Skip to content

Commit df9effa

Browse files
committed
Merge branch 'master' into release-1.7
2 parents 018bcf7 + 0f28851 commit df9effa

37 files changed

Lines changed: 643 additions & 166 deletions

File tree

.github/workflows/browser_tests.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -49,7 +49,7 @@ jobs:
4949
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
5050

5151
- name: Setup PHP
52-
uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2.32.0
52+
uses: shivammathur/setup-php@fcafdd6392932010c2bd5094439b8e33be2a8a09 # v2.37.0
5353
with:
5454
php-version: ${{ matrix.php }}
5555
extensions: dom, curl, fileinfo, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, gd, ldap, intl, pspell

.github/workflows/ci.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ jobs:
1919
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2020

2121
- name: Setup PHP
22-
uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2.32.0
22+
uses: shivammathur/setup-php@fcafdd6392932010c2bd5094439b8e33be2a8a09 # v2.37.0
2323
with:
2424
php-version: "8.1"
2525
extensions: mbstring
@@ -60,7 +60,7 @@ jobs:
6060
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
6161

6262
- name: Setup PHP
63-
uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2.32.0
63+
uses: shivammathur/setup-php@fcafdd6392932010c2bd5094439b8e33be2a8a09 # v2.37.0
6464
with:
6565
php-version: "8.4"
6666
extensions: mbstring

.github/workflows/tests.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ jobs:
2424
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2525

2626
- name: Setup PHP
27-
uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2.32.0
27+
uses: shivammathur/setup-php@fcafdd6392932010c2bd5094439b8e33be2a8a09 # v2.37.0
2828
with:
2929
php-version: ${{ matrix.php }}
3030
extensions: dom, curl, fileinfo, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, gd, ldap, intl, pspell, enchant
@@ -63,7 +63,7 @@ jobs:
6363
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
6464

6565
- name: Setup PHP
66-
uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2.32.0
66+
uses: shivammathur/setup-php@fcafdd6392932010c2bd5094439b8e33be2a8a09 # v2.37.0
6767
with:
6868
php-version: ${{ matrix.php }}
6969
extensions: dom, curl, fileinfo, libxml, mbstring, zip, pdo, sqlite, pdo_sqlite, gd, ldap, intl

.gitignore

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,3 +37,6 @@ skins/elastic/styles/_variables.less
3737

3838
# Ignore files used for local overriding.
3939
/tests/MessageRendering/.env
40+
41+
# PHPUnit cache
42+
/tests/.phpunit.result.cache

CHANGELOG.md

Lines changed: 42 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -4,12 +4,18 @@ This file includes only changes we consider noteworthy for users, admins and plu
44

55
## Unreleased
66

7+
- Bump OpenPGPjs version to 6.3.0
8+
- Allow cidr (subnets) in proxy_whitelist (#7103)
9+
- Zipdownload: Fix message date time zone in mbox export (#10147)
10+
11+
## 1.7-rc6
12+
713
- Added support for arrays in `smtp_user` and `smtp_pass` config options (#10083)
814
- Added system health checker CLI script (#10106)
915
- Stricter recognition of an Ajax request (#10118)
1016
- Password: Added Stalwart driver (#10114)
1117
- Fix regression where some data url images could get ignored/lost (#10128)
12-
- Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke
18+
- Fix SVG Animate FUNCIRI Attribute Bypass — Remote Image Loading via fill/filter/stroke [CVE-2026-35545]
1319

1420
## 1.7-rc5
1521

@@ -18,14 +24,14 @@ This file includes only changes we consider noteworthy for users, admins and plu
1824
- Fix PHP fatal error when using IMAP cache (#10102)
1925
- Fix Postgres connection using IPv6 address (#10104)
2026
- Fix bug where `rel=stylesheet` part of a `<link>` could get removed
21-
- Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
22-
- Security: Fix bug where a password could get changed without providing the old password
23-
- Security: Fix IMAP Injection + CSRF bypass in mail search
24-
- Security: Fix remote image blocking bypass via various SVG animate attributes
25-
- Security: Fix remote image blocking bypass via a crafted body background attribute
26-
- Security: Fix fixed position mitigation bypass via use of !important
27-
- Security: Fix XSS issue in a HTML attachment preview
28-
- Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts
27+
- Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler [CVE-2026-35537]
28+
- Security: Fix bug where a password could get changed without providing the old password [CVE-2026-35541]
29+
- Security: Fix IMAP Injection + CSRF bypass in mail search [CVE-2026-35538]
30+
- Security: Fix remote image blocking bypass via various SVG animate attributes [CVE-2026-35543]
31+
- Security: Fix remote image blocking bypass via a crafted body background attribute [CVE-2026-35542]
32+
- Security: Fix fixed position mitigation bypass via use of !important [CVE-2026-35544]
33+
- Security: Fix XSS issue in a HTML attachment preview [CVE-2026-35539]
34+
- Security: Fix SSRF + Information Disclosure via stylesheet links to a local network hosts [CVE-2026-35540]
2935

