Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
upstream releases only bugfix releases for the 1.3 branch. As they,
do not add any new feature IMO it would makes sense to ship the newest
1.3.10 for Debian Buster users. I have packaged 1.3.10 for Debian.
This was also requested for stetch, but I had not find time to do the
actual work: #887507.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500,
'oldstable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'),
(500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.3.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru roundcube-1.3.8+dfsg.1/CHANGELOG roundcube-1.3.10+dfsg.1/CHANGELOG
--- roundcube-1.3.8+dfsg.1/CHANGELOG 2018-10-23 13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/CHANGELOG 2019-08-28 13:24:49.000000000 +0200
@@ -1,6 +1,40 @@
CHANGELOG Roundcube Webmail
===========================
+RELEASE 1.3.10
+--------------
+- Managesieve: Fix so "Create filter" option does not show up when Filters
menu is disabled (#6723)
+- Enigma: Fix bug where revoked users/keys were not greyed out in key info
+- Enigma: Fix error message when trying to encrypt with a revoked key (#6607)
+- Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638)
+- Fix compatibility with kolab/net_ldap3 > 1.0.7 (#6785)
+- Fix bug where bmp images couldn't be displayed on some systems (#6728)
+- Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744)
+- Fix bug where bold/strong text was converted to upper-case on html-to-text
conversion (6758)
+- Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld
(#6746)
+- Fix bug where Next/Prev button in mail view didn't work with multi-folder
search result (#6793)
+- Fix bug where selection of columns on messages list wasn't working
+- Fix bug in converting multi-page Tiff images to Jpeg (#6824)
+- Fix wrong messages order after returning to a multi-folder search result
(#6836)
+- Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
+- Fix bug where it was possible to bypass the position:fixed CSS check in
received messages (#6898)
+- Fix bug where some strict remote URIs in url() style were unintentionally
blocked (#6899)
+- Fix bug where it was possible to bypass the CSS jail in HTML messages using
:root pseudo-class (#6897)
+- Fix bug where it was possible to bypass href URI check with
data:application/xhtml+xml URIs (#6896)
+
+RELEASE 1.3.9
+-------------
+- Fix TinyMCE download location (#6694)
+- Fix bug where a message/rfc822 part without a filename wasn't listed on the
attachments list (#6494)
+- Fix handling of empty entries in vCard import (#6564)
+- Fix bug in parsing some IMAP command responses that include unsolicited
replies (#6577)
+- Fix PHP 7.2 compatibility in debug_logger plugin (#6586)
+- Fix so ANY record is not used for email domain validation, use A, MX, CNAME,
AAAA instead (#6581)
+- Fix so mime_content_type check in Installer uses files that should always be
available (i.e. from program/resources) (#6599)
+- Fix missing CSRF token on a link to download too-big message part (#6621)
+- Fix bug when aborting dragging with ESC key didn't stop the move action
(#6623)
+- Fix bug where next row wasn't selected after deleting a collapsed thread
(#6655)
+
RELEASE 1.3.8
-------------
- Fix PHP warnings on dummy QUOTA responses in Courier-IMAP 4.17.1 (#6374)
diff -Nru roundcube-1.3.8+dfsg.1/composer.json-dist
roundcube-1.3.10+dfsg.1/composer.json-dist
--- roundcube-1.3.8+dfsg.1/composer.json-dist 2018-10-23 13:12:54.000000000
+0200
+++ roundcube-1.3.10+dfsg.1/composer.json-dist 2019-08-28 13:24:50.000000000
+0200
@@ -30,6 +30,6 @@
},
"suggest": {
"pear/net_ldap2": "~2.2.0 required for connecting to LDAP",
- "kolab/Net_LDAP3": "dev-master required for connecting to LDAP"
+ "kolab/net_ldap3": "dev-master required for connecting to LDAP"
}
}
diff -Nru roundcube-1.3.8+dfsg.1/debian/changelog
roundcube-1.3.10+dfsg.1/debian/changelog
--- roundcube-1.3.8+dfsg.1/debian/changelog 2018-11-05 04:38:45.000000000
+0100
+++ roundcube-1.3.10+dfsg.1/debian/changelog 2019-12-23 22:59:40.000000000
+0100
@@ -1,3 +1,33 @@
+roundcube (1.3.10+dfsg.1-1~deb10u1) buster; urgency=medium
+
+ * d/control: revert bump of Standards-Version, as we want to release to
+ stable.
+ * d/upstream/signing-key.asc: revert Minimize OpenPGP certificate.
+ * Add patch to Fix "Retry to connect to IMAP server" (Closes: #947320)
+
+ -- Sandro Knauß <he...@debian.org> Mon, 23 Dec 2019 22:59:40 +0100
+
+roundcube (1.3.10+dfsg.1-1) unstable; urgency=medium
+
+ * New upstream release: (Closes: #927713)
+ - Fixes CVE-2019-10740
+
+ [ Guilhem Moulin ]
+ * Backport fix for CVE-2018-1000071: Insecure Permissions vulnerability in
+ enigma plugin that can result in exfiltration of gpg private key.
+ https://github.com/roundcube/roundcubemail/issues/6173 (Closes: #897014)
+ * New upstream release (1.3.9). (Closes: #898068)
+ * d/roundcube-core.config: Honor debconf setting roundcube/language, by
+ skipping the relevant part at pre-configure stage. (Closes: #923142)
+ * d/roundcube-core.postinst: Create temporary configuration file atomically.
+ * d/upstream/signing-key.asc: Minimize OpenPGP certificate.
+ * Add new plugins to roundcube-plugins: 'attachment_reminder' (closes:
+ #918126), 'example_addressbook', 'identicon', 'identity_select' and
+ 'redundant_attachments'.
+ * d/control: Bump Standards-Version to 4.3.0 (no changes needed).
+
+ -- Beowulf <beow...@netzguerilla.net> Wed, 18 Dec 2019 00:26:48 +0100
+
roundcube (1.3.8+dfsg.1-2) unstable; urgency=medium
* debian/roundcube-plugins.maintscript:
diff -Nru roundcube-1.3.8+dfsg.1/debian/copyright
roundcube-1.3.10+dfsg.1/debian/copyright
--- roundcube-1.3.8+dfsg.1/debian/copyright 2018-11-05 04:38:45.000000000
+0100
+++ roundcube-1.3.10+dfsg.1/debian/copyright 2019-12-18 01:11:49.000000000
+0100
@@ -50,9 +50,10 @@
License: LGPL-2.1
Comment: Source - see debian/missing-sources/README
-Files: plugins/enigma/enigma.php
- plugins/enigma/lib/*
- plugins/redundant_attachments/redundant_attachments.php
+Files: plugins/additional_message_headers/*
+ plugins/database_attachments/*
+ plugins/debug_logger/*
+ plugins/redundant_attachments/*
Copyright: Copyright (C) 2011, Kolab Systems AG
Copyright (C) 2011, The Roundcube Dev Team
License: GPL-2
diff -Nru roundcube-1.3.8+dfsg.1/debian/gbp.conf
roundcube-1.3.10+dfsg.1/debian/gbp.conf
--- roundcube-1.3.8+dfsg.1/debian/gbp.conf 2018-11-05 04:38:45.000000000
+0100
+++ roundcube-1.3.10+dfsg.1/debian/gbp.conf 2019-12-18 01:15:30.000000000
+0100
@@ -1,3 +1,5 @@
[DEFAULT]
-debian-branch=master
-upstream-branch=upstream
+debian-branch=debian/buster
+upstream-branch=upstream-1.3.x
+pristine-tar=True
+compression=xz
diff -Nru roundcube-1.3.8+dfsg.1/debian/patches/correct_install_path.patch
roundcube-1.3.10+dfsg.1/debian/patches/correct_install_path.patch
--- roundcube-1.3.8+dfsg.1/debian/patches/correct_install_path.patch
2018-11-05 04:38:45.000000000 +0100
+++ roundcube-1.3.10+dfsg.1/debian/patches/correct_install_path.patch
2019-12-18 01:11:49.000000000 +0100
@@ -6,7 +6,7 @@
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
-@@ -25,7 +25,7 @@ define('RCMAIL_VERSION', '1.3.3');
+@@ -25,7 +25,7 @@ define('RCMAIL_VERSION', '1.3.9');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.8+dfsg.1/debian/patches/CVE-2018-1000071.patch
roundcube-1.3.10+dfsg.1/debian/patches/CVE-2018-1000071.patch
--- roundcube-1.3.8+dfsg.1/debian/patches/CVE-2018-1000071.patch
1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.3.10+dfsg.1/debian/patches/CVE-2018-1000071.patch
2019-12-18 01:15:30.000000000 +0100
@@ -0,0 +1,72 @@
+commit 48417c5fc9f6eb4b90500c09596606d489c700b5
+Author: Aleksander Machniak <a...@alec.pl>
+Date: Sun Mar 4 09:14:43 2018 +0100
+
+ Remove default for enigma_pgp_homedir (#6173)
+
+ To make the default installation more secure force users to set the folder.
+ Added notes that it should be secured or not accessible from the web
browser.
+
+---
+ plugins/enigma/README | 15 +++++++++++++--
+ plugins/enigma/config.inc.php.dist | 4 ++--
+ plugins/enigma/home/.htaccess | 7 -------
+ plugins/enigma/lib/enigma_driver_gnupg.php | 2 +-
+ 4 files changed, 16 insertions(+), 12 deletions(-)
+
+--- a/plugins/enigma/config.inc.php.dist
++++ b/plugins/enigma/config.inc.php.dist
+@@ -12,8 +12,8 @@ $config['enigma_smime_driver'] = 'phpssl
+ // Enables logging of enigma operations (including Crypt_GPG debug info)
+ $config['enigma_debug'] = false;
+
+-// Keys directory for all users. Default 'enigma/home'.
+-// Must be writeable by PHP process
++// REQUIRED! Keys directory for all users.
++// Must be writeable by PHP process, and not in the web server document root
+ $config['enigma_pgp_homedir'] = null;
+
+ // Location of gpg binary. By default it will be auto-detected.
+--- a/plugins/enigma/home/.htaccess
++++ /dev/null
+@@ -1,7 +0,0 @@
+-# deny webserver access to this directory
+-<ifModule mod_authz_core.c>
+- Require all denied
+-</ifModule>
+-<ifModule !mod_authz_core.c>
+- Deny from all
+-</ifModule>
+--- a/plugins/enigma/lib/enigma_driver_gnupg.php
++++ b/plugins/enigma/lib/enigma_driver_gnupg.php
+@@ -40,7 +40,7 @@ class enigma_driver_gnupg extends enigma
+ */
+ function init()
+ {
+- $homedir = $this->rc->config->get('enigma_pgp_homedir', INSTALL_PATH
. 'plugins/enigma/home');
++ $homedir = $this->rc->config->get('enigma_pgp_homedir');
+ $debug = $this->rc->config->get('enigma_debug');
+ $binary = $this->rc->config->get('enigma_pgp_binary');
+ $agent = $this->rc->config->get('enigma_pgp_agent');
+--- a/plugins/enigma/README
++++ b/plugins/enigma/README
+@@ -21,9 +21,19 @@ Implemented features:
+ + Attaching public keys to email
+ + Key server(s) support (search, import)
+
++INSTALLATION
++------------
++
++1. Rename config.inc.php.dist to config.inc.php.
