[Pkg-roundcube-maintainers] Security issues in roundcube 1.2.3+dfsg.1-4+deb9u4 and 1.3.11+dfsg.1-1~deb10u1
Guilhem Moulin
guilhem at debian.org
Wed Jun 3 23:59:41 BST 2020
Dear security team,
In a recent post roundcube webmail upstream has announced the following
security fixes:
- Cross-Site Scripting (XSS) vulnerability in template object 'username'
https://github.com/roundcube/roundcubemail/issues/7406
- Cross-Site Scripting (XSS) vulnerability via malicious XML messages
Plus two more that are are irrelevant for Debian as we don't use the
installer.
https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12
Unfortunately upstream didn't assign CVEs (yet?), however the issues are
respectively tracked in our BTS as #962123 and #962124.
For stretch-security I prepared 1.2.3+dfsg.1-4+deb9u5 with the attached
debdiff.
The package in buster is currently following the 1.3 branch so I guess
it makes make sense to upload 1.3.12+dfsg.1-1~deb10u1 with the second
debdiff attached. If it's beyond the scope of buster-security I'll just
apply these two commits:
https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19
https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3
Both version have been tested. I would appreciate if you could take
care of the CVE assignments as upstream often doesn't. I'll hold the
upload until the CVE are assigned so we have proper numbers in
d/changelog.
Cheers,
--
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1
changelog | 7 +
patches/Security-Fix-XSS-issue-in-template-object-username.patch | 22 ++++
patches/Security-Fix-cross-site-scripting-XSS-via-malicious.patch | 54 ++++++++++
patches/series | 2
4 files changed, 85 insertions(+)
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2020-05-04 14:50:42.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2020-06-04 00:15:26.000000000 +0200
@@ -1,3 +1,10 @@
+roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high
+
+ * Backport security fixes from 1.3.12: Cross-Site Scripting (XSS)
+ vulnerability in template object 'username' (closes: #962123).
+
+ -- Guilhem Moulin <guilhem at debian.org> Thu, 04 Jun 2020 00:15:26 +0200
+
roundcube (1.2.3+dfsg.1-4+deb9u4) stretch-security; urgency=high
* Backport security fixes from 1.2.10:
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-cross-site-scripting-XSS-via-malicious.patch roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-cross-site-scripting-XSS-via-malicious.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-cross-site-scripting-XSS-via-malicious.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-cross-site-scripting-XSS-via-malicious.patch 2020-06-04 00:15:26.000000000 +0200
@@ -0,0 +1,54 @@
+From 884eb611627ef2bd5a2e20e02009ebb1eceecdc3 Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec at alec.pl>
+Date: Sat, 30 May 2020 08:35:33 +0200
+Subject: Security: Fix cross-site scripting (XSS) via malicious XML
+ attachment
+
+---
+ config/defaults.inc.php | 9 ++++++---
+ program/lib/Roundcube/rcube_config.php | 2 +-
+ program/steps/mail/show.inc | 4 ++++
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/config/defaults.inc.php
++++ b/config/defaults.inc.php
+@@ -577,9 +577,12 @@ $config['identities_level'] = 0;
+ $config['identity_image_size'] = 64;
+
+ // Mimetypes supported by the browser.
+-// attachments of these types will open in a preview window
+-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
+-$config['client_mimetypes'] = null; # null == default
++// Attachments of these types will open in a preview window.
++// Either a comma-separated list or an array. Default list includes:
++// text/plain,text/html,
++// image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
++// application/x-javascript,application/pdf,application/x-shockwave-flash
++$config['client_mimetypes'] = null;
+
+ // Path to a local mime magic database file for PHPs finfo extension.
+ // Set to null if the default path should be used.