3036
## 1.7-rc4
3137

@@ -43,14 +49,14 @@ This file includes only changes we consider noteworthy for users, admins and plu
4349
- Password: Extend Dovecot passwdfile driver with dynamic file path support (#10036)
4450
- Fix a UI issue on using browser Back button after allowing remote resources (#10062)
4551
- Fix syntax error in DDL scripts for Postgres (#10070)
46-
- Fix remote image blocking bypass via SVG content reported by nullcathedral
47-
- Fix CSS injection vulnerability reported by CERT Polska
52+
- Fix remote image blocking bypass via SVG content reported by nullcathedral [CVE-2026-25916]
53+
- Fix CSS injection vulnerability reported by CERT Polska [CVE-2026-26079]
4854

4955
## 1.7-rc2
5056

5157
- Fix syntax error in DDL scripts for Postgres (#10052)
52-
- Fix Cross-Site-Scripting vulnerability via SVG's animate tag
53-
- Fix Information Disclosure vulnerability in the HTML style sanitizer
58+
- Fix Cross-Site-Scripting vulnerability via SVG's animate tag [CVE-2025-68461]
59+
- Fix Information Disclosure vulnerability in the HTML style sanitizer [CVE-2025-68460]
5460
- Support $HasAttachment/$HasNoAttachment keywords for "With attachment" search filter (#10053)
5561

5662
## 1.7-rc
@@ -237,9 +243,9 @@ This file includes only changes we consider noteworthy for users, admins and plu
237243
- Fix bug in collapsing/expanding folders with some special characters in names (#9324)
238244
- Fix PHP8 warnings (#9363, #9365, #9429)
239245
- Fix missing field labels in CSV import, for some locales (#9393)
240-
- Fix command injection via crafted im_convert_path/im_identify_path on Windows
241-
- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
242-
- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
246+
- Fix command injection via crafted im_convert_path/im_identify_path on Windows [CVE-2024-37385]
247+
- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences [CVE-2024-37384]
248+
- Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes [CVE-2024-37383]
243249

244250
## Release 1.6.6
245251

@@ -263,7 +269,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
263269
- Fix bug where images attached to application/smil messages weren't displayed (#8870)
264270
- Fix PHP string replacement error in utils/error.php (#9185)
265271
- Fix regression where `smtp_user` did not allow pre/post strings before/after `%u` placeholder (#9162)
266-
- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
272+
- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download [CVE-2023-47272]
267273

268274
## Release 1.6.4
269275

@@ -467,7 +473,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
467473
- Fix some PHP8 compatibility issues (#8363)
468474
- Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
469475
- Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
470-
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
476+
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content [CVE-2021-46144]
471477

472478
## Release 1.5.1
473479

@@ -513,8 +519,8 @@ This file includes only changes we consider noteworthy for users, admins and plu
513519
- Fix a couple of PHP8 warnings (#8175, #8176)
514520
- Fix bug where "from my contacts" and "from trusted senders" values were mixed up (#8177)
515521
- Fix password/token length check on OAuth login (#8178)
516-
- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
517-
- Fix SQL injection via some session variables
522+
- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning [CVE-2021-44025] (#8193)
523+
- Fix SQL injection via some session variables [CVE-2021-44026]
518524
- Fix handling of dark_mode_support:false setting in skins meta.json (#8186)
519525
- Fix security issues regarding server name and trusted_host_patterns setting
520526

@@ -664,7 +670,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
664670
- Elastic: Fix compatibility with Less v3 and v4 (#7813)
665671
- Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
666672
- Fix errors in MSSQL database update scripts (#7853)
667-
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
673+
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content [CVE-2021-26925]
668674