++2. Create a directory for keys storage that is writeable for the PHP process.
++ This directory should be out of the document root, so it is not accessible
++ from the web browser. Set it's location in $config['enigma_pgp_homedir'].
++3. Make sure GnuPG is installed.
++
+
+ TODO:
+ -----
++
+ - Handling of big messages with temp files (? - security)
+ - Key info in contact details page (optional)
+ - Extended key management:
diff -Nru
roundcube-1.3.8+dfsg.1/debian/patches/retry_to_reach_imap_server.patch
roundcube-1.3.10+dfsg.1/debian/patches/retry_to_reach_imap_server.patch
--- roundcube-1.3.8+dfsg.1/debian/patches/retry_to_reach_imap_server.patch
1970-01-01 01:00:00.000000000 +0100
+++ roundcube-1.3.10+dfsg.1/debian/patches/retry_to_reach_imap_server.patch
2019-12-23 22:59:40.000000000 +0100
@@ -0,0 +1,31 @@
+Description: Retries to connect to IMAP server.
+ As it may happen, that an IMAP server will have temporally issues and answers
+ with "Empty startup greeting".
+Author: Hefee <he...@debian.org>
+Last-Update: 2019-12-24
+
+---
+--- a/program/lib/Roundcube/rcube_imap.php
++++ b/program/lib/Roundcube/rcube_imap.php
+@@ -144,7 +144,11 @@ class rcube_imap extends rcube_storage
+
+ $attempt = 0;
+ do {
+- $data = $this->plugins->exec_hook('storage_connect',
++ if ($attempt > 0) {
++ usleep(rand(1000, 100000));
++ }
++ rcube::write_log('imap','Connecting to IMAP server
attempt:'.$attempt);
++ $data = $this->plugins->exec_hook('storage_connect',
+ array_merge($this->options, array('host' => $host, 'user' =>
$user,
+ 'attempt' => ++$attempt)));
+
+@@ -156,7 +160,7 @@ class rcube_imap extends rcube_storage
+ rcube_utils::parse_socket_options($data['socket_options'],
$data['host']);
+
+ $this->conn->connect($data['host'], $data['user'], $pass, $data);
+- } while(!$this->conn->connected() && $data['retry']);
++ } while(!$this->conn->connected() && $data['attempt'] < 6);
+
+ $config = array(
+ 'host' => $data['host'],
diff -Nru roundcube-1.3.8+dfsg.1/debian/patches/series
roundcube-1.3.10+dfsg.1/debian/patches/series
--- roundcube-1.3.8+dfsg.1/debian/patches/series 2018-11-05
04:38:45.000000000 +0100
+++ roundcube-1.3.10+dfsg.1/debian/patches/series 2019-12-23
22:59:40.000000000 +0100
@@ -13,3 +13,5 @@
upstream-Add-get-and-extract-arguments-and-CACHEDIR-env-varia.patch
update_jsdeps.json
htaccess-assume-php7.patch
+CVE-2018-1000071.patch
+retry_to_reach_imap_server.patch
diff -Nru roundcube-1.3.8+dfsg.1/debian/patches/update_composer.patch
roundcube-1.3.10+dfsg.1/debian/patches/update_composer.patch
--- roundcube-1.3.8+dfsg.1/debian/patches/update_composer.patch 2018-11-05
04:38:45.000000000 +0100
+++ roundcube-1.3.10+dfsg.1/debian/patches/update_composer.patch
2019-12-18 01:11:49.000000000 +0100
@@ -45,6 +45,6 @@
- "pear/net_ldap2": "~2.2.0 required for connecting to LDAP",
+ "pear-pear.php.net/net_ldap2": ">=2.2.0",
+ "pear-pear.php.net/crypt_gpg": ">=1.6.0",
- "kolab/Net_LDAP3": "dev-master required for connecting to LDAP"
+ "kolab/net_ldap3": "dev-master required for connecting to LDAP"
}
}
diff -Nru roundcube-1.3.8+dfsg.1/debian/roundcube-core.config
roundcube-1.3.10+dfsg.1/debian/roundcube-core.config
--- roundcube-1.3.8+dfsg.1/debian/roundcube-core.config 2018-11-05
04:38:45.000000000 +0100
+++ roundcube-1.3.10+dfsg.1/debian/roundcube-core.config 2019-12-18
01:01:02.000000000 +0100
@@ -7,38 +7,42 @@
db_input medium roundcube/hosts || true
db_go || true
-# Retrieve all available languages
-instd_langs=$(echo /usr/share/roundcube/program/localization/*/messages.inc | \
- sed 's+[^ ]*/\([^ ]*\)/messages.inc+\1,+g' | sed 's+,$++')
-db_subst roundcube/language languages $instd_langs
-# First try to get the current choice in case of preseeding or if the
-# question has already been asked
+if [ "$1" = "configure" -a "$DPKG_MAINTSCRIPT_NAME" = "postinst" ] || \
+ [ "$1" = "reconfigure" ]; then
+ # Retrieve all available languages
+ instd_langs=$(echo
/usr/share/roundcube/program/localization/*/messages.inc | \
+ sed 's+[^ ]*/\([^ ]*\)/messages.inc+\1,+g' | sed 's+,$++')
+ db_subst roundcube/language languages $instd_langs
+ # First try to get the current choice in case of preseeding or if the
+ # question has already been asked
db_get roundcube/language || true
locale="$RET"
-if [ -n "$locale" -a -d "/usr/share/roundcube/program/localization/$locale" ];
then
- # We get our answer (db_set should be useless in fact)
- db_set roundcube/language $locale
-else
- # Either we never answered the question or the locale does not
- # exist any more. In both cases, we do as if we never seen the
- # question.
- db_fset roundcube/language seen false
- # Try to guess the locale
- locale=$(echo $LANG | sed 's/[@\.].*//')
- if [ -d /usr/share/roundcube/program/localization/$locale ]; then
- db_set roundcube/language $locale
+ if [ -n "$locale" ] && [ -d
"/usr/share/roundcube/program/localization/$locale" ]; then
+ # We get our answer (db_set should be useless in fact)
+ db_set roundcube/language $locale
else
- locale=$(echo $locale | sed 's/_.*//')
- if [ -d /usr/share/roundcube/program/localization/$locale ]; then
- db_set roundcube/language $locale
- else
- db_set roundcube/language en_US
- fi
+ # Either we never answered the question or the locale does not
+ # exist any more. In both cases, we do as if we never seen the
+ # question.
+ db_fset roundcube/language seen false
+ # Try to guess the locale
+ locale=$(echo $LANG | sed 's/[@\.].*//')
+ if [ -d /usr/share/roundcube/program/localization/$locale ]; then
+ db_set roundcube/language $locale
+ else
+ locale=$(echo $locale | sed 's/_.*//')
+ if [ -d /usr/share/roundcube/program/localization/$locale ]; then
+ db_set roundcube/language $locale
+ else
+ db_set roundcube/language en_US
+ fi
+ fi
fi
+ # Ask the question
+ db_input medium roundcube/language || true
+ db_go || true
fi
-# Ask the question
-db_input medium roundcube/language || true
-db_go || true
+
if [ -f /usr/share/dbconfig-common/dpkg/config ]; then
dbc_dbtypes="mysql, pgsql, sqlite3"
diff -Nru roundcube-1.3.8+dfsg.1/debian/roundcube-core.postinst
roundcube-1.3.10+dfsg.1/debian/roundcube-core.postinst
--- roundcube-1.3.8+dfsg.1/debian/roundcube-core.postinst 2018-11-05
04:38:45.000000000 +0100
+++ roundcube-1.3.10+dfsg.1/debian/roundcube-core.postinst 2019-12-18
01:11:49.000000000 +0100
@@ -164,9 +164,6 @@
hosts="''"
fi
- db_get roundcube/language || true
- language="$RET"
-
# Get current 3DES key from config file
[ -f /etc/roundcube/config.inc.php ] && {
deskey=$(sed -n "s+^\$config\['des_key'\] = '\(.*\)';\$+\1+p" \
@@ -181,12 +178,10 @@
done
#create config.inc.php
- touch $CONFFILE.ucftmp
- chmod 640 $CONFFILE.ucftmp
- chown root:www-data $CONFFILE.ucftmp
+ install -oroot -gwww-data -m0640 /dev/null "$CONFFILE.ucftmp"
# Put hosts, language and key in config file
- cat $BASEFILE | while read line; do
+ while read line; do
case "$line" in
"\$config['default_host'] = "*)
printf "\$config['default_host'] = %s;\n" "${hosts}"
@@ -194,14 +189,18 @@
"\$config['des_key'] = "*)
printf "\$config['des_key'] = '%s';\n" "${deskey}"
;;
- "\$config['language'] = "*)
- printf "\$config['language'] = '%s';\n" "${language}"
- ;;
*)
printf "%s\n" "$line"
;;
esac
- done >> $CONFFILE.ucftmp
+ done <"$BASEFILE" >"$CONFFILE.ucftmp"
+
+ if db_fget roundcube/language seen && [ "$RET" = "true" ] && \
+ db_get roundcube/language && [ -n "$RET" ]; then
+ echo "// the default locale setting (leave empty for auto-detection)"
+ echo "// RFC1766 formatted language name like en_US, de_DE, de_CH,
fr_FR, pt_BR"
+ printf "\$config['language'] = '%s';\n" "$RET"
+ fi >>"$CONFFILE.ucftmp"
# Register new config file
if [ ! -f /etc/roundcube/config.inc.php ]; then
diff -Nru roundcube-1.3.8+dfsg.1/debian/roundcube-plugins.install
roundcube-1.3.10+dfsg.1/debian/roundcube-plugins.install
--- roundcube-1.3.8+dfsg.1/debian/roundcube-plugins.install 2018-11-05
04:38:45.000000000 +0100
+++ roundcube-1.3.10+dfsg.1/debian/roundcube-plugins.install 2019-12-18
01:01:02.000000000 +0100
@@ -1,20 +1,25 @@
plugins/acl/ usr/share/roundcube/plugins
plugins/additional_message_headers/ usr/share/roundcube/plugins
plugins/archive/ usr/share/roundcube/plugins
+plugins/attachment_reminder/ usr/share/roundcube/plugins
plugins/autologon/ usr/share/roundcube/plugins
plugins/database_attachments/ usr/share/roundcube/plugins
plugins/debug_logger/ usr/share/roundcube/plugins
plugins/emoticons/ usr/share/roundcube/plugins
plugins/enigma/ usr/share/roundcube/plugins
+plugins/example_addressbook/ usr/share/roundcube/plugins
plugins/help/ usr/share/roundcube/plugins
plugins/hide_blockquote/ usr/share/roundcube/plugins
plugins/http_authentication/ usr/share/roundcube/plugins
+plugins/identicon/ usr/share/roundcube/plugins
+plugins/identity_select/ usr/share/roundcube/plugins
plugins/managesieve/ usr/share/roundcube/plugins
plugins/markasjunk/ usr/share/roundcube/plugins
plugins/new_user_dialog/ usr/share/roundcube/plugins
plugins/new_user_identity/ usr/share/roundcube/plugins
plugins/newmail_notifier/ usr/share/roundcube/plugins
-plugins/password /usr/share/roundcube/plugins
+plugins/password/ /usr/share/roundcube/plugins
+plugins/redundant_attachments/ usr/share/roundcube/plugins
plugins/show_additional_headers/ usr/share/roundcube/plugins
plugins/squirrelmail_usercopy/ usr/share/roundcube/plugins
plugins/subscriptions_option/ usr/share/roundcube/plugins
diff -Nru roundcube-1.3.8+dfsg.1/debian/salsa-ci.yml
roundcube-1.3.10+dfsg.1/debian/salsa-ci.yml
--- roundcube-1.3.8+dfsg.1/debian/salsa-ci.yml 1970-01-01 01:00:00.000000000
+0100
+++ roundcube-1.3.10+dfsg.1/debian/salsa-ci.yml 2019-12-18 01:15:30.000000000
+0100
@@ -0,0 +1,7 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ -
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'buster'
diff -Nru roundcube-1.3.8+dfsg.1/index.php roundcube-1.3.10+dfsg.1/index.php
--- roundcube-1.3.8+dfsg.1/index.php 2018-10-23 13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/index.php 2019-08-28 13:24:49.000000000 +0200
@@ -2,9 +2,9 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.8 |
+ | Version 1.3.10 |
| |
- | Copyright (C) 2005-2018, The Roundcube Dev Team |
+ | Copyright (C) 2005-2019, The Roundcube Dev Team |
| |
| This program is free software: you can redistribute it and/or modify |
| it under the terms of the GNU General Public License (with exceptions |
diff -Nru roundcube-1.3.8+dfsg.1/installer/index.php
roundcube-1.3.10+dfsg.1/installer/index.php
--- roundcube-1.3.8+dfsg.1/installer/index.php 2018-10-23 13:12:54.000000000
+0200
+++ roundcube-1.3.10+dfsg.1/installer/index.php 2019-08-28 13:24:50.000000000
+0200
@@ -3,9 +3,9 @@
/**
+-------------------------------------------------------------------------+
| Roundcube Webmail setup tool |
- | Version 1.3.8 |
+ | Version 1.3.10 |
| |
- | Copyright (C) 2009-2015, The Roundcube Dev Team |
+ | Copyright (C) 2009-2019, The Roundcube Dev Team |
| |
| This program is free software: you can redistribute it and/or modify |
| it under the terms of the GNU General Public License (with exceptions |
diff -Nru roundcube-1.3.8+dfsg.1/installer/test.php
roundcube-1.3.10+dfsg.1/installer/test.php
--- roundcube-1.3.8+dfsg.1/installer/test.php 2018-10-23 13:12:54.000000000
+0200
+++ roundcube-1.3.10+dfsg.1/installer/test.php 2019-08-28 13:24:50.000000000
+0200
@@ -165,7 +165,7 @@
echo '<ul style="margin:0"><li>' . join("</li>\n<li>", $err) .
