[Pkg-roundcube-maintainers] Security issues in roundcube 1.2.3+dfsg.1-4+deb9u4 and 1.3.11+dfsg.1-1~deb10u1
Guilhem Moulin
guilhem at debian.org
Tue Jun 9 13:31:31 BST 2020
Hi Sébastien,
On Tue, 09 Jun 2020 at 07:54:28 +0200, Sébastien Delafond wrote:
> On 04/06 09:34, Sébastien Delafond wrote:
>> thanks for your effort; I will request the CVE and also review your
>> diffs, hopefully before the end of the week.
>
> The CVEs are as follows:
>
> CVE-2020-13965 [Cross-Site Scripting (XSS) vulnerability via malicious XML messages]
> - roundcube 1.4.5+dfsg.1-1 (bug #962124)
> CVE-2020-13964 [Cross-Site Scripting (XSS) vulnerability in template object 'username']
> - roundcube 1.4.5+dfsg.1-1 (bug #962123)
Thanks!
> The debdiff for buster looks good, but the one for stretch only
> mentions #962123 and not #962124.
Ooops my bad, I originally thought it wasn't affected; tweaked the
upstream patch once I noticed it actually was, but of course I forgot to
update the changelog :-P
> Once you fix that, and include the CVEs in both changelog, feel free
> to upload to security-master.
Done with the attached debdiffs. Note that meanwhile upstream has
released 1.3.13 which is what I just uploaded in the interest of
following the 1.3.x branch. I assume it's not controversial since it
only differs with a one-liner in installer/test.php (“regression in SMTP
test section”) which we don't use. Lemme know if you'd prefer we stick
to 1.3.12 for the time being :-)
Cheers,
--
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1
changelog | 10 +++++++
patches/CVE-2020-13964.patch | 22 +++++++++++++++++
patches/CVE-2020-13965.patch | 54 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 2 +
4 files changed, 88 insertions(+)
diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog
--- roundcube-1.2.3+dfsg.1/debian/changelog 2020-05-04 14:50:42.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/changelog 2020-06-09 13:46:01.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.2.3+dfsg.1-4+deb9u5) stretch-security; urgency=high
+
+ * Backport security fixes from 1.3.12:
+ - CVE-2020-13964: Cross-Site Scripting (XSS) vulnerability in template
+ object 'username' (closes: #962124)
+ - CVE-2020-13965: Cross-Site Scripting (XSS) vulnerability via malicious
+ XML messages (closes: #962123)
+
+ -- Guilhem Moulin <guilhem at debian.org> Tue, 09 Jun 2020 13:46:01 +0200
+
roundcube (1.2.3+dfsg.1-4+deb9u4) stretch-security; urgency=high
* Backport security fixes from 1.2.10:
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-13964.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-13964.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-13964.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-13964.patch 2020-06-09 13:46:01.000000000 +0200
@@ -0,0 +1,22 @@
+From 37e2bc745723ef6322f0f785aefd0b9313a40f19 Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec at alec.pl>
+Date: Sat, 30 May 2020 08:28:05 +0200
+Subject: Security: Fix XSS issue in template object 'username' (#7406)
+
+---
+ program/include/rcmail_output_html.php | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/program/include/rcmail_output_html.php
++++ b/program/include/rcmail_output_html.php
+@@ -1768,7 +1768,9 @@ EOF;
+ $username = $this->app->user->get_username();
+ }
+
+- return rcube_utils::idn_to_utf8($username);
++ $username = rcube_utils::idn_to_utf8($username);
++
++ return html::quote($username);
+ }
+
+ /**
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-13965.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-13965.patch
--- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-13965.patch 1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-13965.patch 2020-06-09 13:46:01.000000000 +0200
@@ -0,0 +1,54 @@
+From 884eb611627ef2bd5a2e20e02009ebb1eceecdc3 Mon Sep 17 00:00:00 2001
+From: Aleksander Machniak <alec at alec.pl>
+Date: Sat, 30 May 2020 08:35:33 +0200
+Subject: Security: Fix cross-site scripting (XSS) via malicious XML
+ attachment
+
+---
+ config/defaults.inc.php | 9 ++++++---
+ program/lib/Roundcube/rcube_config.php | 2 +-
+ program/steps/mail/show.inc | 4 ++++
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/config/defaults.inc.php
++++ b/config/defaults.inc.php
+@@ -577,9 +577,12 @@ $config['identities_level'] = 0;
+ $config['identity_image_size'] = 64;
+
+ // Mimetypes supported by the browser.