669675
## Release 1.4.10
670676

@@ -734,10 +740,10 @@ This file includes only changes we consider noteworthy for users, admins and plu
734740
- Fix error when user-configured skin does not exist anymore (#7271)
735741
- Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
736742
- Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
737-
- Security: Fix a couple of XSS issues in Installer (#7406)
738-
- Security: Fix XSS issue in template object 'username' (#7406)
739-
- Security: Better fix for CVE-2020-12641
740-
- Security: Fix cross-site scripting (XSS) via malicious XML attachment
743+
- Security: Fix a couple of XSS issues in Installer [CVE-2020-18671, CVE-2020-18670] (#7406)
744+
- Security: Fix XSS issue in template object 'username' [CVE-2020-13964] (#7406)
745+
- Security: Better fix for remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings [CVE-2020-12641]
746+
- Security: Fix cross-site scripting (XSS) via malicious XML attachment [CVE-2020-13965]
741747

742748
## Release 1.4.4
743749

@@ -1063,6 +1069,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
10631069
- Enigma: Add button to send mail unencrypted if no key was found (#5913)
10641070
- Enigma: Add options to set PGP cipher/digest algorithms (#5645)
10651071
- Enigma: Multi-host support
1072+
- Enigma: Remove default for enigma_pgp_homedir [CVE-2018-1000071] (#6173)
10661073
- Managesieve: Add ability to disable filter sets and other actions (#5496, #5898)
10671074
- Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021)
10681075
- Managesieve: Support filter action with custom IMAP flags (#6011)
@@ -1143,7 +1150,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
11431150
- Fix bug where only attachments with the same name would be ignored on zip download (#6301)
11441151
- Fix bug where unicode contact names could have been broken/emptied or caused DB errors (#6299)
11451152
- Fix bug where after "mark all folders as read" action message counters were not reset (#6307)
1146-
- Enigma: [EFAIL] Don't decrypt PGP messages with no MDC protection (#6289)
1153+
- Enigma: [EFAIL] Don't decrypt PGP messages with no MDC protection [CVE-2018-19205] (#6289)
11471154
- Fix bug where some HTML comments could have been malformed by HTML parser (#6333)
11481155

11491156
## Release 1.3.6
@@ -1380,7 +1387,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
13801387
## Release 1.2.3
13811388

13821389
- Searching in both contacts and groups when LDAP addressbook with group_filters option is used
1383-
- Fix vulnerability in handling of mail()'s 5th argument
1390+
- Fix vulnerability in handling of mail()'s 5th argument [CVE-2016-9920]
13841391
- Fix To: header encoding in mail sent with mail() method (#5475)
13851392
- Fix flickering of header topline in min-mode (#5426)
13861393
- Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447)
@@ -1459,7 +1466,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
14591466
- Fix bug where contact search menu fields where always unchecked in Larry skin
14601467
- Fix autoloading of 'html' class
14611468
- Fix bug where Encrypt button appears when switching editor to HTML (#5235)
1462-
- Fix XSS issue in href attribute on area tag (#5240)
1469+
- Fix XSS issue in href attribute on area tag [CVE-2016-4552] (#5240)
14631470

14641471
## Release 1.2-rc
14651472

@@ -1611,16 +1618,16 @@ This file includes only changes we consider noteworthy for users, admins and plu
16111618
- Fix mouseup event handling when dragging a list record (#4808)
16121619
- Fix bug where preview_pane setting wasn't always saved into user preferences (#4809)
16131620
- Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#4814)
1614-
- Fix security issue in contact photo handling (#4817)
1621+
- Fix security issue in contact photo handling [CVE-2015-8794, CVE-2015-5382] (#4817)
16151622
- Fix possible memcache/apc cache data consistency issues (#4820)
16161623
- Fix bug where imap_conn_options were ignored in IMAP connection test (#4822)
16171624
- Fix bug where some files could have "executable" extension when stored in temp folder (#4815)
16181625
- Fix attached file path unsetting in database_attachments plugin (#4823)
16191626
- Fix issues when using moduserprefs.sh without --user argument (#4825)
1620-
- Fix potential info disclosure issue by protecting directory access (#4816)
1627+
- Fix potential info disclosure issue by protecting directory access [CVE-2015-5383] (#4816)
16211628
- Fix blank image in html_signature when saving identity changes (#4833)
16221629
- Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#4827)
1623-
- Fix XSS vulnerability in _mbox argument handling (#4837)
1630+
- Fix XSS vulnerability in _mbox argument handling [CVE-2015-8793, CVE-2015-5381] (#4837)
16241631

