Hello community,

here is the log from the commit of package roundcubemail for openSUSE:Factory 
checked in at 2023-11-06 21:14:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/roundcubemail (Old)
 and      /work/SRC/openSUSE:Factory/.roundcubemail.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "roundcubemail"

Mon Nov  6 21:14:57 2023 rev:81 rq:1123659 version:1.6.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/roundcubemail/roundcubemail.changes      
2023-10-26 17:14:30.328459456 +0200
+++ /work/SRC/openSUSE:Factory/.roundcubemail.new.17445/roundcubemail.changes   
2023-11-06 21:15:14.473391288 +0100
@@ -1,0 +2,20 @@
+Mon Nov  6 16:39:57 UTC 2023 - Lars Vogdt <l...@linux-schulserver.de>
+
+- update to 1.6.5 (bsc#1216895)
+  * Fix cross-site scripting (XSS) vulnerability in setting 
+    Content-Type/Content-Disposition for attachment 
+    preview/download  CVE-2023-47272
+  Other changes
+  * Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
+  * Fix duplicated Inbox folder on IMAP servers that do not use Inbox 
+    folder with all capital letters (#9166)
+  * Fix PHP warnings (#9174)
+  * Fix UI issue when dealing with an invalid managesieve_default_headers 
+    value (#9175)
+  * Fix bug where images attached to application/smil messages 
+    weren't displayed (#8870)
+  * Fix PHP string replacement error in utils/error.php (#9185)
+  * Fix regression where smtp_user did not allow pre/post strings 
+    before/after %u placeholder (#9162)
+
+-------------------------------------------------------------------

Old:
----
  roundcubemail-1.6.4-complete.tar.gz
  roundcubemail-1.6.4-complete.tar.gz.asc

New:
----
  roundcubemail-1.6.5-complete.tar.gz
  roundcubemail-1.6.5-complete.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ roundcubemail.spec ++++++
--- /var/tmp/diff_new_pack.vZBJqB/_old  2023-11-06 21:15:15.285421179 +0100
+++ /var/tmp/diff_new_pack.vZBJqB/_new  2023-11-06 21:15:15.289421326 +0100
@@ -20,7 +20,7 @@
 %define roundcubeconfigpath %{_sysconfdir}/%{name}
 
 Name:           roundcubemail
-Version:        1.6.4
+Version:        1.6.5
 Release:        0
 Summary:        A browser-based multilingual IMAP client
 License:        BSD-3-Clause AND GPL-2.0-only AND GPL-3.0-or-later

++++++ roundcubemail-1.6.4-complete.tar.gz -> 
roundcubemail-1.6.5-complete.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roundcubemail-1.6.4/CHANGELOG.md 
new/roundcubemail-1.6.5/CHANGELOG.md
--- old/roundcubemail-1.6.4/CHANGELOG.md        2023-10-16 11:23:06.000000000 
+0200
+++ new/roundcubemail-1.6.5/CHANGELOG.md        2023-11-05 09:58:58.000000000 
+0100
@@ -1,11 +1,22 @@
 # Changelog Roundcube Webmail
 
+## Release 1.6.5
+
+- Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
+- Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder 
with all capital letters (#9166)
+- Fix PHP warnings (#9174)
+- Fix UI issue when dealing with an invalid managesieve_default_headers value 
(#9175)
+- Fix bug where images attached to application/smil messages weren't displayed 
(#8870)
+- Fix PHP string replacement error in utils/error.php (#9185)
+- Fix regression where `smtp_user` did not allow pre/post strings before/after 
`%u` placeholder (#9162)
+- Fix cross-site scripting (XSS) vulnerability in setting 
Content-Type/Content-Disposition for attachment preview/download
+
 ## Release 1.6.4
 
 - Fix PHP8 warnings (#9142, #9160)
 - Fix default 'mime.types' path on Windows (#9113)
 - Managesieve: Fix javascript error when relational or spamtest extension is 
not enabled (#9139)
-- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML 
messages (#9168)
+- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML 
messages [CVE-2023-5631] (#9168)
 
 ## Release 1.6.3
 
@@ -24,7 +35,7 @@
 - Fix "Show source" on mobile with x_frame_options = deny (#9084)
 - Fix various PHP warnings (#9098)
 - Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)
-- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in 
plain text messages
+- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in 
plain text messages [CVE-2023-43770]
 
 ## Release 1.6.2
 
@@ -180,7 +191,7 @@
 - Fix locked SQLite database for the CLI tools (#8035)
 - Fix Makefile on Linux (#8211)
 - Fix so PHP warnings are ignored when resizing a malformed image attachment 
(#8387)
-- Fix various PHP8 warnings (#8392)
+- Fix various PHP8 warnings (#8392, #9193)
 - Fix mail headers injection via the subject field on mail compose (#8404)
 - Fix bug where small message/rfc822 parts could not be decoded (#8408)
 - Fix setting HTML mode on reply/forward of a signed message (#8405)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roundcubemail-1.6.4/config/defaults.inc.php 
new/roundcubemail-1.6.5/config/defaults.inc.php
--- old/roundcubemail-1.6.4/config/defaults.inc.php     2023-10-16 
11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/config/defaults.inc.php     2023-11-05 
09:58:58.000000000 +0100
@@ -270,12 +270,12 @@
 // of IMAP host (no prefix or port) and SMTP server e.g. ['imap.example.com' 
=> 'smtp.example.net']
 $config['smtp_host'] = 'localhost:587';
 
-// SMTP username (if required) if you use %u as the username Roundcube
-// will use the current username for login
+// SMTP username (if required)
+// Note: %u variable will be replaced with current user's username
 $config['smtp_user'] = '%u';
 
-// SMTP password (if required) if you use %p as the password Roundcube
-// will use the current user's password for login
+// SMTP password (if required)
+// Note: When set to '%p' current user's password will be used
 $config['smtp_pass'] = '%p';
 
 // SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roundcubemail-1.6.4/index.php 
new/roundcubemail-1.6.5/index.php
--- old/roundcubemail-1.6.4/index.php   2023-10-16 11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/index.php   2023-11-05 09:58:58.000000000 +0100
@@ -2,7 +2,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                           |
- | Version 1.6.4                                                           |
+ | Version 1.6.5                                                           |
  |                                                                         |
  | Copyright (C) The Roundcube Dev Team                                    |
  |                                                                         |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roundcubemail-1.6.4/installer/index.php 
new/roundcubemail-1.6.5/installer/index.php
--- old/roundcubemail-1.6.4/installer/index.php 2023-10-16 11:23:06.000000000 
+0200
+++ new/roundcubemail-1.6.5/installer/index.php 2023-11-05 09:58:58.000000000 
+0100
@@ -3,7 +3,7 @@
 /**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail setup tool                                            |
- | Version 1.6-git                                                         |
+ | Version 1.6.5                                                         |
  |                                                                         |
  | Copyright (C) The Roundcube Dev Team                                    |
  |                                                                         |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
 
new/roundcubemail-1.6.5/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
--- 
old/roundcubemail-1.6.4/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
    2023-10-16 11:23:06.000000000 +0200
+++ 
new/roundcubemail-1.6.5/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
    2023-11-05 09:58:58.000000000 +0100
@@ -727,7 +727,7 @@
                         $this->form['tests'][$i]['type'] = $sizeop;
                         $this->form['tests'][$i]['arg']  = $sizetarget;
 
-                        if ($sizetarget == '') {
+                        if ($sizetarget === '') {
                             $this->errors['tests'][$i]['sizetarget'] = 
$this->plugin->gettext('cannotbeempty');
                         }
                         else if (!preg_match('/^[0-9]+(K|M|G)?$/i', 
$sizetarget.$sizeitem, $m)) {
@@ -1067,8 +1067,8 @@
 
                 case 'redirect':
                 case 'redirect_copy':
-                    $target = $this->strip_value(isset($act_targets[$idx]) ? 
$act_targets[$idx] : null);
-                    $domain = $this->strip_value(isset($domain_targets[$idx]) 
? $domain_targets[$idx] : null);
+                    $target = $this->strip_value($act_targets[$idx] ?? null);
+                    $domain = $this->strip_value($domain_targets[$idx] ?? 
null);
 
                     // force one of the configured domains
                     $domains = (array) 
$this->rc->config->get('managesieve_domains');
@@ -1082,7 +1082,7 @@
 
                     $this->form['actions'][$i]['target'] = $target;
 
-                    if ($target == '') {
+                    if ($target === '') {
                         $this->errors['actions'][$i]['target'] = 
$this->plugin->gettext('cannotbeempty');
                     }
                     else if (!rcube_utils::check_email($target)) {
@@ -2776,6 +2776,8 @@
             return $str;
         }
 
+        $str = (string) $str;
+
         if (!$allow_html) {
             $str = strip_tags($str);
         }
@@ -3275,6 +3277,11 @@
     {
         $default = ['Subject', 'From', 'To'];
         $headers = (array) 
$this->rc->config->get('managesieve_default_headers', $default);
+
+        if (empty($headers) || $headers === ['']) {
+            $headers = $default;
+        }
+
         $keys    = array_map('strtolower', $headers);
         $headers = array_combine($keys, $headers);
 
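Review bot: The added fallback only catches a fully empty setting or the exact `['']` value; a `managesieve_default_headers` value with one blank entry (e.g. `['Subject', '']`) still reaches `array_map`/`array_combine` on the following lines and yields an empty header key, which is presumably the same UI problem #9175 describes. Dropping blank entries before applying the default covers both cases: `$headers = array_filter(array_map('trim', $headers), 'strlen'); if (!$headers) { $headers = $default; }`. This assumes the configured entries are strings, as the default is. The enclosing method's signature and its remaining lines are outside the hunk.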
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/plugins/managesieve/localization/ja_JP.inc 
new/roundcubemail-1.6.5/plugins/managesieve/localization/ja_JP.inc
--- old/roundcubemail-1.6.4/plugins/managesieve/localization/ja_JP.inc  
2023-10-16 11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/plugins/managesieve/localization/ja_JP.inc  
2023-11-05 09:58:58.000000000 +0100
@@ -267,8 +267,8 @@
 $messages['setcreated'] = 'フィルターセットを作成しました。';
 $messages['activateerror'] = 
'選択したフィルターを有効にできません。サーバーでエラーが発生しました。';
 $messages['deactivateerror'] = 
'選択したフィルターを無効にできません。サーバーでエラーが発生しました。';
-$messages['deactivated'] = 'フィルターを有効にしました。';
-$messages['activated'] = 'フィルターを無効にしました。';
+$messages['deactivated'] = 'フィルターを無効にしました。';
+$messages['activated'] = 'フィルターを有効にしました。';
 $messages['moved'] = 'フィルターを移動しました。';
 $messages['moveerror'] = 
'選択したフィルターを移動できません。サーバーでエラーが発生しました。';
 $messages['nametoolong'] = '名前が長すぎます。';
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/program/actions/mail/viewsource.php 
new/roundcubemail-1.6.5/program/actions/mail/viewsource.php
--- old/roundcubemail-1.6.4/program/actions/mail/viewsource.php 2023-10-16 
11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/actions/mail/viewsource.php 2023-11-05 
09:58:58.000000000 +0100
@@ -45,26 +45,30 @@
                 $headers = $rcmail->storage->get_message_headers($uid);
             }
 
-            $charset = $headers->charset ?: 
$rcmail->config->get('default_charset', RCUBE_CHARSET);
+            $charset  = $headers->charset ?: 
$rcmail->config->get('default_charset', RCUBE_CHARSET);
+            $filename = '';
+            $params   = [
+                'type'         => 'text/plain',
+                'type_charset' => $charset,
+            ];
 
             if (!empty($_GET['_save'])) {
                 $subject  = rcube_mime::decode_header($headers->subject, 
$headers->charset);
                 $filename = self::filename_from_subject(mb_substr($subject, 0, 
128));
                 $filename = ($filename ?: $uid)  . '.eml';
 
-                $rcmail->output->download_headers($filename, [
-                        'length'       => $headers->size,
-                        'type'         => 'text/plain',
-                        'type_charset' => $charset,
-                ]);
+                $params['length'] = $headers->size;
+                $params['disposition'] = 'attachment';
             }
             else {
                 // Make sure it works in an iframe (#9084)
                 $rcmail->output->page_headers();
 
-                header("Content-Type: text/plain; charset={$charset}");
+                $params['disposition'] = 'inline';
             }
 
+            $rcmail->output->download_headers($filename, $params);
+
             if (isset($part_id) && isset($message)) {
                 $message->get_part_body($part_id, empty($_GET['_save']), 0, 
-1);
             }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roundcubemail-1.6.4/program/actions/utils/error.php 
new/roundcubemail-1.6.5/program/actions/utils/error.php
--- old/roundcubemail-1.6.4/program/actions/utils/error.php     2023-10-16 
11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/actions/utils/error.php     2023-11-05 
09:58:58.000000000 +0100
@@ -134,7 +134,6 @@
 
         $output = '<!doctype html><html><head>'
             . '<title>' . $product . ':: ERROR</title>'
-            . '<link rel="stylesheet" type="text/css" 
href="skins/$skin/common.css" />'
             . '</head><body>'
             . '<table border="0" cellspacing="0" cellpadding="0" width="100%" 
height="80%">'
             . '<tr><td align="center">' . $page_content . '</td></tr>'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roundcubemail-1.6.4/program/include/iniset.php 
new/roundcubemail-1.6.5/program/include/iniset.php
--- old/roundcubemail-1.6.4/program/include/iniset.php  2023-10-16 
11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/include/iniset.php  2023-11-05 
09:58:58.000000000 +0100
@@ -24,7 +24,7 @@
 }
 
 // application constants
-define('RCMAIL_VERSION', '1.6.4');
+define('RCMAIL_VERSION', '1.6.5');
 define('RCMAIL_START', microtime(true));
 
 if (!defined('INSTALL_PATH')) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/program/lib/Roundcube/bootstrap.php 
new/roundcubemail-1.6.5/program/lib/Roundcube/bootstrap.php
--- old/roundcubemail-1.6.4/program/lib/Roundcube/bootstrap.php 2023-10-16 
11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/lib/Roundcube/bootstrap.php 2023-11-05 
09:58:58.000000000 +0100
@@ -58,7 +58,7 @@
 }
 
 // framework constants
-define('RCUBE_VERSION', '1.6.4');
+define('RCUBE_VERSION', '1.6.5');
 define('RCUBE_CHARSET', 'UTF-8');
 define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP');
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_charset.php 
new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_charset.php
--- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_charset.php     
2023-10-16 11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_charset.php     
2023-11-05 09:58:58.000000000 +0100
@@ -179,6 +179,18 @@
     ];
 
     /**
+     * Validate character set identifier.
+     *
+     * @param string $input Character set identifier
+     *
+     * @return bool True if valid, False if not valid
+     */
+    public static function is_valid($input)
+    {
+        return is_string($input) && preg_match('|^[a-zA-Z0-9_./:#-]{2,32}$|', 
$input) > 0;
+    }
+
+    /**
      * Parse and validate charset name string.
      * Sometimes charset string is malformed, there are also charset aliases,
      * but we need strict names for charset conversion (specially utf8 class)
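Review bot: The `$` anchor in the new `is_valid()` pattern also matches before a final newline, so a value such as `"UTF-8\n"` is reported valid although the function is used later in this diff (rcube_output::download_headers) to gate values placed in HTTP headers; PHP's header() refuses a line containing a newline, but the validator should not rely on that. Add the `D` modifier or end the pattern with `\z`: `return is_string($input) && preg_match('|^[a-zA-Z0-9_./:#-]{2,32}$|D', $input) > 0;`. The Content-Type regex added in download_headers has the same `$` anchor and should get the same treatment. The docblock could also state that this is a byte-wise header-safety check and does not verify that the charset is known or supported.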
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_imap.php 
new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_imap.php
--- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_imap.php        
2023-10-16 11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_imap.php        
2023-11-05 09:58:58.000000000 +0100
@@ -2163,8 +2163,13 @@
             $struct->charset = $mime_headers->charset;
         }
 
+        // Sanitize charset for security
+        if ($struct->charset && !rcube_charset::is_valid($struct->charset)) {
+            $struct->charset = '';
+        }
+
         // read content encoding
-        if (!empty($part[5])) {
+        if (!empty($part[5]) && !is_array($part[5])) {
             $struct->encoding = strtolower($part[5]);
             $struct->headers['content-transfer-encoding'] = $struct->encoding;
         }
@@ -2234,6 +2239,7 @@
         if (!empty($part[3])) {
             $struct->content_id = $struct->headers['content-id'] = 
trim($part[3]);
 
+            // FIXME: This is not the best idea. We should get rid of this at 
some point
             if (empty($struct->disposition)) {
                 $struct->disposition = 'inline';
             }
@@ -2862,11 +2868,6 @@
             return false;
         }
 
-        if (!$this->conn->data['READ-WRITE']) {
-            $this->conn->setError(rcube_imap_generic::ERROR_READONLY, "Folder 
is read-only");
-            return false;
-        }
-
         // CLOSE(+SELECT) should be faster than EXPUNGE
         if (empty($uids) || !empty($all_mode)) {
             $result = $this->conn->close();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_imap_generic.php 
new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_imap_generic.php
--- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_imap_generic.php        
2023-10-16 11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_imap_generic.php        
2023-11-05 09:58:58.000000000 +0100
@@ -1650,6 +1650,18 @@
                         $mailbox = rtrim($mailbox, $delim);
                     }
 
+                    // Make it easier for the client to deal with INBOX folder
+                    // by always returning the word with all capital letters
+                    if (strlen($mailbox) == 5
+                        && ($mailbox[0] == 'i' || $mailbox[0] == 'I')
+                        && ($mailbox[1] == 'n' || $mailbox[1] == 'N')
+                        && ($mailbox[2] == 'b' || $mailbox[2] == 'B')
+                        && ($mailbox[3] == 'o' || $mailbox[3] == 'O')
+                        && ($mailbox[4] == 'x' || $mailbox[4] == 'X')
+                    ) {
+                        $mailbox = 'INBOX';
+                    }
+
                     // Add to result array
                     if (!$lstatus) {
                         $folders[] = $mailbox;
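Review bot: The five per-character comparisons on the added lines implement an ASCII case-insensitive equality test that the standard library already provides: `if (strcasecmp($mailbox, 'INBOX') === 0) { $mailbox = 'INBOX'; }`. strcasecmp folds bytes ASCII-only and is locale-independent, so it avoids whatever strtoupper()/strtolower() concern may have motivated the manual form while making the intent readable at a glance; the comment above can then be kept as is. The enclosing method starts and ends outside the hunk.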
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_message.php 
new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_message.php
--- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_message.php     
2023-10-16 11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_message.php     
2023-11-05 09:58:58.000000000 +0100
@@ -932,6 +932,16 @@
                         $mail_part->content_location .= 
$mail_part->headers['content-location'];
                     }
 
+                    // application/smil message's are known to use inline 
images that aren't really inline (#8870)
+                    // TODO: This code probably does not belong here. I.e. we 
should not default to
+                    // disposition=inline in rcube_imap::structure_part().
+                    if ($primary_type === 'image'
+                        && !empty($structure->ctype_parameters['type'])
+                        && $structure->ctype_parameters['type'] === 
'application/smil'
+                    ) {
+                        $mail_part->disposition = 'attachment';
+                    }
+
                     // part belongs to a related message and is linked
                     // Note: mixed is not supposed to contain inline images, 
but we've found such examples (#5905)
                     if (
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_message_part.php 
new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_message_part.php
--- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_message_part.php        
2023-10-16 11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_message_part.php        
2023-11-05 09:58:58.000000000 +0100
@@ -56,6 +56,13 @@
     public $mimetype = 'text/plain';
 
     /**
+     * Real content type (for fake parts)
+     *
+     * @var string|null
+     */
+    public $realtype;
+
+    /**
      * Real content type of a message/rfc822 part
      *
      * @var string
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_output.php 
new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_output.php
--- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_output.php      
2023-10-16 11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_output.php      
2023-11-05 09:58:58.000000000 +0100
@@ -212,7 +212,7 @@
     }
 
     /**
-     * Send headers related to file downloads
+     * Send headers related to file downloads.
      *
      * @param string $filename File name
      * @param array  $params   Optional parameters:
@@ -225,34 +225,54 @@
      */
     public function download_headers($filename, $params = [])
     {
+        // For security reasons we validate type, filename and charset params.
+        // Some HTTP servers might drop a header that is malformed or very 
long, this then
+        // can lead to web browsers unintentionally executing javascript code 
in the body.
+
         if (empty($params['disposition'])) {
             $params['disposition'] = 'attachment';
         }
 
-        if ($params['disposition'] == 'inline' && stripos($params['type'], 
'text') === 0) {
-            $params['type'] .= '; charset=' . ($params['type_charset'] ?: 
$this->charset);
+        $ctype       = 'application/octet-stream';
+        $disposition = $params['disposition'];
+
+        if (!empty($params['type']) && is_string($params['type']) && 
strlen($params['type']) < 256
+            && preg_match('/^[a-z0-9!#$&.+^_-]+\/[a-z0-9!#$&.+^_-]+$/i', 
$params['type'])
+        ) {
+            $ctype = $params['type'];
         }
 
-        header("Content-Type: " . (!empty($params['type']) ? $params['type'] : 
"application/octet-stream"));
+        if ($disposition == 'inline' && stripos($ctype, 'text') === 0) {
+            $charset = $this->charset;
+            if (!empty($params['type_charset']) && 
rcube_charset::is_valid($params['type_charset'])) {
+                $charset = $params['type_charset'];
+            }
 
-        if ($params['disposition'] == 'attachment' && $this->browser->ie) {
-            header("Content-Type: application/force-download");
+            $ctype .= "; charset={$charset}";
         }
 
-        $disposition = "Content-Disposition: " . $params['disposition'];
+        if (is_string($filename) && strlen($filename) > 0 && strlen($filename) 
<= 1024) {
+            // For non-ascii characters we'll use RFC2231 syntax
+            if (!preg_match('/[^a-zA-Z0-9_.:,?;@+ -]/', $filename)) {
+                $disposition .= "; filename=\"{$filename}\"";
+            }
+            else {
+                $filename = rawurlencode($filename);
+                $charset  = $this->charset;
+                if (!empty($params['charset']) && 
rcube_charset::is_valid($params['charset'])) {
+                    $charset = $params['charset'];
+                }
 
-        // For non-ascii characters we'll use RFC2231 syntax
-        if (!preg_match('/[^a-zA-Z0-9_.:,?;@+ -]/', $filename)) {
-            $disposition .= sprintf("; filename=\"%s\"", $filename);
-        }
-        else {
-            $disposition .= sprintf("; filename*=%s''%s",
-                !empty($params['charset']) ? $params['charset'] : 
$this->charset,
-                rawurlencode($filename)
-            );
+                $disposition .= "; filename*={$charset}''{$filename}";
+            }
         }
 
-        header($disposition);
+        header("Content-Disposition: {$disposition}");
+        header("Content-Type: {$ctype}");
+
+        if ($params['disposition'] == 'attachment' && $this->browser->ie) {
+            header("Content-Type: application/force-download");
+        }
 
         if (isset($params['length'])) {
             header("Content-Length: " . $params['length']);
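Review bot: `$params['disposition']` is copied into `$disposition` and emitted as the Content-Disposition value without the validation that the new header comment promises for type, filename and charset, so any non-empty caller-supplied string reaches the header as-is. The callers visible in this diff pass the literals `'inline'` and `'attachment'`, but a whitelist at the point of use keeps that invariant independent of callers: `$disposition = $params['disposition'] === 'inline' ? 'inline' : 'attachment';`, after which the IE branch near the end can test `$disposition` instead of re-reading `$params['disposition']`. The Content-Length handling and the rest of the method continue past the hunk.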
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_smtp.php 
new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_smtp.php
--- old/roundcubemail-1.6.4/program/lib/Roundcube/rcube_smtp.php        
2023-10-16 11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/program/lib/Roundcube/rcube_smtp.php        
2023-11-05 09:58:58.000000000 +0100
@@ -170,18 +170,13 @@
             }
         }
 
-        if ($CONFIG['smtp_user'] == '%u') {
-            $smtp_user = (string) $rcube->get_user_name();
-        } else {
-            $smtp_user = $CONFIG['smtp_user'];
-        }
-
         if ($CONFIG['smtp_pass'] == '%p') {
             $smtp_pass = (string) $rcube->get_user_password();
         } else {
             $smtp_pass = $CONFIG['smtp_pass'];
         }
 
+        $smtp_user      = str_replace('%u', (string) $rcube->get_user_name(), 
$CONFIG['smtp_user']);
         $smtp_auth_type = $CONFIG['smtp_auth_type'] ?: null;
         $smtp_authz     = null;
 
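Review bot: The new `str_replace()` call passes `$CONFIG['smtp_user']` straight through as the subject, whereas the removed `==` branch tolerated a null value; if a site config nulls `smtp_user` (the defaults file in this diff sets it to `'%u'`, so this is an edge case), PHP 8.1+ raises a deprecation for the null subject and the result becomes `''` rather than `null`. Casting first keeps the line warning-free and makes the string contract explicit: `$smtp_user = str_replace('%u', (string) $rcube->get_user_name(), (string) $CONFIG['smtp_user']);`. The `%p` handling above deliberately remains an exact match, which is worth a one-line comment so the asymmetry is not mistaken for an oversight. The enclosing method starts before the hunk.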
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roundcubemail-1.6.4/public_html/index.php 
new/roundcubemail-1.6.5/public_html/index.php
--- old/roundcubemail-1.6.4/public_html/index.php       2023-10-16 
11:23:06.000000000 +0200
+++ new/roundcubemail-1.6.5/public_html/index.php       2023-11-05 
09:58:58.000000000 +0100
@@ -3,7 +3,7 @@
 /*
  +-----------------------------------------------------------------------+
  | Roundcube Webmail IMAP Client                                         |
- | Version 1.6.4                                                       |
+ | Version 1.6.5                                                       |
  |                                                                       |
  | Copyright (C) The Roundcube Dev Team                                  |
  |                                                                       |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roundcubemail-1.6.4/vendor/autoload.php 
new/roundcubemail-1.6.5/vendor/autoload.php
--- old/roundcubemail-1.6.4/vendor/autoload.php 2023-10-16 11:23:28.000000000 
+0200
+++ new/roundcubemail-1.6.5/vendor/autoload.php 2023-11-05 09:59:19.000000000 
+0100
@@ -23,4 +23,4 @@
 require_once __DIR__ . '/composer/autoload_real.php';
 
 return ComposerAutoloaderInit2fa8c65c978e32885e0df78c109b5aaf::getLoader();
-// generated by Roundcube install 1.6.4
+// generated by Roundcube install 1.6.5
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/roundcubemail-1.6.4/vendor/composer/include_paths.php 
new/roundcubemail-1.6.5/vendor/composer/include_paths.php
--- old/roundcubemail-1.6.4/vendor/composer/include_paths.php   2023-10-16 
11:23:09.000000000 +0200
+++ new/roundcubemail-1.6.5/vendor/composer/include_paths.php   2023-11-05 
09:59:01.000000000 +0100
@@ -8,12 +8,12 @@
 return array(
     $vendorDir . '/pear/pear_exception',
     $vendorDir . '/pear/console_getopt',
+    $vendorDir . '/pear/console_commandline',
     $vendorDir . '/pear/pear-core-minimal/src',
+    $vendorDir . '/pear/net_socket',
     $vendorDir . '/pear/net_ldap2',
     $vendorDir . '/pear/auth_sasl',
-    $vendorDir . '/pear/console_commandline',
     $vendorDir . '/pear/crypt_gpg',
     $vendorDir . '/pear/mail_mime',
-    $vendorDir . '/pear/net_socket',
     $vendorDir . '/pear/net_smtp',
 );