+-// attachments of these types will open in a preview window
+-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
+-$config['client_mimetypes'] = null; # null == default
++// Attachments of these types will open in a preview window.
++// Either a comma-separated list or an array. Default list includes:
++// text/plain,text/html,
++// image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
++// application/x-javascript,application/pdf,application/x-shockwave-flash
++$config['client_mimetypes'] = null;
+
+ // Path to a local mime magic database file for PHPs finfo extension.
+ // Set to null if the default path should be used.
+--- a/program/lib/Roundcube/rcube_config.php
++++ b/program/lib/Roundcube/rcube_config.php
+@@ -393,7 +393,7 @@ class rcube_config
+ }
+ else if ($name == 'client_mimetypes') {
+ if (!$result && !$def) {
+- $result = 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,image/bmp,image/tiff,application/x-javascript,application/pdf,application/x-shockwave-flash';
++ $result = 'text/plain,text/html,image/jpeg,image/gif,image/png,image/bmp,image/tiff,application/x-javascript,application/pdf,application/x-shockwave-flash';
+ }
+ if ($result && is_string($result)) {
+ $result = explode(',', $result);
+--- a/program/steps/mail/show.inc
++++ b/program/steps/mail/show.inc
+@@ -100,6 +100,10 @@ if ($uid) {
+ if (empty($_SESSION['browser_caps']['flash']) && ($key = array_search('application/x-shockwave-flash', $mimetypes)) !== false) {
+ unset($mimetypes[$key]);
+ }
++ // We cannot securely preview XML files as we do not have a proper parser
++ if (($key = array_search('text/xml', $mimetypes)) !== false) {
++ unset($mimetypes[$key]);
++ }
+ if (empty($_SESSION['browser_caps']['tif']) && ($key = array_search('image/tiff', $mimetypes)) !== false) {
+ // we can convert tiff to jpeg
+ if (!rcube_image::is_convertable('image/tiff')) {
diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series
--- roundcube-1.2.3+dfsg.1/debian/patches/series 2020-05-04 14:50:42.000000000 +0200
+++ roundcube-1.2.3+dfsg.1/debian/patches/series 2020-06-09 13:46:01.000000000 +0200
@@ -18,3 +18,5 @@
CVE-2018-19206.patch
CVE-2020-12625.patch
CVE-2020-12626.patch
+CVE-2020-13964.patch
+CVE-2020-13965.patch
-------------- next part --------------
diffstat for roundcube-1.3.11+dfsg.1 roundcube-1.3.13+dfsg.1
CHANGELOG | 11 +++++++
INSTALL | 11 ++++++-
config/defaults.inc.php | 9 +++--
debian/changelog | 10 ++++++
index.php | 2 -
installer/index.php | 2 -
installer/test.php | 12 +++++--
program/include/iniset.php | 2 -
program/include/rcmail_output_html.php | 4 +-
program/lib/Roundcube/bootstrap.php | 2 -
program/lib/Roundcube/rcube_config.php | 2 -
program/lib/Roundcube/rcube_image.php | 50 +++++++++++++++++++++++++++------
program/steps/mail/func.inc | 5 +++
program/steps/mail/show.inc | 2 +
public_html/index.php | 2 -
15 files changed, 104 insertions(+), 22 deletions(-)
diff -Nru roundcube-1.3.11+dfsg.1/CHANGELOG roundcube-1.3.13+dfsg.1/CHANGELOG
--- roundcube-1.3.11+dfsg.1/CHANGELOG 2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/CHANGELOG 2020-06-07 13:23:24.000000000 +0200
@@ -1,6 +1,17 @@
CHANGELOG Roundcube Webmail
===========================
+RELEASE 1.3.13
+--------------
+- Installer: Fix regression in SMTP test section (#7417)
+
+RELEASE 1.3.12
+--------------
+- Security: Better fix for CVE-2020-12641
+- Security: Fix XSS issue in template object 'username' (#7406)
+- Security: Fix couple of XSS issues in Installer (#7406)
+- Security: Fix cross-site scripting (XSS) via malicious XML attachment
+
RELEASE 1.3.11
--------------
- Enigma: Fix compatibility with Mail_Mime >= 1.10.5
diff -Nru roundcube-1.3.11+dfsg.1/config/defaults.inc.php roundcube-1.3.13+dfsg.1/config/defaults.inc.php
--- roundcube-1.3.11+dfsg.1/config/defaults.inc.php 2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/config/defaults.inc.php 2020-06-07 13:23:24.000000000 +0200
@@ -589,9 +589,12 @@
$config['identity_image_size'] = 64;
// Mimetypes supported by the browser.
