Kolab:16
roundcubemail
Changes of Revision 114
roundcubemail.spec
Changed
@@ -48,7 +48,7 @@ %global logdir /var/log/roundcubemail %global tmpdir /var/lib/roundcubemail -%global rc_version 1.4.11.20 +%global rc_version 1.4.13 #%%global rc_rel_suffix rc2.12 %global dot_rel_suffix %{?rc_rel_suffix:.%{rc_rel_suffix}} %global dash_rel_suffix %{?rc_rel_suffix:-%{rc_rel_suffix}}
debian.changelog
Changed
@@ -1,3 +1,9 @@ +roundcubemail (1.4.13-0~kolab1) unstable; urgency=low + + * Check in 1.4.13 + + -- Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> Fri, 14 Jan 2022 11:11:11 +0200 + roundcubemail (1.4.11.20-0~kolab1) unstable; urgency=low * Check in 1.4.11.20
roundcubemail-1.4.11.20.tar.gz/CHANGELOG -> roundcubemail-1.4.13.tar.gz/CHANGELOG
Changed
@@ -1,7 +1,12 @@ CHANGELOG Roundcube Webmail =========================== -- Disable the default spellchecker option using spell.roundcube.net (#8182) +RELEASE 1.4.13 +-------------- +- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content + +RELEASE 1.4.12 +-------------- - Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919) - Fix bug where contacts search didn't work with addressbook_search_mods set to an empty array (#7974) - Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
roundcubemail-1.4.11.20.tar.gz/config/defaults.inc.php -> roundcubemail-1.4.13.tar.gz/config/defaults.inc.php
Changed
@@ -784,25 +784,28 @@ // if in your system 0 quota means no limit set this option to true $config['quota_zero_as_unlimited'] = false; -// Make use of the built-in spell checker. It is based on GoogieSpell. -$config['enable_spellcheck'] = false; +// Make use of the built-in spell checker. +$config['enable_spellcheck'] = true; // Enables spellchecker exceptions dictionary. // Setting it to 'shared' will make the dictionary shared by all users. $config['spellcheck_dictionary'] = false; // Set the spell checking engine. Possible values: -// - 'googie' - requires 'spellcheck_uri' option to be set (also used for connecting to Nox Spell Server) +// - 'googie' - the default (also used for connecting to Nox Spell Server, see 'spellcheck_uri' setting) // - 'pspell' - requires the PHP Pspell module and aspell installed // - 'enchant' - requires the PHP Enchant module // - 'atd' - install your own After the Deadline server or check with the people at http://www.afterthedeadline.com before using their API +// Since Google shut down their public spell checking service, the default settings +// connect to http://spell.roundcube.net which is a hosted service provided by Roundcube. // You can connect to any other googie-compliant service by setting 'spellcheck_uri' accordingly. $config['spellcheck_engine'] = 'googie'; // For locally installed Nox Spell Server or After the Deadline services, // please specify the URI to call it. -// Get Nox Spell Server from https://github.com/handwritingio/nox_spell_server or -// the After the Deadline package from http://www.afterthedeadline.com +// Get Nox Spell Server from http://orangoo.com/labs/?page_id=72 or +// the After the Deadline package from http://www.afterthedeadline.com. +// Leave empty to use the public API of service.afterthedeadline.com $config['spellcheck_uri'] = ''; // These languages can be selected for spell checking.
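Review bot: The new defaults set `$config['enable_spellcheck'] = true;` while `spellcheck_engine` stays 'googie' and `spellcheck_uri` stays empty, which per the added comment means composed text is sent to the hosted spell.roundcube.net service unless an administrator opts out. The 1.4.11.20 package shipped this option as `false`, and the CHANGELOG section of this revision drops the "Disable the default spellchecker option using spell.roundcube.net (#8182)" entry, so the version bump appears to undo that hardening as a side effect rather than by decision. Consider carrying the previous default forward in the package, `$config['enable_spellcheck'] = false;`, or stating the external data flow explicitly in the packaged configuration. The matching code fallback is in program/lib/Roundcube/spellchecker/googie.php in this same revision.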
roundcubemail-1.4.11.20.tar.gz/index.php -> roundcubemail-1.4.13.tar.gz/index.php
Changed
@@ -2,7 +2,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.4.11 | + | Version 1.4.13 | | | | Copyright (C) The Roundcube Dev Team | | |
roundcubemail-1.4.11.20.tar.gz/installer/index.php -> roundcubemail-1.4.13.tar.gz/installer/index.php
Changed
@@ -3,7 +3,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail setup tool | - | Version 1.4.11 | + | Version 1.4.13 | | | | Copyright (C) The Roundcube Dev Team | | |
roundcubemail-1.4.11.20.tar.gz/program/include/iniset.php -> roundcubemail-1.4.13.tar.gz/program/include/iniset.php
Changed
@@ -24,7 +24,7 @@ } // application constants -define('RCMAIL_VERSION', '1.4.11'); +define('RCMAIL_VERSION', '1.4.13'); define('RCMAIL_START', microtime(true)); if (!defined('INSTALL_PATH')) {
roundcubemail-1.4.11.20.tar.gz/program/lib/Roundcube/bootstrap.php -> roundcubemail-1.4.13.tar.gz/program/lib/Roundcube/bootstrap.php
Changed
@@ -58,7 +58,7 @@ } // framework constants -define('RCUBE_VERSION', '1.4.11'); +define('RCUBE_VERSION', '1.4.13'); define('RCUBE_CHARSET', 'UTF-8'); define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP');
roundcubemail-1.4.11.20.tar.gz/program/lib/Roundcube/rcube_washtml.php -> roundcubemail-1.4.13.tar.gz/program/lib/Roundcube/rcube_washtml.php
Changed
@@ -338,7 +338,7 @@ if ($url = $this->wash_uri($match[2])) { $result .= ' ' . $attr->nodeName . '="' . $match[1] . '(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')' - . substr($val, strlen($match[0])) . '"'; + . htmlspecialchars(substr($val, strlen($match[0])), ENT_QUOTES, $this->config['charset']) . '"'; continue; } }
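Review bot: `$match[1]` is still concatenated into the attribute value unescaped in the context line `. $match[1] . '('`, whereas the URL and, with this change, the trailing remainder both go through htmlspecialchars(). Whether that is safe depends on the pattern that filled `$match`, which lies outside the hunk. For uniformity it could be written as `. htmlspecialchars($match[1], ENT_QUOTES, $this->config['charset']) . '('`, or a short comment could record why that capture group cannot contain quotes. The enclosing method starts and ends outside the hunk.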
roundcubemail-1.4.11.20.tar.gz/program/lib/Roundcube/spellchecker/googie.php -> roundcubemail-1.4.13.tar.gz/program/lib/Roundcube/spellchecker/googie.php
Changed
@@ -26,6 +26,9 @@ */ class rcube_spellchecker_googie extends rcube_spellchecker_engine { + const GOOGIE_HOST = 'ssl://spell.roundcube.net'; + const GOOGIE_PORT = 443; + private $matches = array(); private $content; @@ -68,8 +71,9 @@ $path = $a_uri['path'] . ($a_uri['query'] ? '?'.$a_uri['query'] : '') . $this->lang; } else { - $this->error = "Missing 'spellcheck_uri' config option"; - return $this->matches = array(); + $host = self::GOOGIE_HOST; + $port = self::GOOGIE_PORT; + $path = '/tbproxy/spell?lang=' . $this->lang; } $path .= sprintf('&key=%06d', $_SESSION['user_id']);
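Review bot: With `spellcheck_uri` unset the else branch in the second hunk no longer fails closed. It now falls back to `ssl://spell.roundcube.net`, and the unchanged line `$path .= sprintf('&key=%06d', $_SESSION['user_id']);` then adds the local user id to the request sent to that external host. For a packaged deployment, consider keeping the earlier behaviour (`$this->error = "Missing 'spellcheck_uri' config option";` followed by `return $this->matches = array();`), or at least omitting the `key` parameter when the built-in host is used. Whether the TLS peer certificate is verified depends on how the socket is opened, which these hunks do not show. The method containing the second hunk starts and ends outside it.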
roundcubemail-1.4.11.20.tar.gz/public_html/index.php -> roundcubemail-1.4.13.tar.gz/public_html/index.php
Changed
@@ -3,7 +3,7 @@ /* +-----------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.4.11 | + | Version 1.4.13 | | | | Copyright (C) The Roundcube Dev Team | | |
roundcubemail-1.4.11.20.tar.gz/tests/Framework/Washtml.php -> roundcubemail-1.4.13.tar.gz/tests/Framework/Washtml.php
Changed
@@ -448,6 +448,10 @@ '<!-- html ignored --><body x-washed="background"></body>' ], [ + '<html><body><img fill=\'asd:url(#asd)" src="x" onerror="alert(1)\' />', + '<body><img fill="asd:url(#asd)" src="x" onerror="alert(1)" /></body>' + ], + [ '<html><math href="javascript:alert(location);"><mi>clickme</mi></math>', '<!-- html ignored --><body><math x-washed="href"><mi>clickme</mi></math></body>', ],
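Review bot: As displayed here, the expected string of the added case, `<body><img fill="asd:url(#asd)" src="x" onerror="alert(1)" /></body>`, contains a live `onerror` attribute, so read literally it would assert the unescaped output instead of the washed one. This is presumably the page decoding `&quot;` entities in the expected value; confirm against the file in the 1.4.13 tarball that the quotes following `url(#asd)` are entity-encoded. A one-line comment above the case, such as `// quotes after url() must stay inside the attribute value`, would make the intent of the regression test clear. The data provider this array belongs to starts and ends outside the hunk.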
roundcubemail.dsc
Changed
@@ -2,7 +2,7 @@ Source: roundcubemail Binary: roundcubemail Architecture: all -Version: 1:1.4.11.20-0~kolab1 +Version: 1:1.4.13-0~kolab1 Maintainer: Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> Uploaders: Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> Homepage: http://www.roundcube.net/ @@ -14,5 +14,5 @@ roundcubemail deb web extra roundcubemail-core deb web extra Files: - 00000000000000000000000000000000 0 roundcubemail-1.4.11.20.tar.gz + 00000000000000000000000000000000 0 roundcubemail-1.4.13.tar.gz 00000000000000000000000000000000 0 debian.tar.gz