+--- a/program/lib/Roundcube/rcube_config.php
++++ b/program/lib/Roundcube/rcube_config.php
+@@ -393,7 +393,7 @@ class rcube_config
+ }
+ else if ($name == 'client_mimetypes') {
+ if (!$result && !$def) {
+- $result = 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,image/bmp,image/tiff,application/x-javascript,application/pdf,application/x-shockwave-flash';
++ $result = 'text/plain,text/html,image/jpeg,image/gif,image/png,image/bmp,image/tiff,application/x-javascript,application/pdf,application/x-shockwave-flash';
+ }
+ if ($result && is_string($result)) {
+ $result = explode(',', $result);
+--- a/program/steps/mail/show.inc
++++ b/program/steps/mail/show.inc
+@@ -100,6 +100,10 @@ if ($uid) {
+ if (empty($_SESSION['browser_caps']['flash']) && ($key = array_search('application/x-shockwave-flash', $mimetypes)) !== false) {
+ unset($mimetypes[$key]);
+ }
++ // We cannot securely preview XML files as we do not have a proper parser
++ if (($key = array_search('text/xml', $mimetypes)) !== false) {
++ unset($mimetypes[$key]);
++ }
+ if (empty($_SESSION['browser_caps']['tif']) && ($key = array_search('image/tiff', $mimetypes)) !== false) {
+ // we can convert tiff to jpeg
+ if (!rcube_image::is_convertable('image/tiff')) {
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-XSS-issue-in-template-object-username.patch roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-XSS-issue-in-template-object-username.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-XSS-issue-in-template-object-username.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-XSS-issue-in-template-object-username.patch 2020-06-04 00:15:26.000000000 +0200
@@ -0,0 +1,22 @@
+From 37e2bc745723ef6322f0f785aefd0b9313a40f19 Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec at alec.pl>
+Date: Sat, 30 May 2020 08:28:05 +0200
+Subject: Security: Fix XSS issue in template object 'username' (#7406)
+
+---
+ program/include/rcmail_output_html.php | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/program/include/rcmail_output_html.php
++++ b/program/include/rcmail_output_html.php
+@@ -1768,7 +1768,9 @@ EOF;
+ $username = $this->app->user->get_username();
+ }
+
+- return rcube_utils::idn_to_utf8($username);
++ $username = rcube_utils::idn_to_utf8($username);
++
++ return html::quote($username);
+ }
+
+ /**
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2020-05-04 14:50:42.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/patches/series 2020-06-04 00:15:26.000000000 +0200
@@ -18,3 +18,5 @@
CVE-2018-19206.patch
CVE-2020-12625.patch
CVE-2020-12626.patch
+Security-Fix-XSS-issue-in-template-object-username.patch
+Security-Fix-cross-site-scripting-XSS-via-malicious.patch
-------------- next part --------------
diffstat for roundcube-1.3.11+dfsg.1 roundcube-1.3.12+dfsg.1
CHANGELOG | 7 ++++
INSTALL | 11 ++++++-
config/defaults.inc.php | 9 +++--
debian/changelog | 10 ++++++
index.php | 2 -
installer/index.php | 2 -
installer/test.php | 10 +++---
program/include/iniset.php | 2 -
program/include/rcmail_output_html.php | 4 +-
program/lib/Roundcube/bootstrap.php | 2 -
program/lib/Roundcube/rcube_config.php | 2 -
program/lib/Roundcube/rcube_image.php | 50 +++++++++++++++++++++++++++------
program/steps/mail/func.inc | 5 +++
program/steps/mail/show.inc | 2 +
public_html/index.php | 2 -
15 files changed, 96 insertions(+), 24 deletions(-)
diff -Nru roundcube-1.3.11+dfsg.1/CHANGELOG roundcube-1.3.12+dfsg.1/CHANGELOG
--- roundcube-1.3.11+dfsg.1/CHANGELOG 2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/CHANGELOG 2020-06-02 22:19:19.000000000 +0200
@@ -1,6 +1,13 @@
CHANGELOG Roundcube Webmail
===========================
+RELEASE 1.3.12
+--------------
+- Security: Better fix for CVE-2020-12641
+- Security: Fix XSS issue in template object 'username' (#7406)
+- Security: Fix couple of XSS issues in Installer (#7406)
+- Security: Fix cross-site scripting (XSS) via malicious XML attachment
+
RELEASE 1.3.11
--------------
- Enigma: Fix compatibility with Mail_Mime >= 1.10.5
diff -Nru roundcube-1.3.11+dfsg.1/config/defaults.inc.php roundcube-1.3.12+dfsg.1/config/defaults.inc.php
--- roundcube-1.3.11+dfsg.1/config/defaults.inc.php 2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/config/defaults.inc.php 2020-06-02 22:19:19.000000000 +0200
@@ -589,9 +589,12 @@
$config['identity_image_size'] = 64;
// Mimetypes supported by the browser.