"</li></ul>";
$select = $RCI->versions_select(array('name' => 'version'));
$select->add('0.9 or newer', '');
- echo '<p class="suggestion">You should run the update queries to get
the schema fixed.<br/><br/>Version to update from: ' . $select->show() .
' <input type="submit" name="updatedb" value="Update" /></p>';
+ echo '<p class="suggestion">You should run the update queries to get
the schema fixed.<br/><br/>Version to update from: ' . $select->show('') .
' <input type="submit" name="updatedb" value="Update" /></p>';
$db_working = false;
}
else {
@@ -288,8 +288,8 @@
echo '<p>Trying to send email...<br />';
- $from = idn_to_ascii(trim($_POST['_from']));
- $to = idn_to_ascii(trim($_POST['_to']));
+ $from = rcube_utils::idn_to_ascii(trim($_POST['_from']));
+ $to = rcube_utils::idn_to_ascii(trim($_POST['_to']));
if (preg_match('/^' . $RCI->email_pattern . '$/i', $from) &&
preg_match('/^' . $RCI->email_pattern . '$/i', $to)
@@ -413,8 +413,8 @@
$imap_port = 993;
}
- $imap_host = idn_to_ascii($imap_host);
- $imap_user = idn_to_ascii($_POST['_user']);
+ $imap_host = rcube_utils::idn_to_ascii($imap_host);
+ $imap_user = rcube_utils::idn_to_ascii($_POST['_user']);
$imap = new rcube_imap(null);
$imap->set_options(array(
diff -Nru roundcube-1.3.8+dfsg.1/jsdeps.json roundcube-1.3.10+dfsg.1/jsdeps.json
--- roundcube-1.3.8+dfsg.1/jsdeps.json 2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/jsdeps.json 2019-08-28 13:24:50.000000000 +0200
@@ -36,7 +36,7 @@
{
"lib": "tinymce",
"version": "4.5.8",
- "url": "http://download.ephox.com/tinymce/community/tinymce_4.5.8.zip";,
+ "url": "https://download.tiny.cloud/tinymce/community/tinymce_4.5.8.zip";,
"dest": "program/js",
"sha1": "08b0757264adb86066940bbafb7aa9ec0c7c6685",
"license": "LGPL",
@@ -56,7 +56,7 @@
{
"lib": "tinymce-langs",
"version": "4.5.8",
- "url":
"https://tinymce-services.azurewebsites.net/1/i18n/download?langs=ar,hy,az,eu,be,bs,bg_BG,ca,zh_CN,zh_TW,hr,cs,cs_CZ,da,nl,en_CA,en_GB,eo,et,fo,fi,fr_FR,fr_CH,gd,gl,ka_GE,de,de_AT,el,he_IL,hi_IN,hu_HU,is_IS,id,ga,it,ja,kab,km_KH,ko_KR,ku,ku_IQ,lv,lt,lb,mk_MK,ml_IN,nb_NO,oc,fa,fa_IR,pl,pt_BR,pt_PT,ro,ru,sk,sl_SI,es,es_MX,sv_SE,tg,ta,ta_IN,tt,th_TH,tr,tr_TR,ug,uk,uk_UA,vi,vi_VN,cy";,
+ "url": "https://www.tiny.cloud/docs-4x/language/tinymce4x_languages.zip";,
"dest": "program/js/tinymce"
},
{
diff -Nru roundcube-1.3.8+dfsg.1/plugins/debug_logger/runlog/runlog.php
roundcube-1.3.10+dfsg.1/plugins/debug_logger/runlog/runlog.php
--- roundcube-1.3.8+dfsg.1/plugins/debug_logger/runlog/runlog.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/plugins/debug_logger/runlog/runlog.php
2019-08-28 13:24:50.000000000 +0200
@@ -19,7 +19,7 @@
public $timestamp = "d-M-Y H:i:s O";
public $max_line_size = 150;
- function runlog()
+ function __construct()
{
$this->start_time = microtime(true);
}
@@ -71,9 +71,6 @@
foreach ($this->tag_count as $tag => $count){
$tag_report .= "$tag: $count, ";
}
- if (!empty($tag_report)) {
-// $tag_report = "\n$tag_report\n";
- }
$end_txt = sprintf("end: $name - %0.4f seconds $tag_report",
$this->run_log[$lastk]['duration']);
$this->print_to_console($end_txt, $this->run_log[$lastk]['tag'],
'end');
$this->print_to_file($end_txt, $this->run_log[$lastk]['tag'],
'end');
@@ -223,7 +220,6 @@
return $buf;
}
-
function __destruct()
{
foreach ($this->file_handles as $handle) {
diff -Nru roundcube-1.3.8+dfsg.1/plugins/enigma/lib/enigma_engine.php
roundcube-1.3.10+dfsg.1/plugins/enigma/lib/enigma_engine.php
--- roundcube-1.3.8+dfsg.1/plugins/enigma/lib/enigma_engine.php 2018-10-23
13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/plugins/enigma/lib/enigma_engine.php
2019-08-28 13:24:50.000000000 +0200
@@ -266,10 +266,6 @@
$recipients = array_merge($recipients, $mime->getRecipients());
}
- if (empty($recipients)) {
- return new enigma_error(enigma_error::KEYNOTFOUND);
- }
-
$recipients = array_unique($recipients);
// find recipient public keys
@@ -373,17 +369,36 @@
*/
function part_structure($p, $body = null)
{
+ static $got_content = false;
+
+ // Prevent from "decryption oracle" [CVE-2019-10740] (#6638)
+ // On mail compose (edit/reply/forward) we support encrypted content
only
+ // in the first "content part" of the message.
+ if ($got_content && $this->rc->task == 'mail' && $this->rc->action ==
'compose') {
+ return;
+ }
+
+ // Don't be tempted to support encryption in text/html parts
+ // Because of EFAIL vulnerability we should never support this (#6289)
+
if ($p['mimetype'] == 'text/plain' || $p['mimetype'] ==
'application/pgp') {
$this->parse_plain($p, $body);
+ $got_content = true;
}
else if ($p['mimetype'] == 'multipart/signed') {
$this->parse_signed($p, $body);
+ $got_content = true;
}
else if ($p['mimetype'] == 'multipart/encrypted') {
$this->parse_encrypted($p);
+ $got_content = true;
}
else if ($p['mimetype'] == 'application/pkcs7-mime') {
$this->parse_encrypted($p);
+ $got_content = true;
+ }
+ else {
+ $got_content = $p['structure']->type === 'content';
}
return $p;
diff -Nru roundcube-1.3.8+dfsg.1/plugins/enigma/lib/enigma_ui.php
roundcube-1.3.10+dfsg.1/plugins/enigma/lib/enigma_ui.php
--- roundcube-1.3.8+dfsg.1/plugins/enigma/lib/enigma_ui.php 2018-10-23
13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/plugins/enigma/lib/enigma_ui.php 2019-08-28
13:24:50.000000000 +0200
@@ -423,12 +423,12 @@
}
}
+ $table->set_row_attribs($subkey->revoked || ($subkey->expires &&
$subkey->expires < $now) ? 'deleted' : '');
$table->add('id', $subkey->get_short_id());
$table->add('algo', $algo);
$table->add('created', $subkey->created ?
$this->rc->format_date($subkey->created, $date_format, false) : '');
$table->add('expires', $subkey->expires ?
$this->rc->format_date($subkey->expires, $date_format, false) :
$this->enigma->gettext('expiresnever'));
$table->add('usage', implode(',', $usage));
- $table->set_row_attribs($subkey->revoked || ($subkey->expires &&
$subkey->expires < $now) ? 'deleted' : '');
}
$out .= html::tag('fieldset', null,
@@ -448,9 +448,9 @@
}
$username .= ' <' . $user->email . '>';
+ $table->set_row_attribs($user->revoked || !$user->valid ?
'deleted' : '');
$table->add('id', rcube::Q(trim($username)));
$table->add('valid', $this->enigma->gettext($user->valid ? 'valid'
: 'unknown'));
- $table->set_row_attribs($user->revoked || !$user->valid ?
