[Pkg-roundcube-maintainers] Security issues in roundcube 1.3.16+dfsg.1-1~deb10u1 and 1.4.11+dfsg.1-4

Guilhem Moulin guilhem at debian.org
Thu Nov 18 19:31:34 GMT 2021


Dear security team,

In a recent post [0] roundcube webmail upstream has announced the
following security fixes:

  - Fix XSS issue in handling attachment filename extension in mimetype
    mismatch warning
    https://github.com/roundcube/roundcubemail/pull/8193
  - Fix possible SQL injection via some session variables

Unfortunately upstream didn't assign CVEs (yet?); not sure whether the
latter warrants a DSA, but the former probably does.  Both issues are
tracked as #1000156 in our BTS.

The package in Buster is currently following the 1.3 branch so I guess
it makes sense to upload 1.3.17+dfsg.1-1~deb10u1 (roundcube-1.3.debdiff
attached).

Given 1.4 is nowadays a bugfix-only branch, I propose to do the same and
upload 1.4.12+dfsg.1-1~deb11u1.  If the attached roundcube-1.4.debdiff
is beyond the scope of buster-security (it also contains a handful of
cosmetic bugfixes as well as documentation fixes) I'll just apply these
two commits:

    https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
    https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1

(And ask the release team if the rest would be suitable for s-p-u.)

Both versions have been tested.  I would appreciate it if you could take
care of the CVE assignment as upstream often doesn't follow up.  I'll
hold the upload until the CVEs are assigned so we have proper numbers in
d/changelog.

Cheers,
-- 
Guilhem.

[0] https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released
-------------- next part --------------
diffstat for roundcube-1.3.16+dfsg.1 roundcube-1.3.17+dfsg.1

 CHANGELOG                                              |    5 
 debian/changelog                                       |   12 +
 debian/gbp.conf                                        |    2 
 debian/patches/CVE-2018-1000071.patch                  |    4 
 debian/patches/Revert-Fix-jstz.min.js-dependency.patch |    4 
 debian/patches/correct_install_path.patch              |    2 
 debian/patches/default-charset-utf8.patch              |    2 
 debian/patches/retry_to_reach_imap_server.patch        |    4 
 debian/patches/use_pspell.patch                        |    2 
 debian/upstream/signing-key.asc                        |  134 +++++++----------
 index.php                                              |    2 
 installer/index.php                                    |    2 
 program/include/iniset.php                             |    2 
 program/lib/Roundcube/bootstrap.php                    |    2 
 program/steps/addressbook/export.inc                   |    6 
 program/steps/addressbook/func.inc                     |    8 -
 program/steps/addressbook/search.inc                   |    7 
 program/steps/mail/get.inc                             |   27 ++-
 program/steps/mail/list.inc                            |    3 
 program/steps/mail/list_contacts.inc                   |    8 -
 program/steps/mail/search_contacts.inc                 |    4 
 public_html/index.php                                  |    2 
 22 files changed, 128 insertions(+), 116 deletions(-)

diff -Nru roundcube-1.3.16+dfsg.1/CHANGELOG roundcube-1.3.17+dfsg.1/CHANGELOG
--- roundcube-1.3.16+dfsg.1/CHANGELOG	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/CHANGELOG	2021-11-12 22:12:27.000000000 +0100
@@ -1,6 +1,11 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+RELEASE 1.3.17
+--------------
+- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
+- Fix SQL injection via some session variables
+
 RELEASE 1.3.16
 --------------
 - Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730]
diff -Nru roundcube-1.3.16+dfsg.1/debian/changelog roundcube-1.3.17+dfsg.1/debian/changelog
--- roundcube-1.3.16+dfsg.1/debian/changelog	2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/changelog	2021-11-18 19:52:34.000000000 +0100
@@ -1,3 +1,15 @@
+roundcube (1.3.17+dfsg.1-1~deb10u1) buster-security; urgency=high
+
+  * New bugfix/security upstream release (closes: #1000156):
+    + Fix XSS issue in handling attachment filename extension in mimetype
+      mismatch warning
+    + Fix possible SQL injection via some session variables
+  * Refresh d/patches.
+  * Refresh d/upstream/signing-key.asc.
+  * d/gbp.conf: Rename upstream branch to upstream/release-1.3.
+
+ -- Guilhem Moulin <guilhem at debian.org>  Thu, 18 Nov 2021 19:52:34 +0100
+
 roundcube (1.3.16+dfsg.1-1~deb10u1) buster-security; urgency=high
 
   * New upstream bugfix release, with security fix for CVE-2020-35730:
diff -Nru roundcube-1.3.16+dfsg.1/debian/gbp.conf roundcube-1.3.17+dfsg.1/debian/gbp.conf
--- roundcube-1.3.16+dfsg.1/debian/gbp.conf	2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/gbp.conf	2021-11-18 19:52:34.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
 debian-branch=debian/buster
-upstream-branch=upstream-1.3.x
+upstream-branch=upstream/release-1.3
 pristine-tar=True
 compression=xz
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/correct_install_path.patch roundcube-1.3.17+dfsg.1/debian/patches/correct_install_path.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/correct_install_path.patch	2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/correct_install_path.patch	2021-11-18 19:52:34.000000000 +0100
@@ -6,7 +6,7 @@
 
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
-@@ -25,7 +25,7 @@ define('RCMAIL_VERSION', '1.3.11');
+@@ -25,7 +25,7 @@ define('RCMAIL_VERSION', '1.3.17');
  define('RCMAIL_START', microtime(true));
  
  if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/CVE-2018-1000071.patch roundcube-1.3.17+dfsg.1/debian/patches/CVE-2018-1000071.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/CVE-2018-1000071.patch	2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/CVE-2018-1000071.patch	2021-11-18 19:52:34.000000000 +0100
@@ -8,11 +8,11 @@
     Added notes that it should be secured or not accessible from the web browser.
 
 ---
- plugins/enigma/README                      |   15 +++++++++++++--
+ plugins/enigma/README                      |   10 ++++++++++
  plugins/enigma/config.inc.php.dist         |    4 ++--
  plugins/enigma/home/.htaccess              |    7 -------
  plugins/enigma/lib/enigma_driver_gnupg.php |    2 +-
- 4 files changed, 16 insertions(+), 12 deletions(-)
+ 4 files changed, 13 insertions(+), 10 deletions(-)
 
 --- a/plugins/enigma/config.inc.php.dist
 +++ b/plugins/enigma/config.inc.php.dist
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/default-charset-utf8.patch roundcube-1.3.17+dfsg.1/debian/patches/default-charset-utf8.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/default-charset-utf8.patch	2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/default-charset-utf8.patch	2021-11-18 19:52:34.000000000 +0100
@@ -6,7 +6,7 @@
 
 --- a/config/defaults.inc.php
 +++ b/config/defaults.inc.php
-@@ -1027,7 +1027,7 @@ $config['contact_search_name'] = '{name}
+@@ -1030,7 +1030,7 @@ $config['contact_search_name'] = '{name}
  // ----------------------------------
  
  // Use this charset as fallback for message decoding
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/retry_to_reach_imap_server.patch roundcube-1.3.17+dfsg.1/debian/patches/retry_to_reach_imap_server.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/retry_to_reach_imap_server.patch	2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/retry_to_reach_imap_server.patch	2021-11-18 19:52:34.000000000 +0100
@@ -5,6 +5,10 @@
 Last-Update: 2019-12-24
 
 ---
+---
+ program/lib/Roundcube/rcube_imap.php |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
 --- a/program/lib/Roundcube/rcube_imap.php
 +++ b/program/lib/Roundcube/rcube_imap.php
 @@ -144,7 +144,11 @@ class rcube_imap extends rcube_storage
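Review bot: the refreshed header of retry_to_reach_imap_server.patch now has two consecutive "---" separator lines, the existing one kept as context and a second one added together with the diffstat. Drop one of them so the patch header has a single separator before the diffstat, as the other refreshed patches in this debdiff do.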
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch roundcube-1.3.17+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch	2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch	2021-11-18 19:52:34.000000000 +0100
@@ -4,11 +4,9 @@
 
 This reverts upstream commit 435cfa116964e03a28499d5a4331dd76a7c07451.
 ---
- jsdeps.json | 9 +++++----
+ jsdeps.json |    9 +++++----
  1 file changed, 5 insertions(+), 4 deletions(-)
 
-diff --git a/jsdeps.json b/jsdeps.json
-index 16192e20d..8276d9e4e 100644
 --- a/jsdeps.json
 +++ b/jsdeps.json
 @@ -14,13 +14,14 @@
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/use_pspell.patch roundcube-1.3.17+dfsg.1/debian/patches/use_pspell.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/use_pspell.patch	2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/use_pspell.patch	2021-11-18 19:52:34.000000000 +0100
@@ -6,7 +6,7 @@
 
 --- a/config/defaults.inc.php
 +++ b/config/defaults.inc.php
-@@ -737,7 +737,8 @@ $config['spellcheck_dictionary'] = false
+@@ -740,7 +740,8 @@ $config['spellcheck_dictionary'] = false
  // Since Google shut down their public spell checking service, the default settings
  // connect to http://spell.roundcube.net which is a hosted service provided by Roundcube.
  // You can connect to any other googie-compliant service by setting 'spellcheck_uri' accordingly.
diff -Nru roundcube-1.3.16+dfsg.1/debian/upstream/signing-key.asc roundcube-1.3.17+dfsg.1/debian/upstream/signing-key.asc
--- roundcube-1.3.16+dfsg.1/debian/upstream/signing-key.asc	2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/upstream/signing-key.asc	2021-11-18 19:52:34.000000000 +0100
@@ -23,80 +23,62 @@
 -----END PGP PUBLIC KEY BLOCK-----
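Review bot: the signing-key.asc hunk shrinks the armored block from 80 to 62 lines, but the only record of why is the changelog line "Refresh d/upstream/signing-key.asc". Armored key material cannot be reviewed by eye, so please state in d/changelog or the commit message where the refreshed key was exported from and its fingerprint, so a reviewer can confirm it is still the same upstream key before the tarball signature check starts relying on it.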
diff -Nru roundcube-1.3.16+dfsg.1/index.php roundcube-1.3.17+dfsg.1/index.php
--- roundcube-1.3.16+dfsg.1/index.php	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/index.php	2021-11-12 22:12:27.000000000 +0100
@@ -2,7 +2,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                           |
- | Version 1.3.16                                                          |
+ | Version 1.3.17                                                          |
  |                                                                         |
  | Copyright (C) 2005-2019, The Roundcube Dev Team                         |
  |                                                                         |
diff -Nru roundcube-1.3.16+dfsg.1/installer/index.php roundcube-1.3.17+dfsg.1/installer/index.php
--- roundcube-1.3.16+dfsg.1/installer/index.php	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/installer/index.php	2021-11-12 22:12:28.000000000 +0100
@@ -3,7 +3,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail setup tool                                            |
- | Version 1.3.16                                                          |
+ | Version 1.3.17                                                          |
  |                                                                         |
  | Copyright (C) 2009-2019, The Roundcube Dev Team                         |
  |                                                                         |
diff -Nru roundcube-1.3.16+dfsg.1/program/include/iniset.php roundcube-1.3.17+dfsg.1/program/include/iniset.php
--- roundcube-1.3.16+dfsg.1/program/include/iniset.php	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/include/iniset.php	2021-11-12 22:12:27.000000000 +0100
@@ -21,7 +21,7 @@
 */
 
 // application constants
-define('RCMAIL_VERSION', '1.3.16');
+define('RCMAIL_VERSION', '1.3.17');
 define('RCMAIL_START', microtime(true));
 
 if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.16+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.3.17+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.16+dfsg.1/program/lib/Roundcube/bootstrap.php	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/lib/Roundcube/bootstrap.php	2021-11-12 22:12:27.000000000 +0100
@@ -53,7 +53,7 @@
 }
 
 // framework constants
-define('RCUBE_VERSION', '1.3.16');
+define('RCUBE_VERSION', '1.3.17');
 define('RCUBE_CHARSET', 'UTF-8');
 
 if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/addressbook/export.inc roundcube-1.3.17+dfsg.1/program/steps/addressbook/export.inc
--- roundcube-1.3.16+dfsg.1/program/steps/addressbook/export.inc	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/addressbook/export.inc	2021-11-12 22:12:27.000000000 +0100
@@ -24,9 +24,11 @@
 $RCMAIL->request_security_check(rcube_utils::INPUT_GET);
 
 // Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
+if (!empty($_REQUEST['_search']) && isset($_SESSION['contact_search'][$_REQUEST['_search']])
+    && is_array($_SESSION['contact_search'][$_REQUEST['_search']])
+) {
     $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
-    $search  = (array)$_SESSION['search'][$_REQUEST['_search']];
+    $search  = $_SESSION['contact_search'][$_REQUEST['_search']];
     $records = array();
 
     // Get records from all sources
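Review bot: the condition in export.inc gains an is_array() check and the session key moves from 'search' to 'contact_search', but nothing in the code says why. The changelog attributes an SQL injection fix to session variables, so a one-line comment above the condition explaining that the stored value must be an array written by the contact search code would keep a later cleanup from restoring the old "(array)" cast. Note also that is_array() validates only the outer value; the entries inside "$search" are used as stored.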
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/addressbook/func.inc roundcube-1.3.17+dfsg.1/program/steps/addressbook/func.inc
--- roundcube-1.3.16+dfsg.1/program/steps/addressbook/func.inc	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/addressbook/func.inc	2021-11-12 22:12:27.000000000 +0100
@@ -885,8 +885,10 @@
 {
     global $RCMAIL;
 
-    if (($search_request = $_REQUEST['_search']) && isset($_SESSION['search'][$search_request])) {
-        $search   = (array)$_SESSION['search'][$search_request];
+    if (($search_request = $_REQUEST['_search']) && isset($_SESSION['contact_search'][$search_request])
+        && is_array($_SESSION['contact_search'][$search_request])
+    ) {
+        $search   = $_SESSION['contact_search'][$search_request];
         $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
         $afields  = $return ? $RCMAIL->config->get('contactlist_fields') : array('name', 'email');
         $records  = array();
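Review bot: the isset() plus is_array() guard on "$_SESSION['contact_search'][...]" is now written out three times (export.inc, func.inc, list_contacts.inc), which makes it easy for a fourth reader of this session key to omit it. Consider one small helper that returns the stored search set or null and call it from all three places. In this hunk "$_REQUEST['_search']" is also still read directly, whereas search.inc fetches the same parameter through rcube_utils::get_input_value(); using the same accessor here would keep input handling consistent.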
@@ -919,7 +921,7 @@
             $search[$s] = $source->get_search_set();
         }
 
-        $_SESSION['search'][$search_request] = $search;
+        $_SESSION['contact_search'][$search_request] = $search;
 
         return $records;
     }
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/addressbook/search.inc roundcube-1.3.17+dfsg.1/program/steps/addressbook/search.inc
--- roundcube-1.3.16+dfsg.1/program/steps/addressbook/search.inc	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/addressbook/search.inc	2021-11-12 22:12:27.000000000 +0100
@@ -25,8 +25,7 @@
     $id   = rcube_utils::get_input_value('_search', rcube_utils::INPUT_POST);
     $name = rcube_utils::get_input_value('_name', rcube_utils::INPUT_POST, true);
 
-    if (($params = $_SESSION['search_params']) && $params['id'] == $id) {
-
+    if (($params = $_SESSION['contact_search_params']) && $params['id'] == $id) {
         $data = array(
             'type' => rcube_user::SEARCH_ADDRESSBOOK,
             'name' => $name,
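Review bot: the rewritten condition keeps the loose comparison "$params['id'] == $id". Elsewhere in this debdiff the id is built with md5(), and two hex strings that both look like numbers in exponent notation can compare equal under "==" on the PHP versions these branches target. Since the line is being touched anyway, switch to "===", and check that 'contact_search_params' is set before indexing it.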
@@ -213,8 +212,8 @@
         .(is_array($search) ? implode(',', $search) : $search));
 
     // save search settings in session
-    $_SESSION['search'][$search_request] = $search_set;
-    $_SESSION['search_params'] = array('id' => $search_request, 'data' => array($fields, $search));
+    $_SESSION['contact_search'][$search_request] = $search_set;
+    $_SESSION['contact_search_params'] = array('id' => $search_request, 'data' => array($fields, $search));
     $_SESSION['page'] = 1;
 
     if ($adv)
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/mail/get.inc roundcube-1.3.17+dfsg.1/program/steps/mail/get.inc
--- roundcube-1.3.16+dfsg.1/program/steps/mail/get.inc	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/mail/get.inc	2021-11-12 22:12:27.000000000 +0100
@@ -184,21 +184,26 @@
             else {  // html warning with a button to load the file anyway
                 $OUTPUT = new rcmail_html_page();
                 $OUTPUT->write(html::tag('html', null, html::tag('body', 'embed',
-                    html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'),
-                        $RCMAIL->gettext(array(
-                            'name' => 'attachmentvalidationerror',
-                            'vars' => array(
-                                'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''),
-                                'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''),
+                    html::div(
+                        array('class' => 'rcmail-inline-message rcmail-inline-warning'),
+                        $RCMAIL->gettext(
+                            array(
+                                'name' => 'attachmentvalidationerror',
+                                'vars' => array(
+                                    'expected' => $mimetype . (!empty($file_extension) ? rcube::Q(" (.{$file_extension})") : ''),
+                                    'detected' => $real_mimetype . (!empty($extensions[0]) ? " (.{$extensions[0]})" : ''),
+                                )
                             )
-                        ))
-                        . html::p(array('class' => 'rcmail-inline-buttons'),
-                            html::tag('button', array(
+                        )
+                    )
+                    . html::p(array('class' => 'rcmail-inline-buttons'),
+                        html::tag('button', array(
                                 'onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"
                             ),
-                            $RCMAIL->gettext('showanyway'))
+                            $RCMAIL->gettext('showanyway')
                         )
-                    ))));
+                    )
+                )));
             }
 
             exit;
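Review bot: on the 'expected' line only the file extension goes through rcube::Q(); "$mimetype" on the same line and both parts of 'detected' ("$real_mimetype" and "$extensions[0]") are still concatenated unescaped into the warning. If any of these can carry text taken from the message, escape the whole composed string once rather than a single fragment, or add a comment stating why the remaining parts are trusted. The re-indentation of the surrounding html::div() and html::p() calls also buries the one-line security change; keeping the whitespace change separate would make the fix easier to audit and to cherry-pick.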
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/mail/list_contacts.inc roundcube-1.3.17+dfsg.1/program/steps/mail/list_contacts.inc
--- roundcube-1.3.16+dfsg.1/program/steps/mail/list_contacts.inc	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/mail/list_contacts.inc	2021-11-12 22:12:27.000000000 +0100
@@ -26,9 +26,11 @@
 $jsresult      = array();
 
 // Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
-    $search  = (array)$_SESSION['search'][$_REQUEST['_search']];
-    $sparam = $_SESSION['search_params']['id'] == $_REQUEST['_search'] ? $_SESSION['search_params']['data'] : array();
+if (!empty($_REQUEST['_search']) && isset($_SESSION['contact_search'][$_REQUEST['_search']])
+    && is_array($_SESSION['contact_search'][$_REQUEST['_search']])
+) {
+    $search = $_SESSION['contact_search'][$_REQUEST['_search']];
+    $sparam = $_SESSION['contact_search_params']['id'] == $_REQUEST['_search'] ? $_SESSION['contact_search_params']['data'] : array();
 
     // get records from all sources
     foreach ($search as $s => $set) {
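Review bot: the "$sparam" line indexes "$_SESSION['contact_search_params']['id']" without first checking that 'contact_search_params' exists, and compares with a loose "==". The condition above only guarantees that 'contact_search' holds an array for this id, not that the params entry was written. Guard the access with isset() and compare with "===", matching the stricter checks added two lines earlier.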
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/mail/list.inc roundcube-1.3.17+dfsg.1/program/steps/mail/list.inc
--- roundcube-1.3.16+dfsg.1/program/steps/mail/list.inc	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/mail/list.inc	2021-11-12 22:12:27.000000000 +0100
@@ -27,7 +27,8 @@
 $dont_override = (array) $RCMAIL->config->get('dont_override');
 
 // is there a sort type for this request?
-if ($sort = rcube_utils::get_input_value('_sort', rcube_utils::INPUT_GET)) {
+$sort = rcube_utils::get_input_value('_sort', rcube_utils::INPUT_GET);
+if ($sort && preg_match('/^[a-zA-Z_-]+$/', $sort)) {
     // yes, so set the sort vars
     list($sort_col, $sort_order) = explode('_', $sort);
 
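Review bot: the new pattern '/^[a-zA-Z_-]+$/' has no D modifier, so in PCRE the "$" also matches just before a single trailing newline and a value ending in "\n" passes the check. Use "\z" instead of "$", or add the D modifier, so that only the listed characters reach the explode() below. It is also worth confirming that exactly one "_" is present before the list() assignment, since the pattern allows zero or several.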
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/mail/search_contacts.inc roundcube-1.3.17+dfsg.1/program/steps/mail/search_contacts.inc
--- roundcube-1.3.16+dfsg.1/program/steps/mail/search_contacts.inc	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/mail/search_contacts.inc	2021-11-12 22:12:27.000000000 +0100
@@ -99,8 +99,8 @@
     $search_request = md5('composeaddr' . $search);
 
     // save search settings in session
-    $_SESSION['search'][$search_request] = $search_set;
-    $_SESSION['search_params'] = array('id' => $search_request, 'data' => array($afields, $search));
+    $_SESSION['contact_search'][$search_request] = $search_set;
+    $_SESSION['contact_search_params'] = array('id' => $search_request, 'data' => array($afields, $search));
 
     $OUTPUT->show_message('contactsearchsuccessful', 'confirmation', array('nr' => $result->count));
 
diff -Nru roundcube-1.3.16+dfsg.1/public_html/index.php roundcube-1.3.17+dfsg.1/public_html/index.php
--- roundcube-1.3.16+dfsg.1/public_html/index.php	2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/public_html/index.php	2021-11-12 22:12:27.000000000 +0100
@@ -3,7 +3,7 @@
 /*
  +-----------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                         |
- | Version 1.3.16                                                        |
+ | Version 1.3.17                                                        |
  |                                                                       |
  | Copyright (C) 2005-2017, The Roundcube Dev Team                       |
  |                                                                       |
-------------- next part --------------
diffstat for roundcube-1.4.11+dfsg.1 roundcube-1.4.12+dfsg.1

 CHANGELOG                                                               |   14 ++
 config/defaults.inc.php                                                 |    2 
 debian/changelog                                                        |   12 +
 debian/gbp.conf                                                         |    2 
 debian/patches/default-charset-utf8.patch                               |    2 
 debian/patches/fix-install-path.patch                                   |    4 
 debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch |    2 
 debian/patches/update-jsdeps.patch                                      |    2 
 debian/patches/update-script.patch                                      |    2 
 debian/patches/use-pspell.patch                                         |    2 
 debian/salsa-ci.yml                                                     |    3 
 index.php                                                               |    2 
 installer/index.php                                                     |    2 
 plugins/enigma/lib/enigma_engine.php                                    |   13 +-
 plugins/password/localization/nl_NL.inc                                 |    2 
 program/include/iniset.php                                              |    2 
 program/include/rcmail_output_html.php                                  |    7 -
 program/include/rcmail_sendmail.php                                     |   19 +--
 program/js/app.js                                                       |    5 
 program/lib/Roundcube/bootstrap.php                                     |    2 
 program/lib/Roundcube/rcube_imap.php                                    |    2 
 program/lib/Roundcube/rcube_ldap.php                                    |    3 
 program/lib/Roundcube/rcube_message.php                                 |   63 +++++++++-
 program/lib/Roundcube/rcube_tnef_decoder.php                            |    4 
 program/steps/addressbook/export.inc                                    |    6 
 program/steps/addressbook/func.inc                                      |    8 -
 program/steps/addressbook/search.inc                                    |   11 -
 program/steps/mail/get.inc                                              |    4 
 program/steps/mail/list.inc                                             |    3 
 program/steps/mail/list_contacts.inc                                    |    8 -
 program/steps/mail/search_contacts.inc                                  |    4 
 public_html/index.php                                                   |    2 
 public_html/plugins/enigma/lib/enigma_engine.php                        |   13 +-
 public_html/plugins/password/localization/nl_NL.inc                     |    2 
 public_html/program/js/app.js                                           |    5 
 public_html/skins/elastic/styles/styles.less                            |    2 
 public_html/skins/elastic/styles/widgets/buttons.less                   |   21 +--
 public_html/skins/elastic/ui.js                                         |    4 
 skins/elastic/styles/styles.less                                        |    2 
 skins/elastic/styles/widgets/buttons.less                               |   21 +--
 skins/elastic/ui.js                                                     |    4 
 41 files changed, 207 insertions(+), 86 deletions(-)

diff -Nru roundcube-1.4.11+dfsg.1/CHANGELOG roundcube-1.4.12+dfsg.1/CHANGELOG
--- roundcube-1.4.11+dfsg.1/CHANGELOG	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/CHANGELOG	2021-11-12 22:35:37.000000000 +0100
@@ -1,6 +1,20 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+RELEASE 1.4.12
+--------------
+- Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
+- Fix bug where contacts search didn't work with addressbook_search_mods set to an empty array (#7974)
+- Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
+- Fix bug where consecutive LDAP searches could return wrong results (#8064)
+- Fix bug where plus characters in attachment filename could have been ignored (#8074)
+- Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
+- Fix handling of custom sender addresses with names (#8106)
+- Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
+- Fix Firefox infinate loading display on mail screen (#8128)
+- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
+- Fix SQL injection via some session variables
+
 RELEASE 1.4.11
 --------------
 - Display a nice error informing about no PHP8 support
diff -Nru roundcube-1.4.11+dfsg.1/config/defaults.inc.php roundcube-1.4.12+dfsg.1/config/defaults.inc.php
--- roundcube-1.4.11+dfsg.1/config/defaults.inc.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/config/defaults.inc.php	2021-11-12 22:35:37.000000000 +0100
@@ -784,7 +784,7 @@
 // if in your system 0 quota means no limit set this option to true 
 $config['quota_zero_as_unlimited'] = false;
 
-// Make use of the built-in spell checker. It is based on GoogieSpell.
+// Make use of the built-in spell checker.
 $config['enable_spellcheck'] = true;
 
 // Enables spellchecker exceptions dictionary.
diff -Nru roundcube-1.4.11+dfsg.1/debian/changelog roundcube-1.4.12+dfsg.1/debian/changelog
--- roundcube-1.4.11+dfsg.1/debian/changelog	2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/changelog	2021-11-18 20:07:03.000000000 +0100
@@ -1,3 +1,15 @@
+roundcube (1.4.12+dfsg.1-1~deb11u1) bullseye-security; urgency=high
+
+  * New bugfix/security upstream release (closes: #1000156):
+    + Fix XSS issue in handling attachment filename extension in mimetype
+      mismatch warning
+    + Fix possible SQL injection via some session variables
+  * d/gbp.conf: Rename upstream branch to upstream/release-1.4.
+  * d/salsa-ci.yml: Set RELEASE=bullseye.
+  * Refresh d/patches.
+
+ -- Guilhem Moulin <guilhem at debian.org>  Thu, 18 Nov 2021 20:07:03 +0100
+
 roundcube (1.4.11+dfsg.1-4) unstable; urgency=medium
 
   * d/roundcube-core.postinst: Remove the roundcube lighttpd module after it
diff -Nru roundcube-1.4.11+dfsg.1/debian/gbp.conf roundcube-1.4.12+dfsg.1/debian/gbp.conf
--- roundcube-1.4.11+dfsg.1/debian/gbp.conf	2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/gbp.conf	2021-11-18 20:07:03.000000000 +0100
@@ -1,5 +1,5 @@
 [DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
 upstream-branch = upstream/release-1.4
 pristine-tar = True
 components = ["tinymce", "tinymce-langs"]
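Review bot: the d/changelog bullet "d/gbp.conf: Rename upstream branch to upstream/release-1.4" does not match this hunk, where `upstream-branch = upstream/release-1.4` is unchanged context and the only modified line is `debian-branch` (from `debian/latest` to `debian/bullseye`). Please reword the changelog entry so it describes the debian-branch change.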
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/default-charset-utf8.patch roundcube-1.4.12+dfsg.1/debian/patches/default-charset-utf8.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/default-charset-utf8.patch	2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/default-charset-utf8.patch	2021-11-18 20:07:03.000000000 +0100
@@ -8,7 +8,7 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/config/defaults.inc.php b/config/defaults.inc.php
-index c1d9c0b..20ce139 100644
+index 9b95e2b..ef0d022 100644
 --- a/config/defaults.inc.php
 +++ b/config/defaults.inc.php
 @@ -1083,7 +1083,7 @@ $config['contact_search_name'] = '{name} <{email}>';
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/fix-install-path.patch roundcube-1.4.12+dfsg.1/debian/patches/fix-install-path.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/fix-install-path.patch	2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/fix-install-path.patch	2021-11-18 20:07:03.000000000 +0100
@@ -161,10 +161,10 @@
  require_once INSTALL_PATH . 'program/include/clisetup.php';
  
 diff --git a/program/include/iniset.php b/program/include/iniset.php
-index a81f515..1d9d057 100644
+index 5394031..2659c2d 100644
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
-@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.11');
+@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.12');
  define('RCMAIL_START', microtime(true));
  
  if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch roundcube-1.4.12+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch	2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch	2021-11-18 20:07:03.000000000 +0100
@@ -15,7 +15,7 @@
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/program/include/iniset.php b/program/include/iniset.php
-index 0e247ac..449a414 100644
+index bf4cc11..8bc6f71 100644
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
 @@ -20,7 +20,9 @@
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/update-jsdeps.patch roundcube-1.4.12+dfsg.1/debian/patches/update-jsdeps.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/update-jsdeps.patch	2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/update-jsdeps.patch	2021-11-18 20:07:03.000000000 +0100
@@ -13,7 +13,7 @@
  1 file changed, 2 insertions(+), 102 deletions(-)
 
 diff --git a/jsdeps.json b/jsdeps.json
-index cd37700..64bd5b4 100644
+index cd37700..64bd5b48 100644
 --- a/jsdeps.json
 +++ b/jsdeps.json
 @@ -1,27 +1,5 @@
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/update-script.patch roundcube-1.4.12+dfsg.1/debian/patches/update-script.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/update-script.patch	2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/update-script.patch	2021-11-18 20:07:03.000000000 +0100
@@ -88,7 +88,7 @@
  
      // update composer dependencies
 diff --git a/program/include/iniset.php b/program/include/iniset.php
-index 1d9d057..0e247ac 100644
+index 2659c2d..bf4cc11 100644
 --- a/program/include/iniset.php
 +++ b/program/include/iniset.php
 @@ -39,6 +39,10 @@ if (!defined('RCUBE_LOCALIZATION_DIR')) {
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/use-pspell.patch roundcube-1.4.12+dfsg.1/debian/patches/use-pspell.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/use-pspell.patch	2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/use-pspell.patch	2021-11-18 20:07:03.000000000 +0100
@@ -8,7 +8,7 @@
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/config/defaults.inc.php b/config/defaults.inc.php
-index 167fccd..c1d9c0b 100644
+index 20c1c6f..9b95e2b 100644
 --- a/config/defaults.inc.php
 +++ b/config/defaults.inc.php
 @@ -799,7 +799,8 @@ $config['spellcheck_dictionary'] = false;
diff -Nru roundcube-1.4.11+dfsg.1/debian/salsa-ci.yml roundcube-1.4.12+dfsg.1/debian/salsa-ci.yml
--- roundcube-1.4.11+dfsg.1/debian/salsa-ci.yml	2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/salsa-ci.yml	2021-11-18 20:07:03.000000000 +0100
@@ -2,3 +2,6 @@
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bullseye'
diff -Nru roundcube-1.4.11+dfsg.1/index.php roundcube-1.4.12+dfsg.1/index.php
--- roundcube-1.4.11+dfsg.1/index.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/index.php	2021-11-12 22:35:37.000000000 +0100
@@ -2,7 +2,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                           |
- | Version 1.4.11                                                          |
+ | Version 1.4.12                                                          |
  |                                                                         |
  | Copyright (C) The Roundcube Dev Team                                    |
  |                                                                         |
diff -Nru roundcube-1.4.11+dfsg.1/installer/index.php roundcube-1.4.12+dfsg.1/installer/index.php
--- roundcube-1.4.11+dfsg.1/installer/index.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/installer/index.php	2021-11-12 22:35:37.000000000 +0100
@@ -3,7 +3,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail setup tool                                            |
- | Version 1.4.11                                                          |
+ | Version 1.4.12                                                          |
  |                                                                         |
  | Copyright (C) The Roundcube Dev Team                                    |
  |                                                                         |
diff -Nru roundcube-1.4.11+dfsg.1/plugins/enigma/lib/enigma_engine.php roundcube-1.4.12+dfsg.1/plugins/enigma/lib/enigma_engine.php
--- roundcube-1.4.11+dfsg.1/plugins/enigma/lib/enigma_engine.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/plugins/enigma/lib/enigma_engine.php	2021-11-12 22:35:37.000000000 +0100
@@ -874,6 +874,10 @@
     private function pgp_verify(&$msg_body, $sig_body = null)
     {
         // @TODO: Handle big bodies using (temp) files
+
+        // Get rid of possible non-ascii characters (#5962)
+        $sig_body = preg_replace('/[^\x00-\x7F]/', '', $sig_body);
+
         $sig = $this->pgp_driver->verify($msg_body, $sig_body);
 
         if (($sig instanceof enigma_error) && $sig->getCode() != enigma_error::KEYNOTFOUND) {
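Review bot: in pgp_verify() the added `preg_replace()` runs unconditionally on `$sig_body`, which the signature declares with a default of `null`; preg_replace() returns an empty string for a null subject, so the driver's verify() now receives `''` instead of `null` whenever no detached signature is passed. If the driver distinguishes the two, guard the call with `if ($sig_body !== null)`. The comment also cites #5962 while the CHANGELOG lists this fix under #7919; naming both would make the history easier to follow.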
@@ -894,6 +898,10 @@
     private function pgp_decrypt(&$msg_body, &$signature = null)
     {
         // @TODO: Handle big bodies using (temp) files
+
+        // Get rid of possible non-ascii characters (#5962)
+        $msg_body = preg_replace('/[^\x00-\x7F]/', '', $msg_body);
+
         $keys   = $this->get_passwords();
         $result = $this->pgp_driver->decrypt($msg_body, $keys, $signature);
 
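Review bot: `$msg_body` is taken by reference in pgp_decrypt(), so the added `preg_replace()` rewrites the caller's buffer as a side effect, and it deletes every byte above 0x7F rather than converting it. That is harmless for ASCII-armored input but would corrupt anything else, so either work on a local copy or add a comment stating that the body is expected to be armored at this point. preg_replace() can also return null on a PCRE error, and that value is passed straight to decrypt() here.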
@@ -1227,11 +1235,6 @@
         }
         else {
             $body = $msg->get_part_body($part->mime_id, false);
-
-            // Convert charset to get rid of possible non-ascii characters (#5962)
-            if ($part->charset && stripos($part->charset, 'ASCII') === false) {
-                $body = rcube_charset::convert($body, $part->charset, 'US-ASCII');
-            }
         }
 
         return $body;
diff -Nru roundcube-1.4.11+dfsg.1/plugins/password/localization/nl_NL.inc roundcube-1.4.12+dfsg.1/plugins/password/localization/nl_NL.inc
--- roundcube-1.4.11+dfsg.1/plugins/password/localization/nl_NL.inc	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/plugins/password/localization/nl_NL.inc	2021-11-12 22:35:37.000000000 +0100
@@ -35,6 +35,6 @@
 $messages['disablednotice'] = 'Het systeem is momenteel in onderhoud en wachtwoord wijzigen is op dit moment dus niet mogelijk. Alles werkt binnenkort weer naar behoren. Onze excuses voor het ongemak.';
 $messages['passwinhistory'] = 'Dit wachtwoord is al eerder gebruikt.';
 $messages['samepasswd'] = 'Het nieuwe paswoord dient verschillend ten opzichte van de oude te zijn.';
-$messages['passwdexpirewarning'] = 'Waarschuwing! je wachtwoord verloopt binnenkort, Wijzig het voor $vervaldatum.';
+$messages['passwdexpirewarning'] = 'Waarschuwing! je wachtwoord verloopt binnenkort, Wijzig het voor $expirationdatetime.';
 $messages['passwdexpired'] = 'Je wachtwoord is verlopen, je dient het nu te wijzigen!';
 $messages['passwdconstraintviolation'] = 'Wachtwoord voldoet niet aan beleid. Waarschijnlijk te zwak.';
diff -Nru roundcube-1.4.11+dfsg.1/program/include/iniset.php roundcube-1.4.12+dfsg.1/program/include/iniset.php
--- roundcube-1.4.11+dfsg.1/program/include/iniset.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/include/iniset.php	2021-11-12 22:35:37.000000000 +0100
@@ -24,7 +24,7 @@
 }
 
 // application constants
-define('RCMAIL_VERSION', '1.4.11');
+define('RCMAIL_VERSION', '1.4.12');
 define('RCMAIL_START', microtime(true));
 
 if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.11+dfsg.1/program/include/rcmail_output_html.php roundcube-1.4.12+dfsg.1/program/include/rcmail_output_html.php
--- roundcube-1.4.11+dfsg.1/program/include/rcmail_output_html.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/include/rcmail_output_html.php	2021-11-12 22:35:37.000000000 +0100
@@ -1576,8 +1576,7 @@
      */
     public function button($attrib)
     {
-        static $s_button_count   = 100;
-        static $disabled_actions = null;
+        static $s_button_count = 100;
 
         // these commands can be called directly via url
         $a_static_commands = array('compose', 'list', 'preferences', 'folders', 'identities');
@@ -1609,9 +1608,7 @@
             $element = ($this->env['task'] ? $this->env['task'] . '.' : '') . $action;
         }
 
-        if ($disabled_actions === null) {
-            $disabled_actions = (array) $this->config->get('disabled_actions');
-        }
+        $disabled_actions = (array) $this->config->get('disabled_actions');
 
         // remove buttons for disabled actions
         if (in_array($element, $disabled_actions) || in_array($action, $disabled_actions)) {
diff -Nru roundcube-1.4.11+dfsg.1/program/include/rcmail_sendmail.php roundcube-1.4.12+dfsg.1/program/include/rcmail_sendmail.php
--- roundcube-1.4.11+dfsg.1/program/include/rcmail_sendmail.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/include/rcmail_sendmail.php	2021-11-12 22:35:37.000000000 +0100
@@ -136,15 +136,18 @@
                 $from = null;
             }
         }
-        // ... if there is no identity record, this might be a custom from
-        else if (($from_string = $this->email_input_format($from))
-            && preg_match('/(\S+@\S+)/', $from_string, $m)
-        ) {
-            $from = trim($m[1], '<>');
-        }
-        // ... otherwise it's empty or invalid
         else {
-            $from = null;
+            // ... if there is no identity record, this might be a custom from
+            $from_addresses = rcube_mime::decode_address_list($from);
+
+            if (count($from_addresses) == 1) {
+                $from        = $from_addresses[1]['mailto'];
+                $from_string = $from_addresses[1]['string'];
+            }
+            // ... otherwise it's empty or invalid
+            else {
+                $from = null;
+            }
         }
 
         // check 'From' address (identity may be incomplete)
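Review bot: `$from_addresses[1]` directly after `count($from_addresses) == 1` reads like an off-by-one; it is only correct if rcube_mime::decode_address_list() returns a list indexed from 1. Please say so in a comment, or take the element with reset($from_addresses) so the code does not depend on the index base. A custom From holding more than one address now ends in the `$from = null` branch, whereas the removed regex took the first match, and `$from_string` is no longer assigned on that path; both behaviour changes deserve a mention in the comment.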
diff -Nru roundcube-1.4.11+dfsg.1/program/js/app.js roundcube-1.4.12+dfsg.1/program/js/app.js
--- roundcube-1.4.11+dfsg.1/program/js/app.js	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/js/app.js	2021-11-12 22:35:37.000000000 +0100
@@ -9992,7 +9992,10 @@
         })
         .on('load error', function(e) {
           ref.env.browser_capabilities.pdf = e.type == 'load' ? 1 : 0;
-          $(this).remove();
+
+          // add a short delay before attempting to remove element (#8128)
+          var obj = this;
+          window.setTimeout(function() { $(obj).remove(); }, 10);
         })
         .appendTo(document.body);
       }, 10);
diff -Nru roundcube-1.4.11+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.4.12+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.4.11+dfsg.1/program/lib/Roundcube/bootstrap.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/lib/Roundcube/bootstrap.php	2021-11-12 22:35:37.000000000 +0100
@@ -58,7 +58,7 @@
 }
 
 // framework constants
-define('RCUBE_VERSION', '1.4.11');
+define('RCUBE_VERSION', '1.4.12');
 define('RCUBE_CHARSET', 'UTF-8');
 define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP');
 
diff -Nru roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_imap.php roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_imap.php
--- roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_imap.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_imap.php	2021-11-12 22:35:37.000000000 +0100
@@ -2356,7 +2356,7 @@
                 $filename_encoded = $fmatches[2];
             }
 
-            $part->filename = rcube_charset::convert(urldecode($filename_encoded), $filename_charset);
+            $part->filename = rcube_charset::convert(rawurldecode($filename_encoded), $filename_charset);
         }
     }
 
diff -Nru roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_ldap.php roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_ldap.php
--- roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_ldap.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_ldap.php	2021-11-12 22:35:37.000000000 +0100
@@ -884,6 +884,9 @@
             $filter = 'e:' . $filter;
         }
 
+        // Reset the previous search result
+        $this->reset();
+
         // set filter string and execute search
         $this->set_search_set($filter);
 
diff -Nru roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_message.php roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_message.php
--- roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_message.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_message.php	2021-11-12 22:35:37.000000000 +0100
@@ -49,6 +49,7 @@
     private $mime;
     private $opt = array();
     private $parse_alternative = false;
+    private $tnef_decode = false;
 
     public $uid;
     public $folder;
@@ -104,6 +105,8 @@
             return;
         }
 
+        $this->tnef_decode = (bool) $this->app->config->get('tnef_decode', true);
+
         $this->set_safe($is_safe || $_SESSION['safe_messages'][$this->folder.':'.$uid]);
         $this->opt = array(
             'safe'        => $this->is_safe,
@@ -378,7 +381,13 @@
                     $last      = $parent->real_mimetype ?: $parent->mimetype;
 
                     if (!preg_match('/^multipart\/(alternative|related|signed|encrypted|mixed)$/', $last)
-                        || ($last == 'multipart/mixed' && $parent_depth < $max_delta)) {
+                        || ($last == 'multipart/mixed' && $parent_depth < $max_delta)
+                    ) {
+                        // The HTML body part extracted from a winmail.dat attachment part
+                        if (strpos($part->mime_id, 'winmail.') === 0) {
+                            return true;
+                        }
+
                         continue 2;
                     }
                 }
@@ -817,11 +826,35 @@
                     continue;
                 }
                 // part is Microsoft Outlook TNEF (winmail.dat)
-                else if ($part_mimetype == 'application/ms-tnef') {
+                else if ($part_mimetype == 'application/ms-tnef' && $this->tnef_decode) {
                     $tnef_parts = (array) $this->tnef_decode($mail_part);
+                    $tnef_body  = '';
+
                     foreach ($tnef_parts as $tpart) {
                         $this->mime_parts[$tpart->mime_id] = $tpart;
-                        $this->add_part($tpart, 'attachment');
+
+                        if (strpos($tpart->mime_id, '.html')) {
+                            $tnef_body = $tpart->body;
+                            if ($this->opt['prefer_html']) {
+                                $tpart->type = 'content';
+
+                                // Reset type on the plain text part that usually is added to winmail.dat messages
+                                // (on the same level in the structure as the attachment itself)
+                                $level = count(explode('.', $mail_part->mime_id));
+                                foreach ($this->parts as $p) {
+                                    if ($p->type == 'content' && $p->mimetype == 'text/plain'
+                                        && count(explode('.', $p->mime_id)) == $level
+                                    ) {
+                                        $p->type = null;
+                                    }
+                                }
+                            }
+                            $this->add_part($tpart);
+                        }
+                        else {
+                            $inline = !empty($tpart->content_id) && strpos($tnef_body, "cid:{$tpart->content_id}") !== false;
+                            $this->add_part($tpart, $inline ? 'inline' : 'attachment');
+                        }
                     }
 
                     // add winmail.dat to the list if it's content is unknown
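Review bot: `if (strpos($tpart->mime_id, '.html'))` relies on truthiness and matches `.html` anywhere in the id rather than as a suffix; compare against the end of the string explicitly (the decoder builds the id as `'winmail.' . $part->mime_id . '.html'`). The inline test `strpos($tnef_body, "cid:{$tpart->content_id}")` also depends on the HTML part being iterated before the attachments, since `$tnef_body` is still empty otherwise; a comment stating that ordering assumption would help. Because the HTML taken from winmail.dat is now added with `add_part($tpart)` as message content instead of as an attachment, please confirm it goes through the same HTML sanitising as a regular text/html part.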
@@ -1002,6 +1035,26 @@
 
         unset($body);
 
+        // HTML body
+        if (
+            !empty($tnef_arr['message'])
+            && !empty($tnef_arr['message']['size'])
+            && $tnef_arr['message']['subtype'] == 'html'
+        ) {
+            $tpart = new rcube_message_part;
+
+            $tpart->encoding        = 'stream';
+            $tpart->ctype_primary   = 'text';
+            $tpart->ctype_secondary = 'html';
+            $tpart->mimetype        = 'text/html';
+            $tpart->mime_id         = 'winmail.' . $part->mime_id . '.html';
+            $tpart->size            = $tnef_arr['message']['size'];
+            $tpart->body            = $tnef_arr['message']['stream'];
+
+            $parts[] = $tpart;
+        }
+
+        // Attachments
         foreach ($tnef_arr['attachments'] as $pid => $winatt) {
             $tpart = new rcube_message_part;
 
@@ -1014,6 +1067,10 @@
             $tpart->size            = $winatt['size'];
             $tpart->body            = $winatt['stream'];
 
+            if (!empty($winatt['content-id'])) {
+                $tpart->content_id = $winatt['content-id'];
+            }
+
             $parts[] = $tpart;
             unset($tnef_arr[$pid]);
         }
diff -Nru roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_tnef_decoder.php roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_tnef_decoder.php
--- roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_tnef_decoder.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_tnef_decoder.php	2021-11-12 22:35:37.000000000 +0100
@@ -362,6 +362,10 @@
                 $result['subtype'] = $value[1];
                 break;
 
+            case self::MAPI_ATTACH_CONTENT_ID:
+                $result['content-id'] = $value;
+                break;
+
             case self::MAPI_ATTACH_DATA:
                 $this->_getx($value, 16);
                 $att = new rcube_tnef_decoder;
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/addressbook/export.inc roundcube-1.4.12+dfsg.1/program/steps/addressbook/export.inc
--- roundcube-1.4.11+dfsg.1/program/steps/addressbook/export.inc	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/addressbook/export.inc	2021-11-12 22:35:37.000000000 +0100
@@ -22,9 +22,11 @@
 $RCMAIL->request_security_check(rcube_utils::INPUT_GET);
 
 // Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
+if (!empty($_REQUEST['_search']) && isset($_SESSION['contact_search'][$_REQUEST['_search']])
+    && is_array($_SESSION['contact_search'][$_REQUEST['_search']])
+) {
     $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
-    $search  = (array)$_SESSION['search'][$_REQUEST['_search']];
+    $search  = $_SESSION['contact_search'][$_REQUEST['_search']];
     $records = array();
 
     // Get records from all sources
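Review bot: `$_REQUEST['_search']` is still read raw three times as the session array key in the new condition and once more in the assignment. Read it once through rcube_utils::get_input_value() into a local variable (search.inc already does this for `_search`) and use that variable throughout. The `is_array()` guard is a sound replacement for the old `(array)` cast, which turned any scalar stored under the key into a one-element search set, but the same three-line condition is repeated in addressbook/func.inc and mail/list_contacts.inc; a small shared helper would keep the three copies from drifting apart.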
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/addressbook/func.inc roundcube-1.4.12+dfsg.1/program/steps/addressbook/func.inc
--- roundcube-1.4.11+dfsg.1/program/steps/addressbook/func.inc	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/addressbook/func.inc	2021-11-12 22:35:37.000000000 +0100
@@ -985,8 +985,10 @@
 {
     global $RCMAIL;
 
-    if (($search_request = $_REQUEST['_search']) && isset($_SESSION['search'][$search_request])) {
-        $search   = (array)$_SESSION['search'][$search_request];
+    if (($search_request = $_REQUEST['_search']) && isset($_SESSION['contact_search'][$search_request])
+        && is_array($_SESSION['contact_search'][$search_request])
+    ) {
+        $search   = $_SESSION['contact_search'][$search_request];
         $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
         $afields  = $return ? $RCMAIL->config->get('contactlist_fields') : array('name', 'email');
         $records  = array();
@@ -1019,7 +1021,7 @@
             $search[$s] = $source->get_search_set();
         }
 
-        $_SESSION['search'][$search_request] = $search;
+        $_SESSION['contact_search'][$search_request] = $search;
 
         return $records;
     }
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/addressbook/search.inc roundcube-1.4.12+dfsg.1/program/steps/addressbook/search.inc
--- roundcube-1.4.11+dfsg.1/program/steps/addressbook/search.inc	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/addressbook/search.inc	2021-11-12 22:35:37.000000000 +0100
@@ -23,8 +23,7 @@
     $id   = rcube_utils::get_input_value('_search', rcube_utils::INPUT_POST);
     $name = rcube_utils::get_input_value('_name', rcube_utils::INPUT_POST, true);
 
-    if (($params = $_SESSION['search_params']) && $params['id'] == $id) {
-
+    if (($params = $_SESSION['contact_search_params']) && $params['id'] == $id) {
         $data = array(
             'type' => rcube_user::SEARCH_ADDRESSBOOK,
             'name' => $name,
@@ -114,13 +113,13 @@
     // quick-search
     else {
         $search = trim(rcube_utils::get_input_value('_q', rcube_utils::INPUT_GET, true));
-        $fields = explode(',', rcube_utils::get_input_value('_headers', rcube_utils::INPUT_GET));
+        $fields = rcube_utils::get_input_value('_headers', rcube_utils::INPUT_GET);
 
         if (empty($fields)) {
             $fields = array_keys($SEARCH_MODS_DEFAULT);
         }
         else {
-            $fields = array_filter($fields);
+            $fields = array_filter(explode(',', $fields));
         }
 
         // update search_mods setting
@@ -211,8 +210,8 @@
         .(is_array($search) ? implode(',', $search) : $search));
 
     // save search settings in session
-    $_SESSION['search'][$search_request] = $search_set;
-    $_SESSION['search_params'] = array('id' => $search_request, 'data' => array($fields, $search));
+    $_SESSION['contact_search'][$search_request] = $search_set;
+    $_SESSION['contact_search_params'] = array('id' => $search_request, 'data' => array($fields, $search));
     $_SESSION['page'] = 1;
 
     if ($adv)
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/mail/get.inc roundcube-1.4.12+dfsg.1/program/steps/mail/get.inc
--- roundcube-1.4.11+dfsg.1/program/steps/mail/get.inc	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/mail/get.inc	2021-11-12 22:35:37.000000000 +0100
@@ -187,8 +187,8 @@
                         $RCMAIL->gettext(array(
                                 'name' => 'attachmentvalidationerror',
                                 'vars' => array(
-                                    'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''),
-                                    'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''),
+                                    'expected' => $mimetype . (!empty($file_extension) ? rcube::Q(" (.{$file_extension})") : ''),
+                                    'detected' => $real_mimetype . (!empty($extensions[0]) ? " (.{$extensions[0]})" : ''),
                                 )
                             )
                         ),
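Review bot: only the `expected` value is passed through `rcube::Q()`, and only its extension suffix; `$mimetype`, `$real_mimetype` and `$extensions[0]` still reach the message unescaped in these two lines. If those three values can never carry message-controlled text, state that in a comment next to the call; otherwise escape the whole string on both lines so that `expected` and `detected` are handled the same way.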
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/mail/list_contacts.inc roundcube-1.4.12+dfsg.1/program/steps/mail/list_contacts.inc
--- roundcube-1.4.11+dfsg.1/program/steps/mail/list_contacts.inc	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/mail/list_contacts.inc	2021-11-12 22:35:37.000000000 +0100
@@ -24,9 +24,11 @@
 $jsresult      = array();
 
 // Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
-    $search  = (array)$_SESSION['search'][$_REQUEST['_search']];
-    $sparam = $_SESSION['search_params']['id'] == $_REQUEST['_search'] ? $_SESSION['search_params']['data'] : array();
+if (!empty($_REQUEST['_search']) && isset($_SESSION['contact_search'][$_REQUEST['_search']])
+    && is_array($_SESSION['contact_search'][$_REQUEST['_search']])
+) {
+    $search = $_SESSION['contact_search'][$_REQUEST['_search']];
+    $sparam = $_SESSION['contact_search_params']['id'] == $_REQUEST['_search'] ? $_SESSION['contact_search_params']['data'] : array();
 
     // get records from all sources
     foreach ($search as $s => $set) {
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/mail/list.inc roundcube-1.4.12+dfsg.1/program/steps/mail/list.inc
--- roundcube-1.4.11+dfsg.1/program/steps/mail/list.inc	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/mail/list.inc	2021-11-12 22:35:37.000000000 +0100
@@ -25,7 +25,8 @@
 $dont_override = (array) $RCMAIL->config->get('dont_override');
 
 // is there a sort type for this request?
-if ($sort = rcube_utils::get_input_value('_sort', rcube_utils::INPUT_GET)) {
+$sort = rcube_utils::get_input_value('_sort', rcube_utils::INPUT_GET);
+if ($sort && preg_match('/^[a-zA-Z_-]+$/', $sort)) {
     // yes, so set the sort vars
     list($sort_col, $sort_order) = explode('_', $sort);
 
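Review bot: the new pattern `/^[a-zA-Z_-]+$/` is anchored with `$`, which in PCRE also matches just before a trailing newline, so a `_sort` value ending in a line feed still passes; use `\z` or add the `D` modifier. The character class also accepts values with no underscore or with several, while the next line does `list($sort_col, $sort_order) = explode('_', $sort);` and expects exactly two pieces. If column names cannot contain underscores, a pattern that spells out the column, one `_`, and the order would validate the shape the code relies on.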
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/mail/search_contacts.inc roundcube-1.4.12+dfsg.1/program/steps/mail/search_contacts.inc
--- roundcube-1.4.11+dfsg.1/program/steps/mail/search_contacts.inc	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/mail/search_contacts.inc	2021-11-12 22:35:37.000000000 +0100
@@ -97,8 +97,8 @@
     $search_request = md5('composeaddr' . $search);
 
     // save search settings in session
-    $_SESSION['search'][$search_request] = $search_set;
-    $_SESSION['search_params'] = array('id' => $search_request, 'data' => array($afields, $search));
+    $_SESSION['contact_search'][$search_request] = $search_set;
+    $_SESSION['contact_search_params'] = array('id' => $search_request, 'data' => array($afields, $search));
 
     $OUTPUT->show_message('contactsearchsuccessful', 'confirmation', array('nr' => $result->count));
 
diff -Nru roundcube-1.4.11+dfsg.1/public_html/index.php roundcube-1.4.12+dfsg.1/public_html/index.php
--- roundcube-1.4.11+dfsg.1/public_html/index.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/index.php	2021-11-12 22:35:37.000000000 +0100
@@ -3,7 +3,7 @@
 /*
  +-----------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                         |
- | Version 1.4.11                                                        |
+ | Version 1.4.12                                                        |
  |                                                                       |
  | Copyright (C) The Roundcube Dev Team                                  |
  |                                                                       |
diff -Nru roundcube-1.4.11+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php roundcube-1.4.12+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php
--- roundcube-1.4.11+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php	2021-11-12 22:35:37.000000000 +0100
@@ -874,6 +874,10 @@
     private function pgp_verify(&$msg_body, $sig_body = null)
     {
         // @TODO: Handle big bodies using (temp) files
+
+        // Get rid of possible non-ascii characters (#5962)
+        $sig_body = preg_replace('/[^\x00-\x7F]/', '', $sig_body);
+
         $sig = $this->pgp_driver->verify($msg_body, $sig_body);
 
         if (($sig instanceof enigma_error) && $sig->getCode() != enigma_error::KEYNOTFOUND) {
@@ -894,6 +898,10 @@
     private function pgp_decrypt(&$msg_body, &$signature = null)
     {
         // @TODO: Handle big bodies using (temp) files
+
+        // Get rid of possible non-ascii characters (#5962)
+        $msg_body = preg_replace('/[^\x00-\x7F]/', '', $msg_body);
+
         $keys   = $this->get_passwords();
         $result = $this->pgp_driver->decrypt($msg_body, $keys, $signature);
 
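Review bot: `$msg_body` is taken by reference in pgp_decrypt(), so the added preg_replace() overwrites the caller's buffer before decryption is attempted, and would store null there if preg_replace() fails. Check the result for null before assigning it. The pattern has no /u flag, so it drops every byte above 0x7F regardless of charset; the comment should state that the input is expected to be ASCII-armored.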
@@ -1227,11 +1235,6 @@
         }
         else {
             $body = $msg->get_part_body($part->mime_id, false);
-
-            // Convert charset to get rid of possible non-ascii characters (#5962)
-            if ($part->charset && stripos($part->charset, 'ASCII') === false) {
-                $body = rcube_charset::convert($body, $part->charset, 'US-ASCII');
-            }
         }
 
         return $body;
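Review bot: callers of this function other than pgp_verify() and pgp_decrypt() are not covered by the new strip, since the `else` branch now returns the result of `get_part_body()` unconverted. The removed code honoured `$part->charset`, while the replacement discards bytes without looking at it. Please confirm every consumer of this return value passes through one of those two functions, and record in the changelog why the charset-aware path was dropped.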
diff -Nru roundcube-1.4.11+dfsg.1/public_html/plugins/password/localization/nl_NL.inc roundcube-1.4.12+dfsg.1/public_html/plugins/password/localization/nl_NL.inc
--- roundcube-1.4.11+dfsg.1/public_html/plugins/password/localization/nl_NL.inc	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/plugins/password/localization/nl_NL.inc	2021-11-12 22:35:37.000000000 +0100
@@ -35,6 +35,6 @@
 $messages['disablednotice'] = 'Het systeem is momenteel in onderhoud en wachtwoord wijzigen is op dit moment dus niet mogelijk. Alles werkt binnenkort weer naar behoren. Onze excuses voor het ongemak.';
 $messages['passwinhistory'] = 'Dit wachtwoord is al eerder gebruikt.';
 $messages['samepasswd'] = 'Het nieuwe paswoord dient verschillend ten opzichte van de oude te zijn.';
-$messages['passwdexpirewarning'] = 'Waarschuwing! je wachtwoord verloopt binnenkort, Wijzig het voor $vervaldatum.';
+$messages['passwdexpirewarning'] = 'Waarschuwing! je wachtwoord verloopt binnenkort, Wijzig het voor $expirationdatetime.';
 $messages['passwdexpired'] = 'Je wachtwoord is verlopen, je dient het nu te wijzigen!';
 $messages['passwdconstraintviolation'] = 'Wachtwoord voldoet niet aan beleid. Waarschijnlijk te zwak.';
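Review bot: the old `$vervaldatum` in `passwdexpirewarning` shows that the placeholder name itself had been translated, which is easy to miss in review. The other localization files of the password plugin deserve a grep for `passwdexpirewarning` to confirm they all use `$expirationdatetime`.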
diff -Nru roundcube-1.4.11+dfsg.1/public_html/program/js/app.js roundcube-1.4.12+dfsg.1/public_html/program/js/app.js
--- roundcube-1.4.11+dfsg.1/public_html/program/js/app.js	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/program/js/app.js	2021-11-12 22:35:37.000000000 +0100
@@ -9992,7 +9992,10 @@
         })
         .on('load error', function(e) {
           ref.env.browser_capabilities.pdf = e.type == 'load' ? 1 : 0;
-          $(this).remove();
+
+          // add a short delay before attempting to remove element (#8128)
+          var obj = this;
+          window.setTimeout(function() { $(obj).remove(); }, 10);
         })
         .appendTo(document.body);
       }, 10);
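Review bot: the 10 ms delay in the `load error` handler is a magic number, and the comment only cites #8128. State which behaviour breaks when the element is removed synchronously inside its own event handler, so the workaround can be revisited later. The handler is bound to both `load` and `error`, so it is also worth confirming that a second scheduled `$(obj).remove()` is harmless.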
diff -Nru roundcube-1.4.11+dfsg.1/public_html/skins/elastic/styles/styles.less roundcube-1.4.12+dfsg.1/public_html/skins/elastic/styles/styles.less
--- roundcube-1.4.11+dfsg.1/public_html/skins/elastic/styles/styles.less	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/skins/elastic/styles/styles.less	2021-11-12 22:35:37.000000000 +0100
@@ -272,7 +272,7 @@
 
     div.rcmBody {
         // Remove margins that can be set by the mail message styles
-        margin: 0 !important;
+        margin: 0 auto !important;
     }
 
     blockquote {
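Review bot: the comment above the rule, "Remove margins that can be set by the mail message styles", no longer matches `margin: 0 auto !important`, which sets the horizontal margins to auto instead of removing them. Update the comment to say why centring `div.rcmBody` is wanted.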
diff -Nru roundcube-1.4.11+dfsg.1/public_html/skins/elastic/styles/widgets/buttons.less roundcube-1.4.12+dfsg.1/public_html/skins/elastic/styles/widgets/buttons.less
--- roundcube-1.4.11+dfsg.1/public_html/skins/elastic/styles/widgets/buttons.less	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/skins/elastic/styles/widgets/buttons.less	2021-11-12 22:35:37.000000000 +0100
@@ -224,6 +224,8 @@
     border-color: @color-btn-secondary-background;
 
     &:focus {
+        background: darken(@color-btn-secondary-background, 5%);
+        border-color: darken(@color-btn-secondary-background, 7%);
         box-shadow: 0 0 0 .2rem fade(@color-btn-secondary-background, 50%);
     }
 
@@ -234,9 +236,8 @@
 
     &.disabled,
     &:disabled {
-        background: lighten(@color-btn-secondary-background, 20%);
-        border-color: lighten(@color-btn-secondary-background, 20%);
-        opacity: 1;
+        background: @color-btn-secondary-background;
+        border-color: @color-btn-secondary-background;
     }
 
     &:not(:disabled):not(.disabled) {
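Review bot: in the `&.disabled, &:disabled` block the background and border now equal the enabled colour and `opacity: 1` is gone, so the disabled look depends entirely on an opacity rule defined elsewhere. Confirm that disabled secondary buttons remain visually distinguishable, and add a comment naming the rule that provides the dimming. The same applies to the primary and danger variants further down in this file.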
@@ -258,6 +259,8 @@
     border-color: @color-btn-primary-background;
 
     &:focus {
+        background: darken(@color-btn-primary-background, 5%);
+        border-color: darken(@color-btn-primary-background, 7%);
         box-shadow: 0 0 0 .2rem fade(@color-btn-primary-background, 50%);
     }
 
@@ -268,9 +271,8 @@
 
     &.disabled,
     &:disabled {
-        background: lighten(@color-btn-primary-background, 20%);
-        border-color: lighten(@color-btn-primary-background, 20%);
-        opacity: 1;
+        background: @color-btn-primary-background;
+        border-color: @color-btn-primary-background;
     }
 
     &:not(:disabled):not(.disabled) {
@@ -292,6 +294,8 @@
     border-color: @color-btn-danger-background;
 
     &:focus {
+        background: darken(@color-btn-danger-background, 5%);
+        border-color: darken(@color-btn-danger-background, 7%);
         box-shadow: 0 0 0 .2rem fade(@color-btn-danger-background, 50%);
     }
 
@@ -302,9 +306,8 @@
 
     &.disabled,
     &:disabled {
-        background: lighten(@color-btn-danger-background, 20%);
-        border-color: lighten(@color-btn-danger-background, 20%);
-        opacity: 1;
+        background: @color-btn-danger-background;
+        border-color: @color-btn-danger-background;
     }
 
     &:not(:disabled):not(.disabled) {
diff -Nru roundcube-1.4.11+dfsg.1/public_html/skins/elastic/ui.js roundcube-1.4.12+dfsg.1/public_html/skins/elastic/ui.js
--- roundcube-1.4.11+dfsg.1/public_html/skins/elastic/ui.js	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/skins/elastic/ui.js	2021-11-12 22:35:37.000000000 +0100
@@ -2533,7 +2533,9 @@
                 }
 
                 menus[p.name] = {target: target};
-                $(target).popover('show');
+
+                // setTimeout fixes Shift + drag'n'drop menu in Chrome (#8107)
+                setTimeout(function() { $(target).popover('show'); }, 1);
             }
 
             fn();
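Review bot: `fn()` on the line after the block now runs before `$(target).popover('show')`, because the popover call is deferred by 1 ms while `fn()` stays synchronous. If `fn` relies on the popover already being shown, it has to move into the timeout callback; otherwise extend the comment to say the reordering is intended.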
diff -Nru roundcube-1.4.11+dfsg.1/skins/elastic/styles/styles.less roundcube-1.4.12+dfsg.1/skins/elastic/styles/styles.less
--- roundcube-1.4.11+dfsg.1/skins/elastic/styles/styles.less	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/skins/elastic/styles/styles.less	2021-11-12 22:35:37.000000000 +0100
@@ -272,7 +272,7 @@
 
     div.rcmBody {
         // Remove margins that can be set by the mail message styles
-        margin: 0 !important;
+        margin: 0 auto !important;
     }
 
     blockquote {
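Review bot: this hunk and the remaining ones under `skins/elastic/` are line-for-line identical to those already shown for `public_html/skins/elastic/`. If one path is a symlink to the other, the debdiff is only reporting the change twice; if they are real copies, say so in the packaging notes so that future patches are applied to both trees.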
diff -Nru roundcube-1.4.11+dfsg.1/skins/elastic/styles/widgets/buttons.less roundcube-1.4.12+dfsg.1/skins/elastic/styles/widgets/buttons.less
--- roundcube-1.4.11+dfsg.1/skins/elastic/styles/widgets/buttons.less	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/skins/elastic/styles/widgets/buttons.less	2021-11-12 22:35:37.000000000 +0100
@@ -224,6 +224,8 @@
     border-color: @color-btn-secondary-background;
 
     &:focus {
+        background: darken(@color-btn-secondary-background, 5%);
+        border-color: darken(@color-btn-secondary-background, 7%);
         box-shadow: 0 0 0 .2rem fade(@color-btn-secondary-background, 50%);
     }
 
@@ -234,9 +236,8 @@
 
     &.disabled,
     &:disabled {
-        background: lighten(@color-btn-secondary-background, 20%);
-        border-color: lighten(@color-btn-secondary-background, 20%);
-        opacity: 1;
+        background: @color-btn-secondary-background;
+        border-color: @color-btn-secondary-background;
     }
 
     &:not(:disabled):not(.disabled) {
@@ -258,6 +259,8 @@
     border-color: @color-btn-primary-background;
 
     &:focus {
+        background: darken(@color-btn-primary-background, 5%);
+        border-color: darken(@color-btn-primary-background, 7%);
         box-shadow: 0 0 0 .2rem fade(@color-btn-primary-background, 50%);
     }
 
@@ -268,9 +271,8 @@
 
     &.disabled,
     &:disabled {
-        background: lighten(@color-btn-primary-background, 20%);
-        border-color: lighten(@color-btn-primary-background, 20%);
-        opacity: 1;
+        background: @color-btn-primary-background;
+        border-color: @color-btn-primary-background;
     }
 
     &:not(:disabled):not(.disabled) {
@@ -292,6 +294,8 @@
     border-color: @color-btn-danger-background;
 
     &:focus {
+        background: darken(@color-btn-danger-background, 5%);
+        border-color: darken(@color-btn-danger-background, 7%);
         box-shadow: 0 0 0 .2rem fade(@color-btn-danger-background, 50%);
     }
 
@@ -302,9 +306,8 @@
 
     &.disabled,
     &:disabled {
-        background: lighten(@color-btn-danger-background, 20%);
-        border-color: lighten(@color-btn-danger-background, 20%);
-        opacity: 1;
+        background: @color-btn-danger-background;
+        border-color: @color-btn-danger-background;
     }
 
     &:not(:disabled):not(.disabled) {
diff -Nru roundcube-1.4.11+dfsg.1/skins/elastic/ui.js roundcube-1.4.12+dfsg.1/skins/elastic/ui.js
--- roundcube-1.4.11+dfsg.1/skins/elastic/ui.js	2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/skins/elastic/ui.js	2021-11-12 22:35:37.000000000 +0100
@@ -2533,7 +2533,9 @@
                 }
 
                 menus[p.name] = {target: target};
-                $(target).popover('show');
+
+                // setTimeout fixes Shift + drag'n'drop menu in Chrome (#8107)
+                setTimeout(function() { $(target).popover('show'); }, 1);
             }
 
             fn();
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20211118/0bd7b14b/attachment-0001.sig>