-// attachments of these types will open in a preview window
-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
-$config['client_mimetypes'] = null; # null == default
+// Attachments of these types will open in a preview window.
+// Either a comma-separated list or an array. Default list includes:
+// text/plain,text/html,
+// image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
+// application/x-javascript,application/pdf,application/x-shockwave-flash
+$config['client_mimetypes'] = null;
// Path to a local mime magic database file for PHPs finfo extension.
// Set to null if the default path should be used.
diff -Nru roundcube-1.3.11+dfsg.1/debian/changelog roundcube-1.3.12+dfsg.1/debian/changelog
--- roundcube-1.3.11+dfsg.1/debian/changelog 2020-05-04 14:19:18.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/debian/changelog 2020-06-03 23:11:38.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.3.12+dfsg.1-1~deb10u1) buster-security; urgency=high
+
+ * New security upstream release, with fixes for:
+ - Cross-Site Scripting (XSS) vulnerability via malicious XML messages
+ (Closes: #962123)
+ - Cross-Site Scripting (XSS) vulnerability in template object 'username'
+ (Closes: #962124)
+
+ -- Guilhem Moulin <guilhem at debian.org> Wed, 03 Jun 2020 23:11:38 +0200
+
roundcube (1.3.11+dfsg.1-1~deb10u1) buster-security; urgency=high
* New security upstream release, with fixes for:
diff -Nru roundcube-1.3.11+dfsg.1/index.php roundcube-1.3.12+dfsg.1/index.php
--- roundcube-1.3.11+dfsg.1/index.php 2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/index.php 2020-06-02 22:19:19.000000000 +0200
@@ -2,7 +2,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.11 |
+ | Version 1.3.12 |
| |
| Copyright (C) 2005-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.11+dfsg.1/INSTALL roundcube-1.3.12+dfsg.1/INSTALL
--- roundcube-1.3.11+dfsg.1/INSTALL 2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/INSTALL 2020-06-02 22:19:19.000000000 +0200
@@ -60,7 +60,16 @@
5. Point your browser to http://url-to-roundcube/installer/
6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
7. After creating and testing the configuration, remove the installer directory
-8. Check Known Issues section of this file
+ ------------------------------------------
+ IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
+ ------------------------------------------
+8. If you use git sources compile css files for the Elastic skin (required
+ lessc >= 1.5.0):
+ $ cd skins/elastic
+ $ lessc -x styles/styles.less > styles/styles.css
+ $ lessc -x styles/print.less > styles/print.css
+ $ lessc -x styles/embed.less > styles/embed.css
+9. Check Known Issues section of this file
CONFIGURATION HINTS
diff -Nru roundcube-1.3.11+dfsg.1/installer/index.php roundcube-1.3.12+dfsg.1/installer/index.php
--- roundcube-1.3.11+dfsg.1/installer/index.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/installer/index.php 2020-06-02 22:19:21.000000000 +0200
@@ -3,7 +3,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail setup tool |
- | Version 1.3.11 |
+ | Version 1.3.12 |
| |
| Copyright (C) 2009-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.11+dfsg.1/installer/test.php roundcube-1.3.12+dfsg.1/installer/test.php
--- roundcube-1.3.11+dfsg.1/installer/test.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/installer/test.php 2020-06-02 22:19:21.000000000 +0200
@@ -126,7 +126,7 @@
else {
$RCI->fail('DSN (write)', $db_error_msg);
echo '<p class="hint">Make sure that the configured database exists and that the user has write privileges<br />';
- echo 'DSN: ' . $RCI->config['db_dsnw'] . '</p>';
+ echo 'DSN: ' . rcube::Q($RCI->config['db_dsnw']) . '</p>';
}
}
else {
@@ -261,19 +261,19 @@
<tbody>
<tr>
<td><label for="smtp_server">Server</label></td>