-// attachments of these types will open in a preview window
-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
-$config['client_mimetypes'] = null; # null == default
+// Attachments of these types will open in a preview window.
+// Either a comma-separated list or an array. Default list includes:
+// text/plain,text/html,
+// image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
+// application/x-javascript,application/pdf,application/x-shockwave-flash
+$config['client_mimetypes'] = null;
// Path to a local mime magic database file for PHPs finfo extension.
// Set to null if the default path should be used.
diff -Nru roundcube-1.3.11+dfsg.1/debian/changelog roundcube-1.3.13+dfsg.1/debian/changelog
--- roundcube-1.3.11+dfsg.1/debian/changelog 2020-05-04 14:19:18.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/debian/changelog 2020-06-09 13:29:14.000000000 +0200
@@ -1,3 +1,13 @@
+roundcube (1.3.13+dfsg.1-1~deb10u1) buster-security; urgency=high
+
+ * New security upstream release, with fixes for:
+ - CVE-2020-13964: Cross-Site Scripting (XSS) vulnerability in template
+ object 'username' (Closes: #962124)
+ - CVE-2020-13965: Cross-Site Scripting (XSS) vulnerability via malicious
+ XML messages (Closes: #962123)
+
+ -- Guilhem Moulin <guilhem at debian.org> Tue, 09 Jun 2020 13:29:14 +0200
+
roundcube (1.3.11+dfsg.1-1~deb10u1) buster-security; urgency=high
* New security upstream release, with fixes for:
diff -Nru roundcube-1.3.11+dfsg.1/index.php roundcube-1.3.13+dfsg.1/index.php
--- roundcube-1.3.11+dfsg.1/index.php 2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/index.php 2020-06-07 13:23:24.000000000 +0200
@@ -2,7 +2,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.11 |
+ | Version 1.3.13 |
| |
| Copyright (C) 2005-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.11+dfsg.1/INSTALL roundcube-1.3.13+dfsg.1/INSTALL
--- roundcube-1.3.11+dfsg.1/INSTALL 2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/INSTALL 2020-06-07 13:23:24.000000000 +0200
@@ -60,7 +60,16 @@
5. Point your browser to http://url-to-roundcube/installer/
6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
7. After creating and testing the configuration, remove the installer directory
-8. Check Known Issues section of this file
+ ------------------------------------------
+ IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
+ ------------------------------------------
+8. If you use git sources compile css files for the Elastic skin (required
+ lessc >= 1.5.0):
+ $ cd skins/elastic
+ $ lessc -x styles/styles.less > styles/styles.css
+ $ lessc -x styles/print.less > styles/print.css
+ $ lessc -x styles/embed.less > styles/embed.css
+9. Check Known Issues section of this file
CONFIGURATION HINTS
diff -Nru roundcube-1.3.11+dfsg.1/installer/index.php roundcube-1.3.13+dfsg.1/installer/index.php
--- roundcube-1.3.11+dfsg.1/installer/index.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/installer/index.php 2020-06-07 13:23:25.000000000 +0200
@@ -3,7 +3,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail setup tool |
- | Version 1.3.11 |
+ | Version 1.3.13 |
| |
| Copyright (C) 2009-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.11+dfsg.1/installer/test.php roundcube-1.3.13+dfsg.1/installer/test.php
--- roundcube-1.3.11+dfsg.1/installer/test.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/installer/test.php 2020-06-07 13:23:25.000000000 +0200
@@ -126,7 +126,7 @@
else {
$RCI->fail('DSN (write)', $db_error_msg);
echo '<p class="hint">Make sure that the configured database exists and that the user has write privileges<br />';
- echo 'DSN: ' . $RCI->config['db_dsnw'] . '</p>';
+ echo 'DSN: ' . rcube::Q($RCI->config['db_dsnw']) . '</p>';
}
}
else {
@@ -247,10 +247,16 @@
$user_field = new html_inputfield(array('name' => '_smtp_user', 'id' => 'smtp_user'));
$user = $user_field->show($_POST['_smtp_user']);
}
+else {