'deleted' : '');
}
$out .= html::tag('fieldset', null,
@@ -732,7 +732,7 @@
}
$table->add('title', html::label('key-name',
rcube::Q($this->enigma->gettext('newkeyident'))));
- $table->add(null, implode($identities, "\n"));
+ $table->add(null, implode("\n", $identities));
// Key size
$select = new html_select(array('name' => 'size', 'id' => 'key-size'));
@@ -1100,10 +1100,14 @@
if ($mode && ($status instanceof enigma_error)) {
$code = $status->getCode();
-
if ($code == enigma_error::KEYNOTFOUND) {
- $vars = array('email' => $status->getData('missing'));
- $msg = 'enigma.' . $mode . 'nokey';
+ if ($email = $status->getData('missing')) {
+ $vars = array('email' => $email);
+ $msg = 'enigma.' . $mode . 'nokey';
+ }
+ else {
+ $msg = 'enigma.' . ($encrypt_enable ? 'encryptnoprivkey' :
'signnokey');
+ }
}
else if ($code == enigma_error::BADPASS) {
$this->password_prompt($status);
diff -Nru roundcube-1.3.8+dfsg.1/plugins/enigma/localization/en_US.inc
roundcube-1.3.10+dfsg.1/plugins/enigma/localization/en_US.inc
--- roundcube-1.3.8+dfsg.1/plugins/enigma/localization/en_US.inc
2018-10-23 13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/plugins/enigma/localization/en_US.inc
2019-08-28 13:24:50.000000000 +0200
@@ -112,6 +112,7 @@
$messages['signnopass'] = 'Signing failed. Key password required.';
$messages['encrypterror'] = 'Encryption failed.';
$messages['encryptnokey'] = 'Encryption failed. Public key not found for
$email.';
+$messages['encryptnoprivkey'] = 'Encryption failed. Private key not found.';
$messages['nokeysfound'] = 'No keys found';
$messages['keynotfound'] = 'Key not found!';
$messages['keyopenerror'] = 'Unable to get key information! Internal error.';
diff -Nru roundcube-1.3.8+dfsg.1/plugins/enigma/README
roundcube-1.3.10+dfsg.1/plugins/enigma/README
--- roundcube-1.3.8+dfsg.1/plugins/enigma/README 2018-10-23
13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/plugins/enigma/README 2019-08-28
13:24:50.000000000 +0200
@@ -58,7 +58,7 @@
Possible reasons:
- non-working loader in shebang (#! /usr/bin/env php)
Make sure it works for the user the php scripts are executed upon
- (i.e. apache, www-date, etc.)
+ (i.e. apache, www-data, etc.)
- SELinux setting, try command: setsebool -P httpd_unified 0
Note: pinentry is used with gpg >= 2.0 and <= 2.1.12.
diff -Nru roundcube-1.3.8+dfsg.1/plugins/managesieve/Changelog
roundcube-1.3.10+dfsg.1/plugins/managesieve/Changelog
--- roundcube-1.3.8+dfsg.1/plugins/managesieve/Changelog 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/plugins/managesieve/Changelog 2019-08-28
13:24:50.000000000 +0200
@@ -1,3 +1,4 @@
+- Fix so "Create filter" option does not show up when Filters menu is disabled
(#6723)
- Fix bug where show_real_foldernames setting wasn't respected (#6422)
- Fix bug where text: syntax was forced for strings longer than 1024
characters (#6143)
- Fix missing Save button in Edit Filter Set page of Classic skin (#6154)
diff -Nru roundcube-1.3.8+dfsg.1/plugins/managesieve/managesieve.php
roundcube-1.3.10+dfsg.1/plugins/managesieve/managesieve.php
--- roundcube-1.3.8+dfsg.1/plugins/managesieve/managesieve.php 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/plugins/managesieve/managesieve.php 2019-08-28
13:24:50.000000000 +0200
@@ -138,6 +138,13 @@
return;
}
+ $this->load_config();
+
+ $vacation_mode = (int) $this->rc->config->get('managesieve_vacation');
+ if ($vacation_mode == 2) {
+ return;
+ }
+
// use jQuery for popup window
$this->require_plugin('jqueryui');
diff -Nru roundcube-1.3.8+dfsg.1/program/include/iniset.php
roundcube-1.3.10+dfsg.1/program/include/iniset.php
--- roundcube-1.3.8+dfsg.1/program/include/iniset.php 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/include/iniset.php 2019-08-28
13:24:50.000000000 +0200
@@ -5,7 +5,7 @@
| program/include/iniset.php |
| |
| This file is part of the Roundcube Webmail client |
- | Copyright (C) 2008-2017, The Roundcube Dev Team |
+ | Copyright (C) 2008-2019, The Roundcube Dev Team |
| |
| Licensed under the GNU General Public License version 3 or |
| any later version with exceptions for skins & plugins. |
@@ -21,7 +21,7 @@
*/
// application constants
-define('RCMAIL_VERSION', '1.3.8');
+define('RCMAIL_VERSION', '1.3.10');
define('RCMAIL_START', microtime(true));
if (!defined('INSTALL_PATH')) {
diff -Nru roundcube-1.3.8+dfsg.1/program/include/rcmail_install.php
roundcube-1.3.10+dfsg.1/program/include/rcmail_install.php
--- roundcube-1.3.8+dfsg.1/program/include/rcmail_install.php 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/include/rcmail_install.php 2019-08-28
13:24:50.000000000 +0200
@@ -519,10 +519,9 @@
{
$errors = array();
$files = array(
- 'skins/larry/images/roundcube_logo.png' => 'image/png',
- 'program/resources/blank.tiff' => 'image/tiff',
- 'program/resources/blocked.gif' => 'image/gif',
- 'skins/larry/README' => 'text/plain',
+ 'program/resources/tinymce/video.png' => 'image/png',
+ 'program/resources/blank.tiff' => 'image/tiff',
+ 'program/resources/blocked.gif' => 'image/gif',
);
foreach ($files as $path => $expected) {
diff -Nru roundcube-1.3.8+dfsg.1/program/js/app.js
roundcube-1.3.10+dfsg.1/program/js/app.js
--- roundcube-1.3.8+dfsg.1/program/js/app.js 2018-10-23 13:12:54.000000000
+0200
+++ roundcube-1.3.10+dfsg.1/program/js/app.js 2019-08-28 13:24:50.000000000
+0200
@@ -1604,6 +1604,7 @@
if (menu) {
$(menu).hide();
}
+
this.command(action, this.env.drag_target);
this.env.drag_target = null;
};
@@ -1633,7 +1634,8 @@
else if (list = this.contact_list)
model = this.env.contactfolders;
- if (this.drag_active && model && this.env.last_folder_target) {
+ // Note: we accept only mouse events to ignore dragging aborts with ESC
key (#6623)
+ if (this.drag_active && model && this.env.last_folder_target &&
!rcube_event.is_keyboard(e)) {
var target = model[this.env.last_folder_target];
list.draglayer.hide();
@@ -1718,7 +1720,7 @@
// remove focus from list widgets
if (window.rcube_list_widget && rcube_list_widget._instances.length) {
- $.each(rcube_list_widget._instances, function(i,list){
+ $.each(rcube_list_widget._instances, function(i,list) {
if (list && !rcube_mouse_is_over(e, list.list.parentNode))
list.blur();
});
@@ -1733,7 +1735,7 @@
}
// reset popup menus; delayed to have updated menu_stack data
- setTimeout(function(e){
+ setTimeout(function(e) {
var obj, skip, config, id, i, parents = $(target).parents();
for (i = ref.menu_stack.length - 1; i >= 0; i--) {
id = ref.menu_stack[i];
@@ -9059,8 +9061,15 @@
// get the IMP mailbox of the message with the given UID
this.get_message_mailbox = function(uid)
{
- var msg = (this.env.messages && uid ? this.env.messages[uid] : null) || {};
- return msg.mbox || this.env.mailbox;
+ var msg;
+
+ if (this.env.messages && uid && (msg = this.env.messages[uid]) && msg.mbox)
+ return msg.mbox;
+
+ if (/^[0-9]+-(.*)$/.test(uid))
+ return RegExp.$1;
+
+ return this.env.mailbox;
};
// build request parameters from single message id (maybe with mailbox name)
diff -Nru roundcube-1.3.8+dfsg.1/program/js/list.js
roundcube-1.3.10+dfsg.1/program/js/list.js
--- roundcube-1.3.8+dfsg.1/program/js/list.js 2018-10-23 13:12:54.000000000
+0200
+++ roundcube-1.3.10+dfsg.1/program/js/list.js 2019-08-28 13:24:50.000000000
+0200
@@ -355,8 +355,11 @@
node.style.display = 'none';
+ // Specify removed row uid in the select_next argument.
+ // It's needed because after removing a set of rows
+ // reference to the last selected message is lost.
if (sel_next)
- this.select_next();
+ this.select_next(uid);
delete this.rows[uid];
this.rowcount--;
@@ -579,6 +582,7 @@
rcube_event.add_listener({event:'mousemove', object:this,
method:'drag_mouse_move'});
rcube_event.add_listener({event:'mouseup', object:this,
method:'drag_mouse_up'});
+
if (bw.touch) {
rcube_event.add_listener({event:'touchmove', object:this,
method:'drag_mouse_move'});
rcube_event.add_listener({event:'touchend', object:this,
method:'drag_mouse_up'});
@@ -586,6 +590,7 @@
// enable dragging over iframes
this.add_dragfix();
+ this.focus();
}
return false;
@@ -875,12 +880,12 @@
/**
* get first/next/previous/last rows that are not hidden
*/
-get_next_row: function()
+get_next_row: function(uid)
{
if (!this.rowcount)
return false;
- var last_selected_row = this.rows[this.last_selected],
+ var last_selected_row = this.rows[uid || this.last_selected],
new_row = last_selected_row ? last_selected_row.obj.nextSibling : null;
while (new_row && (new_row.nodeType != 1 || new_row.style.display == 'none'))
@@ -889,12 +894,12 @@
return new_row;
},
-get_prev_row: function()
+get_prev_row: function(uid)
{
if (!this.rowcount)
return false;
- var last_selected_row = this.rows[this.last_selected],
+ var last_selected_row = this.rows[uid || this.last_selected],
new_row = last_selected_row ? last_selected_row.obj.previousSibling : null;
while (new_row && (new_row.nodeType != 1 || new_row.style.display == 'none'))
@@ -1029,15 +1034,12 @@
/**
- * Select row next to the last selected one.
+ * Select row next to the specified or last selected one
* Either below or above.
*/
-select_next: function()
+select_next: function(uid)
{
- var next_row = this.get_next_row(),
- prev_row = this.get_prev_row(),
- new_row = (next_row) ? next_row : prev_row;
-
+ var new_row = this.get_next_row(uid) || this.get_prev_row(uid);
if (new_row)
this.select_row(new_row.uid, false, false);
},
@@ -1323,9 +1325,7 @@
*/
key_press: function(e)
{
- var target = e.target || {};
-
- if (!this.focused || target.nodeName == 'INPUT' || target.nodeName ==
'TEXTAREA' || target.nodeName == 'SELECT')
+ if (!this.focused || $(e.target).is('input,textarea,select'))
return true;
var keyCode = rcube_event.get_keycode(e),
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/bootstrap.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/bootstrap.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/bootstrap.php 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/bootstrap.php 2019-08-28
13:24:50.000000000 +0200
@@ -53,7 +53,7 @@
}
// framework constants
-define('RCUBE_VERSION', '1.3.8');
+define('RCUBE_VERSION', '1.3.10');
define('RCUBE_CHARSET', 'UTF-8');
if (!defined('RCUBE_LIB_DIR')) {
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_contacts.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_contacts.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_contacts.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_contacts.php
2019-08-28 13:24:50.000000000 +0200
@@ -356,7 +356,7 @@
if (!empty($post_search) || !empty($required)) {
$ids = array(0);
// build key name regexp
- $regexp = '/^(' . implode(array_keys($post_search), '|') .
