[Pkg-roundcube-maintainers] Security issues in roundcube 1.3.16+dfsg.1-1~deb10u1 and 1.4.11+dfsg.1-4
Guilhem Moulin
guilhem at debian.org
Tue Nov 23 15:46:19 GMT 2021
Hi Seb,
On Tue, 23 Nov 2021 at 08:48:27 +0100, Sébastien Delafond wrote:
> sorry for the delay in getting back to you.
No worries, thanks to you and the rest of the Security Team for your
awesome work!
>> But haven't submitted new debdiffs to avoid the noise at
>> security at debian.org :-)
>
> Thanks a lot for preparing roundcube updates. You can go ahead and
> submit those two new debdiffs to us by email, I'll be able to review
> them this week.
Attached roundcube-1.3.debdiff (against 1.3.16+dfsg.1-1~deb10u1), and
roundcube-1.4.debdiff (against 1.4.11+dfsg.1-4). They're identical to
the previous ones (Message-ID: <YZaqFoYeHo493O2G at debian.org>) except for
d/changelog.
Cheers
--
Guilhem.
-------------- next part --------------
diffstat for roundcube-1.3.16+dfsg.1 roundcube-1.3.17+dfsg.1
CHANGELOG | 5
debian/changelog | 12 +
debian/gbp.conf | 2
debian/patches/CVE-2018-1000071.patch | 4
debian/patches/Revert-Fix-jstz.min.js-dependency.patch | 4
debian/patches/correct_install_path.patch | 2
debian/patches/default-charset-utf8.patch | 2
debian/patches/retry_to_reach_imap_server.patch | 4
debian/patches/use_pspell.patch | 2
debian/upstream/signing-key.asc | 134 +++++++----------
index.php | 2
installer/index.php | 2
program/include/iniset.php | 2
program/lib/Roundcube/bootstrap.php | 2
program/steps/addressbook/export.inc | 6
program/steps/addressbook/func.inc | 8 -
program/steps/addressbook/search.inc | 7
program/steps/mail/get.inc | 27 ++-
program/steps/mail/list.inc | 3
program/steps/mail/list_contacts.inc | 8 -
program/steps/mail/search_contacts.inc | 4
public_html/index.php | 2
22 files changed, 128 insertions(+), 116 deletions(-)
diff -Nru roundcube-1.3.16+dfsg.1/CHANGELOG roundcube-1.3.17+dfsg.1/CHANGELOG
--- roundcube-1.3.16+dfsg.1/CHANGELOG 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/CHANGELOG 2021-11-12 22:12:27.000000000 +0100
@@ -1,6 +1,11 @@
CHANGELOG Roundcube Webmail
===========================
+RELEASE 1.3.17
+--------------
+- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
+- Fix SQL injection via some session variables
+
RELEASE 1.3.16
--------------
- Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730]
diff -Nru roundcube-1.3.16+dfsg.1/debian/changelog roundcube-1.3.17+dfsg.1/debian/changelog
--- roundcube-1.3.16+dfsg.1/debian/changelog 2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/changelog 2021-11-18 19:52:34.000000000 +0100
@@ -1,3 +1,15 @@
+roundcube (1.3.17+dfsg.1-1~deb10u1) buster-security; urgency=high
+
+ * New bugfix/security upstream release (closes: #1000156), with fixes for:
+ + CVE-2021-44025: XSS issue in handling attachment filename extension in
+ mimetype mismatch warning; and
+ + CVE-2021-44026: possible SQL injection via some session variables.
+ * Refresh d/patches.
+ * Refresh d/upstream/signing-key.asc.
+ * d/gbp.conf: Rename upstream branch to upstream/release-1.3.
+
+ -- Guilhem Moulin <guilhem at debian.org> Thu, 18 Nov 2021 19:52:34 +0100
+
roundcube (1.3.16+dfsg.1-1~deb10u1) buster-security; urgency=high
* New upstream bugfix release, with security fix for CVE-2020-35730:
diff -Nru roundcube-1.3.16+dfsg.1/debian/gbp.conf roundcube-1.3.17+dfsg.1/debian/gbp.conf
--- roundcube-1.3.16+dfsg.1/debian/gbp.conf 2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/gbp.conf 2021-11-18 19:52:34.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
debian-branch=debian/buster
-upstream-branch=upstream-1.3.x
+upstream-branch=upstream/release-1.3
pristine-tar=True
compression=xz
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/correct_install_path.patch roundcube-1.3.17+dfsg.1/debian/patches/correct_install_path.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/correct_install_path.patch 2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/correct_install_path.patch 2021-11-18 19:52:34.000000000 +0100
@@ -6,7 +6,7 @@
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
-@@ -25,7 +25,7 @@ define('RCMAIL_VERSION', '1.3.11');
+@@ -25,7 +25,7 @@ define('RCMAIL_VERSION', '1.3.17');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/CVE-2018-1000071.patch roundcube-1.3.17+dfsg.1/debian/patches/CVE-2018-1000071.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/CVE-2018-1000071.patch 2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/CVE-2018-1000071.patch 2021-11-18 19:52:34.000000000 +0100
@@ -8,11 +8,11 @@
Added notes that it should be secured or not accessible from the web browser.
---
- plugins/enigma/README | 15 +++++++++++++--
+ plugins/enigma/README | 10 ++++++++++
plugins/enigma/config.inc.php.dist | 4 ++--
plugins/enigma/home/.htaccess | 7 -------
plugins/enigma/lib/enigma_driver_gnupg.php | 2 +-
- 4 files changed, 16 insertions(+), 12 deletions(-)
+ 4 files changed, 13 insertions(+), 10 deletions(-)
--- a/plugins/enigma/config.inc.php.dist
+++ b/plugins/enigma/config.inc.php.dist
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/default-charset-utf8.patch roundcube-1.3.17+dfsg.1/debian/patches/default-charset-utf8.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/default-charset-utf8.patch 2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/default-charset-utf8.patch 2021-11-18 19:52:34.000000000 +0100
@@ -6,7 +6,7 @@
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
-@@ -1027,7 +1027,7 @@ $config['contact_search_name'] = '{name}
+@@ -1030,7 +1030,7 @@ $config['contact_search_name'] = '{name}
// ----------------------------------
// Use this charset as fallback for message decoding
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/retry_to_reach_imap_server.patch roundcube-1.3.17+dfsg.1/debian/patches/retry_to_reach_imap_server.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/retry_to_reach_imap_server.patch 2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/retry_to_reach_imap_server.patch 2021-11-18 19:52:34.000000000 +0100
@@ -5,6 +5,10 @@
Last-Update: 2019-12-24
---
+---
+ program/lib/Roundcube/rcube_imap.php | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
--- a/program/lib/Roundcube/rcube_imap.php
+++ b/program/lib/Roundcube/rcube_imap.php
@@ -144,7 +144,11 @@ class rcube_imap extends rcube_storage
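Review bot: the refreshed header of retry_to_reach_imap_server.patch now carries two `---` separator lines in a row, the existing one followed by the added `---` in front of the new diffstat. Drop one of them so the header has the same shape as the other refreshed patches in this upload, which have a single separator.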
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch roundcube-1.3.17+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch 2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/Revert-Fix-jstz.min.js-dependency.patch 2021-11-18 19:52:34.000000000 +0100
@@ -4,11 +4,9 @@
This reverts upstream commit 435cfa116964e03a28499d5a4331dd76a7c07451.
---
- jsdeps.json | 9 +++++----
+ jsdeps.json | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
-diff --git a/jsdeps.json b/jsdeps.json
-index 16192e20d..8276d9e4e 100644
--- a/jsdeps.json
+++ b/jsdeps.json
@@ -14,13 +14,14 @@
diff -Nru roundcube-1.3.16+dfsg.1/debian/patches/use_pspell.patch roundcube-1.3.17+dfsg.1/debian/patches/use_pspell.patch
--- roundcube-1.3.16+dfsg.1/debian/patches/use_pspell.patch 2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/patches/use_pspell.patch 2021-11-18 19:52:34.000000000 +0100
@@ -6,7 +6,7 @@
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
-@@ -737,7 +737,8 @@ $config['spellcheck_dictionary'] = false
+@@ -740,7 +740,8 @@ $config['spellcheck_dictionary'] = false
// Since Google shut down their public spell checking service, the default settings
// connect to http://spell.roundcube.net which is a hosted service provided by Roundcube.
// You can connect to any other googie-compliant service by setting 'spellcheck_uri' accordingly.
diff -Nru roundcube-1.3.16+dfsg.1/debian/upstream/signing-key.asc roundcube-1.3.17+dfsg.1/debian/upstream/signing-key.asc
--- roundcube-1.3.16+dfsg.1/debian/upstream/signing-key.asc 2020-12-28 02:49:49.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/debian/upstream/signing-key.asc 2021-11-18 19:52:34.000000000 +0100
@@ -23,80 +23,62 @@
diff -Nru roundcube-1.3.16+dfsg.1/index.php roundcube-1.3.17+dfsg.1/index.php
--- roundcube-1.3.16+dfsg.1/index.php 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/index.php 2021-11-12 22:12:27.000000000 +0100
@@ -2,7 +2,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.16 |
+ | Version 1.3.17 |
| |
| Copyright (C) 2005-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.16+dfsg.1/installer/index.php roundcube-1.3.17+dfsg.1/installer/index.php
--- roundcube-1.3.16+dfsg.1/installer/index.php 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/installer/index.php 2021-11-12 22:12:28.000000000 +0100
@@ -3,7 +3,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail setup tool |
- | Version 1.3.16 |
+ | Version 1.3.17 |
| |
| Copyright (C) 2009-2019, The Roundcube Dev Team |
| |
diff -Nru roundcube-1.3.16+dfsg.1/program/include/iniset.php roundcube-1.3.17+dfsg.1/program/include/iniset.php
--- roundcube-1.3.16+dfsg.1/program/include/iniset.php 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/include/iniset.php 2021-11-12 22:12:27.000000000 +0100
@@ -21,7 +21,7 @@
*/
// application constants
-define('RCMAIL_VERSION', '1.3.16');
+define('RCMAIL_VERSION', '1.3.17');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.16+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.3.17+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.16+dfsg.1/program/lib/Roundcube/bootstrap.php 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/lib/Roundcube/bootstrap.php 2021-11-12 22:12:27.000000000 +0100
@@ -53,7 +53,7 @@
}
// framework constants
-define('RCUBE_VERSION', '1.3.16');
+define('RCUBE_VERSION', '1.3.17');
define('RCUBE_CHARSET', 'UTF-8');
if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/addressbook/export.inc roundcube-1.3.17+dfsg.1/program/steps/addressbook/export.inc
--- roundcube-1.3.16+dfsg.1/program/steps/addressbook/export.inc 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/addressbook/export.inc 2021-11-12 22:12:27.000000000 +0100
@@ -24,9 +24,11 @@
$RCMAIL->request_security_check(rcube_utils::INPUT_GET);
// Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
+if (!empty($_REQUEST['_search']) && isset($_SESSION['contact_search'][$_REQUEST['_search']])
+ && is_array($_SESSION['contact_search'][$_REQUEST['_search']])
+) {
$sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
- $search = (array)$_SESSION['search'][$_REQUEST['_search']];
+ $search = $_SESSION['contact_search'][$_REQUEST['_search']];
$records = array();
// Get records from all sources
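Review bot: the new condition reads `$_REQUEST['_search']` raw three times, and a fourth time in the assignment, as a key into the session array. Read it once into a local variable, as addressbook/search.inc does with `rcube_utils::get_input_value('_search', ...)`, and use that local in the `isset()` and `is_array()` checks. A one-line comment on why the `(array)` cast became an `is_array()` guard would also help, since the link to the "SQL injection via some session variables" changelog entry is not visible from the code.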
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/addressbook/func.inc roundcube-1.3.17+dfsg.1/program/steps/addressbook/func.inc
--- roundcube-1.3.16+dfsg.1/program/steps/addressbook/func.inc 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/addressbook/func.inc 2021-11-12 22:12:27.000000000 +0100
@@ -885,8 +885,10 @@
{
global $RCMAIL;
- if (($search_request = $_REQUEST['_search']) && isset($_SESSION['search'][$search_request])) {
- $search = (array)$_SESSION['search'][$search_request];
+ if (($search_request = $_REQUEST['_search']) && isset($_SESSION['contact_search'][$search_request])
+ && is_array($_SESSION['contact_search'][$search_request])
+ ) {
+ $search = $_SESSION['contact_search'][$search_request];
$sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
$afields = $return ? $RCMAIL->config->get('contactlist_fields') : array('name', 'email');
$records = array();
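Review bot: the three-part guard in this condition (`isset()` plus `is_array()` on `$_SESSION['contact_search'][...]`) is repeated in addressbook/export.inc and mail/list_contacts.inc. A small shared helper that returns the validated search set or null would keep the three call sites from drifting apart on a later change. Note also that `$search_request = $_REQUEST['_search']` is evaluated here without the `!empty()` test that export.inc puts in front of it.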
@@ -919,7 +921,7 @@
$search[$s] = $source->get_search_set();
}
- $_SESSION['search'][$search_request] = $search;
+ $_SESSION['contact_search'][$search_request] = $search;
return $records;
}
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/addressbook/search.inc roundcube-1.3.17+dfsg.1/program/steps/addressbook/search.inc
--- roundcube-1.3.16+dfsg.1/program/steps/addressbook/search.inc 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/addressbook/search.inc 2021-11-12 22:12:27.000000000 +0100
@@ -25,8 +25,7 @@
$id = rcube_utils::get_input_value('_search', rcube_utils::INPUT_POST);
$name = rcube_utils::get_input_value('_name', rcube_utils::INPUT_POST, true);
- if (($params = $_SESSION['search_params']) && $params['id'] == $id) {
-
+ if (($params = $_SESSION['contact_search_params']) && $params['id'] == $id) {
$data = array(
'type' => rcube_user::SEARCH_ADDRESSBOOK,
'name' => $name,
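Review bot: on the changed line, `$params['id'] == $id` is a loose comparison between a session value and POST input; cast both to string and use `===`. `$_SESSION['contact_search_params']` is also read without an `isset()` or `is_array()` check, unlike the `contact_search` entries guarded elsewhere in this upload.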
@@ -213,8 +212,8 @@
.(is_array($search) ? implode(',', $search) : $search));
// save search settings in session
- $_SESSION['search'][$search_request] = $search_set;
- $_SESSION['search_params'] = array('id' => $search_request, 'data' => array($fields, $search));
+ $_SESSION['contact_search'][$search_request] = $search_set;
+ $_SESSION['contact_search_params'] = array('id' => $search_request, 'data' => array($fields, $search));
$_SESSION['page'] = 1;
if ($adv)
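Review bot: nothing in this hunk or the others confirms that every user of the old `search` and `search_params` session keys was converted. Within this debdiff the writers are here, in addressbook/func.inc and in mail/search_contacts.inc, and the readers are in export.inc, func.inc, mail/list_contacts.inc and the first hunk of this file. A grep for `$_SESSION['search']` and `$_SESSION['search_params']` over the shipped plugins before upload would show whether any contact-search code path still uses the old names.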
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/mail/get.inc roundcube-1.3.17+dfsg.1/program/steps/mail/get.inc
--- roundcube-1.3.16+dfsg.1/program/steps/mail/get.inc 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/mail/get.inc 2021-11-12 22:12:27.000000000 +0100
@@ -184,21 +184,26 @@
else { // html warning with a button to load the file anyway
$OUTPUT = new rcmail_html_page();
$OUTPUT->write(html::tag('html', null, html::tag('body', 'embed',
- html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'),
- $RCMAIL->gettext(array(
- 'name' => 'attachmentvalidationerror',
- 'vars' => array(
- 'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''),
- 'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''),
+ html::div(
+ array('class' => 'rcmail-inline-message rcmail-inline-warning'),
+ $RCMAIL->gettext(
+ array(
+ 'name' => 'attachmentvalidationerror',
+ 'vars' => array(
+ 'expected' => $mimetype . (!empty($file_extension) ? rcube::Q(" (.{$file_extension})") : ''),
+ 'detected' => $real_mimetype . (!empty($extensions[0]) ? " (.{$extensions[0]})" : ''),
+ )
)
- ))
- . html::p(array('class' => 'rcmail-inline-buttons'),
- html::tag('button', array(
+ )
+ )
+ . html::p(array('class' => 'rcmail-inline-buttons'),
+ html::tag('button', array(
'onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"
),
- $RCMAIL->gettext('showanyway'))
+ $RCMAIL->gettext('showanyway')
)
- ))));
+ )
+ )));
}
exit;
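Review bot: in the `vars` array only the `expected` line passes the extension through `rcube::Q()`; the `detected` line still concatenates `$extensions[0]` unescaped, and `$mimetype` and `$real_mimetype` sit outside the escaping on both lines. If those three values are always derived server-side, say so in a comment; otherwise escape the whole concatenated string on both lines. The one-line fix is also mixed into a re-indentation of the surrounding call, which makes it hard to audit in a security upload; keeping the whitespace change out would leave a two-line diff.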
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/mail/list_contacts.inc roundcube-1.3.17+dfsg.1/program/steps/mail/list_contacts.inc
--- roundcube-1.3.16+dfsg.1/program/steps/mail/list_contacts.inc 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/mail/list_contacts.inc 2021-11-12 22:12:27.000000000 +0100
@@ -26,9 +26,11 @@
$jsresult = array();
// Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
- $search = (array)$_SESSION['search'][$_REQUEST['_search']];
- $sparam = $_SESSION['search_params']['id'] == $_REQUEST['_search'] ? $_SESSION['search_params']['data'] : array();
+if (!empty($_REQUEST['_search']) && isset($_SESSION['contact_search'][$_REQUEST['_search']])
+ && is_array($_SESSION['contact_search'][$_REQUEST['_search']])
+) {
+ $search = $_SESSION['contact_search'][$_REQUEST['_search']];
+ $sparam = $_SESSION['contact_search_params']['id'] == $_REQUEST['_search'] ? $_SESSION['contact_search_params']['data'] : array();
// get records from all sources
foreach ($search as $s => $set) {
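Review bot: the `$sparam` line dereferences `$_SESSION['contact_search_params']['id']` and `['data']` with no `isset()` or `is_array()` guard, while `contact_search` two lines above now gets both. Apply the same validation to `contact_search_params` before using it, and compare the id with `===` rather than `==`.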
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/mail/list.inc roundcube-1.3.17+dfsg.1/program/steps/mail/list.inc
--- roundcube-1.3.16+dfsg.1/program/steps/mail/list.inc 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/mail/list.inc 2021-11-12 22:12:27.000000000 +0100
@@ -27,7 +27,8 @@
$dont_override = (array) $RCMAIL->config->get('dont_override');
// is there a sort type for this request?
-if ($sort = rcube_utils::get_input_value('_sort', rcube_utils::INPUT_GET)) {
+$sort = rcube_utils::get_input_value('_sort', rcube_utils::INPUT_GET);
+if ($sort && preg_match('/^[a-zA-Z_-]+$/', $sort)) {
// yes, so set the sort vars
list($sort_col, $sort_order) = explode('_', $sort);
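Review bot: the new `preg_match('/^[a-zA-Z_-]+$/', $sort)` uses `$` without the `D` modifier, so a value ending in a newline still matches; anchor with `\z` or add `/D`. The pattern also accepts values with no underscore or with several, while the next line does `list($sort_col, $sort_order) = explode('_', $sort);`, so `$sort_order` can be left unset. A pattern that requires a single underscore-separated pair would cover both cases.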
diff -Nru roundcube-1.3.16+dfsg.1/program/steps/mail/search_contacts.inc roundcube-1.3.17+dfsg.1/program/steps/mail/search_contacts.inc
--- roundcube-1.3.16+dfsg.1/program/steps/mail/search_contacts.inc 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/program/steps/mail/search_contacts.inc 2021-11-12 22:12:27.000000000 +0100
@@ -99,8 +99,8 @@
$search_request = md5('composeaddr' . $search);
// save search settings in session
- $_SESSION['search'][$search_request] = $search_set;
- $_SESSION['search_params'] = array('id' => $search_request, 'data' => array($afields, $search));
+ $_SESSION['contact_search'][$search_request] = $search_set;
+ $_SESSION['contact_search_params'] = array('id' => $search_request, 'data' => array($afields, $search));
$OUTPUT->show_message('contactsearchsuccessful', 'confirmation', array('nr' => $result->count));
diff -Nru roundcube-1.3.16+dfsg.1/public_html/index.php roundcube-1.3.17+dfsg.1/public_html/index.php
--- roundcube-1.3.16+dfsg.1/public_html/index.php 2020-12-28 02:13:08.000000000 +0100
+++ roundcube-1.3.17+dfsg.1/public_html/index.php 2021-11-12 22:12:27.000000000 +0100
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.16 |
+ | Version 1.3.17 |
| |
| Copyright (C) 2005-2017, The Roundcube Dev Team |
| |
-------------- next part --------------
diffstat for roundcube-1.4.11+dfsg.1 roundcube-1.4.12+dfsg.1
CHANGELOG | 14 ++
config/defaults.inc.php | 2
debian/changelog | 12 +
debian/gbp.conf | 2
debian/patches/default-charset-utf8.patch | 2
debian/patches/fix-install-path.patch | 4
debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch | 2
debian/patches/update-jsdeps.patch | 2
debian/patches/update-script.patch | 2
debian/patches/use-pspell.patch | 2
debian/salsa-ci.yml | 3
index.php | 2
installer/index.php | 2
plugins/enigma/lib/enigma_engine.php | 13 +-
plugins/password/localization/nl_NL.inc | 2
program/include/iniset.php | 2
program/include/rcmail_output_html.php | 7 -
program/include/rcmail_sendmail.php | 19 +--
program/js/app.js | 5
program/lib/Roundcube/bootstrap.php | 2
program/lib/Roundcube/rcube_imap.php | 2
program/lib/Roundcube/rcube_ldap.php | 3
program/lib/Roundcube/rcube_message.php | 63 +++++++++-
program/lib/Roundcube/rcube_tnef_decoder.php | 4
program/steps/addressbook/export.inc | 6
program/steps/addressbook/func.inc | 8 -
program/steps/addressbook/search.inc | 11 -
program/steps/mail/get.inc | 4
program/steps/mail/list.inc | 3
program/steps/mail/list_contacts.inc | 8 -
program/steps/mail/search_contacts.inc | 4
public_html/index.php | 2
public_html/plugins/enigma/lib/enigma_engine.php | 13 +-
public_html/plugins/password/localization/nl_NL.inc | 2
public_html/program/js/app.js | 5
public_html/skins/elastic/styles/styles.less | 2
public_html/skins/elastic/styles/widgets/buttons.less | 21 +--
public_html/skins/elastic/ui.js | 4
skins/elastic/styles/styles.less | 2
skins/elastic/styles/widgets/buttons.less | 21 +--
skins/elastic/ui.js | 4
41 files changed, 207 insertions(+), 86 deletions(-)
diff -Nru roundcube-1.4.11+dfsg.1/CHANGELOG roundcube-1.4.12+dfsg.1/CHANGELOG
--- roundcube-1.4.11+dfsg.1/CHANGELOG 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/CHANGELOG 2021-11-12 22:35:37.000000000 +0100
@@ -1,6 +1,20 @@
CHANGELOG Roundcube Webmail
===========================
+RELEASE 1.4.12
+--------------
+- Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
+- Fix bug where contacts search didn't work with addressbook_search_mods set to an empty array (#7974)
+- Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
+- Fix bug where consecutive LDAP searches could return wrong results (#8064)
+- Fix bug where plus characters in attachment filename could have been ignored (#8074)
+- Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
+- Fix handling of custom sender addresses with names (#8106)
+- Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
+- Fix Firefox infinate loading display on mail screen (#8128)
+- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
+- Fix SQL injection via some session variables
+
RELEASE 1.4.11
--------------
- Display a nice error informing about no PHP8 support
diff -Nru roundcube-1.4.11+dfsg.1/config/defaults.inc.php roundcube-1.4.12+dfsg.1/config/defaults.inc.php
--- roundcube-1.4.11+dfsg.1/config/defaults.inc.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/config/defaults.inc.php 2021-11-12 22:35:37.000000000 +0100
@@ -784,7 +784,7 @@
// if in your system 0 quota means no limit set this option to true
$config['quota_zero_as_unlimited'] = false;
-// Make use of the built-in spell checker. It is based on GoogieSpell.
+// Make use of the built-in spell checker.
$config['enable_spellcheck'] = true;
// Enables spellchecker exceptions dictionary.
diff -Nru roundcube-1.4.11+dfsg.1/debian/changelog roundcube-1.4.12+dfsg.1/debian/changelog
--- roundcube-1.4.11+dfsg.1/debian/changelog 2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/changelog 2021-11-18 20:07:03.000000000 +0100
@@ -1,3 +1,15 @@
+roundcube (1.4.12+dfsg.1-1~deb11u1) bullseye-security; urgency=high
+
+ * New bugfix/security upstream release (closes: #1000156), with fixes for:
+ + CVE-2021-44025: XSS issue in handling attachment filename extension in
+ mimetype mismatch warning; and
+ + CVE-2021-44026: possible SQL injection via some session variables.
+ * d/gbp.conf: Rename upstream branch to upstream/release-1.4.
+ * d/salsa-ci.yml: Set RELEASE=bullseye.
+ * Refresh d/patches.
+
+ -- Guilhem Moulin <guilhem at debian.org> Thu, 18 Nov 2021 20:07:03 +0100
+
roundcube (1.4.11+dfsg.1-4) unstable; urgency=medium
* d/roundcube-core.postinst: Remove the roundcube lighttpd module after it
diff -Nru roundcube-1.4.11+dfsg.1/debian/gbp.conf roundcube-1.4.12+dfsg.1/debian/gbp.conf
--- roundcube-1.4.11+dfsg.1/debian/gbp.conf 2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/gbp.conf 2021-11-18 20:07:03.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = debian/latest
+debian-branch = debian/bullseye
upstream-branch = upstream/release-1.4
pristine-tar = True
components = ["tinymce", "tinymce-langs"]
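Review bot: the debian/changelog entry for this file does not match the diff. It says "d/gbp.conf: Rename upstream branch to upstream/release-1.4", whereas the only changed line here is `debian-branch`, going from `debian/latest` to `debian/bullseye`, and `upstream-branch = upstream/release-1.4` is unchanged context. Reword the changelog line to describe the `debian-branch` change.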
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/default-charset-utf8.patch roundcube-1.4.12+dfsg.1/debian/patches/default-charset-utf8.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/default-charset-utf8.patch 2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/default-charset-utf8.patch 2021-11-18 20:07:03.000000000 +0100
@@ -8,7 +8,7 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
-index c1d9c0b..20ce139 100644
+index 9b95e2b..ef0d022 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -1083,7 +1083,7 @@ $config['contact_search_name'] = '{name} <{email}>';
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/fix-install-path.patch roundcube-1.4.12+dfsg.1/debian/patches/fix-install-path.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/fix-install-path.patch 2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/fix-install-path.patch 2021-11-18 20:07:03.000000000 +0100
@@ -161,10 +161,10 @@
require_once INSTALL_PATH . 'program/include/clisetup.php';
diff --git a/program/include/iniset.php b/program/include/iniset.php
-index a81f515..1d9d057 100644
+index 5394031..2659c2d 100644
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
-@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.11');
+@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.12');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch roundcube-1.4.12+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch 2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch 2021-11-18 20:07:03.000000000 +0100
@@ -15,7 +15,7 @@
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/program/include/iniset.php b/program/include/iniset.php
-index 0e247ac..449a414 100644
+index bf4cc11..8bc6f71 100644
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
@@ -20,7 +20,9 @@
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/update-jsdeps.patch roundcube-1.4.12+dfsg.1/debian/patches/update-jsdeps.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/update-jsdeps.patch 2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/update-jsdeps.patch 2021-11-18 20:07:03.000000000 +0100
@@ -13,7 +13,7 @@
1 file changed, 2 insertions(+), 102 deletions(-)
diff --git a/jsdeps.json b/jsdeps.json
-index cd37700..64bd5b4 100644
+index cd37700..64bd5b48 100644
--- a/jsdeps.json
+++ b/jsdeps.json
@@ -1,27 +1,5 @@
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/update-script.patch roundcube-1.4.12+dfsg.1/debian/patches/update-script.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/update-script.patch 2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/update-script.patch 2021-11-18 20:07:03.000000000 +0100
@@ -88,7 +88,7 @@
// update composer dependencies
diff --git a/program/include/iniset.php b/program/include/iniset.php
-index 1d9d057..0e247ac 100644
+index 2659c2d..bf4cc11 100644
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
@@ -39,6 +39,10 @@ if (!defined('RCUBE_LOCALIZATION_DIR')) {
diff -Nru roundcube-1.4.11+dfsg.1/debian/patches/use-pspell.patch roundcube-1.4.12+dfsg.1/debian/patches/use-pspell.patch
--- roundcube-1.4.11+dfsg.1/debian/patches/use-pspell.patch 2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/patches/use-pspell.patch 2021-11-18 20:07:03.000000000 +0100
@@ -8,7 +8,7 @@
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/defaults.inc.php b/config/defaults.inc.php
-index 167fccd..c1d9c0b 100644
+index 20c1c6f..9b95e2b 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -799,7 +799,8 @@ $config['spellcheck_dictionary'] = false;
diff -Nru roundcube-1.4.11+dfsg.1/debian/salsa-ci.yml roundcube-1.4.12+dfsg.1/debian/salsa-ci.yml
--- roundcube-1.4.11+dfsg.1/debian/salsa-ci.yml 2021-05-17 20:45:48.000000000 +0200
+++ roundcube-1.4.12+dfsg.1/debian/salsa-ci.yml 2021-11-18 20:07:03.000000000 +0100
@@ -2,3 +2,6 @@
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bullseye'
diff -Nru roundcube-1.4.11+dfsg.1/index.php roundcube-1.4.12+dfsg.1/index.php
--- roundcube-1.4.11+dfsg.1/index.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/index.php 2021-11-12 22:35:37.000000000 +0100
@@ -2,7 +2,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.4.11 |
+ | Version 1.4.12 |
| |
| Copyright (C) The Roundcube Dev Team |
| |
diff -Nru roundcube-1.4.11+dfsg.1/installer/index.php roundcube-1.4.12+dfsg.1/installer/index.php
--- roundcube-1.4.11+dfsg.1/installer/index.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/installer/index.php 2021-11-12 22:35:37.000000000 +0100
@@ -3,7 +3,7 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail setup tool |
- | Version 1.4.11 |
+ | Version 1.4.12 |
| |
| Copyright (C) The Roundcube Dev Team |
| |
diff -Nru roundcube-1.4.11+dfsg.1/plugins/enigma/lib/enigma_engine.php roundcube-1.4.12+dfsg.1/plugins/enigma/lib/enigma_engine.php
--- roundcube-1.4.11+dfsg.1/plugins/enigma/lib/enigma_engine.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/plugins/enigma/lib/enigma_engine.php 2021-11-12 22:35:37.000000000 +0100
@@ -874,6 +874,10 @@
private function pgp_verify(&$msg_body, $sig_body = null)
{
// @TODO: Handle big bodies using (temp) files
+
+ // Get rid of possible non-ascii characters (#5962)
+ $sig_body = preg_replace('/[^\x00-\x7F]/', '', $sig_body);
+
$sig = $this->pgp_driver->verify($msg_body, $sig_body);
if (($sig instanceof enigma_error) && $sig->getCode() != enigma_error::KEYNOTFOUND) {
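Review bot: pgp_verify() declares `$sig_body = null`, and the new preg_replace() runs unconditionally, so a call made without a signature body now hands the driver an empty string instead of null. Wrap the strip in `if ($sig_body !== null)` so verify() receives the same argument as before in that case.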
@@ -894,6 +898,10 @@
private function pgp_decrypt(&$msg_body, &$signature = null)
{
// @TODO: Handle big bodies using (temp) files
+
+ // Get rid of possible non-ascii characters (#5962)
+ $msg_body = preg_replace('/[^\x00-\x7F]/', '', $msg_body);
+
$keys = $this->get_passwords();
$result = $this->pgp_driver->decrypt($msg_body, $keys, $signature);
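Review bot: `$msg_body` is taken by reference, so the byte strip in pgp_decrypt() rewrites the caller's copy of the message even when decryption later fails, and preg_replace() returns null on a PCRE error, which would then be passed straight to decrypt(). Strip into a local variable, pass that to the driver, and keep the original body when the result is null.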
@@ -1227,11 +1235,6 @@
}
else {
$body = $msg->get_part_body($part->mime_id, false);
-
- // Convert charset to get rid of possible non-ascii characters (#5962)
- if ($part->charset && stripos($part->charset, 'ASCII') === false) {
- $body = rcube_charset::convert($body, $part->charset, 'US-ASCII');
- }
}
return $body;
diff -Nru roundcube-1.4.11+dfsg.1/plugins/password/localization/nl_NL.inc roundcube-1.4.12+dfsg.1/plugins/password/localization/nl_NL.inc
--- roundcube-1.4.11+dfsg.1/plugins/password/localization/nl_NL.inc 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/plugins/password/localization/nl_NL.inc 2021-11-12 22:35:37.000000000 +0100
@@ -35,6 +35,6 @@
$messages['disablednotice'] = 'Het systeem is momenteel in onderhoud en wachtwoord wijzigen is op dit moment dus niet mogelijk. Alles werkt binnenkort weer naar behoren. Onze excuses voor het ongemak.';
$messages['passwinhistory'] = 'Dit wachtwoord is al eerder gebruikt.';
$messages['samepasswd'] = 'Het nieuwe paswoord dient verschillend ten opzichte van de oude te zijn.';
-$messages['passwdexpirewarning'] = 'Waarschuwing! je wachtwoord verloopt binnenkort, Wijzig het voor $vervaldatum.';
+$messages['passwdexpirewarning'] = 'Waarschuwing! je wachtwoord verloopt binnenkort, Wijzig het voor $expirationdatetime.';
$messages['passwdexpired'] = 'Je wachtwoord is verlopen, je dient het nu te wijzigen!';
$messages['passwdconstraintviolation'] = 'Wachtwoord voldoet niet aan beleid. Waarschijnlijk te zwak.';
diff -Nru roundcube-1.4.11+dfsg.1/program/include/iniset.php roundcube-1.4.12+dfsg.1/program/include/iniset.php
--- roundcube-1.4.11+dfsg.1/program/include/iniset.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/include/iniset.php 2021-11-12 22:35:37.000000000 +0100
@@ -24,7 +24,7 @@
}
// application constants
-define('RCMAIL_VERSION', '1.4.11');
+define('RCMAIL_VERSION', '1.4.12');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.4.11+dfsg.1/program/include/rcmail_output_html.php roundcube-1.4.12+dfsg.1/program/include/rcmail_output_html.php
--- roundcube-1.4.11+dfsg.1/program/include/rcmail_output_html.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/include/rcmail_output_html.php 2021-11-12 22:35:37.000000000 +0100
@@ -1576,8 +1576,7 @@
*/
public function button($attrib)
{
- static $s_button_count = 100;
- static $disabled_actions = null;
+ static $s_button_count = 100;
// these commands can be called directly via url
$a_static_commands = array('compose', 'list', 'preferences', 'folders', 'identities');
@@ -1609,9 +1608,7 @@
$element = ($this->env['task'] ? $this->env['task'] . '.' : '') . $action;
}
- if ($disabled_actions === null) {
- $disabled_actions = (array) $this->config->get('disabled_actions');
- }
+ $disabled_actions = (array) $this->config->get('disabled_actions');
// remove buttons for disabled actions
if (in_array($element, $disabled_actions) || in_array($action, $disabled_actions)) {
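Review bot: with the static cache removed, `disabled_actions` is read from the config on every button() call, but nothing in the hunk records why the cached value was wrong. Add a one-line comment above `$disabled_actions = (array) $this->config->get('disabled_actions');` stating the reason, so the cache is not reintroduced as an optimisation later.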
diff -Nru roundcube-1.4.11+dfsg.1/program/include/rcmail_sendmail.php roundcube-1.4.12+dfsg.1/program/include/rcmail_sendmail.php
--- roundcube-1.4.11+dfsg.1/program/include/rcmail_sendmail.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/include/rcmail_sendmail.php 2021-11-12 22:35:37.000000000 +0100
@@ -136,15 +136,18 @@
$from = null;
}
}
- // ... if there is no identity record, this might be a custom from
- else if (($from_string = $this->email_input_format($from))
- && preg_match('/(\S+@\S+)/', $from_string, $m)
- ) {
- $from = trim($m[1], '<>');
- }
- // ... otherwise it's empty or invalid
else {
- $from = null;
+ // ... if there is no identity record, this might be a custom from
+ $from_addresses = rcube_mime::decode_address_list($from);
+
+ if (count($from_addresses) == 1) {
+ $from = $from_addresses[1]['mailto'];
+ $from_string = $from_addresses[1]['string'];
+ }
+ // ... otherwise it's empty or invalid
+ else {
+ $from = null;
+ }
}
// check 'From' address (identity may be incomplete)
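Review bot: `$from_addresses[1]` only works if rcube_mime::decode_address_list() returns a list whose first key is 1, which the hunk relies on without saying so. After `count($from_addresses) == 1`, take the single element with `reset($from_addresses)` (or document the 1-based keys in a comment), and treat an empty `mailto` as invalid, since the old code set `$from = null` whenever no address matched.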
diff -Nru roundcube-1.4.11+dfsg.1/program/js/app.js roundcube-1.4.12+dfsg.1/program/js/app.js
--- roundcube-1.4.11+dfsg.1/program/js/app.js 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/js/app.js 2021-11-12 22:35:37.000000000 +0100
@@ -9992,7 +9992,10 @@
})
.on('load error', function(e) {
ref.env.browser_capabilities.pdf = e.type == 'load' ? 1 : 0;
- $(this).remove();
+
+ // add a short delay before attempting to remove element (#8128)
+ var obj = this;
+ window.setTimeout(function() { $(obj).remove(); }, 10);
})
.appendTo(document.body);
}, 10);
diff -Nru roundcube-1.4.11+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.4.12+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.4.11+dfsg.1/program/lib/Roundcube/bootstrap.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/lib/Roundcube/bootstrap.php 2021-11-12 22:35:37.000000000 +0100
@@ -58,7 +58,7 @@
}
// framework constants
-define('RCUBE_VERSION', '1.4.11');
+define('RCUBE_VERSION', '1.4.12');
define('RCUBE_CHARSET', 'UTF-8');
define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP');
diff -Nru roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_imap.php roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_imap.php
--- roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_imap.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_imap.php 2021-11-12 22:35:37.000000000 +0100
@@ -2356,7 +2356,7 @@
$filename_encoded = $fmatches[2];
}
- $part->filename = rcube_charset::convert(urldecode($filename_encoded), $filename_charset);
+ $part->filename = rcube_charset::convert(rawurldecode($filename_encoded), $filename_charset);
}
}
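Review bot: moving from urldecode() to rawurldecode() means a literal `+` in `$filename_encoded` is no longer turned into a space, but the line carries no comment or test that pins this. A short comment saying why `+` must be preserved here, plus a test with a filename containing `+`, would stop the call from being switched back.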
diff -Nru roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_ldap.php roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_ldap.php
--- roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_ldap.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_ldap.php 2021-11-12 22:35:37.000000000 +0100
@@ -884,6 +884,9 @@
$filter = 'e:' . $filter;
}
+ // Reset the previous search result
+ $this->reset();
+
// set filter string and execute search
$this->set_search_set($filter);
diff -Nru roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_message.php roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_message.php
--- roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_message.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_message.php 2021-11-12 22:35:37.000000000 +0100
@@ -49,6 +49,7 @@
private $mime;
private $opt = array();
private $parse_alternative = false;
+ private $tnef_decode = false;
public $uid;
public $folder;
@@ -104,6 +105,8 @@
return;
}
+ $this->tnef_decode = (bool) $this->app->config->get('tnef_decode', true);
+
$this->set_safe($is_safe || $_SESSION['safe_messages'][$this->folder.':'.$uid]);
$this->opt = array(
'safe' => $this->is_safe,
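Review bot: the new `$this->tnef_decode` property has the same name as the tnef_decode() method this class calls on application/ms-tnef parts, so `$this->tnef_decode` and `$this->tnef_decode($mail_part)` end up side by side with different meanings. Rename the flag (for example `tnef_decode_enabled`) and note in a comment that it is read from the `tnef_decode` option with a default of true.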
@@ -378,7 +381,13 @@
$last = $parent->real_mimetype ?: $parent->mimetype;
if (!preg_match('/^multipart\/(alternative|related|signed|encrypted|mixed)$/', $last)
- || ($last == 'multipart/mixed' && $parent_depth < $max_delta)) {
+ || ($last == 'multipart/mixed' && $parent_depth < $max_delta)
+ ) {
+ // The HTML body part extracted from a winmail.dat attachment part
+ if (strpos($part->mime_id, 'winmail.') === 0) {
+ return true;
+ }
+
continue 2;
}
}
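Review bot: the new `return true` for ids starting with `winmail.` sits inside the nested loops that the following `continue 2` belongs to, so the function exits at the first parent that fails the multipart test without looking at any remaining ones. If that is intended, the comment should say so. The `winmail.` prefix is also a bare string that has to match the mime_id assigned where the TNEF HTML part is built; a class constant would keep the two in step.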
@@ -817,11 +826,35 @@
continue;
}
// part is Microsoft Outlook TNEF (winmail.dat)
- else if ($part_mimetype == 'application/ms-tnef') {
+ else if ($part_mimetype == 'application/ms-tnef' && $this->tnef_decode) {
$tnef_parts = (array) $this->tnef_decode($mail_part);
+ $tnef_body = '';
+
foreach ($tnef_parts as $tpart) {
$this->mime_parts[$tpart->mime_id] = $tpart;
- $this->add_part($tpart, 'attachment');
+
+ if (strpos($tpart->mime_id, '.html')) {
+ $tnef_body = $tpart->body;
+ if ($this->opt['prefer_html']) {
+ $tpart->type = 'content';
+
+ // Reset type on the plain text part that usually is added to winmail.dat messages
+ // (on the same level in the structure as the attachment itself)
+ $level = count(explode('.', $mail_part->mime_id));
+ foreach ($this->parts as $p) {
+ if ($p->type == 'content' && $p->mimetype == 'text/plain'
+ && count(explode('.', $p->mime_id)) == $level
+ ) {
+ $p->type = null;
+ }
+ }
+ }
+ $this->add_part($tpart);
+ }
+ else {
+ $inline = !empty($tpart->content_id) && strpos($tnef_body, "cid:{$tpart->content_id}") !== false;
+ $this->add_part($tpart, $inline ? 'inline' : 'attachment');
+ }
}
// add winmail.dat to the list if it's content is unknown
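Review bot: `if (strpos($tpart->mime_id, '.html'))` tests the return value for truthiness and matches `.html` anywhere in the id, where the intent is "this id ends in `.html`". Compare the suffix explicitly, for example `substr($tpart->mime_id, -5) === '.html'`. The inline test is loose in the same way: `strpos($tnef_body, "cid:{$tpart->content_id}")` is a substring match, so a content id that is a prefix of another one is also counted as referenced.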
@@ -1002,6 +1035,26 @@
unset($body);
+ // HTML body
+ if (
+ !empty($tnef_arr['message'])
+ && !empty($tnef_arr['message']['size'])
+ && $tnef_arr['message']['subtype'] == 'html'
+ ) {
+ $tpart = new rcube_message_part;
+
+ $tpart->encoding = 'stream';
+ $tpart->ctype_primary = 'text';
+ $tpart->ctype_secondary = 'html';
+ $tpart->mimetype = 'text/html';
+ $tpart->mime_id = 'winmail.' . $part->mime_id . '.html';
+ $tpart->size = $tnef_arr['message']['size'];
+ $tpart->body = $tnef_arr['message']['stream'];
+
+ $parts[] = $tpart;
+ }
+
+ // Attachments
foreach ($tnef_arr['attachments'] as $pid => $winatt) {
$tpart = new rcube_message_part;
@@ -1014,6 +1067,10 @@
$tpart->size = $winatt['size'];
$tpart->body = $winatt['stream'];
+ if (!empty($winatt['content-id'])) {
+ $tpart->content_id = $winatt['content-id'];
+ }
+
$parts[] = $tpart;
unset($tnef_arr[$pid]);
}
diff -Nru roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_tnef_decoder.php roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_tnef_decoder.php
--- roundcube-1.4.11+dfsg.1/program/lib/Roundcube/rcube_tnef_decoder.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/lib/Roundcube/rcube_tnef_decoder.php 2021-11-12 22:35:37.000000000 +0100
@@ -362,6 +362,10 @@
$result['subtype'] = $value[1];
break;
+ case self::MAPI_ATTACH_CONTENT_ID:
+ $result['content-id'] = $value;
+ break;
+
case self::MAPI_ATTACH_DATA:
$this->_getx($value, 16);
$att = new rcube_tnef_decoder;
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/addressbook/export.inc roundcube-1.4.12+dfsg.1/program/steps/addressbook/export.inc
--- roundcube-1.4.11+dfsg.1/program/steps/addressbook/export.inc 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/addressbook/export.inc 2021-11-12 22:35:37.000000000 +0100
@@ -22,9 +22,11 @@
$RCMAIL->request_security_check(rcube_utils::INPUT_GET);
// Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
+if (!empty($_REQUEST['_search']) && isset($_SESSION['contact_search'][$_REQUEST['_search']])
+ && is_array($_SESSION['contact_search'][$_REQUEST['_search']])
+) {
$sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
- $search = (array)$_SESSION['search'][$_REQUEST['_search']];
+ $search = $_SESSION['contact_search'][$_REQUEST['_search']];
$records = array();
// Get records from all sources
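Review bot: the condition indexes `$_SESSION['contact_search']` with the raw `$_REQUEST['_search']` three times, and the same isset()/is_array() pair is repeated in func.inc and list_contacts.inc. Read the id once into a local variable and move the check into one shared helper so the three call sites cannot drift apart. The hunk also gives no reason for moving from `$_SESSION['search']` to `$_SESSION['contact_search']`; a one-line comment would help.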
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/addressbook/func.inc roundcube-1.4.12+dfsg.1/program/steps/addressbook/func.inc
--- roundcube-1.4.11+dfsg.1/program/steps/addressbook/func.inc 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/addressbook/func.inc 2021-11-12 22:35:37.000000000 +0100
@@ -985,8 +985,10 @@
{
global $RCMAIL;
- if (($search_request = $_REQUEST['_search']) && isset($_SESSION['search'][$search_request])) {
- $search = (array)$_SESSION['search'][$search_request];
+ if (($search_request = $_REQUEST['_search']) && isset($_SESSION['contact_search'][$search_request])
+ && is_array($_SESSION['contact_search'][$search_request])
+ ) {
+ $search = $_SESSION['contact_search'][$search_request];
$sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
$afields = $return ? $RCMAIL->config->get('contactlist_fields') : array('name', 'email');
$records = array();
@@ -1019,7 +1021,7 @@
$search[$s] = $source->get_search_set();
}
- $_SESSION['search'][$search_request] = $search;
+ $_SESSION['contact_search'][$search_request] = $search;
return $records;
}
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/addressbook/search.inc roundcube-1.4.12+dfsg.1/program/steps/addressbook/search.inc
--- roundcube-1.4.11+dfsg.1/program/steps/addressbook/search.inc 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/addressbook/search.inc 2021-11-12 22:35:37.000000000 +0100
@@ -23,8 +23,7 @@
$id = rcube_utils::get_input_value('_search', rcube_utils::INPUT_POST);
$name = rcube_utils::get_input_value('_name', rcube_utils::INPUT_POST, true);
- if (($params = $_SESSION['search_params']) && $params['id'] == $id) {
-
+ if (($params = $_SESSION['contact_search_params']) && $params['id'] == $id) {
$data = array(
'type' => rcube_user::SEARCH_ADDRESSBOOK,
'name' => $name,
@@ -114,13 +113,13 @@
// quick-search
else {
$search = trim(rcube_utils::get_input_value('_q', rcube_utils::INPUT_GET, true));
- $fields = explode(',', rcube_utils::get_input_value('_headers', rcube_utils::INPUT_GET));
+ $fields = rcube_utils::get_input_value('_headers', rcube_utils::INPUT_GET);
if (empty($fields)) {
$fields = array_keys($SEARCH_MODS_DEFAULT);
}
else {
- $fields = array_filter($fields);
+ $fields = array_filter(explode(',', $fields));
}
// update search_mods setting
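Review bot: `explode(',', $fields)` is reached for any non-empty `_headers` value, but nothing checks that get_input_value() returned a string. Add an `is_string($fields)` test before the explode and fall back to `array_keys($SEARCH_MODS_DEFAULT)` otherwise.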
@@ -211,8 +210,8 @@
.(is_array($search) ? implode(',', $search) : $search));
// save search settings in session
- $_SESSION['search'][$search_request] = $search_set;
- $_SESSION['search_params'] = array('id' => $search_request, 'data' => array($fields, $search));
+ $_SESSION['contact_search'][$search_request] = $search_set;
+ $_SESSION['contact_search_params'] = array('id' => $search_request, 'data' => array($fields, $search));
$_SESSION['page'] = 1;
if ($adv)
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/mail/get.inc roundcube-1.4.12+dfsg.1/program/steps/mail/get.inc
--- roundcube-1.4.11+dfsg.1/program/steps/mail/get.inc 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/mail/get.inc 2021-11-12 22:35:37.000000000 +0100
@@ -187,8 +187,8 @@
$RCMAIL->gettext(array(
'name' => 'attachmentvalidationerror',
'vars' => array(
- 'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''),
- 'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''),
+ 'expected' => $mimetype . (!empty($file_extension) ? rcube::Q(" (.{$file_extension})") : ''),
+ 'detected' => $real_mimetype . (!empty($extensions[0]) ? " (.{$extensions[0]})" : ''),
)
)
),
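Review bot: only the `expected` extension goes through rcube::Q(); `$mimetype` in the same string and the whole `detected` value are still concatenated unescaped. If those values are trusted, a comment should say where they come from; otherwise escape the complete string in both entries so the two lines stay symmetric.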
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/mail/list_contacts.inc roundcube-1.4.12+dfsg.1/program/steps/mail/list_contacts.inc
--- roundcube-1.4.11+dfsg.1/program/steps/mail/list_contacts.inc 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/mail/list_contacts.inc 2021-11-12 22:35:37.000000000 +0100
@@ -24,9 +24,11 @@
$jsresult = array();
// Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
- $search = (array)$_SESSION['search'][$_REQUEST['_search']];
- $sparam = $_SESSION['search_params']['id'] == $_REQUEST['_search'] ? $_SESSION['search_params']['data'] : array();
+if (!empty($_REQUEST['_search']) && isset($_SESSION['contact_search'][$_REQUEST['_search']])
+ && is_array($_SESSION['contact_search'][$_REQUEST['_search']])
+) {
+ $search = $_SESSION['contact_search'][$_REQUEST['_search']];
+ $sparam = $_SESSION['contact_search_params']['id'] == $_REQUEST['_search'] ? $_SESSION['contact_search_params']['data'] : array();
// get records from all sources
foreach ($search as $s => $set) {
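Review bot: the new guard covers `$_SESSION['contact_search']` only, while the `$sparam` line reads `$_SESSION['contact_search_params']['id']` without checking that the params entry exists. Add an isset() on `$_SESSION['contact_search_params']` to the ternary so a session that holds a search set but no params falls back to `array()` without a notice.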
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/mail/list.inc roundcube-1.4.12+dfsg.1/program/steps/mail/list.inc
--- roundcube-1.4.11+dfsg.1/program/steps/mail/list.inc 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/mail/list.inc 2021-11-12 22:35:37.000000000 +0100
@@ -25,7 +25,8 @@
$dont_override = (array) $RCMAIL->config->get('dont_override');
// is there a sort type for this request?
-if ($sort = rcube_utils::get_input_value('_sort', rcube_utils::INPUT_GET)) {
+$sort = rcube_utils::get_input_value('_sort', rcube_utils::INPUT_GET);
+if ($sort && preg_match('/^[a-zA-Z_-]+$/', $sort)) {
// yes, so set the sort vars
list($sort_col, $sort_order) = explode('_', $sort);
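Review bot: in `preg_match('/^[a-zA-Z_-]+$/', $sort)` the `$` also matches before a trailing newline, so the filter is not a strict whole-string match; anchor with `\z` or add the `D` modifier. The pattern also accepts values with no underscore, in which case `list($sort_col, $sort_order) = explode('_', $sort)` leaves `$sort_order` null; requiring the `column_ORDER` shape in the regex would cover both.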
diff -Nru roundcube-1.4.11+dfsg.1/program/steps/mail/search_contacts.inc roundcube-1.4.12+dfsg.1/program/steps/mail/search_contacts.inc
--- roundcube-1.4.11+dfsg.1/program/steps/mail/search_contacts.inc 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/program/steps/mail/search_contacts.inc 2021-11-12 22:35:37.000000000 +0100
@@ -97,8 +97,8 @@
$search_request = md5('composeaddr' . $search);
// save search settings in session
- $_SESSION['search'][$search_request] = $search_set;
- $_SESSION['search_params'] = array('id' => $search_request, 'data' => array($afields, $search));
+ $_SESSION['contact_search'][$search_request] = $search_set;
+ $_SESSION['contact_search_params'] = array('id' => $search_request, 'data' => array($afields, $search));
$OUTPUT->show_message('contactsearchsuccessful', 'confirmation', array('nr' => $result->count));
diff -Nru roundcube-1.4.11+dfsg.1/public_html/index.php roundcube-1.4.12+dfsg.1/public_html/index.php
--- roundcube-1.4.11+dfsg.1/public_html/index.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/index.php 2021-11-12 22:35:37.000000000 +0100
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.4.11 |
+ | Version 1.4.12 |
| |
| Copyright (C) The Roundcube Dev Team |
| |
diff -Nru roundcube-1.4.11+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php roundcube-1.4.12+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php
--- roundcube-1.4.11+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php 2021-11-12 22:35:37.000000000 +0100
@@ -874,6 +874,10 @@
private function pgp_verify(&$msg_body, $sig_body = null)
{
// @TODO: Handle big bodies using (temp) files
+
+ // Get rid of possible non-ascii characters (#5962)
+ $sig_body = preg_replace('/[^\x00-\x7F]/', '', $sig_body);
+
$sig = $this->pgp_driver->verify($msg_body, $sig_body);
if (($sig instanceof enigma_error) && $sig->getCode() != enigma_error::KEYNOTFOUND) {
@@ -894,6 +898,10 @@
private function pgp_decrypt(&$msg_body, &$signature = null)
{
// @TODO: Handle big bodies using (temp) files
+
+ // Get rid of possible non-ascii characters (#5962)
+ $msg_body = preg_replace('/[^\x00-\x7F]/', '', $msg_body);
+
$keys = $this->get_passwords();
$result = $this->pgp_driver->decrypt($msg_body, $keys, $signature);
@@ -1227,11 +1235,6 @@
}
else {
$body = $msg->get_part_body($part->mime_id, false);
-
- // Convert charset to get rid of possible non-ascii characters (#5962)
- if ($part->charset && stripos($part->charset, 'ASCII') === false) {
- $body = rcube_charset::convert($body, $part->charset, 'US-ASCII');
- }
}
return $body;
diff -Nru roundcube-1.4.11+dfsg.1/public_html/plugins/password/localization/nl_NL.inc roundcube-1.4.12+dfsg.1/public_html/plugins/password/localization/nl_NL.inc
--- roundcube-1.4.11+dfsg.1/public_html/plugins/password/localization/nl_NL.inc 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/plugins/password/localization/nl_NL.inc 2021-11-12 22:35:37.000000000 +0100
@@ -35,6 +35,6 @@
$messages['disablednotice'] = 'Het systeem is momenteel in onderhoud en wachtwoord wijzigen is op dit moment dus niet mogelijk. Alles werkt binnenkort weer naar behoren. Onze excuses voor het ongemak.';
$messages['passwinhistory'] = 'Dit wachtwoord is al eerder gebruikt.';
$messages['samepasswd'] = 'Het nieuwe paswoord dient verschillend ten opzichte van de oude te zijn.';
-$messages['passwdexpirewarning'] = 'Waarschuwing! je wachtwoord verloopt binnenkort, Wijzig het voor $vervaldatum.';
+$messages['passwdexpirewarning'] = 'Waarschuwing! je wachtwoord verloopt binnenkort, Wijzig het voor $expirationdatetime.';
$messages['passwdexpired'] = 'Je wachtwoord is verlopen, je dient het nu te wijzigen!';
$messages['passwdconstraintviolation'] = 'Wachtwoord voldoet niet aan beleid. Waarschijnlijk te zwak.';
diff -Nru roundcube-1.4.11+dfsg.1/public_html/program/js/app.js roundcube-1.4.12+dfsg.1/public_html/program/js/app.js
--- roundcube-1.4.11+dfsg.1/public_html/program/js/app.js 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/program/js/app.js 2021-11-12 22:35:37.000000000 +0100
@@ -9992,7 +9992,10 @@
})
.on('load error', function(e) {
ref.env.browser_capabilities.pdf = e.type == 'load' ? 1 : 0;
- $(this).remove();
+
+ // add a short delay before attempting to remove element (#8128)
+ var obj = this;
+ window.setTimeout(function() { $(obj).remove(); }, 10);
})
.appendTo(document.body);
}, 10);
diff -Nru roundcube-1.4.11+dfsg.1/public_html/skins/elastic/styles/styles.less roundcube-1.4.12+dfsg.1/public_html/skins/elastic/styles/styles.less
--- roundcube-1.4.11+dfsg.1/public_html/skins/elastic/styles/styles.less 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/skins/elastic/styles/styles.less 2021-11-12 22:35:37.000000000 +0100
@@ -272,7 +272,7 @@
div.rcmBody {
// Remove margins that can be set by the mail message styles
- margin: 0 !important;
+ margin: 0 auto !important;
}
blockquote {
diff -Nru roundcube-1.4.11+dfsg.1/public_html/skins/elastic/styles/widgets/buttons.less roundcube-1.4.12+dfsg.1/public_html/skins/elastic/styles/widgets/buttons.less
--- roundcube-1.4.11+dfsg.1/public_html/skins/elastic/styles/widgets/buttons.less 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/skins/elastic/styles/widgets/buttons.less 2021-11-12 22:35:37.000000000 +0100
@@ -224,6 +224,8 @@
border-color: @color-btn-secondary-background;
&:focus {
+ background: darken(@color-btn-secondary-background, 5%);
+ border-color: darken(@color-btn-secondary-background, 7%);
box-shadow: 0 0 0 .2rem fade(@color-btn-secondary-background, 50%);
}
@@ -234,9 +236,8 @@
&.disabled,
&:disabled {
- background: lighten(@color-btn-secondary-background, 20%);
- border-color: lighten(@color-btn-secondary-background, 20%);
- opacity: 1;
+ background: @color-btn-secondary-background;
+ border-color: @color-btn-secondary-background;
}
&:not(:disabled):not(.disabled) {
@@ -258,6 +259,8 @@
border-color: @color-btn-primary-background;
&:focus {
+ background: darken(@color-btn-primary-background, 5%);
+ border-color: darken(@color-btn-primary-background, 7%);
box-shadow: 0 0 0 .2rem fade(@color-btn-primary-background, 50%);
}
@@ -268,9 +271,8 @@
&.disabled,
&:disabled {
- background: lighten(@color-btn-primary-background, 20%);
- border-color: lighten(@color-btn-primary-background, 20%);
- opacity: 1;
+ background: @color-btn-primary-background;
+ border-color: @color-btn-primary-background;
}
&:not(:disabled):not(.disabled) {
@@ -292,6 +294,8 @@
border-color: @color-btn-danger-background;
&:focus {
+ background: darken(@color-btn-danger-background, 5%);
+ border-color: darken(@color-btn-danger-background, 7%);
box-shadow: 0 0 0 .2rem fade(@color-btn-danger-background, 50%);
}
@@ -302,9 +306,8 @@
&.disabled,
&:disabled {
- background: lighten(@color-btn-danger-background, 20%);
- border-color: lighten(@color-btn-danger-background, 20%);
- opacity: 1;
+ background: @color-btn-danger-background;
+ border-color: @color-btn-danger-background;
}
&:not(:disabled):not(.disabled) {
diff -Nru roundcube-1.4.11+dfsg.1/public_html/skins/elastic/ui.js roundcube-1.4.12+dfsg.1/public_html/skins/elastic/ui.js
--- roundcube-1.4.11+dfsg.1/public_html/skins/elastic/ui.js 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/public_html/skins/elastic/ui.js 2021-11-12 22:35:37.000000000 +0100
@@ -2533,7 +2533,9 @@
}
menus[p.name] = {target: target};
- $(target).popover('show');
+
+ // setTimeout fixes Shift + drag'n'drop menu in Chrome (#8107)
+ setTimeout(function() { $(target).popover('show'); }, 1);
}
fn();
diff -Nru roundcube-1.4.11+dfsg.1/skins/elastic/styles/styles.less roundcube-1.4.12+dfsg.1/skins/elastic/styles/styles.less
--- roundcube-1.4.11+dfsg.1/skins/elastic/styles/styles.less 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/skins/elastic/styles/styles.less 2021-11-12 22:35:37.000000000 +0100
@@ -272,7 +272,7 @@
div.rcmBody {
// Remove margins that can be set by the mail message styles
- margin: 0 !important;
+ margin: 0 auto !important;
}
blockquote {
diff -Nru roundcube-1.4.11+dfsg.1/skins/elastic/styles/widgets/buttons.less roundcube-1.4.12+dfsg.1/skins/elastic/styles/widgets/buttons.less
--- roundcube-1.4.11+dfsg.1/skins/elastic/styles/widgets/buttons.less 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/skins/elastic/styles/widgets/buttons.less 2021-11-12 22:35:37.000000000 +0100
@@ -224,6 +224,8 @@
border-color: @color-btn-secondary-background;
&:focus {
+ background: darken(@color-btn-secondary-background, 5%);
+ border-color: darken(@color-btn-secondary-background, 7%);
box-shadow: 0 0 0 .2rem fade(@color-btn-secondary-background, 50%);
}
@@ -234,9 +236,8 @@
&.disabled,
&:disabled {
- background: lighten(@color-btn-secondary-background, 20%);
- border-color: lighten(@color-btn-secondary-background, 20%);
- opacity: 1;
+ background: @color-btn-secondary-background;
+ border-color: @color-btn-secondary-background;
}
&:not(:disabled):not(.disabled) {
@@ -258,6 +259,8 @@
border-color: @color-btn-primary-background;
&:focus {
+ background: darken(@color-btn-primary-background, 5%);
+ border-color: darken(@color-btn-primary-background, 7%);
box-shadow: 0 0 0 .2rem fade(@color-btn-primary-background, 50%);
}
@@ -268,9 +271,8 @@
&.disabled,
&:disabled {
- background: lighten(@color-btn-primary-background, 20%);
- border-color: lighten(@color-btn-primary-background, 20%);
- opacity: 1;
+ background: @color-btn-primary-background;
+ border-color: @color-btn-primary-background;
}
&:not(:disabled):not(.disabled) {
@@ -292,6 +294,8 @@
border-color: @color-btn-danger-background;
&:focus {
+ background: darken(@color-btn-danger-background, 5%);
+ border-color: darken(@color-btn-danger-background, 7%);
box-shadow: 0 0 0 .2rem fade(@color-btn-danger-background, 50%);
}
@@ -302,9 +306,8 @@
&.disabled,
&:disabled {
- background: lighten(@color-btn-danger-background, 20%);
- border-color: lighten(@color-btn-danger-background, 20%);
- opacity: 1;
+ background: @color-btn-danger-background;
+ border-color: @color-btn-danger-background;
}
&:not(:disabled):not(.disabled) {
diff -Nru roundcube-1.4.11+dfsg.1/skins/elastic/ui.js roundcube-1.4.12+dfsg.1/skins/elastic/ui.js
--- roundcube-1.4.11+dfsg.1/skins/elastic/ui.js 2021-02-08 20:17:07.000000000 +0100
+++ roundcube-1.4.12+dfsg.1/skins/elastic/ui.js 2021-11-12 22:35:37.000000000 +0100
@@ -2533,7 +2533,9 @@
}
menus[p.name] = {target: target};
- $(target).popover('show');
+
+ // setTimeout fixes Shift + drag'n'drop menu in Chrome (#8107)
+ setTimeout(function() { $(target).popover('show'); }, 1);
}
fn();
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-roundcube-maintainers/attachments/20211123/8523828e/attachment-0001.sig>