- <td><?php echo rcube_utils::parse_host($RCI->getprop('smtp_server', 'localhost')); ?></td>
+ <td><?php echo rcube::Q(rcube_utils::parse_host($RCI->getprop('smtp_server', 'localhost'))); ?></td>
</tr>
<tr>
<td><label for="smtp_port">Port</label></td>
- <td><?php echo $RCI->getprop('smtp_port'); ?></td>
+ <td><?php echo rcube::Q($RCI->getprop('smtp_port')); ?></td>
</tr>
<tr>
<td><label for="smtp_user">Username</label></td>
- <td><?php echo $user; ?></td>
+ <td><?php echo rcube::Q($user); ?></td>
</tr>
<tr>
<td><label for="smtp_pass">Password</label></td>
- <td><?php echo $pass; ?></td>
+ <td><?php echo rcube::Q($pass); ?></td>
</tr>
</tbody>
</table>
diff -Nru roundcube-1.3.11+dfsg.1/program/include/iniset.php roundcube-1.3.12+dfsg.1/program/include/iniset.php
--- roundcube-1.3.11+dfsg.1/program/include/iniset.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/include/iniset.php 2020-06-02 22:19:21.000000000 +0200
@@ -21,7 +21,7 @@
*/
// application constants
-define('RCMAIL_VERSION', '1.3.11');
+define('RCMAIL_VERSION', '1.3.12');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.11+dfsg.1/program/include/rcmail_output_html.php roundcube-1.3.12+dfsg.1/program/include/rcmail_output_html.php
--- roundcube-1.3.11+dfsg.1/program/include/rcmail_output_html.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/include/rcmail_output_html.php 2020-06-02 22:19:21.000000000 +0200
@@ -1823,7 +1823,9 @@
$username = $this->app->user->get_username();
}
- return rcube_utils::idn_to_utf8($username);
+ $username = rcube_utils::idn_to_utf8($username);
+
+ return html::quote($username);
}
/**
diff -Nru roundcube-1.3.11+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.3.12+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.11+dfsg.1/program/lib/Roundcube/bootstrap.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/lib/Roundcube/bootstrap.php 2020-06-02 22:19:21.000000000 +0200
@@ -53,7 +53,7 @@
}
// framework constants
-define('RCUBE_VERSION', '1.3.11');
+define('RCUBE_VERSION', '1.3.12');
define('RCUBE_CHARSET', 'UTF-8');
if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_config.php roundcube-1.3.12+dfsg.1/program/lib/Roundcube/rcube_config.php
--- roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_config.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/lib/Roundcube/rcube_config.php 2020-06-02 22:19:21.000000000 +0200
@@ -397,7 +397,7 @@
}
else if ($name == 'client_mimetypes') {
if (!$result && !$def) {
- $result = 'text/plain,text/html,text/xml'
+ $result = 'text/plain,text/html'
. ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
. ',application/x-javascript,application/pdf,application/x-shockwave-flash';
}
diff -Nru roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_image.php roundcube-1.3.12+dfsg.1/program/lib/Roundcube/rcube_image.php
--- roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_image.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/lib/Roundcube/rcube_image.php 2020-06-02 22:19:21.000000000 +0200
@@ -100,7 +100,7 @@
{
$result = false;
$rcube = rcube::get_instance();
- $convert = $rcube->config->get('im_convert_path', false);
+ $convert = self::getCommand('im_convert_path');
$props = $this->props();
if (empty($props)) {
@@ -159,7 +159,7 @@
'size' => $width . 'x' . $height,
);
- $result = rcube::exec(escapeshellcmd($convert)
+ $result = rcube::exec($convert
. ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
. ' -quality {quality} -resize {size} {intype}:{in} {type}:{out}', $p);
}
@@ -308,7 +308,7 @@
public function convert($type, $filename = null)
{
$rcube = rcube::get_instance();
- $convert = $rcube->config->get('im_convert_path', false);
+ $convert = self::getCommand('im_convert_path');
if (!$filename) {
$filename = $this->image_file;
@@ -325,8 +325,7 @@
$p['out'] = $filename;