')(?:.*)$/';
+ $regexp = '/^(' . implode('|', array_keys($post_search)) .
')(?:.*)$/';
// use initial WHERE clause, to limit records number if possible
if (!empty($where))
$this->set_search_set($where);
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_db.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_db.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_db.php 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_db.php 2019-08-28
13:24:50.000000000 +0200
@@ -914,7 +914,7 @@
$name[] = $start . $elem . $end;
}
- return implode($name, '.');
+ return implode('.', $name);
}
/**
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_html2text.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_html2text.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_html2text.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_html2text.php
2019-08-28 13:24:50.000000000 +0200
@@ -248,8 +248,6 @@
protected $callback_search = array(
'/<(a) [^>]*href=("|\')([^"\']+)\2[^>]*>(.*?)<\/a>/i', // <a href="">
'/<(h)[123456]( [^>]*)?>(.*?)<\/h[123456]>/i', // h1 - h6
- '/<(b)( [^>]*)?>(.*?)<\/b>/i', // <b>
- '/<(strong)( [^>]*)?>(.*?)<\/strong>/i', // <strong>
'/<(th)( [^>]*)?>(.*?)<\/th>/i', // <th> and
</th>
);
@@ -659,9 +657,6 @@
public function tags_preg_callback($matches)
{
switch (strtolower($matches[1])) {
- case 'b':
- case 'strong':
- return $this->_toupper($matches[3]);
case 'th':
return $this->_toupper("\t\t". $matches[3] ."\n");
case 'h':
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_image.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_image.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_image.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_image.php
2019-08-28 13:24:50.000000000 +0200
@@ -324,7 +324,7 @@
$p['out'] = $filename;
$p['type'] = self::$extensions[$type];
- $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip
-quality 75 {in} {type}:{out}', $p);
+ $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip
-flatten -quality 75 {in} {type}:{out}', $p);
if ($result === '') {
chmod($filename, 0600);
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_imap_generic.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_imap_generic.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_imap_generic.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_imap_generic.php
2019-08-28 13:24:50.000000000 +0200
@@ -1237,10 +1237,10 @@
$items[] = 'UNSEEN';
}
- list($code, $response) = $this->execute('STATUS',
array($this->escape($mailbox),
- '(' . implode(' ', $items) . ')'));
+ list($code, $response) = $this->execute('STATUS',
+ array($this->escape($mailbox), '(' . implode(' ', $items) . ')'),
0, '/^\* STATUS /i');
- if ($code == self::ERROR_OK && preg_match('/^\* STATUS /i',
$response)) {
+ if ($code == self::ERROR_OK && $response) {
$result = array();
$response = substr($response, 9); // remove prefix "* STATUS "
@@ -1703,11 +1703,11 @@
}
}
- list($code, $response) = $this->execute('ID', array(
- !empty($args) ? '(' . implode(' ', (array) $args) . ')' :
$this->escape(null)
- ));
+ list($code, $response) = $this->execute('ID',
+ array(!empty($args) ? '(' . implode(' ', (array) $args) . ')' :
$this->escape(null)),
+ 0, '/^\* ID /i');
- if ($code == self::ERROR_OK && preg_match('/^\* ID /i', $response)) {
+ if ($code == self::ERROR_OK && $response) {
$response = substr($response, 5); // remove prefix "* ID "
$items = $this->tokenizeResponse($response, 1);
$result = null;
@@ -1758,9 +1758,9 @@
}
}
- list($code, $response) = $this->execute('ENABLE', $extension);
+ list($code, $response) = $this->execute('ENABLE', $extension, 0, '/^\*
ENABLED /i');
- if ($code == self::ERROR_OK && preg_match('/^\* ENABLED /i',
$response)) {
+ if ($code == self::ERROR_OK && $response) {
$response = substr($response, 10); // remove prefix "* ENABLED "
$result = (array) $this->tokenizeResponse($response);
@@ -3114,7 +3114,7 @@
// * QUOTA user/sample (STORAGE 654 9765)
// a0001 OK Completed
- list($code, $response) = $this->execute('GETQUOTAROOT',
array($this->escape($mailbox)));
+ list($code, $response) = $this->execute('GETQUOTAROOT',
array($this->escape($mailbox)), 0, '/^\* QUOTA /i');
$result = false;
$min_free = PHP_INT_MAX;
@@ -3122,41 +3122,39 @@
if ($code == self::ERROR_OK) {
foreach (explode("\n", $response) as $line) {
- if (preg_match('/^\* QUOTA /', $line)) {
- list(, , $quota_root) = $this->tokenizeResponse($line, 3);
+ list(, , $quota_root) = $this->tokenizeResponse($line, 3);
- $quotas = $this->tokenizeResponse($line, 1);
+ $quotas = $this->tokenizeResponse($line, 1);
- if (empty($quotas)) {
- continue;
- }
+ if (empty($quotas)) {
+ continue;
+ }
- foreach (array_chunk($quotas, 3) as $quota) {
- list($type, $used, $total) = $quota;
- $type = strtolower($type);
+ foreach (array_chunk($quotas, 3) as $quota) {
+ list($type, $used, $total) = $quota;
+ $type = strtolower($type);
- if ($type && $total) {
- $all[$quota_root][$type]['used'] = intval($used);
- $all[$quota_root][$type]['total'] = intval($total);
- }
+ if ($type && $total) {
+ $all[$quota_root][$type]['used'] = intval($used);
+ $all[$quota_root][$type]['total'] = intval($total);
}
+ }
- if (empty($all[$quota_root]['storage'])) {
- continue;
- }
+ if (empty($all[$quota_root]['storage'])) {
+ continue;
+ }
- $used = $all[$quota_root]['storage']['used'];
- $total = $all[$quota_root]['storage']['total'];
- $free = $total - $used;
-
- // calculate lowest available space from all storage quotas
- if ($free < $min_free) {
- $min_free = $free;
- $result['used'] = $used;
- $result['total'] = $total;
- $result['percent'] = min(100,
round(($used/max(1,$total))*100));
- $result['free'] = 100 - $result['percent'];
- }
+ $used = $all[$quota_root]['storage']['used'];
+ $total = $all[$quota_root]['storage']['total'];
+ $free = $total - $used;
+
+ // calculate lowest available space from all storage quotas
+ if ($free < $min_free) {
+ $min_free = $free;
+ $result['used'] = $used;
+ $result['total'] = $total;
+ $result['percent'] = min(100,
round(($used/max(1,$total))*100));
+ $result['free'] = 100 - $result['percent'];
}
}
}
@@ -3221,9 +3219,9 @@
*/
public function getACL($mailbox)
{
- list($code, $response) = $this->execute('GETACL',
array($this->escape($mailbox)));
+ list($code, $response) = $this->execute('GETACL',
array($this->escape($mailbox)), 0, '/^\* ACL /i');
- if ($code == self::ERROR_OK && preg_match('/^\* ACL /i', $response)) {
+ if ($code == self::ERROR_OK && $response) {
// Parse server response (remove "* ACL ")
$response = substr($response, 6);
$ret = $this->tokenizeResponse($response);
@@ -3258,10 +3256,10 @@
*/
public function listRights($mailbox, $user)
{
- list($code, $response) = $this->execute('LISTRIGHTS', array(
- $this->escape($mailbox), $this->escape($user)));
+ list($code, $response) = $this->execute('LISTRIGHTS',
+ array($this->escape($mailbox), $this->escape($user)), 0, '/^\*
LISTRIGHTS /i');
- if ($code == self::ERROR_OK && preg_match('/^\* LISTRIGHTS /i',
$response)) {
+ if ($code == self::ERROR_OK && $response) {
// Parse server response (remove "* LISTRIGHTS ")
$response = substr($response, 13);
@@ -3287,9 +3285,9 @@
*/
public function myRights($mailbox)
{
- list($code, $response) = $this->execute('MYRIGHTS',
array($this->escape($mailbox)));
+ list($code, $response) = $this->execute('MYRIGHTS',
array($this->escape($mailbox)), 0, '/^\* MYRIGHTS /i');
- if ($code == self::ERROR_OK && preg_match('/^\* MYRIGHTS /i',
$response)) {
+ if ($code == self::ERROR_OK && $response) {
// Parse server response (remove "* MYRIGHTS ")
$response = substr($response, 11);
@@ -3704,11 +3702,12 @@
* @param string $command IMAP command
* @param array $arguments Command arguments
* @param int $options Execution options
+ * @param string $filter Line filter (regexp)
*
* @return mixed Response code or list of response code and data
* @since 0.5-beta
*/
- public function execute($command, $arguments=array(), $options=0)
+ public function execute($command, $arguments = array(), $options = 0,
$filter = null)
{
$tag = $this->nextTag();
$query = $tag . ' ' . $command;
@@ -3735,7 +3734,10 @@
$line = $this->readLine(4096);
if ($response !== null) {
- $response .= $line;
+ // TODO: Better string literals handling with filter
+ if (!$filter || preg_match($filter, $line)) {
+ $response .= $line;
+ }
}
// parse untagged response for [COPYUID 1204196876 3456:3457
123:124] (RFC6851)
@@ -3751,8 +3753,12 @@
// Remove last line from response
if ($response) {
- $line_len = min(strlen($response), strlen($line) + 2);
- $response = substr($response, 0, -$line_len);
+ if (!$filter) {
+ $line_len = min(strlen($response), strlen($line));
+ $response = substr($response, 0, -$line_len);
+ }
+
+ $response = rtrim($response, "\r\n");
}
// optional CAPABILITY response
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_imap.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_imap.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_imap.php 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_imap.php
2019-08-28 13:24:50.000000000 +0200
@@ -1056,8 +1056,10 @@
}
// slice resultset first...
+ $index = array_slice($search_set->get(), $from, $slice_length);
$fetch = array();
- foreach (array_slice($search_set->get(), $from, $slice_length)
as $msg_id) {
+
+ foreach ($index as $msg_id) {
list($uid, $folder) = explode('-', $msg_id, 2);
$fetch[$folder][] = $uid;
}
@@ -1067,6 +1069,11 @@
foreach ($fetch as $folder => $a_index) {
$a_msg_headers = array_merge($a_msg_headers,
array_values($this->fetch_headers($folder, $a_index)));
}
+
+ // Re-sort the result according to the original search set
order
+ usort($a_msg_headers, function($a, $b) use ($index) {
+ return array_search($a->uid . '-' . $a->folder, $index) -
array_search($b->uid . '-' . $b->folder, $index);
+ });
}
if ($slice) {
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_ldap_generic.php
2019-08-28 13:24:50.000000000 +0200
@@ -55,19 +55,6 @@
}
/**
- * Get a specific LDAP entry, identified by its DN
- *
- * @param string $dn Record identifier
- * @param array $attributes Attributes to return
- *
- * @return array Hash array
- */
- function get_entry($dn, $attributes = array())
- {
- return parent::get_entry($dn, !empty($attributes) ? $attributes :
$this->attributes);
- }
-
- /**
* Prints debug/error info to the log
*/
public function log($level, $msg)
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_ldap.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_ldap.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_ldap.php 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_ldap.php
2019-08-28 13:24:50.000000000 +0200
@@ -1009,7 +1009,7 @@
if ($this->ready && $dn) {
$dn = self::dn_decode($dn);
- if ($rec = $this->ldap->get_entry($dn)) {
+ if ($rec = $this->ldap->get_entry($dn, $this->prop['attributes']))
{
$rec = array_change_key_case($rec, CASE_LOWER);
}
@@ -1530,8 +1530,15 @@
foreach ($fieldmap as $rf => $lf)
{
- for ($i=0; $i < $rec[$lf]['count']; $i++) {
- if (!($value = $rec[$lf][$i]))
+ // we might be dealing with normalized and non-normalized data
+ $entry = $rec[$lf];
+ if (!is_array($entry) || !isset($entry['count'])) {
+ $entry = (array) $entry;
+ $entry['count'] = count($entry);
+ }
+
+ for ($i=0; $i < $entry['count']; $i++) {
+ if (!($value = $entry[$i]))
continue;
list($col, $subtype) = explode(':', $rf);
@@ -1543,7 +1550,7 @@
$out['address' . ($subtype ? ':' : '') .
