Kolab:16:TestingLinked
roundcubemail
Changes of Revision 108
roundcubemail.spec
Changed
@@ -48,7 +48,7 @@ %global logdir /var/log/roundcubemail %global tmpdir /var/lib/roundcubemail -%global rc_version 1.4.9.3 +%global rc_version 1.4.10 #%%global rc_rel_suffix rc2.12 %global dot_rel_suffix %{?rc_rel_suffix:.%{rc_rel_suffix}} %global dash_rel_suffix %{?rc_rel_suffix:-%{rc_rel_suffix}} @@ -3448,6 +3448,9 @@ %defattr(-,root,root,-) %changelog +* Mon Dec 28 2020 Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> - 1.4.10-1 +- Check in release 1.4.10 + * Fri Oct 16 2020 Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> - 1.4.9.3-1 - Check in release 1.4.9.3
debian.changelog
Changed
@@ -1,3 +1,9 @@ +roundcubemail (1.4.10-0~kolab1) unstable; urgency=low + + * Check in 1.4.10 + + -- Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> Mon, 28 Dec 2020 11:11:11 +0200 + roundcubemail (1.4.9.3-0~kolab2) unstable; urgency=low * Check in 1.4.9.3
roundcubemail-1.4.9.3.tar.gz/CHANGELOG -> roundcubemail-1.4.10.tar.gz/CHANGELOG
Changed
@@ -1,8 +1,13 @@ CHANGELOG Roundcube Webmail =========================== +RELEASE 1.4.10 +-------------- - Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655) - Fix folder list issue whan special folder is a subfolder (#7647) +- Fix Elastic's folder subscription toggle in search result (#7653) +- Fix state of subscription toggle on folders list after changing folder state from the search result (#7653) +- Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content CVE-2020-35730 RELEASE 1.4.9 -------------
roundcubemail-1.4.10.tar.gz/autogen.sh
Added
@@ -0,0 +1,15 @@ +#!/bin/bash + +git clean -d -f -x + +bin/install-jsdeps.sh +bin/install-jsdeps.sh + +pushd .. + +rm -rf roundcubemail-$1/ +cp -a roundcubemail.git roundcubemail-$1/ +rm -rf roundcubemail-$1/.git/ + +tar czvf roundcubemail-$1.tar.gz roundcubemail-$1 +
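Review bot: The release version `$1` is used unquoted and unchecked in `rm -rf roundcubemail-$1/`, `cp -a` and `tar`, and the script has no error handling, so a missing argument or a failed `pushd ..` still lets the `rm -rf` and `tar` steps run in whatever directory the shell is in. Start the script with `set -euo pipefail` and `: "${1:?usage: autogen.sh VERSION}"`, and quote every expansion as `"roundcubemail-$1"`. `bin/install-jsdeps.sh` is run twice and presumably fetches JavaScript dependencies while the tarball is being built. A comment saying why the second run is needed, and whether the downloads are checksum-verified, would help anyone auditing how the release tarball is produced.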
roundcubemail-1.4.9.3.tar.gz/composer.json-dist -> roundcubemail-1.4.10.tar.gz/composer.json-dist
Changed
@@ -17,7 +17,7 @@ "pear/net_smtp": "~1.8.1", "pear/crypt_gpg": "~1.6.3", "pear/net_sieve": "~1.4.3", - "roundcube/plugin-installer": "~0.1.6", + "roundcube/plugin-installer": "~0.2.0", "masterminds/html5": "~2.5.0", "endroid/qr-code": "~1.6.5" },
roundcubemail-1.4.9.3.tar.gz/index.php -> roundcubemail-1.4.10.tar.gz/index.php
Changed
@@ -2,7 +2,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.4.9 | + | Version 1.4.10 | | | | Copyright (C) The Roundcube Dev Team | | |
roundcubemail-1.4.9.3.tar.gz/installer/index.php -> roundcubemail-1.4.10.tar.gz/installer/index.php
Changed
@@ -3,7 +3,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail setup tool | - | Version 1.4.9 | + | Version 1.4.10 | | | | Copyright (C) The Roundcube Dev Team | | |
roundcubemail-1.4.9.3.tar.gz/program/include/iniset.php -> roundcubemail-1.4.10.tar.gz/program/include/iniset.php
Changed
@@ -20,7 +20,7 @@ */ // application constants -define('RCMAIL_VERSION', '1.4.9'); +define('RCMAIL_VERSION', '1.4.10'); define('RCMAIL_START', microtime(true)); if (!defined('INSTALL_PATH')) {
roundcubemail-1.4.9.3.tar.gz/program/js/app.js -> roundcubemail-1.4.10.tar.gz/program/js/app.js
Changed
@@ -7689,20 +7689,28 @@ this.subscribe = function(folder) { - if (folder) { - var lock = this.display_message('foldersubscribing', 'loading'); - this.http_post('subscribe', {_mbox: folder}, lock); - } + this.change_subscription_state(folder, true); }; this.unsubscribe = function(folder) { + this.change_subscription_state(folder, false); + }; + + this.change_subscription_state = function(folder, state) + { if (folder) { - var lock = this.display_message('folderunsubscribing', 'loading'); - this.http_post('unsubscribe', {_mbox: folder}, lock); + var prefix = state ? '' : 'un', + lock = this.display_message('folder' + prefix + 'subscribing', 'loading'); + + this.http_post(prefix + 'subscribe', {_mbox: folder}, lock); + + // in case this was a list of search results, update also the main list + $(this.gui_objects.subscriptionlist).find('inputvalue="' + folder + '"').prop('checked', state); } }; + // when user select a folder in manager this.show_folder = function(folder, path, force) {
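Review bot: The folder name is concatenated straight into a jQuery attribute selector in `change_subscription_state` (`.find('input…value="' + folder + '"…')`; the square brackets appear to have been lost in this rendering), so a folder name containing `"`, `\` or `]` yields a malformed selector and jQuery throws after `http_post` has already been sent. Folder names are not entirely under the application's control (shared and other-user namespaces), so match on the property instead: `$(this.gui_objects.subscriptionlist).find('input').filter(function() { return this.value === folder; }).prop('checked', state);`. The checkbox in the main list is also flipped before the server confirms the change; a short comment stating that this optimistic update is intentional would help.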
roundcubemail-1.4.9.3.tar.gz/program/js/treelist.js -> roundcubemail-1.4.10.tar.gz/program/js/treelist.js
Changed
@@ -623,7 +623,14 @@ // append all elements like links and inputs, but not sub-trees .append(li.children(':not(div.treetoggle,ul)').clone(true, true)) .appendTo(container); - hits.push(node.id); + + // let skins to do their magic, e.g. Elastic will fix pretty checkbox + rcmail.triggerEvent('clonerow', { + id: node.id, + row: sli.get(0) + }); + + hits.push(node.id); } if (node.children && node.children.length) {
roundcubemail-1.4.9.3.tar.gz/program/lib/Roundcube/bootstrap.php -> roundcubemail-1.4.10.tar.gz/program/lib/Roundcube/bootstrap.php
Changed
@@ -58,7 +58,7 @@ } // framework constants -define('RCUBE_VERSION', '1.4.9'); +define('RCUBE_VERSION', '1.4.10'); define('RCUBE_CHARSET', 'UTF-8'); define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP');
roundcubemail-1.4.9.3.tar.gz/program/lib/Roundcube/rcube_string_replacer.php -> roundcubemail-1.4.10.tar.gz/program/lib/Roundcube/rcube_string_replacer.php
Changed
@@ -25,7 +25,7 @@ */ class rcube_string_replacer { - public static $pattern = '/##str_replacement_(\d+)##/'; + public $pattern; public $mailto_pattern; public $link_pattern; public $linkref_index; @@ -45,6 +45,10 @@ */ function __construct($options = array()) { + // Create hard-to-guess replacement string + $uniq_ident = sprintf('%010d%010d', mt_rand(), mt_rand()); + $this->pattern = '/##' . $uniq_ident . '##(\d+)##/'; + // Simplified domain expression for UTF8 characters handling // Support unicode/punycode in top-level domain part $utf_domain = '^?&@"\'\\/()<>\s\r\t\n+\\.?(^\\x00-\\x2f\\x3b-\\x40\\x5b-\\x60\\x7b-\\x7f{2,}|xn--a-zA-Z0-9{2,})'; @@ -55,7 +59,7 @@ $link_prefix = "(\w+:\/\/|{$this->noword}WwWwWw\.|^WwWwWw\.)"; $this->options = $options; - $this->linkref_index = '/\(^\#+)\(:?\s*##str_replacement_(\d+)##)/'; + $this->linkref_index = '/\(^\#+)\(:?\s*' . substr($this->pattern, 1, -1) . ')/'; $this->linkref_pattern = '/\(^\#+)\/'; $this->link_pattern = "/$link_prefix($utf_domain($url1*$url2+)*)/"; $this->mailto_pattern = "/(" @@ -88,7 +92,7 @@ */ public function get_replacement($i) { - return '##str_replacement_' . $i . '##'; + return str_replace('(\d+)', $i, substr($this->pattern, 1, -1)); } /** @@ -135,7 +139,7 @@ public function linkref_addindex($matches) { $key = $matches1; - $this->linkrefs$key = $this->urls$matches3; + $this->linkrefs$key = isset($this->urls$matches3) ? $this->urls$matches3 : null; return $this->get_replacement($this->add(''.$key.'')) . $matches2; } @@ -185,7 +189,7 @@ */ public function replace_callback($matches) { - return $this->values$matches1; + return isset($this->values$matches1) ? $this->values$matches1 : null; } /** @@ -216,7 +220,7 @@ */ public function resolve($str) { - return preg_replace_callback(self::$pattern, array($this, 'replace_callback'), $str); + return preg_replace_callback($this->pattern, array($this, 'replace_callback'), $str); } /**
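Review bot: `mt_rand()` in the constructor is not a cryptographically secure generator, yet the comment calls the marker "hard-to-guess", and the XSS fix in this release appears to rest on message content being unable to contain a valid placeholder. Where the supported PHP versions allow it, derive the marker from a CSPRNG, e.g. `$uniq_ident = bin2hex(random_bytes(10));` (hex only, so it is safe inside the regex), and document the fallback for older runtimes. `get_replacement()` and `linkref_index` recover the literal with `substr($this->pattern, 1, -1)` plus `str_replace('(\d+)', …)`; keeping the identifier in its own property would avoid reverse-engineering the regex in several places. `replace_callback()` now returns `null` for an unknown index, which silently drops the matched text; a comment stating that this is the intended behaviour would make the security intent clear.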
roundcubemail-1.4.9.3.tar.gz/program/lib/Roundcube/rcube_utils.php -> roundcubemail-1.4.10.tar.gz/program/lib/Roundcube/rcube_utils.php
Changed
@@ -435,10 +435,10 @@ // add #container to each tag selector and prefix to id/class identifiers if ($container_id || $prefix) { - // (?!##str) below is to not match with ##str_replacement_0## - // from rcube_string_replacer used above, this is needed for - // cases like @media { body { position: fixed; } } (#5811) - $regexp = '/(^\s*|,\s*|\}\s*|\{\s*)((?!##str):?a-z0-9\._#\*\a-z0-9\._:\(\)#=~ \\"\|\>\+\$\^-*)/im'; + // Exclude rcube_string_replacer pattern matches, this is needed + // for cases like @media { body { position: fixed; } } (#5811) + $excl = '(?!' . substr($replacements->pattern, 1, -1) . ')'; + $regexp = '/(^\s*|,\s*|\}\s*|\{\s*)(' . $excl . ':?a-z0-9\._#\*\a-z0-9\._:\(\)#=~ \\"\|\>\+\$\^-*)/im'; $callback = function($matches) use ($container_id, $prefix) { $replace = $matches2;
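Review bot: `$excl` reaches into `$replacements->pattern` and strips the delimiters with `substr(..., 1, -1)`, which ties this regex to the exact delimiter and layout of another class's property. That property also changed from static to instance in this release, so any remaining static use of `rcube_string_replacer::$pattern` would break. A small accessor on the replacer that returns the delimiter-free expression would remove the coupling. The embedded `(\d+)` adds a capture group inside the lookahead; it is numbered after groups 1 and 2, so the `$matches` indexes used by the callback should be unaffected, but a one-line comment saying so would guard against a later regression. The enclosing function starts and ends outside the hunk.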
roundcubemail-1.4.9.3.tar.gz/public_html/index.php -> roundcubemail-1.4.10.tar.gz/public_html/index.php
Changed
@@ -3,7 +3,7 @@ /* +-----------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.4.9 | + | Version 1.4.10 | | | | Copyright (C) The Roundcube Dev Team | | |
roundcubemail-1.4.9.3.tar.gz/tests/Framework/Text2Html.php -> roundcubemail-1.4.10.tar.gz/tests/Framework/Text2Html.php
Changed
@@ -120,4 +120,21 @@ $this->assertEquals($output, $html); } + + /** + * Test XSS issue + */ + function test_text2html_xss() + { + $input = "\n<script>evil</script>:##str_replacement_0##\n"; + $t2h = new rcube_text2html($input); + + $html = $t2h->get_html(); + + $expected = "<div class=\"pre\"><br>\n" + . "<script>evil</script>:##str_replacement_0##<br>\n" + . "</div>"; + + $this->assertEquals($expected, $html); + } }
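Review bot: `test_text2html_xss` only pins that the old fixed token `##str_replacement_0##` is no longer substituted; nothing asserts the new property that the marker differs per instance, or that `get_replacement()` output still round-trips through `resolve()`. A companion assertion such as `$this->assertNotSame((new rcube_string_replacer)->pattern, (new rcube_string_replacer)->pattern);` would cover the first. The docblock should say what is being guarded, e.g. `Message text containing a literal replacer token must not be resolved (CVE-2020-35730)`, assuming this test belongs to the CVE named in the CHANGELOG. The expected string as shown here contains a raw `<script>` tag, which is probably the page decoding entities; confirm that the file itself expects the escaped form.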
roundcubemail-1.4.9.3.tar.gz/0001-Fix-extra-angle-brackets-in-In-Reply-To-header-deriv.patch
Deleted
@@ -1,40 +0,0 @@ -From 26b4dc3cf73da9c1b57bb78c98d9ce23efd0ed4d Mon Sep 17 00:00:00 2001 -From: Aleksander Machniak <alec@alec.pl> -Date: Mon, 5 Oct 2020 18:15:47 +0200 -Subject: PATCH 1/3 Fix extra angle brackets in In-Reply-To header derived - from mailto: params (#7655) - ---- - CHANGELOG | 2 ++ - program/steps/mail/compose.inc | 2 +- - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 8a8d31d1e..30d881be9 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -1,6 +1,8 @@ - CHANGELOG Roundcube Webmail - =========================== - -+- Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655) -+ - RELEASE 1.4.9 - ------------- - - Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615) -diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc -index 10cc78ae9..73be67b36 100644 ---- a/program/steps/mail/compose.inc -+++ b/program/steps/mail/compose.inc -@@ -246,7 +246,7 @@ else { - - // apply mailto: URL parameters - if (!empty($COMPOSE'param''in-reply-to')) { -- $COMPOSE'reply_msgid' = '<' . $COMPOSE'param''in-reply-to' . '>'; -+ $COMPOSE'reply_msgid' = '<' . trim($COMPOSE'param''in-reply-to', '<> ') . '>'; - } - - if (!empty($COMPOSE'param''references')) { --- -2.25.4 -
roundcubemail-1.4.9.3.tar.gz/0002-Fix-folder-list-issue-whan-special-folder-is-a-subfo.patch
Deleted
@@ -1,132 +0,0 @@ -From e87ca843b8ee70116e5bf5d9aadce0b464771112 Mon Sep 17 00:00:00 2001 -From: Sebastian Abshoff <sebastian@abshoff.it> -Date: Mon, 12 Oct 2020 20:28:11 +0200 -Subject: PATCH 2/3 Fix folder list issue whan special folder is a subfolder - (#7647) - -* Fix incorrect folders settings - -If a special folder was located within some subfolder, then the folders settings view was broken. It added a virtual folder for an existing folder which itself was not displayed. This bugfix puts special folders at the root level and removes any parent folder. ---- - program/steps/settings/folders.inc | 45 +++++++++++++++--------------- - 1 file changed, 23 insertions(+), 22 deletions(-) - -diff --git a/program/steps/settings/folders.inc b/program/steps/settings/folders.inc -index dd0198241..850fb60bf 100644 ---- a/program/steps/settings/folders.inc -+++ b/program/steps/settings/folders.inc -@@ -224,8 +224,9 @@ function rcmail_folder_subscriptions($attrib) - $folder = $STORAGE->mod_folder($folder); - $foldersplit = explode($delimiter, $folder); - $name = rcube_charset::convert(array_pop($foldersplit), 'UTF7-IMAP'); -- $parent_folder = join($delimiter, $foldersplit); -- $level = count($foldersplit); -+ $is_special = isset($special_folders$folder_id); -+ $parent_folder = $is_special ? '' : join($delimiter, $foldersplit); -+ $level = $is_special ? 
0 : count($foldersplit); - - // add any necessary "virtual" parent folders - if ($parent_folder && !isset($seen$parent_folder)) { -@@ -271,41 +272,41 @@ function rcmail_folder_subscriptions($attrib) - - // create list of available folders - foreach ($list_folders as $i => $folder) { -- $sub_key = array_search($folder'id', $a_subscribed); -- $subscribed = $sub_key !== false; -- $special = $folder'id' == 'INBOX' || isset($special_folders$folder'id'); -- $protected = $folder'id' == 'INBOX' || ($protect_default && $special); -- $noselect = false; -- $classes = array(); -+ $sub_key = array_search($folder'id', $a_subscribed); -+ $is_subscribed = $sub_key !== false; -+ $is_special = isset($special_folders$folder'id'); -+ $is_protected = $folder'id' == 'INBOX' || ($protect_default && $is_special); -+ $noselect = false; -+ $classes = array(); - - $folder_utf8 = rcube_charset::convert($folder'id', 'UTF7-IMAP'); -- $display_folder = rcube::Q($special ? $RCMAIL->localize_foldername($folder'id', false, true) : $folder'name'); -+ $display_folder = rcube::Q($is_special ? $RCMAIL->localize_foldername($folder'id', false, true) : $folder'name'); - - if ($folder'virtual') { - $classes = 'virtual'; - } - - // Check \Noselect flag (of existing folder) -- if (!$protected && in_array($folder'id', $a_unsubscribed)) { -+ if (!$is_protected && in_array($folder'id', $a_unsubscribed)) { - $attrs = $STORAGE->folder_attributes($folder'id'); - $noselect = in_array_nocase('\\Noselect', $attrs); - } - -- $disabled = (($protected && $subscribed) || $noselect); -+ $is_disabled = (($is_protected && $is_subscribed) || $noselect); - - // Below we will disable subscription option for "virtual" folders - // according to namespaces, but only if they aren't already subscribed. 
- // User should be able to unsubscribe from the folder - // even if it doesn't exists or is not accessible (OTRS:1000059) -- if (!$subscribed && !$disabled && !empty($namespace) && $folder'virtual') { -+ if (!$is_subscribed && !$is_disabled && !empty($namespace) && $folder'virtual') { - // check if the folder is a namespace prefix, then disable subscription option on it -- if (!$disabled && $folder'level' == 0) { -+ if (!$is_disabled && $folder'level' == 0) { - $fname = $folder'id' . $delimiter; - foreach ($namespace as $ns) { - if (is_array($ns)) { - foreach ($ns as $item) { - if ($item0 === $fname) { -- $disabled = true; -+ $is_disabled = true; - break 2; - } - } -@@ -313,22 +314,22 @@ function rcmail_folder_subscriptions($attrib) - } - } - // check if the folder is an other users virtual-root folder, then disable subscription option on it -- if (!$disabled && $folder'level' == 1 && !empty($namespace'other')) { -+ if (!$is_disabled && $folder'level' == 1 && !empty($namespace'other')) { - $parts = explode($delimiter, $folder'id'); - $fname = $parts0 . 
$delimiter; - foreach ($namespace'other' as $item) { - if ($item0 === $fname) { -- $disabled = true; -+ $is_disabled = true; - break; - } - } - } - // check if the folder is shared, then disable subscription option on it (if not subscribed already) -- if (!$disabled) { -+ if (!$is_disabled) { - $tmp_ns = array_merge((array)$namespace'other', (array)$namespace'shared'); - foreach ($tmp_ns as $item) { - if (strlen($item0) && strpos($folder'id', $item0) === 0) { -- $disabled = true; -+ $is_disabled = true; - break; - } - } -@@ -347,14 +348,14 @@ function rcmail_folder_subscriptions($attrib) - 'folder_imap' => $folder'id', - 'folder' => $folder_utf8, - 'display' => $display_folder, -- 'protected' => $protected || $folder'virtual', -+ 'protected' => $is_protected || $folder'virtual', - 'class' => join(' ', $classes), -- 'subscribed' => $subscribed, -+ 'subscribed' => $is_subscribed, - 'level' => $folder'level', - 'collapsed' => $is_collapsed, - 'content' => html::a(array('href' => '#'), $display_folder) -- . $checkbox_subscribe->show(($subscribed ? $folder'id' : ''), -- array('value' => $folder'id', 'disabled' => $disabled ? 'disabled' : '')) -+ . $checkbox_subscribe->show(($is_subscribed ? $folder'id' : ''), -+ array('value' => $folder'id', 'disabled' => $is_disabled ? 'disabled' : '')) - ); - } - --- -2.25.4 -
roundcubemail-1.4.9.3.tar.gz/0003-Update-changelog.patch
Deleted
@@ -1,25 +0,0 @@ -From 722b278f04e3ee457bb3f75ae8264b0978f751ac Mon Sep 17 00:00:00 2001 -From: Aleksander Machniak <alec@alec.pl> -Date: Mon, 12 Oct 2020 20:31:07 +0200 -Subject: PATCH 3/3 Update changelog - -skip ci ---- - CHANGELOG | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/CHANGELOG b/CHANGELOG -index 30d881be9..e04d7e271 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail - =========================== - - - Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655) -+- Fix folder list issue whan special folder is a subfolder (#7647) - - RELEASE 1.4.9 - ------------- --- -2.25.4 -
roundcubemail.dsc
Changed
@@ -2,7 +2,7 @@ Source: roundcubemail Binary: roundcubemail Architecture: all -Version: 1:1.4.9.3-0~kolab2 +Version: 1:1.4.10-0~kolab1 Maintainer: Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> Uploaders: Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> Homepage: http://www.roundcube.net/ @@ -14,5 +14,5 @@ roundcubemail deb web extra roundcubemail-core deb web extra Files: - 00000000000000000000000000000000 0 roundcubemail-1.4.9.3.tar.gz + 00000000000000000000000000000000 0 roundcubemail-1.4.10.tar.gz 00000000000000000000000000000000 0 debian.tar.gz