200
@@ -72,7 +72,7 @@
$port = ($port !== null) ? $port : 6379;
$database = ($database !== null) ? $database : 0;
- if ($this->redis->connect($host, $port) === false) {
+ if ($this->redis->connect($host, (int) $port) === false) {
rcube::raise_error(
array(
'code' => 604,
@@ -100,7 +100,7 @@
);
}
- if ($database != 0 && $this->redis->select($database) === false) {
+ if ($database && $this->redis->select($database) === false) {
rcube::raise_error(
array(
'code' => 604,
diff -Nru roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_washtml.php roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_washtml.php
--- roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_washtml.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_washtml.php 2020-04-26 22:20:26.000000000 +0200
@@ -497,9 +497,6 @@
break;
case XML_CDATA_SECTION_NODE:
- $dump .= $node->nodeValue;
- break;
-
case XML_TEXT_NODE:
$dump .= htmlspecialchars($node->nodeValue);
break;
diff -Nru roundcube-1.3.10+dfsg.1/program/steps/mail/sendmail.inc roundcube-1.3.11+dfsg.1/program/steps/mail/sendmail.inc
--- roundcube-1.3.10+dfsg.1/program/steps/mail/sendmail.inc 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/program/steps/mail/sendmail.inc 2020-04-26 22:20:26.000000000 +0200
@@ -354,7 +354,7 @@
unset($COMPOSE['attachments'][$idx]);
}
- $COMPOSE['attachments'] = array_merge(array_filter($files), $COMPOSE['attachments']);
+ $COMPOSE['attachments'] = array_merge(array_filter($files), (array) $COMPOSE['attachments']);
}
// set line length for body wrapping
diff -Nru roundcube-1.3.10+dfsg.1/public_html/index.php roundcube-1.3.11+dfsg.1/public_html/index.php
--- roundcube-1.3.10+dfsg.1/public_html/index.php 2019-08-28 13:24:49.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/public_html/index.php 2020-04-26 22:20:25.000000000 +0200
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.10 |
+ | Version 1.3.11 |
| |
| Copyright (C) 2005-2017, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/lib/enigma_mime_message.php roundcube-1.3.11+dfsg.1/public_html/plugins/enigma/lib/enigma_mime_message.php
--- roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/lib/enigma_mime_message.php 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/public_html/plugins/enigma/lib/enigma_mime_message.php 2020-04-26 22:20:25.000000000 +0200
@@ -243,8 +243,6 @@
}
$this->headers = array_merge($this->headers, $headers);
-
- return;
}
else {
$output = $message->encode($boundary, $skip_head);
@@ -254,9 +252,16 @@
}
$this->headers = array_merge($this->headers, $output['headers']);
+ }
- return $output['body'];
+ // remember the boundary used, in case we'd handle headers() call later
+ if (empty($boundary) && !empty($this->headers['Content-Type'])) {
+ if (preg_match('/boundary="([^"]+)/', $this->headers['Content-Type'], $m)) {
+ $this->build_params['boundary'] = $m[1];
+ }
}
+
+ return $filename ? null : $output['body'];
}
/**
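Review bot: this file is a byte-for-byte duplicate of plugins/enigma/lib/enigma_mime_message.php (same hunks at -243,8 and -254,9); shipping the plugin sources under both trees means every fix has to land twice, so it is worth confirming that the package installs only one copy, or that the build keeps the two in sync.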
diff -Nru roundcube-1.3.10+dfsg.1/.travis.yml roundcube-1.3.11+dfsg.1/.travis.yml
--- roundcube-1.3.10+dfsg.1/.travis.yml 2019-08-28 13:24:50.000000000 +0200
+++ roundcube-1.3.11+dfsg.1/.travis.yml 2020-04-26 22:20:26.000000000 +0200
@@ -2,6 +2,8 @@
sudo: false
+dist: trusty
+
matrix:
fast_finish: true
include:
@@ -10,6 +12,8 @@
- php: 5.6
- php: 7.0
- php: 7.1
+ - php: 7.2
+ - php: 7.3
env: CODE_COVERAGE=1
cache: