[Pkg-roundcube-maintainers] Security issues in roundcube 1.2.3+dfsg.1-4+deb9u4 and 1.3.11+dfsg.1-1~deb10u1

Guilhem Moulin guilhem at debian.org
Wed Jun 3 23:59:41 BST 2020


Dear security team,

In a recent post roundcube webmail upstream has announced the following
security fixes:

  - Cross-Site Scripting (XSS) vulnerability in template object 'username'
    https://github.com/roundcube/roundcubemail/issues/7406
  - Cross-Site Scripting (XSS) vulnerability via malicious XML messages

Plus two more that are irrelevant for Debian as we don't use the
installer.
https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12

Unfortunately upstream didn't assign CVEs (yet?), however the issues are
respectively tracked in our BTS as #962123 and #962124.

For stretch-security I prepared 1.2.3+dfsg.1-4+deb9u5 with the attached
debdiff.

The package in buster is currently following the 1.3 branch so I guess
it makes sense to upload 1.3.12+dfsg.1-1~deb10u1 with the second
debdiff attached.  If it's beyond the scope of buster-security I'll just
apply these two commits:

    https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19
    https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3

Both versions have been tested.  I would appreciate it if you could take
care of the CVE assignments as upstream often doesn't.  I'll hold the
upload until the CVEs are assigned so we have proper numbers in
d/changelog.

Cheers,
-- 
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1

 changelog                                                         |    7 +
 patches/Security-Fix-XSS-issue-in-template-object-username.patch  |   22 ++++
 patches/Security-Fix-cross-site-scripting-XSS-via-malicious.patch |   54 ++++++++++
 patches/series                                                    |    2 
 4 files changed, 85 insertions(+)

diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog	2020-05-04 14:50:42.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/changelog	2020-06-04 00:15:26.000000000 +0200
@@ -1,3 +1,10 @@
+roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high
+
+  * Backport security fixes from 1.3.12: Cross-Site Scripting (XSS)
+    vulnerability in template object 'username' (closes: #962123).
+
+ -- Guilhem Moulin <guilhem at debian.org>  Thu, 04 Jun 2020 00:15:26 +0200
+
 roundcube (1.2.3+dfsg.1-4+deb9u4) stretch-security; urgency=high
 
   * Backport security fixes from 1.2.10:
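
Review bot: the new entry names only the 'username' XSS and closes only #962123, but the same debdiff adds Security-Fix-cross-site-scripting-XSS-via-malicious.patch to the series. Add a second bullet for the XML attachment XSS with (closes: #962124) so that bug is closed on upload and the entry matches what ships.
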
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-cross-site-scripting-XSS-via-malicious.patch roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-cross-site-scripting-XSS-via-malicious.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-cross-site-scripting-XSS-via-malicious.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-cross-site-scripting-XSS-via-malicious.patch	2020-06-04 00:15:26.000000000 +0200
@@ -0,0 +1,54 @@
+From 884eb611627ef2bd5a2e20e02009ebb1eceecdc3 Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec at alec.pl>
+Date: Sat, 30 May 2020 08:35:33 +0200
+Subject: Security: Fix cross-site scripting (XSS) via malicious XML
+ attachment
+
+---
+ config/defaults.inc.php                |    9 ++++++---
+ program/lib/Roundcube/rcube_config.php |    2 +-
+ program/steps/mail/show.inc            |    4 ++++
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/config/defaults.inc.php
++++ b/config/defaults.inc.php
+@@ -577,9 +577,12 @@ $config['identities_level'] = 0;
+ $config['identity_image_size'] = 64;
+ 
+ // Mimetypes supported by the browser.
+-// attachments of these types will open in a preview window
+-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
+-$config['client_mimetypes'] = null;  # null == default
++// Attachments of these types will open in a preview window.
++// Either a comma-separated list or an array. Default list includes:
++//     text/plain,text/html,
++//     image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
++//     application/x-javascript,application/pdf,application/x-shockwave-flash
++$config['client_mimetypes'] = null;
+ 
+ // Path to a local mime magic database file for PHPs finfo extension.
+ // Set to null if the default path should be used.
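
Review bot: the backported comment lists image/webp in the default list, but the default string in this 1.2.3 tree's rcube_config.php (the next file in this patch) has no image/webp entry. Drop image/webp from the comment in the stretch patch so config/defaults.inc.php matches the code it documents.
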
+--- a/program/lib/Roundcube/rcube_config.php
++++ b/program/lib/Roundcube/rcube_config.php
+@@ -393,7 +393,7 @@ class rcube_config
+         }
+         else if ($name == 'client_mimetypes') {
+             if (!$result && !$def) {
+-                $result = 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,image/bmp,image/tiff,application/x-javascript,application/pdf,application/x-shockwave-flash';
++                $result = 'text/plain,text/html,image/jpeg,image/gif,image/png,image/bmp,image/tiff,application/x-javascript,application/pdf,application/x-shockwave-flash';
+             }
+             if ($result && is_string($result)) {
+                 $result = explode(',', $result);
+--- a/program/steps/mail/show.inc
++++ b/program/steps/mail/show.inc
+@@ -100,6 +100,10 @@ if ($uid) {
+     if (empty($_SESSION['browser_caps']['flash']) && ($key = array_search('application/x-shockwave-flash', $mimetypes)) !== false) {
+         unset($mimetypes[$key]);
+     }
++    // We cannot securely preview XML files as we do not have a proper parser
++    if (($key = array_search('text/xml', $mimetypes)) !== false) {
++        unset($mimetypes[$key]);
++    }
+     if (empty($_SESSION['browser_caps']['tif']) && ($key = array_search('image/tiff', $mimetypes)) !== false) {
+         // we can convert tiff to jpeg
+         if (!rcube_image::is_convertable('image/tiff')) {
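
Review bot: the new text/xml check uses array_search() with an exact string and unset() on the first hit only. Unless entries are normalised between the bare explode(',') in rcube_config.php and this point, a configured client_mimetypes such as 'text/plain, text/xml' (space after the comma), a differently cased entry, or a list naming text/xml twice still leaves an XML entry in $mimetypes. Filtering all entries with a trimmed, case-insensitive comparison would close that.
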
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-XSS-issue-in-template-object-username.patch roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-XSS-issue-in-template-object-username.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-XSS-issue-in-template-object-username.patch	1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/Security-Fix-XSS-issue-in-template-object-username.patch	2020-06-04 00:15:26.000000000 +0200
@@ -0,0 +1,22 @@
+From 37e2bc745723ef6322f0f785aefd0b9313a40f19 Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec at alec.pl>
+Date: Sat, 30 May 2020 08:28:05 +0200
+Subject: Security: Fix XSS issue in template object 'username' (#7406)
+
+---
+ program/include/rcmail_output_html.php |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/program/include/rcmail_output_html.php
++++ b/program/include/rcmail_output_html.php
+@@ -1768,7 +1768,9 @@ EOF;
+             $username = $this->app->user->get_username();
+         }
+ 
+-        return rcube_utils::idn_to_utf8($username);
++        $username = rcube_utils::idn_to_utf8($username);
++
++        return html::quote($username);
+     }
+ 
+     /**
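
Review bot: the getter now returns html::quote($username), so its result is HTML-escaped text rather than the raw name, and the hunk does not touch the function's docblock to say so. Any caller that escapes the result again will double-encode names containing & or quotes; grep for other users of this method before upload, and note the escaped return value in the docblock.
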
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series	2020-05-04 14:50:42.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/patches/series	2020-06-04 00:15:26.000000000 +0200
@@ -18,3 +18,5 @@
 CVE-2018-19206.patch
 CVE-2020-12625.patch
 CVE-2020-12626.patch
+Security-Fix-XSS-issue-in-template-object-username.patch
+Security-Fix-cross-site-scripting-XSS-via-malicious.patch
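
Review bot: the two new entries use descriptive file names while the lines above them follow the CVE-YYYY-NNNNN.patch convention. Since the mail says the upload is held until CVEs are assigned, rename both patches to their CVE ids at that point so d/patches/series and d/changelog agree.
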
-------------- next part --------------
diffstat for roundcube-1.3.11+dfsg.1 roundcube-1.3.12+dfsg.1

 CHANGELOG                              |    7 ++++
 INSTALL                                |   11 ++++++-
 config/defaults.inc.php                |    9 +++--
 debian/changelog                       |   10 ++++++
 index.php                              |    2 -
 installer/index.php                    |    2 -
 installer/test.php                     |   10 +++---
 program/include/iniset.php             |    2 -
 program/include/rcmail_output_html.php |    4 +-
 program/lib/Roundcube/bootstrap.php    |    2 -
 program/lib/Roundcube/rcube_config.php |    2 -
 program/lib/Roundcube/rcube_image.php  |   50 +++++++++++++++++++++++++++------
 program/steps/mail/func.inc            |    5 +++
 program/steps/mail/show.inc            |    2 +
 public_html/index.php                  |    2 -
 15 files changed, 96 insertions(+), 24 deletions(-)

diff -Nru roundcube-1.3.11+dfsg.1/CHANGELOG roundcube-1.3.12+dfsg.1/CHANGELOG
--- roundcube-1.3.11+dfsg.1/CHANGELOG	2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/CHANGELOG	2020-06-02 22:19:19.000000000 +0200
@@ -1,6 +1,13 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+RELEASE 1.3.12
+--------------
+- Security: Better fix for CVE-2020-12641
+- Security: Fix XSS issue in template object 'username' (#7406)
+- Security: Fix couple of XSS issues in Installer (#7406)
+- Security: Fix cross-site scripting (XSS) via malicious XML attachment
+
 RELEASE 1.3.11
 --------------
 - Enigma: Fix compatibility with Mail_Mime >= 1.10.5
diff -Nru roundcube-1.3.11+dfsg.1/config/defaults.inc.php roundcube-1.3.12+dfsg.1/config/defaults.inc.php
--- roundcube-1.3.11+dfsg.1/config/defaults.inc.php	2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/config/defaults.inc.php	2020-06-02 22:19:19.000000000 +0200
@@ -589,9 +589,12 @@
 $config['identity_image_size'] = 64;
 
 // Mimetypes supported by the browser.
-// attachments of these types will open in a preview window
-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
-$config['client_mimetypes'] = null;  # null == default
+// Attachments of these types will open in a preview window.
+// Either a comma-separated list or an array. Default list includes:
+//     text/plain,text/html,
+//     image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
+//     application/x-javascript,application/pdf,application/x-shockwave-flash
+$config['client_mimetypes'] = null;
 
 // Path to a local mime magic database file for PHPs finfo extension.
 // Set to null if the default path should be used.
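
Review bot: the rewritten comment above $config['client_mimetypes'] documents the new default list but does not say that text/xml is now removed even when an administrator lists it explicitly (the unset in program/steps/mail/func.inc is unconditional). A line to that effect here would tell admins why their setting is ignored.
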
diff -Nru roundcube-1.3.11+dfsg.1/debian/changelog roundcube-1.3.12+dfsg.1/debian/changelog
--- roundcube-1.3.11+dfsg.1/debian/changelog	2020-05-04 14:19:18.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/debian/changelog	2020-06-03 23:11:38.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.3.12+dfsg.1-1~deb10u1) buster-security; urgency=high
+
+  * New security upstream release, with fixes for:
+    - Cross-Site Scripting (XSS) vulnerability via malicious XML messages
+      (Closes: #962123)
+    - Cross-Site Scripting (XSS) vulnerability in template object 'username'
+      (Closes: #962124)
+
+ -- Guilhem Moulin <guilhem at debian.org>  Wed, 03 Jun 2020 23:11:38 +0200
+
 roundcube (1.3.11+dfsg.1-1~deb10u1) buster-security; urgency=high
 
   * New security upstream release, with fixes for:
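
Review bot: the bug numbers are the other way round from the stretch changelog and the covering mail. Here the XML issue closes #962123 and the 'username' issue closes #962124, whereas the mail gives them respectively as 'username' and XML. One of the two is swapped; check against the BTS before upload. The upstream CHANGELOG in this debdiff also lists "Security: Better fix for CVE-2020-12641", which deserves its own bullet in this entry.
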
diff -Nru roundcube-1.3.11+dfsg.1/index.php roundcube-1.3.12+dfsg.1/index.php
--- roundcube-1.3.11+dfsg.1/index.php	2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/index.php	2020-06-02 22:19:19.000000000 +0200
@@ -2,7 +2,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                           |
- | Version 1.3.11                                                          |
+ | Version 1.3.12                                                          |
  |                                                                         |
  | Copyright (C) 2005-2019, The Roundcube Dev Team                         |
  |                                                                         |
diff -Nru roundcube-1.3.11+dfsg.1/INSTALL roundcube-1.3.12+dfsg.1/INSTALL
--- roundcube-1.3.11+dfsg.1/INSTALL	2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/INSTALL	2020-06-02 22:19:19.000000000 +0200
@@ -60,7 +60,16 @@
 5. Point your browser to http://url-to-roundcube/installer/
 6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
 7. After creating and testing the configuration, remove the installer directory
-8. Check Known Issues section of this file
+   ------------------------------------------
+   IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
+   ------------------------------------------
+8. If you use git sources compile css files for the Elastic skin (required
+   lessc >= 1.5.0):
+   $ cd skins/elastic
+   $ lessc -x styles/styles.less > styles/styles.css
+   $ lessc -x styles/print.less > styles/print.css
+   $ lessc -x styles/embed.less > styles/embed.css
+9. Check Known Issues section of this file
 
 
 CONFIGURATION HINTS
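
Review bot: new step 8 tells users to compile css files under skins/elastic, but nothing in this diffstat touches a skins/ directory. If the 1.3 tree ships no Elastic skin the step is misleading in the shipped INSTALL file; harmless for the package, but worth reporting upstream rather than patching in a security upload.
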
diff -Nru roundcube-1.3.11+dfsg.1/installer/index.php roundcube-1.3.12+dfsg.1/installer/index.php
--- roundcube-1.3.11+dfsg.1/installer/index.php	2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/installer/index.php	2020-06-02 22:19:21.000000000 +0200
@@ -3,7 +3,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail setup tool                                            |
- | Version 1.3.11                                                          |
+ | Version 1.3.12                                                          |
  |                                                                         |
  | Copyright (C) 2009-2019, The Roundcube Dev Team                         |
  |                                                                         |
diff -Nru roundcube-1.3.11+dfsg.1/installer/test.php roundcube-1.3.12+dfsg.1/installer/test.php
--- roundcube-1.3.11+dfsg.1/installer/test.php	2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/installer/test.php	2020-06-02 22:19:21.000000000 +0200
@@ -126,7 +126,7 @@
         else {
             $RCI->fail('DSN (write)', $db_error_msg);
             echo '<p class="hint">Make sure that the configured database exists and that the user has write privileges<br />';
-            echo 'DSN: ' . $RCI->config['db_dsnw'] . '</p>';
+            echo 'DSN: ' . rcube::Q($RCI->config['db_dsnw']) . '</p>';
         }
     }
     else {
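
Review bot: on the 'DSN: ' line, rcube::Q() stops markup injection but the page still prints the full db_dsnw value, which normally embeds the database password. The mail says the installer is not used in Debian; since the source upload still carries installer/test.php, confirm the binary package really excludes installer/.
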
@@ -261,19 +261,19 @@
 <tbody>
   <tr>
     <td><label for="smtp_server">Server</label></td>
-    <td><?php echo rcube_utils::parse_host($RCI->getprop('smtp_server', 'localhost')); ?></td>
+    <td><?php echo rcube::Q(rcube_utils::parse_host($RCI->getprop('smtp_server', 'localhost'))); ?></td>
   </tr>
   <tr>
     <td><label for="smtp_port">Port</label></td>
-    <td><?php echo $RCI->getprop('smtp_port'); ?></td>
+    <td><?php echo rcube::Q($RCI->getprop('smtp_port')); ?></td>
   </tr>
   <tr>
     <td><label for="smtp_user">Username</label></td>
-    <td><?php echo $user; ?></td>
+    <td><?php echo rcube::Q($user); ?></td>
   </tr>
   <tr>
     <td><label for="smtp_pass">Password</label></td>
-    <td><?php echo $pass; ?></td>
+    <td><?php echo rcube::Q($pass); ?></td>
   </tr>
 </tbody>
 </table>
diff -Nru roundcube-1.3.11+dfsg.1/program/include/iniset.php roundcube-1.3.12+dfsg.1/program/include/iniset.php
--- roundcube-1.3.11+dfsg.1/program/include/iniset.php	2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/include/iniset.php	2020-06-02 22:19:21.000000000 +0200
@@ -21,7 +21,7 @@
 */
 
 // application constants
-define('RCMAIL_VERSION', '1.3.11');
+define('RCMAIL_VERSION', '1.3.12');
 define('RCMAIL_START', microtime(true));
 
 if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.11+dfsg.1/program/include/rcmail_output_html.php roundcube-1.3.12+dfsg.1/program/include/rcmail_output_html.php
--- roundcube-1.3.11+dfsg.1/program/include/rcmail_output_html.php	2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/include/rcmail_output_html.php	2020-06-02 22:19:21.000000000 +0200
@@ -1823,7 +1823,9 @@
             $username = $this->app->user->get_username();
         }
 
-        return rcube_utils::idn_to_utf8($username);
+        $username = rcube_utils::idn_to_utf8($username);
+
+        return html::quote($username);
     }
 
     /**
diff -Nru roundcube-1.3.11+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.3.12+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.11+dfsg.1/program/lib/Roundcube/bootstrap.php	2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/lib/Roundcube/bootstrap.php	2020-06-02 22:19:21.000000000 +0200
@@ -53,7 +53,7 @@
 }
 
 // framework constants
-define('RCUBE_VERSION', '1.3.11');
+define('RCUBE_VERSION', '1.3.12');
 define('RCUBE_CHARSET', 'UTF-8');
 
 if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_config.php roundcube-1.3.12+dfsg.1/program/lib/Roundcube/rcube_config.php
--- roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_config.php	2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/lib/Roundcube/rcube_config.php	2020-06-02 22:19:21.000000000 +0200
@@ -397,7 +397,7 @@
         }
         else if ($name == 'client_mimetypes') {
             if (!$result && !$def) {
-                $result = 'text/plain,text/html,text/xml'
+                $result = 'text/plain,text/html'
                     . ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
                     . ',application/x-javascript,application/pdf,application/x-shockwave-flash';
             }
diff -Nru roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_image.php roundcube-1.3.12+dfsg.1/program/lib/Roundcube/rcube_image.php
--- roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_image.php	2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/lib/Roundcube/rcube_image.php	2020-06-02 22:19:21.000000000 +0200
@@ -100,7 +100,7 @@
     {
         $result  = false;
         $rcube   = rcube::get_instance();
-        $convert = $rcube->config->get('im_convert_path', false);
+        $convert = self::getCommand('im_convert_path');
         $props   = $this->props();
 
         if (empty($props)) {
@@ -159,7 +159,7 @@
                             'size'    => $width . 'x' . $height,
                         );
 
-                        $result = rcube::exec(escapeshellcmd($convert)
+                        $result = rcube::exec($convert
                             . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
                             . ' -quality {quality} -resize {size} {intype}:{in} {type}:{out}', $p);
                     }
@@ -308,7 +308,7 @@
     public function convert($type, $filename = null)
     {
         $rcube   = rcube::get_instance();
-        $convert = $rcube->config->get('im_convert_path', false);
+        $convert = self::getCommand('im_convert_path');
 
         if (!$filename) {
             $filename = $this->image_file;
@@ -325,8 +325,7 @@
             $p['out']  = $filename;
             $p['type'] = self::$extensions[$type];
 
-            $result = rcube::exec(escapeshellcmd($convert)
-                . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
+            $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
 
             if ($result === '') {
                 chmod($filename, 0600);
@@ -407,7 +406,7 @@
         $rcube = rcube::get_instance();
 
         // @TODO: check if specified mimetype is really supported
-        return class_exists('Imagick', false) || $rcube->config->get('im_convert_path');
+        return class_exists('Imagick', false) || self::getCommand('im_convert_path');
     }
 
     /**
@@ -418,9 +417,9 @@
         $rcube = rcube::get_instance();
 
         // use ImageMagick in command line
-        if ($cmd = $rcube->config->get('im_identify_path')) {
+        if ($cmd = self::getCommand('im_identify_path')) {
             $args = array('in' => $this->image_file, 'format' => "%m %[fx:w] %[fx:h]");
-            $id   = rcube::exec(escapeshellcmd($cmd) . ' 2>/dev/null -format {format} {in}', $args);
+            $id   = rcube::exec($cmd . ' 2>/dev/null -format {format} {in}', $args);
 
             if ($id) {
                 return explode(' ', strtolower($id));
@@ -459,4 +458,39 @@
         $size = $props['width'] * $props['height'] * $multip;
         return rcube_utils::mem_check($size);
     }
+
+    /**
+     * Get the configured command and make sure it is safe to use.
+     * We cannot trust configuration, and escapeshellcmd() is useless.
+     *
+     * @param string $opt_name Configuration option name
+     *
+     * @return bool|string The command or False if not set or invalid
+     */
+    private static function getCommand($opt_name)
+    {
+        static $error = [];
+
+        $cmd = rcube::get_instance()->config->get($opt_name);
+
+        if (empty($cmd)) {
+            return false;
+        }
+
+        if (preg_match('/^(convert|identify)(\.exe)?$/i', $cmd)) {
+            return $cmd;
+        }
+
+        // Executable must exist, also disallow network shares on Windows
+        if ($cmd[0] != "\\" && file_exists($cmd)) {
+            return $cmd;
+        }
+
+        if (empty($error[$opt_name])) {
+            rcube::raise_error("Invalid $opt_name: $cmd", true, false);
+            $error[$opt_name] = true;
+        }
+
+        return false;
+    }
 }
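
Review bot: in getCommand(), the second acceptance branch only checks `$cmd[0] != "\\" && file_exists($cmd)`, and with escapeshellcmd() dropped at every call site in this file it is the sole check before the value is concatenated into the rcube::exec() command string. file_exists() is also true for directories and non-executable files, and a path that exists but contains spaces or shell metacharacters would reach the shell unquoted. Consider is_file() plus is_executable(), and quoting the accepted path with escapeshellarg() before concatenation.
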
diff -Nru roundcube-1.3.11+dfsg.1/program/steps/mail/func.inc roundcube-1.3.12+dfsg.1/program/steps/mail/func.inc
--- roundcube-1.3.11+dfsg.1/program/steps/mail/func.inc	2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/steps/mail/func.inc	2020-06-02 22:19:21.000000000 +0200
@@ -2359,6 +2359,11 @@
         unset($mimetypes[$key]);
     }
 
+    // We cannot securely preview XML files as we do not have a proper parser
+    if (($key = array_search('text/xml', $mimetypes)) !== false) {
+        unset($mimetypes[$key]);
+    }
+
     foreach (array('tiff', 'webp') as $type) {
         if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
             // can we convert it to jpeg?
diff -Nru roundcube-1.3.11+dfsg.1/program/steps/mail/show.inc roundcube-1.3.12+dfsg.1/program/steps/mail/show.inc
--- roundcube-1.3.11+dfsg.1/program/steps/mail/show.inc	2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/program/steps/mail/show.inc	2020-06-02 22:19:21.000000000 +0200
@@ -72,6 +72,8 @@
     $OUTPUT->set_env('mailbox', $mbox_name);
     $OUTPUT->set_env('username', $RCMAIL->get_user_name());
     $OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
+    $OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
+    $OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes());
 
     if ($MESSAGE->headers->get('list-post', false)) {
         $OUTPUT->set_env('list_post', true);
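
Review bot: the two added set_env() calls ('delimiter' and 'mimetypes') are not explained by any of the four CHANGELOG entries for 1.3.12, and the stretch backport of the XML fix has no counterpart for them in its show.inc hunk. Confirm which fix they belong to, since the fallback plan of cherry-picking only the two upstream commits needs to know whether to carry them.
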
diff -Nru roundcube-1.3.11+dfsg.1/public_html/index.php roundcube-1.3.12+dfsg.1/public_html/index.php
--- roundcube-1.3.11+dfsg.1/public_html/index.php	2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.12+dfsg.1/public_html/index.php	2020-06-02 22:19:19.000000000 +0200
@@ -3,7 +3,7 @@
 /*
  +-----------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                         |
- | Version 1.3.11                                                        |
+ | Version 1.3.12                                                        |
  |                                                                       |
  | Copyright (C) 2005-2017, The Roundcube Dev Team                       |
  |                                                                       |