+ $user = html::quote($user);
+}
if ($pass == '%p') {
$pass_field = new html_passwordfield(array('name' => '_smtp_pass', 'id' => 'smtp_pass'));
$pass = $pass_field->show();
}
+else {
+ $pass = html::quote($pass);
+}
?>
@@ -261,11 +267,11 @@
<tbody>
<tr>
<td><label for="smtp_server">Server</label></td>
- <td><?php echo rcube_utils::parse_host($RCI->getprop('smtp_server', 'localhost')); ?></td>
+ <td><?php echo rcube::Q(rcube_utils::parse_host($RCI->getprop('smtp_server', 'localhost'))); ?></td>
</tr>
<tr>
<td><label for="smtp_port">Port</label></td>
- <td><?php echo $RCI->getprop('smtp_port'); ?></td>
+ <td><?php echo rcube::Q($RCI->getprop('smtp_port')); ?></td>
</tr>
<tr>
<td><label for="smtp_user">Username</label></td>
diff -Nru roundcube-1.3.11+dfsg.1/program/include/iniset.php roundcube-1.3.13+dfsg.1/program/include/iniset.php
--- roundcube-1.3.11+dfsg.1/program/include/iniset.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/program/include/iniset.php 2020-06-07 13:23:25.000000000 +0200
@@ -21,7 +21,7 @@
*/
// application constants
-define('RCMAIL_VERSION', '1.3.11');
+define('RCMAIL_VERSION', '1.3.13');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.11+dfsg.1/program/include/rcmail_output_html.php roundcube-1.3.13+dfsg.1/program/include/rcmail_output_html.php
--- roundcube-1.3.11+dfsg.1/program/include/rcmail_output_html.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/program/include/rcmail_output_html.php 2020-06-07 13:23:25.000000000 +0200
@@ -1823,7 +1823,9 @@
$username = $this->app->user->get_username();
}
- return rcube_utils::idn_to_utf8($username);
+ $username = rcube_utils::idn_to_utf8($username);
+
+ return html::quote($username);
}
/**
diff -Nru roundcube-1.3.11+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.3.13+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.11+dfsg.1/program/lib/Roundcube/bootstrap.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/program/lib/Roundcube/bootstrap.php 2020-06-07 13:23:25.000000000 +0200
@@ -53,7 +53,7 @@
}
// framework constants
-define('RCUBE_VERSION', '1.3.11');
+define('RCUBE_VERSION', '1.3.13');
define('RCUBE_CHARSET', 'UTF-8');
if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_config.php roundcube-1.3.13+dfsg.1/program/lib/Roundcube/rcube_config.php
--- roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_config.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/program/lib/Roundcube/rcube_config.php 2020-06-07 13:23:25.000000000 +0200
@@ -397,7 +397,7 @@
}
else if ($name == 'client_mimetypes') {
if (!$result && !$def) {
- $result = 'text/plain,text/html,text/xml'
+ $result = 'text/plain,text/html'
. ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
. ',application/x-javascript,application/pdf,application/x-shockwave-flash';
}
diff -Nru roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_image.php roundcube-1.3.13+dfsg.1/program/lib/Roundcube/rcube_image.php
--- roundcube-1.3.11+dfsg.1/program/lib/Roundcube/rcube_image.php 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/program/lib/Roundcube/rcube_image.php 2020-06-07 13:23:25.000000000 +0200
@@ -100,7 +100,7 @@
{
$result = false;
$rcube = rcube::get_instance();
- $convert = $rcube->config->get('im_convert_path', false);
+ $convert = self::getCommand('im_convert_path');
$props = $this->props();
if (empty($props)) {
@@ -159,7 +159,7 @@
'size' => $width . 'x' . $height,
);
- $result = rcube::exec(escapeshellcmd($convert)
+ $result = rcube::exec($convert
. ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip'
. ' -quality {quality} -resize {size} {intype}:{in} {type}:{out}', $p);
}
@@ -308,7 +308,7 @@
public function convert($type, $filename = null)
{
$rcube = rcube::get_instance();
- $convert = $rcube->config->get('im_convert_path', false);
+ $convert = self::getCommand('im_convert_path');
if (!$filename) {
$filename = $this->image_file;
@@ -325,8 +325,7 @@