$subtype][$i][$col] = $value;
else if ($col == 'address' && strpos($value, '$') !== false)
// address data is represented as string separated with $
list($out[$rf][$i]['street'], $out[$rf][$i]['locality'],
$out[$rf][$i]['zipcode'], $out[$rf][$i]['country']) = explode('$', $value);
- else if ($rec[$lf]['count'] > 1)
+ else if ($entry['count'] > 1)
$out[$rf][] = $value;
else
$out[$rf] = $value;
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_message.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_message.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_message.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_message.php
2019-08-28 13:24:50.000000000 +0200
@@ -769,12 +769,12 @@
// multipart/alternative or message/rfc822
if ($primary_type == 'multipart' || $part_mimetype ==
'message/rfc822') {
- $this->parse_structure($mail_part, true);
-
- // list message/rfc822 as attachment as well (mostly .eml)
- if ($primary_type == 'message' &&
!empty($mail_part->filename)) {
+ // list message/rfc822 as attachment as well
+ if ($part_mimetype == 'message/rfc822') {
$this->add_part($mail_part, 'attachment');
}
+
+ $this->parse_structure($mail_part, true);
}
// part text/[plain|html] or delivery status
else if ((($part_mimetype == 'text/plain' || $part_mimetype ==
'text/html') && $mail_part->disposition != 'attachment') ||
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_mime.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_mime.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_mime.php 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_mime.php
2019-08-28 13:24:50.000000000 +0200
@@ -844,6 +844,8 @@
'image/jpg' => array('jpg', 'jpeg', 'jpe'),
'image/pjpeg' => array('jpg', 'jpeg', 'jpe'),
'image/tiff' => array('tif'),
+ 'image/bmp' => array('bmp'),
+ 'image/x-ms-bmp' => array('bmp'),
'message/rfc822' => array('eml'),
'text/x-mail' => array('eml'),
);
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_utils.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_utils.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_utils.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_utils.php
2019-08-28 13:24:50.000000000 +0200
@@ -119,18 +119,16 @@
$rcube = rcube::get_instance();
- if (!$dns_check || !$rcube->config->get('email_dns_check')) {
+ if (!$dns_check || !function_exists('checkdnsrr') ||
!$rcube->config->get('email_dns_check')) {
return true;
}
- // find MX record(s)
- if (!function_exists('getmxrr') || getmxrr($domain_part,
$mx_records)) {
- return true;
- }
-
- // find any DNS record
- if (!function_exists('checkdnsrr') || checkdnsrr($domain_part,
'ANY')) {
- return true;
+ // Check DNS record(s)
+ // Note: We can't use ANY (#6581)
+ foreach (array('A', 'MX', 'CNAME', 'AAAA') as $type) {
+ if (checkdnsrr($domain_part, $type)) {
+ return true;
+ }
}
}
@@ -390,7 +388,7 @@
return '/* evil! */';
}
- $strict_url_regexp = '!url\s*\([ "\'](https?:)//[a-z0-9/._+-]+["\'
]\)!Uims';
+ $strict_url_regexp =
'!url\s*\(\s*["\']?(https?:)//[a-z0-9/._+-]+["\']?\s*\)!Uims';
// cut out all contents between { and }
while (($pos = strpos($source, '{', $last_pos)) && ($pos2 =
strpos($source, '}', $pos))) {
@@ -401,7 +399,7 @@
$styles = substr($source, $pos+1, $length);
// Convert position:fixed to position:absolute (#5264)
- $styles = preg_replace('/position:[\s\r\n]*fixed/i', 'position:
absolute', $styles);
+ $styles = preg_replace('/position[^a-z]*:[\s\r\n]*fixed/i',
'position: absolute', $styles);
// check every line of a style block...
if ($allow_remote) {
@@ -431,7 +429,7 @@
$source = substr_replace($source, $repl, $pos+1, $length);
$last_pos = $pos2 - ($length - strlen($repl));
}
-
+/*
// remove html comments and add #container to each tag selector.
// also replace body definition because we also stripped off the
<body> tag
$source = preg_replace(
@@ -449,6 +447,39 @@
$container_id,
),
$source);
+*/
+ // remove html comments
+ $source = preg_replace('/(^\s*<\!--)|(-->\s*$)/m', '', $source);
+
+ // add #container to each tag selector
+ if ($container_id) {
+ // (?!##str) below is to not match with ##str_replacement_0##
+ // from rcube_string_replacer used above, this is needed for
+ // cases like @media { body { position: fixed; } } (#5811)
+ $regexp =
'/(^\s*|,\s*|\}\s*|\{\s*)((?!##str):?[a-z0-9\._#\*\[][a-z0-9\._:\(\)#=~
\[\]"\|\>\+\$\^-]*)/im';
+ $callback = function($matches) use ($container_id, $prefix) {
+ $replace = $matches[2];
+
+ if (stripos($replace, ':root') === 0) {
+ $replace = substr($replace, 5);
+ }
+
+ $replace = "#$container_id " . $replace;
+
+ // Remove redundant spaces (for simpler testing)
+ $replace = preg_replace('/\s+/', ' ', $replace);
+
+ return str_replace($matches[2], $replace, $matches[0]);
+ };
+
+ $source = preg_replace_callback($regexp, $callback, $source);
+ }
+
+ // replace body definition because we also stripped off the <body> tag
+ if ($container_id) {
+ $regexp = '/#' . preg_quote($container_id, '/') . '\s+body/i';
+ $source = preg_replace($regexp, "#$container_id", $source);
+ }
// put block contents back in
$source = $replacements->resolve($source);
@@ -569,13 +600,15 @@
// %n - host
$n = preg_replace('/:\d+$/', '', $_SERVER['SERVER_NAME']);
// %t - host name without first part, e.g. %n=mail.domain.tld,
%t=domain.tld
- $t = preg_replace('/^[^\.]+\./', '', $n);
- // %d - domain name without first part
- $d = preg_replace('/^[^\.]+\./', '', $_SERVER['HTTP_HOST']);
+ // If %n=domain.tld then %t=domain.tld as well (remains valid)
+ $t = preg_replace('/^[^.]+\.(?![^.]+$)/', '', $n);
+ // %d - domain name without first part (up to domain.tld)
+ $d = preg_replace('/^[^.]+\.(?![^.]+$)/', '', $_SERVER['HTTP_HOST']);
// %h - IMAP host
$h = $_SESSION['storage_host'] ?: $host;
// %z - IMAP domain without first part, e.g. %h=imap.domain.tld,
%z=domain.tld
- $z = preg_replace('/^[^\.]+\./', '', $h);
+ // If %h=domain.tld then %z=domain.tld as well (remains valid)
+ $z = preg_replace('/^[^.]+\.(?![^.]+$)/', '', $h);
// %s - domain name after the '@' from e-mail address provided at
login screen.
// Returns FALSE if an invalid email is provided
if (strpos($name, '%s') !== false) {
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_vcard.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_vcard.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_vcard.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_vcard.php
2019-08-28 13:24:50.000000000 +0200
@@ -535,8 +535,8 @@
'/item(\d+)\.(TEL|EMAIL|URL)([^:]*?):(.*?)item\1.X-ABLabel:(?:_\$!<)?([\w()
-]*)(?:>!\$_)?./si',
'/^item\d*\.X-AB.*$/mi', // remove cruft like item1.X-AB*
'/^item\d*\./mi', // remove item1.ADR instead of ADR
- '/\n+/', // remove empty lines
- '/^(N:[^;\R]*)$/m', // if N doesn't have any semicolons,
add some
+ '/\n+/', // remove empty lines
+ '/^(N:[^;\r\n]*)$/m', // if N doesn't have any semicolons,
add some
),
array(
'\2;type=\5\3:\4',
@@ -673,8 +673,10 @@
$data = self::vcard_unquote($data);
}
- $entry = array_merge($entry, (array) $data);
- $result[$field][] = $entry;
+ if (is_array($data) || (is_string($data) && strlen($data))) {
+ $entry = array_merge($entry, (array) $data);
+ $result[$field][] = $entry;
+ }
}
}
diff -Nru roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_washtml.php
roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_washtml.php
--- roundcube-1.3.8+dfsg.1/program/lib/Roundcube/rcube_washtml.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/lib/Roundcube/rcube_washtml.php
2019-08-28 13:24:50.000000000 +0200
@@ -318,7 +318,7 @@
$out = $this->wash_uri($value, true);
}
else if ($this->is_link_attribute($node->nodeName, $key)) {
- if (!preg_match('!^(javascript|vbscript|data:text)!i',
$value)
+ if (!preg_match('!^(javascript|vbscript|data:)!i', $value)
&& preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i',
$value)
) {
$out = $value;
diff -Nru roundcube-1.3.8+dfsg.1/program/steps/addressbook/search.inc
roundcube-1.3.10+dfsg.1/program/steps/addressbook/search.inc
--- roundcube-1.3.8+dfsg.1/program/steps/addressbook/search.inc 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/steps/addressbook/search.inc
2019-08-28 13:24:50.000000000 +0200
@@ -209,8 +209,8 @@
// search request ID
$search_request = md5('addr'
- .(is_array($fields) ? implode($fields, ',') : $fields)
- .(is_array($search) ? implode($search, ',') : $search));
+ .(is_array($fields) ? implode(',', $fields) : $fields)
+ .(is_array($search) ? implode(',', $search) : $search));
// save search settings in session
$_SESSION['search'][$search_request] = $search_set;
diff -Nru roundcube-1.3.8+dfsg.1/program/steps/mail/func.inc
roundcube-1.3.10+dfsg.1/program/steps/mail/func.inc
--- roundcube-1.3.8+dfsg.1/program/steps/mail/func.inc 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/steps/mail/func.inc 2019-08-28
13:24:50.000000000 +0200
@@ -1250,6 +1250,7 @@
$safe_mode = $MESSAGE->is_safe || intval($_GET['_safe']);
$out = '';
$part_no = 0;
+ $token = $RCMAIL->get_request_token();
$header_attrib = array();
foreach ($attrib as $attr => $value) {
@@ -1283,12 +1284,11 @@
else if (!$part->size) {
continue;
}
-
// Check if we have enough memory to handle the message in it
// #1487424: we need up to 10x more memory than the body
else if (!rcube_utils::mem_check($part->size * 10)) {
$out .= html::span('part-notice',
$RCMAIL->gettext('messagetoobig'). ' '
- .
html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_part='.$part->mime_id
+ .
