Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package roundcubemail for openSUSE:Factory checked in at 2023-11-06 21:14:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/roundcubemail (Old) and /work/SRC/openSUSE:Factory/.roundcubemail.new.17445 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "roundcubemail" Mon Nov 6 21:14:57 2023 rev:81 rq:1123659 version:1.6.5 Changes: -------- --- /work/SRC/openSUSE:Factory/roundcubemail/roundcubemail.changes 2023-10-26 17:14:30.328459456 +0200 +++ /work/SRC/openSUSE:Factory/.roundcubemail.new.17445/roundcubemail.changes 2023-11-06 21:15:14.473391288 +0100 @@ -1,0 +2,20 @@ +Mon Nov 6 16:39:57 UTC 2023 - Lars Vogdt <l...@linux-schulserver.de> + +- update to 1.6.5 (bsc#1216895) + * Fix cross-site scripting (XSS) vulnerability in setting + Content-Type/Content-Disposition for attachment + preview/download CVE-2023-47272 + Other changes + * Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171) + * Fix duplicated Inbox folder on IMAP servers that do not use Inbox + folder with all capital letters (#9166) + * Fix PHP warnings (#9174) + * Fix UI issue when dealing with an invalid managesieve_default_headers + value (#9175) + * Fix bug where images attached to application/smil messages + weren't displayed (#8870) + * Fix PHP string replacement error in utils/error.php (#9185) + * Fix regression where smtp_user did not allow pre/post strings + before/after %u placeholder (#9162) + +------------------------------------------------------------------- Old: ---- roundcubemail-1.6.4-complete.tar.gz roundcubemail-1.6.4-complete.tar.gz.asc New: ---- roundcubemail-1.6.5-complete.tar.gz roundcubemail-1.6.5-complete.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ roundcubemail.spec ++++++ --- /var/tmp/diff_new_pack.vZBJqB/_old 2023-11-06 21:15:15.285421179 +0100 +++ /var/tmp/diff_new_pack.vZBJqB/_new 2023-11-06 21:15:15.289421326 +0100 
@@ -20,7 +20,7 @@ %define roundcubeconfigpath %{_sysconfdir}/%{name} Name: roundcubemail -Version: 1.6.4 +Version: 1.6.5 Release: 0 Summary: A browser-based multilingual IMAP client License: BSD-3-Clause AND GPL-2.0-only AND GPL-3.0-or-later ++++++ roundcubemail-1.6.4-complete.tar.gz -> roundcubemail-1.6.5-complete.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/CHANGELOG.md new/roundcubemail-1.6.5/CHANGELOG.md --- old/roundcubemail-1.6.4/CHANGELOG.md 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/CHANGELOG.md 2023-11-05 09:58:58.000000000 +0100 @@ -1,11 +1,22 @@ # Changelog Roundcube Webmail +## Release 1.6.5 + +- Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171) +- Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters (#9166) +- Fix PHP warnings (#9174) +- Fix UI issue when dealing with an invalid managesieve_default_headers value (#9175) +- Fix bug where images attached to application/smil messages weren't displayed (#8870) +- Fix PHP string replacement error in utils/error.php (#9185) +- Fix regression where `smtp_user` did not allow pre/post strings before/after `%u` placeholder (#9162) +- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download + ## Release 1.6.4 - Fix PHP8 warnings (#9142, #9160) - Fix default 'mime.types' path on Windows (#9113) - Managesieve: Fix javascript error when relational or spamtest extension is not enabled (#9139) -- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) +- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages [CVE-2023-5631] (#9168) ## Release 1.6.3 
@@ -24,7 +35,7 @@ - Fix "Show source" on mobile with x_frame_options = deny (#9084) - Fix various PHP warnings (#9098) - Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060) -- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages +- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages [CVE-2023-43770] ## Release 1.6.2 @@ -180,7 +191,7 @@ - Fix locked SQLite database for the CLI tools (#8035) - Fix Makefile on Linux (#8211) - Fix so PHP warnings are ignored when resizing a malformed image attachment (#8387) -- Fix various PHP8 warnings (#8392) +- Fix various PHP8 warnings (#8392, #9193) - Fix mail headers injection via the subject field on mail compose (#8404) - Fix bug where small message/rfc822 parts could not be decoded (#8408) - Fix setting HTML mode on reply/forward of a signed message (#8405) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/config/defaults.inc.php new/roundcubemail-1.6.5/config/defaults.inc.php --- old/roundcubemail-1.6.4/config/defaults.inc.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/config/defaults.inc.php 2023-11-05 09:58:58.000000000 +0100 
@@ -270,12 +270,12 @@ // of IMAP host (no prefix or port) and SMTP server e.g. ['imap.example.com' => 'smtp.example.net'] $config['smtp_host'] = 'localhost:587'; -// SMTP username (if required) if you use %u as the username Roundcube -// will use the current username for login +// SMTP username (if required) +// Note: %u variable will be replaced with current user's username $config['smtp_user'] = '%u'; -// SMTP password (if required) if you use %p as the password Roundcube -// will use the current user's password for login +// SMTP password (if required) +// Note: When set to '%p' current user's password will be used $config['smtp_pass'] = '%p'; // SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/index.php new/roundcubemail-1.6.5/index.php --- old/roundcubemail-1.6.4/index.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/index.php 2023-11-05 09:58:58.000000000 +0100 @@ -2,7 +2,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.6.4 | + | Version 1.6.5 | | | | Copyright (C) The Roundcube Dev Team | | | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/installer/index.php new/roundcubemail-1.6.5/installer/index.php --- old/roundcubemail-1.6.4/installer/index.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/installer/index.php 2023-11-05 09:58:58.000000000 +0100 
@@ -3,7 +3,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail setup tool | - | Version 1.6-git | + | Version 1.6.5 | | | | Copyright (C) The Roundcube Dev Team | | | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php new/roundcubemail-1.6.5/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php --- old/roundcubemail-1.6.4/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php 2023-11-05 09:58:58.000000000 +0100 @@ -727,7 +727,7 @@ $this->form['tests'][$i]['type'] = $sizeop; $this->form['tests'][$i]['arg'] = $sizetarget; - if ($sizetarget == '') { + if ($sizetarget === '') { $this->errors['tests'][$i]['sizetarget'] = $this->plugin->gettext('cannotbeempty'); } else if (!preg_match('/^[0-9]+(K|M|G)?$/i', $sizetarget.$sizeitem, $m)) { @@ -1067,8 +1067,8 @@ case 'redirect': case 'redirect_copy': - $target = $this->strip_value(isset($act_targets[$idx]) ? $act_targets[$idx] : null); - $domain = $this->strip_value(isset($domain_targets[$idx]) ? $domain_targets[$idx] : null); + $target = $this->strip_value($act_targets[$idx] ?? null); + $domain = $this->strip_value($domain_targets[$idx] ?? null); // force one of the configured domains $domains = (array) $this->rc->config->get('managesieve_domains'); @@ -1082,7 +1082,7 @@ $this->form['actions'][$i]['target'] = $target; - if ($target == '') { + if ($target === '') { $this->errors['actions'][$i]['target'] = $this->plugin->gettext('cannotbeempty'); } else if (!rcube_utils::check_email($target)) { @@ -2776,6 +2776,8 @@ return $str; } + $str = (string) $str; + if (!$allow_html) { $str = strip_tags($str); } 
@@ -3275,6 +3277,11 @@ { $default = ['Subject', 'From', 'To']; $headers = (array) $this->rc->config->get('managesieve_default_headers', $default); + + if (empty($headers) || $headers === ['']) { + $headers = $default; + } + $keys = array_map('strtolower', $headers); $headers = array_combine($keys, $headers); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/plugins/managesieve/localization/ja_JP.inc new/roundcubemail-1.6.5/plugins/managesieve/localization/ja_JP.inc --- old/roundcubemail-1.6.4/plugins/managesieve/localization/ja_JP.inc 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/plugins/managesieve/localization/ja_JP.inc 2023-11-05 09:58:58.000000000 +0100 @@ -267,8 +267,8 @@ $messages['setcreated'] = 'ãã£ã«ã¿ã¼ã»ãããä½æãã¾ããã'; $messages['activateerror'] = 'é¸æãããã£ã«ã¿ã¼ãæå¹ã«ã§ãã¾ããããµã¼ãã¼ã§ã¨ã©ã¼ãçºçãã¾ããã'; $messages['deactivateerror'] = 'é¸æãããã£ã«ã¿ã¼ãç¡å¹ã«ã§ãã¾ããããµã¼ãã¼ã§ã¨ã©ã¼ãçºçãã¾ããã'; -$messages['deactivated'] = 'ãã£ã«ã¿ã¼ãæå¹ã«ãã¾ããã'; -$messages['activated'] = 'ãã£ã«ã¿ã¼ãç¡å¹ã«ãã¾ããã'; +$messages['deactivated'] = 'ãã£ã«ã¿ã¼ãç¡å¹ã«ãã¾ããã'; +$messages['activated'] = 'ãã£ã«ã¿ã¼ãæå¹ã«ãã¾ããã'; $messages['moved'] = 'ãã£ã«ã¿ã¼ã移åãã¾ããã'; $messages['moveerror'] = 'é¸æãããã£ã«ã¿ã¼ã移åã§ãã¾ããããµã¼ãã¼ã§ã¨ã©ã¼ãçºçãã¾ããã'; $messages['nametoolong'] = 'ååãé·ããã¾ãã'; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/actions/mail/viewsource.php new/roundcubemail-1.6.5/program/actions/mail/viewsource.php --- old/roundcubemail-1.6.4/program/actions/mail/viewsource.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/actions/mail/viewsource.php 2023-11-05 09:58:58.000000000 +0100 
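Review bot: The new fallback in the managesieve_default_headers hunk only catches an empty array and `['']`, so a value such as `['', 'Subject']` or one containing non-string entries still reaches `array_map('strtolower', $headers)` and `array_combine()`. Dropping unusable entries before the emptiness test would cover those cases too: `$headers = array_filter($headers, function ($h) { return is_string($h) && $h !== ''; });` followed by `if (empty($headers)) { $headers = $default; }`. The enclosing method starts and ends outside the hunk, so how the result is consumed is not visible here.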
@@ -45,26 +45,30 @@ $headers = $rcmail->storage->get_message_headers($uid); } - $charset = $headers->charset ?: $rcmail->config->get('default_charset', RCUBE_CHARSET); + $charset = $headers->charset ?: $rcmail->config->get('default_charset', RCUBE_CHARSET); + $filename = ''; + $params = [ + 'type' => 'text/plain', + 'type_charset' => $charset, + ]; if (!empty($_GET['_save'])) { $subject = rcube_mime::decode_header($headers->subject, $headers->charset); $filename = self::filename_from_subject(mb_substr($subject, 0, 128)); $filename = ($filename ?: $uid) . '.eml'; - $rcmail->output->download_headers($filename, [ - 'length' => $headers->size, - 'type' => 'text/plain', - 'type_charset' => $charset, - ]); + $params['length'] = $headers->size; + $params['disposition'] = 'attachment'; } else { // Make sure it works in an iframe (#9084) $rcmail->output->page_headers(); - header("Content-Type: text/plain; charset={$charset}"); + $params['disposition'] = 'inline'; } + $rcmail->output->download_headers($filename, $params); + if (isset($part_id) && isset($message)) { $message->get_part_body($part_id, empty($_GET['_save']), 0, -1); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/actions/utils/error.php new/roundcubemail-1.6.5/program/actions/utils/error.php --- old/roundcubemail-1.6.4/program/actions/utils/error.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/actions/utils/error.php 2023-11-05 09:58:58.000000000 +0100 
@@ -134,7 +134,6 @@ $output = '<!doctype html><html><head>' . '<title>' . $product . ':: ERROR</title>' - . '<link rel="stylesheet" type="text/css" href="skins/$skin/common.css" />' . '</head><body>' . '<table border="0" cellspacing="0" cellpadding="0" width="100%" height="80%">' . '<tr><td align="center">' . $page_content . '</td></tr>' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/include/iniset.php new/roundcubemail-1.6.5/program/include/iniset.php --- old/roundcubemail-1.6.4/program/include/iniset.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/include/iniset.php 2023-11-05 09:58:58.000000000 +0100 @@ -24,7 +24,7 @@ } // application constants -define('RCMAIL_VERSION', '1.6.4'); +define('RCMAIL_VERSION', '1.6.5'); define('RCMAIL_START', microtime(true)); if (!defined('INSTALL_PATH')) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/lib/Roundcube/bootstrap.php new/roundcubemail-1.6.5/program/lib/Roundcube/bootstrap.php --- old/roundcubemail-1.6.4/program/lib/Roundcube/bootstrap.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/lib/Roundcube/bootstrap.php 2023-11-05 09:58:58.000000000 +0100 @@ -58,7 +58,7 @@ } // framework constants -define('RCUBE_VERSION', '1.6.4'); +define('RCUBE_VERSION', '1.6.5'); define('RCUBE_CHARSET', 'UTF-8'); define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP'); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_charset.php new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_charset.php --- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_charset.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_charset.php 2023-11-05 09:58:58.000000000 +0100 
@@ -179,6 +179,18 @@ ]; /** + * Validate character set identifier. + * + * @param string $input Character set identifier + * + * @return bool True if valid, False if not valid + */ + public static function is_valid($input) + { + return is_string($input) && preg_match('|^[a-zA-Z0-9_./:#-]{2,32}$|', $input) > 0; + } + + /** * Parse and validate charset name string. * Sometimes charset string is malformed, there are also charset aliases, * but we need strict names for charset conversion (specially utf8 class) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_imap.php new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_imap.php --- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_imap.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_imap.php 2023-11-05 09:58:58.000000000 +0100 @@ -2163,8 +2163,13 @@ $struct->charset = $mime_headers->charset; } + // Sanitize charset for security + if ($struct->charset && !rcube_charset::is_valid($struct->charset)) { + $struct->charset = ''; + } + // read content encoding - if (!empty($part[5])) { + if (!empty($part[5]) && !is_array($part[5])) { $struct->encoding = strtolower($part[5]); $struct->headers['content-transfer-encoding'] = $struct->encoding; } @@ -2234,6 +2239,7 @@ if (!empty($part[3])) { $struct->content_id = $struct->headers['content-id'] = trim($part[3]); + // FIXME: This is not the best idea. We should get rid of this at some point if (empty($struct->disposition)) { $struct->disposition = 'inline'; } 
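Review bot: `rcube_charset::is_valid()` accepts an identifier that ends in a newline, because `$` in PCRE also matches just before a final `\n` unless the `D` modifier or `\z` is used. The accepted value is later interpolated into the Content-Type and Content-Disposition headers in `download_headers()`. PHP does not send a header that contains a newline, so such a value would recreate the missing-header condition this release is closing. Whether any caller can supply one is not visible in the diff. Anchoring with `\z` removes the gap: `preg_match('|^[a-zA-Z0-9_./:#-]{2,32}\z|', $input) > 0`. The content-type pattern added in the rcube_output.php `download_headers()` hunk ends with the same `$` and needs the same change.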
@@ -2862,11 +2868,6 @@ return false; } - if (!$this->conn->data['READ-WRITE']) { - $this->conn->setError(rcube_imap_generic::ERROR_READONLY, "Folder is read-only"); - return false; - } - // CLOSE(+SELECT) should be faster than EXPUNGE if (empty($uids) || !empty($all_mode)) { $result = $this->conn->close(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_imap_generic.php new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_imap_generic.php --- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_imap_generic.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_imap_generic.php 2023-11-05 09:58:58.000000000 +0100 @@ -1650,6 +1650,18 @@ $mailbox = rtrim($mailbox, $delim); } + // Make it easier for the client to deal with INBOX folder + // by always returning the word with all capital letters + if (strlen($mailbox) == 5 + && ($mailbox[0] == 'i' || $mailbox[0] == 'I') + && ($mailbox[1] == 'n' || $mailbox[1] == 'N') + && ($mailbox[2] == 'b' || $mailbox[2] == 'B') + && ($mailbox[3] == 'o' || $mailbox[3] == 'O') + && ($mailbox[4] == 'x' || $mailbox[4] == 'X') + ) { + $mailbox = 'INBOX'; + } + // Add to result array if (!$lstatus) { $folders[] = $mailbox; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_message.php new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_message.php --- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_message.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_message.php 2023-11-05 09:58:58.000000000 +0100 
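Review bot: The INBOX normalisation added in rcube_imap_generic.php is written as a five-way character comparison with loose `==`, which is hard to read and easy to get wrong when edited. `if (strcasecmp($mailbox, 'INBOX') === 0) { $mailbox = 'INBOX'; }` does the same byte-wise ASCII case-insensitive match in one line. If the long form was chosen on purpose, a comment such as `// compared per character to stay independent of locale case folding` should say so. The surrounding loop begins and ends outside the hunk.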
@@ -932,6 +932,16 @@ $mail_part->content_location .= $mail_part->headers['content-location']; } + // application/smil message's are known to use inline images that aren't really inline (#8870) + // TODO: This code probably does not belong here. I.e. we should not default to + // disposition=inline in rcube_imap::structure_part(). + if ($primary_type === 'image' + && !empty($structure->ctype_parameters['type']) + && $structure->ctype_parameters['type'] === 'application/smil' + ) { + $mail_part->disposition = 'attachment'; + } + // part belongs to a related message and is linked // Note: mixed is not supposed to contain inline images, but we've found such examples (#5905) if ( diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_message_part.php new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_message_part.php --- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_message_part.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_message_part.php 2023-11-05 09:58:58.000000000 +0100 @@ -56,6 +56,13 @@ public $mimetype = 'text/plain'; /** + * Real content type (for fake parts) + * + * @var string|null + */ + public $realtype; + + /** * Real content type of a message/rfc822 part * * @var string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_output.php new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_output.php --- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_output.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_output.php 2023-11-05 09:58:58.000000000 +0100 @@ -212,7 +212,7 @@ } /** - * Send headers related to file downloads + * Send headers related to file downloads. * * @param string $filename File name * @param array $params Optional parameters: 
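Review bot: The application/smil check in rcube_message.php compares `$structure->ctype_parameters['type'] === 'application/smil'` case-sensitively, while MIME type names are case-insensitive. Unless parameter values are lowercased where `ctype_parameters` is filled (not visible in this hunk), a part declaring `Application/SMIL` would keep the default inline disposition and the image would remain hidden. `strcasecmp($structure->ctype_parameters['type'], 'application/smil') === 0` covers both spellings. `$primary_type` and the rest of the method are defined outside the hunk.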
@@ -225,34 +225,54 @@ */ public function download_headers($filename, $params = []) { + // For security reasons we validate type, filename and charset params. + // Some HTTP servers might drop a header that is malformed or very long, this then + // can lead to web browsers unintentionally executing javascript code in the body. + if (empty($params['disposition'])) { $params['disposition'] = 'attachment'; } - if ($params['disposition'] == 'inline' && stripos($params['type'], 'text') === 0) { - $params['type'] .= '; charset=' . ($params['type_charset'] ?: $this->charset); + $ctype = 'application/octet-stream'; + $disposition = $params['disposition']; + + if (!empty($params['type']) && is_string($params['type']) && strlen($params['type']) < 256 + && preg_match('/^[a-z0-9!#$&.+^_-]+\/[a-z0-9!#$&.+^_-]+$/i', $params['type']) + ) { + $ctype = $params['type']; } - header("Content-Type: " . (!empty($params['type']) ? $params['type'] : "application/octet-stream")); + if ($disposition == 'inline' && stripos($ctype, 'text') === 0) { + $charset = $this->charset; + if (!empty($params['type_charset']) && rcube_charset::is_valid($params['type_charset'])) { + $charset = $params['type_charset']; + } - if ($params['disposition'] == 'attachment' && $this->browser->ie) { - header("Content-Type: application/force-download"); + $ctype .= "; charset={$charset}"; } - $disposition = "Content-Disposition: " . 
$params['disposition']; + if (is_string($filename) && strlen($filename) > 0 && strlen($filename) <= 1024) { + // For non-ascii characters we'll use RFC2231 syntax + if (!preg_match('/[^a-zA-Z0-9_.:,?;@+ -]/', $filename)) { + $disposition .= "; filename=\"{$filename}\""; + } + else { + $filename = rawurlencode($filename); + $charset = $this->charset; + if (!empty($params['charset']) && rcube_charset::is_valid($params['charset'])) { + $charset = $params['charset']; + } - // For non-ascii characters we'll use RFC2231 syntax - if (!preg_match('/[^a-zA-Z0-9_.:,?;@+ -]/', $filename)) { - $disposition .= sprintf("; filename=\"%s\"", $filename); - } - else { - $disposition .= sprintf("; filename*=%s''%s", - !empty($params['charset']) ? $params['charset'] : $this->charset, - rawurlencode($filename) - ); + $disposition .= "; filename*={$charset}''{$filename}"; + } } - header($disposition); + header("Content-Disposition: {$disposition}"); + header("Content-Type: {$ctype}"); + + if ($params['disposition'] == 'attachment' && $this->browser->ie) { + header("Content-Type: application/force-download"); + } if (isset($params['length'])) { header("Content-Length: " . $params['length']); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_smtp.php new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_smtp.php --- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_smtp.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_smtp.php 2023-11-05 09:58:58.000000000 +0100 
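Review bot: In `download_headers()`, `$disposition = $params['disposition'];` goes into the Content-Disposition header without the validation the new comment describes for type, filename and charset. The callers visible in this diff pass only `'inline'` or `'attachment'`, so if nothing relies on other values it can be pinned with `$disposition = $params['disposition'] === 'inline' ? 'inline' : 'attachment';`. The 1024-byte filename limit is also checked before `rawurlencode()`, so the `filename*=` form can be up to three times longer than the limit suggests; checking the encoded length would match the stated concern about servers dropping very long headers. `$params['length']` in the trailing context line is still concatenated as-is, and `(int) $params['length']` would bound it. The function body continues past the end of the hunk.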
@@ -170,18 +170,13 @@ } } - if ($CONFIG['smtp_user'] == '%u') { - $smtp_user = (string) $rcube->get_user_name(); - } else { - $smtp_user = $CONFIG['smtp_user']; - } - if ($CONFIG['smtp_pass'] == '%p') { $smtp_pass = (string) $rcube->get_user_password(); } else { $smtp_pass = $CONFIG['smtp_pass']; } + $smtp_user = str_replace('%u', (string) $rcube->get_user_name(), $CONFIG['smtp_user']); $smtp_auth_type = $CONFIG['smtp_auth_type'] ?: null; $smtp_authz = null; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/public_html/index.php new/roundcubemail-1.6.5/public_html/index.php --- old/roundcubemail-1.6.4/public_html/index.php 2023-10-16 11:23:06.000000000 +0200 +++ new/roundcubemail-1.6.5/public_html/index.php 2023-11-05 09:58:58.000000000 +0100 @@ -3,7 +3,7 @@ /* +-----------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.6.4 | + | Version 1.6.5 | | | | Copyright (C) The Roundcube Dev Team | | | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/vendor/autoload.php new/roundcubemail-1.6.5/vendor/autoload.php --- old/roundcubemail-1.6.4/vendor/autoload.php 2023-10-16 11:23:28.000000000 +0200 +++ new/roundcubemail-1.6.5/vendor/autoload.php 2023-11-05 09:59:19.000000000 +0100 
@@ -23,4 +23,4 @@ require_once __DIR__ . '/composer/autoload_real.php'; return ComposerAutoloaderInit2fa8c65c978e32885e0df78c109b5aaf::getLoader(); -// generated by Roundcube install 1.6.4 +// generated by Roundcube install 1.6.5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roundcubemail-1.6.4/vendor/composer/include_paths.php new/roundcubemail-1.6.5/vendor/composer/include_paths.php --- old/roundcubemail-1.6.4/vendor/composer/include_paths.php 2023-10-16 11:23:09.000000000 +0200 +++ new/roundcubemail-1.6.5/vendor/composer/include_paths.php 2023-11-05 09:59:01.000000000 +0100 @@ -8,12 +8,12 @@ return array( $vendorDir . '/pear/pear_exception', $vendorDir . '/pear/console_getopt', + $vendorDir . '/pear/console_commandline', $vendorDir . '/pear/pear-core-minimal/src', + $vendorDir . '/pear/net_socket', $vendorDir . '/pear/net_ldap2', $vendorDir . '/pear/auth_sasl', - $vendorDir . '/pear/console_commandline', $vendorDir . '/pear/crypt_gpg', $vendorDir . '/pear/mail_mime', - $vendorDir . '/pear/net_socket', $vendorDir . '/pear/net_smtp', );