$p['out'] = $filename;
$p['type'] = self::$extensions[$type];
- $result = rcube::exec(escapeshellcmd($convert)
- . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
+ $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip -flatten -quality 75 {in} {type}:{out}', $p);
if ($result === '') {
chmod($filename, 0600);
@@ -407,7 +406,7 @@
$rcube = rcube::get_instance();
// @TODO: check if specified mimetype is really supported
- return class_exists('Imagick', false) || $rcube->config->get('im_convert_path');
+ return class_exists('Imagick', false) || self::getCommand('im_convert_path');
}
/**
@@ -418,9 +417,9 @@
$rcube = rcube::get_instance();
// use ImageMagick in command line
- if ($cmd = $rcube->config->get('im_identify_path')) {
+ if ($cmd = self::getCommand('im_identify_path')) {
$args = array('in' => $this->image_file, 'format' => "%m %[fx:w] %[fx:h]");
- $id = rcube::exec(escapeshellcmd($cmd) . ' 2>/dev/null -format {format} {in}', $args);
+ $id = rcube::exec($cmd . ' 2>/dev/null -format {format} {in}', $args);
if ($id) {
return explode(' ', strtolower($id));
@@ -459,4 +458,39 @@
$size = $props['width'] * $props['height'] * $multip;
return rcube_utils::mem_check($size);
}
+
+ /**
+ * Get the configured command and make sure it is safe to use.
+ * We cannot trust configuration, and escapeshellcmd() is useless.
+ *
+ * @param string $opt_name Configuration option name
+ *
+ * @return bool|string The command or False if not set or invalid
+ */
+ private static function getCommand($opt_name)
+ {
+ static $error = [];
+
+ $cmd = rcube::get_instance()->config->get($opt_name);
+
+ if (empty($cmd)) {
+ return false;
+ }
+
+ if (preg_match('/^(convert|identify)(\.exe)?$/i', $cmd)) {
+ return $cmd;
+ }
+
+ // Executable must exist, also disallow network shares on Windows
+ if ($cmd[0] != "\\" && file_exists($cmd)) {
+ return $cmd;
+ }
+
+ if (empty($error[$opt_name])) {
+ rcube::raise_error("Invalid $opt_name: $cmd", true, false);
+ $error[$opt_name] = true;
+ }
+
+ return false;
+ }
}
diff -Nru roundcube-1.3.11+dfsg.1/program/steps/mail/func.inc roundcube-1.3.13+dfsg.1/program/steps/mail/func.inc
--- roundcube-1.3.11+dfsg.1/program/steps/mail/func.inc 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/program/steps/mail/func.inc 2020-06-07 13:23:25.000000000 +0200
@@ -2359,6 +2359,11 @@
unset($mimetypes[$key]);
}
+ // We cannot securely preview XML files as we do not have a proper parser
+ if (($key = array_search('text/xml', $mimetypes)) !== false) {
+ unset($mimetypes[$key]);
+ }
+
foreach (array('tiff', 'webp') as $type) {
if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
// can we convert it to jpeg?
diff -Nru roundcube-1.3.11+dfsg.1/program/steps/mail/show.inc roundcube-1.3.13+dfsg.1/program/steps/mail/show.inc
--- roundcube-1.3.11+dfsg.1/program/steps/mail/show.inc 2020-04-26 22:20:26.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/program/steps/mail/show.inc 2020-06-07 13:23:25.000000000 +0200
@@ -72,6 +72,8 @@
$OUTPUT->set_env('mailbox', $mbox_name);
$OUTPUT->set_env('username', $RCMAIL->get_user_name());
$OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
+ $OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
+ $OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes());
if ($MESSAGE->headers->get('list-post', false)) {
$OUTPUT->set_env('list_post', true);
diff -Nru roundcube-1.3.11+dfsg.1/public_html/index.php roundcube-1.3.13+dfsg.1/public_html/index.php
--- roundcube-1.3.11+dfsg.1/public_html/index.php 2020-04-26 22:20:25.000000000 +0200
+++ roundcube-1.3.13+dfsg.1/public_html/index.php 2020-06-07 13:23:24.000000000 +0200
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.11 |
+ | Version 1.3.13 |
| |
| Copyright (C) 2005-2017, The Roundcube Dev Team |
| |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20200609/68d62afc/attachment.sig>
More information about the Pkg-roundcube-maintainers
mailing list