html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_part='.$part->mime_id.'&_token='.$token
.'&_mbox='. urlencode($MESSAGE->folder),
$RCMAIL->gettext('download')));
continue;
}
@@ -1333,7 +1333,7 @@
// #1487424: we need up to 10x more memory than the body
if (!rcube_utils::mem_check(strlen($MESSAGE->body) * 10)) {
$out .= html::span('part-notice',
$RCMAIL->gettext('messagetoobig'). ' '
- .
html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_part=0'
+ .
html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_part=0&_token='.$token
.'&_mbox='. urlencode($MESSAGE->folder),
$RCMAIL->gettext('download')));
}
else {
diff -Nru roundcube-1.3.8+dfsg.1/program/steps/mail/get.inc
roundcube-1.3.10+dfsg.1/program/steps/mail/get.inc
--- roundcube-1.3.8+dfsg.1/program/steps/mail/get.inc 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/steps/mail/get.inc 2019-08-28
13:24:50.000000000 +0200
@@ -133,7 +133,7 @@
list($real_ctype_primary, $real_ctype_secondary) = explode('/',
$real_mimetype);
// accept text/plain with any extension
- if ($real_mimetype == 'text/plain' && $real_mimetype == $mimetype)
{
+ if ($real_mimetype == 'text/plain' &&
rcmail_mimetype_compare($real_mimetype, $mimetype)) {
$valid_extension = true;
}
// ignore differences in text/* mimetypes. Filetype detection
isn't very reliable here
@@ -163,7 +163,7 @@
// "fix" real mimetype the same way the original is before
comparison
$real_mimetype = rcmail_fix_mimetype($real_mimetype);
- $valid = $real_mimetype == $mimetype && $valid_extension;
+ $valid = $valid_extension &&
rcmail_mimetype_compare($real_mimetype, $mimetype);
}
else {
$real_mimetype = $mimetype;
@@ -306,6 +306,19 @@
/**
+ * Compares two mimetype strings with making sure that
+ * e.g. image/bmp and image/x-ms-bmp are treated as equal.
+ */
+function rcmail_mimetype_compare($type1, $type2)
+{
+ $regexp = '~/(x-ms-|x-)~';
+ $type1 = preg_replace($regexp, '/', $type1);
+ $type2 = preg_replace($regexp, '/', $type2);
+
+ return $type1 === $type2;
+}
+
+/**
* Attachment properties table
*/
function rcmail_message_part_controls($attrib)
diff -Nru roundcube-1.3.8+dfsg.1/program/steps/mail/list.inc
roundcube-1.3.10+dfsg.1/program/steps/mail/list.inc
--- roundcube-1.3.8+dfsg.1/program/steps/mail/list.inc 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/steps/mail/list.inc 2019-08-28
13:24:50.000000000 +0200
@@ -40,6 +40,14 @@
}
}
+// is there a set of columns for this request?
+if ($cols = rcube_utils::get_input_value('_cols', rcube_utils::INPUT_GET)) {
+ $_SESSION['list_attrib']['columns'] = explode(',', $cols);
+ if (!in_array('list_cols', $dont_override)) {
+ $save_arr['list_cols'] = explode(',', $cols);
+ }
+}
+
// register layout change
if ($layout = rcube_utils::get_input_value('_layout', rcube_utils::INPUT_GET))
{
$OUTPUT->set_env('layout', $layout);
@@ -47,13 +55,6 @@
// force header replace on layout change
$cols = $_SESSION['list_attrib']['columns'];
}
-// is there a set of columns for this request?
-else if ($cols = rcube_utils::get_input_value('_cols',
rcube_utils::INPUT_GET)) {
- $_SESSION['list_attrib']['columns'] = explode(',', $cols);
- if (!in_array('list_cols', $dont_override)) {
- $save_arr['list_cols'] = explode(',', $cols);
- }
-}
if (!empty($save_arr)) {
$RCMAIL->user->save_prefs($save_arr);
diff -Nru roundcube-1.3.8+dfsg.1/program/steps/mail/sendmail.inc
roundcube-1.3.10+dfsg.1/program/steps/mail/sendmail.inc
--- roundcube-1.3.8+dfsg.1/program/steps/mail/sendmail.inc 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/program/steps/mail/sendmail.inc 2019-08-28
13:24:50.000000000 +0200
@@ -276,7 +276,7 @@
}
// append doctype and html/body wrappers
- $bstyle = !empty($bstyle) ? (" style='" . implode($bstyle, '; ') .
"'") : '';
+ $bstyle = !empty($bstyle) ? (" style='" . implode('; ', $bstyle) .
"'") : '';
$message_body = '<html><head>'
. '<meta http-equiv="Content-Type" content="text/html; charset=' .
$message_charset . '" /></head>'
. "<body" . $bstyle . ">\r\n" . $message_body;
diff -Nru roundcube-1.3.8+dfsg.1/public_html/index.php
roundcube-1.3.10+dfsg.1/public_html/index.php
--- roundcube-1.3.8+dfsg.1/public_html/index.php 2018-10-23
13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/index.php 2019-08-28
13:24:49.000000000 +0200
@@ -3,7 +3,7 @@
/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
- | Version 1.3.8 |
+ | Version 1.3.10 |
| |
| Copyright (C) 2005-2017, The Roundcube Dev Team |
| |
diff -Nru
roundcube-1.3.8+dfsg.1/public_html/plugins/debug_logger/runlog/runlog.php
roundcube-1.3.10+dfsg.1/public_html/plugins/debug_logger/runlog/runlog.php
--- roundcube-1.3.8+dfsg.1/public_html/plugins/debug_logger/runlog/runlog.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/plugins/debug_logger/runlog/runlog.php
2019-08-28 13:24:50.000000000 +0200
@@ -19,7 +19,7 @@
public $timestamp = "d-M-Y H:i:s O";
public $max_line_size = 150;
- function runlog()
+ function __construct()
{
$this->start_time = microtime(true);
}
@@ -71,9 +71,6 @@
foreach ($this->tag_count as $tag => $count){
$tag_report .= "$tag: $count, ";
}
- if (!empty($tag_report)) {
-// $tag_report = "\n$tag_report\n";
- }
$end_txt = sprintf("end: $name - %0.4f seconds $tag_report",
$this->run_log[$lastk]['duration']);
$this->print_to_console($end_txt, $this->run_log[$lastk]['tag'],
'end');
$this->print_to_file($end_txt, $this->run_log[$lastk]['tag'],
'end');
@@ -223,7 +220,6 @@
return $buf;
}
-
function __destruct()
{
foreach ($this->file_handles as $handle) {
diff -Nru
roundcube-1.3.8+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php
roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php
--- roundcube-1.3.8+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php
2018-10-23 13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/lib/enigma_engine.php
2019-08-28 13:24:50.000000000 +0200
@@ -266,10 +266,6 @@
$recipients = array_merge($recipients, $mime->getRecipients());
}
- if (empty($recipients)) {
- return new enigma_error(enigma_error::KEYNOTFOUND);
- }
-
$recipients = array_unique($recipients);
// find recipient public keys
@@ -373,17 +369,36 @@
*/
function part_structure($p, $body = null)
{
+ static $got_content = false;
+
+ // Prevent from "decryption oracle" [CVE-2019-10740] (#6638)
+ // On mail compose (edit/reply/forward) we support encrypted content
only
+ // in the first "content part" of the message.
+ if ($got_content && $this->rc->task == 'mail' && $this->rc->action ==
'compose') {
+ return;
+ }
+
+ // Don't be tempted to support encryption in text/html parts
+ // Because of EFAIL vulnerability we should never support this (#6289)
+
if ($p['mimetype'] == 'text/plain' || $p['mimetype'] ==
'application/pgp') {
$this->parse_plain($p, $body);
+ $got_content = true;
}
else if ($p['mimetype'] == 'multipart/signed') {
$this->parse_signed($p, $body);
+ $got_content = true;
}
else if ($p['mimetype'] == 'multipart/encrypted') {
$this->parse_encrypted($p);
+ $got_content = true;
}
else if ($p['mimetype'] == 'application/pkcs7-mime') {
$this->parse_encrypted($p);
+ $got_content = true;
+ }
+ else {
+ $got_content = $p['structure']->type === 'content';
}
return $p;
diff -Nru roundcube-1.3.8+dfsg.1/public_html/plugins/enigma/lib/enigma_ui.php
roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/lib/enigma_ui.php
--- roundcube-1.3.8+dfsg.1/public_html/plugins/enigma/lib/enigma_ui.php
2018-10-23 13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/lib/enigma_ui.php
2019-08-28 13:24:50.000000000 +0200
@@ -423,12 +423,12 @@
}
}
+ $table->set_row_attribs($subkey->revoked || ($subkey->expires &&
$subkey->expires < $now) ? 'deleted' : '');
$table->add('id', $subkey->get_short_id());
$table->add('algo', $algo);
$table->add('created', $subkey->created ?
$this->rc->format_date($subkey->created, $date_format, false) : '');
$table->add('expires', $subkey->expires ?
$this->rc->format_date($subkey->expires, $date_format, false) :
$this->enigma->gettext('expiresnever'));
$table->add('usage', implode(',', $usage));
- $table->set_row_attribs($subkey->revoked || ($subkey->expires &&
$subkey->expires < $now) ? 'deleted' : '');
}
$out .= html::tag('fieldset', null,
@@ -448,9 +448,9 @@
}
$username .= ' <' . $user->email . '>';
+ $table->set_row_attribs($user->revoked || !$user->valid ?
'deleted' : '');
$table->add('id', rcube::Q(trim($username)));
$table->add('valid', $this->enigma->gettext($user->valid ? 'valid'
: 'unknown'));
- $table->set_row_attribs($user->revoked || !$user->valid ?
'deleted' : '');
}
$out .= html::tag('fieldset', null,
@@ -732,7 +732,7 @@
}
$table->add('title', html::label('key-name',
rcube::Q($this->enigma->gettext('newkeyident'))));
- $table->add(null, implode($identities, "\n"));
+ $table->add(null, implode("\n", $identities));
// Key size
$select = new html_select(array('name' => 'size', 'id' => 'key-size'));
@@ -1100,10 +1100,14 @@
if ($mode && ($status instanceof enigma_error)) {
$code = $status->getCode();
-
if ($code == enigma_error::KEYNOTFOUND) {
- $vars = array('email' => $status->getData('missing'));
- $msg = 'enigma.' . $mode . 'nokey';
+ if ($email = $status->getData('missing')) {
+ $vars = array('email' => $email);
+ $msg = 'enigma.' . $mode . 'nokey';
+ }
+ else {
+ $msg = 'enigma.' . ($encrypt_enable ? 'encryptnoprivkey' :
'signnokey');
+ }
}
else if ($code == enigma_error::BADPASS) {
$this->password_prompt($status);
diff -Nru
roundcube-1.3.8+dfsg.1/public_html/plugins/enigma/localization/en_US.inc
roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/localization/en_US.inc
--- roundcube-1.3.8+dfsg.1/public_html/plugins/enigma/localization/en_US.inc
2018-10-23 13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/localization/en_US.inc
2019-08-28 13:24:50.000000000 +0200
@@ -112,6 +112,7 @@
$messages['signnopass'] = 'Signing failed. Key password required.';
$messages['encrypterror'] = 'Encryption failed.';
$messages['encryptnokey'] = 'Encryption failed. Public key not found for
$email.';
+$messages['encryptnoprivkey'] = 'Encryption failed. Private key not found.';
$messages['nokeysfound'] = 'No keys found';
$messages['keynotfound'] = 'Key not found!';
$messages['keyopenerror'] = 'Unable to get key information! Internal error.';
diff -Nru roundcube-1.3.8+dfsg.1/public_html/plugins/enigma/README
roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/README
--- roundcube-1.3.8+dfsg.1/public_html/plugins/enigma/README 2018-10-23
13:12:53.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/plugins/enigma/README 2019-08-28
13:24:50.000000000 +0200
@@ -58,7 +58,7 @@
Possible reasons:
- non-working loader in shebang (#! /usr/bin/env php)
Make sure it works for the user the php scripts are executed upon
- (i.e. apache, www-date, etc.)