$p['type'] = self::$extensions[$type];
- $result = rcube::exec(escapeshellcmd($convert)
- . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
+ $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
if ($result === '') {
chmod($filename, 0600);
@@ -407,7 +406,7 @@
$rcube = rcube::get_instance();
// @TODO: check if specified mimetype is really supported
- return class_exists('Imagick', false) || $rcube->config->get('im_convert_path');
+ return class_exists('Imagick', false) || self::getCommand('im_convert_path');
}
/**
@@ -418,9 +417,9 @@
$rcube = rcube::get_instance();
// use ImageMagick in command line
- if ($cmd = $rcube->config->get('im_identify_path')) {
+ if ($cmd = self::getCommand('im_identify_path')) {
$args = array('in' => $this->image_file, 'format' => "%m %[fx:w] %[fx:h]");
- $id = rcube::exec(escapeshellcmd($cmd) . ' 2>/dev/null -format {format} {in}', $args);
+ $id = rcube::exec($cmd . ' 2>/dev/null -format {format} {in}', $args);
if ($id) {
return explode(' ', strtolower($id));
@@ -459,4 +458,39 @@
$size = $props['width'] * $props['height'] * $multip;
return rcube_utils::mem_check($size);
}
+
+ /**
+ * Get the configured command and make sure it is safe to use.
+ * We cannot trust configuration, and escapeshellcmd() is useless.
+ *
+ * @param string $opt_name Configuration option name
+ *
+ * @return bool|string The command or False if not set or invalid
+ */
+ private static function getCommand($opt_name)
+ {
+ static $error = [];
+
+ $cmd = rcube::get_instance()->config->get($opt_name);
+
+ if (empty($cmd)) {
+ return false;
+ }
+
+ if (preg_match('/^(convert|identify)(\.exe)?$/i', $cmd)) {
+ return $cmd;
+ }
+
+ // Executable must exist, also disallow network shares on Windows
+ if ($cmd[0] != "\\" && file_exists($cmd)) {
+ return $cmd;
+ }
+
+ if (empty($error[$opt_name])) {
+ rcube::raise_error("Invalid $opt_name: $cmd", true, false);
+ $error[$opt_name] = true;
+ }
+
+ return false;
+ }
}
diff -Nru roundcube-1.3.11+dfsg.1/program/steps/mail/func.inc roundcube-1.3.12+dfsg.1/program/steps/mail/func.inc
--- roundcube-1.3.11+dfsg.1/program/steps/mail/func.inc 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/steps/mail/func.inc 2020-06-02 22:19:21.000000000 +0200
@@ -2359,6 +2359,11 @@
unset($mimetypes[$key]);
}
+ // We cannot securely preview XML files as we do not have a proper parser
+ if (($key = array_search('text/xml', $mimetypes)) !== false) {
+ unset($mimetypes[$key]);
+ }
+
foreach (array('tiff', 'webp') as $type) {
if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
// can we convert it to jpeg?
diff -Nru roundcube-1.3.11+dfsg.1/program/steps/mail/show.inc roundcube-1.3.12+dfsg.1/program/steps/mail/show.inc
--- roundcube-1.3.11+dfsg.1/program/steps/mail/show.inc 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/steps/mail/show.inc 2020-06-02 22:19:21.000000000 +0200
@@ -72,6 +72,8 @@
$OUTPUT->set_env('mailbox', $mbox_name);
$OUTPUT->set_env('username', $RCMAIL->get_user_name());
$OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
+ $OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
+ $OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes());
if ($MESSAGE->headers->get('list-post', false)) {
$OUTPUT->set_env('list_post', true);
diff -Nru roundcube-1.3.11+dfsg.1/public_html/index.php roundcube-1.3.12+dfsg.1/public_html/index.php
--- roundcube-1.3.11+dfsg.1/public_html/index.php 2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/public_html/index.php 2020-06-02 22:19:19.000000000 +0200
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.11 |
+ | Version 1.3.12 |
| |
| Copyright (C) 2005-2017, The Roundcube Dev Team |
| |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20200604/8d90b0b4/attachment-0001.sig>
More information about the Pkg-roundcube-maintainers
mailing list