+ (i.e. apache, www-data, etc.)
- SELinux setting, try command: setsebool -P httpd_unified 0
Note: pinentry is used with gpg >= 2.0 and <= 2.1.12.
diff -Nru roundcube-1.3.8+dfsg.1/public_html/plugins/managesieve/Changelog
roundcube-1.3.10+dfsg.1/public_html/plugins/managesieve/Changelog
--- roundcube-1.3.8+dfsg.1/public_html/plugins/managesieve/Changelog
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/plugins/managesieve/Changelog
2019-08-28 13:24:50.000000000 +0200
@@ -1,3 +1,4 @@
+- Fix so "Create filter" option does not show up when Filters menu is disabled
(#6723)
- Fix bug where show_real_foldernames setting wasn't respected (#6422)
- Fix bug where text: syntax was forced for strings longer than 1024
characters (#6143)
- Fix missing Save button in Edit Filter Set page of Classic skin (#6154)
diff -Nru
roundcube-1.3.8+dfsg.1/public_html/plugins/managesieve/managesieve.php
roundcube-1.3.10+dfsg.1/public_html/plugins/managesieve/managesieve.php
--- roundcube-1.3.8+dfsg.1/public_html/plugins/managesieve/managesieve.php
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/plugins/managesieve/managesieve.php
2019-08-28 13:24:50.000000000 +0200
@@ -138,6 +138,13 @@
return;
}
+ $this->load_config();
+
+ $vacation_mode = (int) $this->rc->config->get('managesieve_vacation');
+ if ($vacation_mode == 2) {
+ return;
+ }
+
// use jQuery for popup window
$this->require_plugin('jqueryui');
diff -Nru roundcube-1.3.8+dfsg.1/public_html/program/js/app.js
roundcube-1.3.10+dfsg.1/public_html/program/js/app.js
--- roundcube-1.3.8+dfsg.1/public_html/program/js/app.js 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/program/js/app.js 2019-08-28
13:24:50.000000000 +0200
@@ -1604,6 +1604,7 @@
if (menu) {
$(menu).hide();
}
+
this.command(action, this.env.drag_target);
this.env.drag_target = null;
};
@@ -1633,7 +1634,8 @@
else if (list = this.contact_list)
model = this.env.contactfolders;
- if (this.drag_active && model && this.env.last_folder_target) {
+ // Note: we accept only mouse events to ignore dragging aborts with ESC
key (#6623)
+ if (this.drag_active && model && this.env.last_folder_target &&
!rcube_event.is_keyboard(e)) {
var target = model[this.env.last_folder_target];
list.draglayer.hide();
@@ -1718,7 +1720,7 @@
// remove focus from list widgets
if (window.rcube_list_widget && rcube_list_widget._instances.length) {
- $.each(rcube_list_widget._instances, function(i,list){
+ $.each(rcube_list_widget._instances, function(i,list) {
if (list && !rcube_mouse_is_over(e, list.list.parentNode))
list.blur();
});
@@ -1733,7 +1735,7 @@
}
// reset popup menus; delayed to have updated menu_stack data
- setTimeout(function(e){
+ setTimeout(function(e) {
var obj, skip, config, id, i, parents = $(target).parents();
for (i = ref.menu_stack.length - 1; i >= 0; i--) {
id = ref.menu_stack[i];
@@ -9059,8 +9061,15 @@
// get the IMP mailbox of the message with the given UID
this.get_message_mailbox = function(uid)
{
- var msg = (this.env.messages && uid ? this.env.messages[uid] : null) || {};
- return msg.mbox || this.env.mailbox;
+ var msg;
+
+ if (this.env.messages && uid && (msg = this.env.messages[uid]) && msg.mbox)
+ return msg.mbox;
+
+ if (/^[0-9]+-(.*)$/.test(uid))
+ return RegExp.$1;
+
+ return this.env.mailbox;
};
// build request parameters from single message id (maybe with mailbox name)
diff -Nru roundcube-1.3.8+dfsg.1/public_html/program/js/list.js
roundcube-1.3.10+dfsg.1/public_html/program/js/list.js
--- roundcube-1.3.8+dfsg.1/public_html/program/js/list.js 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/program/js/list.js 2019-08-28
13:24:50.000000000 +0200
@@ -355,8 +355,11 @@
node.style.display = 'none';
+ // Specify removed row uid in the select_next argument.
+ // It's needed because after removing a set of rows
+ // reference to the last selected message is lost.
if (sel_next)
- this.select_next();
+ this.select_next(uid);
delete this.rows[uid];
this.rowcount--;
@@ -579,6 +582,7 @@
rcube_event.add_listener({event:'mousemove', object:this,
method:'drag_mouse_move'});
rcube_event.add_listener({event:'mouseup', object:this,
method:'drag_mouse_up'});
+
if (bw.touch) {
rcube_event.add_listener({event:'touchmove', object:this,
method:'drag_mouse_move'});
rcube_event.add_listener({event:'touchend', object:this,
method:'drag_mouse_up'});
@@ -586,6 +590,7 @@
// enable dragging over iframes
this.add_dragfix();
+ this.focus();
}
return false;
@@ -875,12 +880,12 @@
/**
* get first/next/previous/last rows that are not hidden
*/
-get_next_row: function()
+get_next_row: function(uid)
{
if (!this.rowcount)
return false;
- var last_selected_row = this.rows[this.last_selected],
+ var last_selected_row = this.rows[uid || this.last_selected],
new_row = last_selected_row ? last_selected_row.obj.nextSibling : null;
while (new_row && (new_row.nodeType != 1 || new_row.style.display == 'none'))
@@ -889,12 +894,12 @@
return new_row;
},
-get_prev_row: function()
+get_prev_row: function(uid)
{
if (!this.rowcount)
return false;
- var last_selected_row = this.rows[this.last_selected],
+ var last_selected_row = this.rows[uid || this.last_selected],
new_row = last_selected_row ? last_selected_row.obj.previousSibling : null;
while (new_row && (new_row.nodeType != 1 || new_row.style.display == 'none'))
@@ -1029,15 +1034,12 @@
/**
- * Select row next to the last selected one.
+ * Select row next to the specified or last selected one
* Either below or above.
*/
-select_next: function()
+select_next: function(uid)
{
- var next_row = this.get_next_row(),
- prev_row = this.get_prev_row(),
- new_row = (next_row) ? next_row : prev_row;
-
+ var new_row = this.get_next_row(uid) || this.get_prev_row(uid);
if (new_row)
this.select_row(new_row.uid, false, false);
},
@@ -1323,9 +1325,7 @@
*/
key_press: function(e)
{
- var target = e.target || {};
-
- if (!this.focused || target.nodeName == 'INPUT' || target.nodeName ==
'TEXTAREA' || target.nodeName == 'SELECT')
+ if (!this.focused || $(e.target).is('input,textarea,select'))
return true;
var keyCode = rcube_event.get_keycode(e),
diff -Nru roundcube-1.3.8+dfsg.1/public_html/skins/classic/templates/about.html
roundcube-1.3.10+dfsg.1/public_html/skins/classic/templates/about.html
--- roundcube-1.3.8+dfsg.1/public_html/skins/classic/templates/about.html
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/skins/classic/templates/about.html
2019-08-28 13:24:50.000000000 +0200
@@ -20,7 +20,7 @@
<div id="license">
<roundcube:object name="aboutcontent" />
<h2 class="sysname">Roundcube Webmail <roundcube:object name="version" /></h2>
-<p class="copyright">Copyright © 2005-2018, The Roundcube Dev Team</p>
+<p class="copyright">Copyright © 2005-2019, The Roundcube Dev Team</p>
<p class="license">This program is free software; you can redistribute it
and/or modify
it under the terms of the <a href="http://www.gnu.org/licenses/gpl.html";
target="_blank">GNU General Public License</a>
as published by the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.<br/>
diff -Nru roundcube-1.3.8+dfsg.1/public_html/skins/larry/templates/about.html
roundcube-1.3.10+dfsg.1/public_html/skins/larry/templates/about.html
--- roundcube-1.3.8+dfsg.1/public_html/skins/larry/templates/about.html
2018-10-23 13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/public_html/skins/larry/templates/about.html
2019-08-28 13:24:50.000000000 +0200
@@ -14,7 +14,7 @@
<roundcube:object name="aboutcontent" />
<h2 class="sysname">Roundcube Webmail <roundcube:object name="version" /></h2>
-<p class="copyright">Copyright © 2005-2018, The Roundcube Dev Team</p>
+<p class="copyright">Copyright © 2005-2019, The Roundcube Dev Team</p>
<p class="license">This program is free software; you can redistribute it
and/or modify
it under the terms of the <a href="http://www.gnu.org/licenses/gpl.html";
target="_blank">GNU General Public License</a>
as published by the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.<br/>
diff -Nru roundcube-1.3.8+dfsg.1/skins/classic/templates/about.html
roundcube-1.3.10+dfsg.1/skins/classic/templates/about.html
--- roundcube-1.3.8+dfsg.1/skins/classic/templates/about.html 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/skins/classic/templates/about.html 2019-08-28
13:24:50.000000000 +0200
@@ -20,7 +20,7 @@
<div id="license">
<roundcube:object name="aboutcontent" />
<h2 class="sysname">Roundcube Webmail <roundcube:object name="version" /></h2>
-<p class="copyright">Copyright © 2005-2018, The Roundcube Dev Team</p>
+<p class="copyright">Copyright © 2005-2019, The Roundcube Dev Team</p>
<p class="license">This program is free software; you can redistribute it
and/or modify
it under the terms of the <a href="http://www.gnu.org/licenses/gpl.html";
target="_blank">GNU General Public License</a>
as published by the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.<br/>
diff -Nru roundcube-1.3.8+dfsg.1/skins/larry/templates/about.html
roundcube-1.3.10+dfsg.1/skins/larry/templates/about.html
--- roundcube-1.3.8+dfsg.1/skins/larry/templates/about.html 2018-10-23
13:12:54.000000000 +0200
+++ roundcube-1.3.10+dfsg.1/skins/larry/templates/about.html 2019-08-28
13:24:50.000000000 +0200
@@ -14,7 +14,7 @@
<roundcube:object name="aboutcontent" />
<h2 class="sysname">Roundcube Webmail <roundcube:object name="version" /></h2>
-<p class="copyright">Copyright © 2005-2018, The Roundcube Dev Team</p>
+<p class="copyright">Copyright © 2005-2019, The Roundcube Dev Team</p>
<p class="license">This program is free software; you can redistribute it
and/or modify
it under the terms of the <a href="http://www.gnu.org/licenses/gpl.html";
target="_blank">GNU General Public License</a>
as published by the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.<br/>