16251632
## Release 1.1.1
16261633

@@ -1680,7 +1687,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
16801687
- Fix keyboard navigation and css in datepicker widget across many Firefox versions
16811688
- Fix false warning when opening attached text/plain files (#4748)
16821689
- Fix bug where signature could have been inserted twice after plain-to-html switch (#4746)
1683-
- Fix security issue in DBMail driver of password plugin (#4757)
1690+
- Fix security issue in DBMail driver of password plugin [CVE-2015-2180] (#4757)
16841691
- Enable FollowSymLinks option in .htaccess file which is required by rewrite rules (#4754)
16851692
- Fix so JSON.parse() errors on localStorage items are ignored (#4752)
16861693

@@ -2144,7 +2151,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
21442151

21452152
## Release 0.9-rc2
21462153

2147-
- Fix security issue in save-pref command
2154+
- Fix security issue in save-pref command [CVE-2013-1904]
21482155
- Remove sig_above configuration option, use reply_mode only (#4135)
21492156
- Refresh current folder in opener window after draft save or message sent (#4132)
21502157
- Fix saving draft just after entering compose window (#4141)
@@ -3011,7 +3018,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
30113018
- Fix checking for new mail: now checks unseen count of inbox (#2123)
30123019
- Improve performance by avoiding unnecessary updates to the session table (#2552)
30133020
- Fix invalid `<font>` tags which cause HTML message rendering problems (#2687)
3014-
- Fix CVE-2010-0464: Disable DNS prefetching (#2639)
3021+
- Disable DNS prefetching [CVE-2010-0464] (#2639)
30153022
- Fix Received headers to behave better with SpamAssassin (#2682)
30163023
- Password: Make passwords encoding consistent with core, add 'password_charset' global option (#2658)
30173024
- Fix adding contacts SQL error on mysql (#2645)
@@ -3509,6 +3516,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
35093516
- Fixed some iconv/mb_string problems (#1202)
35103517
- Correctly quote mailbox name when using in URL (#1016)
35113518
- Fixed "headers already sent" errors (#1399)
3519+
- Fix CSS Expression Input Validation Vulnerability [CVE-2007-6321] (#1276)
35123520

35133521
## Release 0.1-STABLE
35143522

composer.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
"masterminds/html5": "~2.9.0",
1212
"mlocati/ip-lib": "^1.22.0",
1313
"pear/auth_sasl": "~1.2.0",
14-
"pear/crypt_gpg": "~1.6.3",
14+
"pear/crypt_gpg": "~1.7.0",
1515
"pear/mail_mime": "~1.10.11",
1616
"pear/net_sieve": "~1.4.7",
1717
"pear/net_smtp": "~1.12.0",

config/defaults.inc.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -681,7 +681,7 @@
681681
// Setting this value to 'php' will use the default session save handler configured in PHP
682682
$config['session_storage'] = 'db';
683683

684-
// List of trusted proxies
684+
// List of trusted proxies (exact IPs or CIDR ranges, e.g. '10.0.0.0/8', '2001:db8::/32')
685685
// X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs
686686
$config['proxy_whitelist'] = [];
687687

jsdeps.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -51,10 +51,10 @@
5151
{
5252
"lib": "openpgp",
5353
"name": "OpenPGP.js",
54-
"version": "5.0.0",
54+
"version": "6.3.0",
5555
"url": "https://cdn.jsdelivr.net/npm/openpgp@$v/dist/openpgp.min.js",
5656
"dest": "plugins/enigma/openpgp.min.js",
57-
"sha1": "0fc8b02e9d26a28280b46fd8d3a1516d9bff21db",
57+
"sha1": "fcfc7c22633bd018b7793de050dbde9b0d284799",
5858
"license": "LGPL",
5959
"copyright": "Copyright (c) OpenPGP Development Team",
6060
"source": "https://cdn.jsdelivr.net/npm/openpgp@$v/dist/openpgp.js"

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@
1212
"optionalDependencies": {
1313
"jquery": "^3.7.1",
1414
"tinymce": "^5.10.9",
15-
"openpgp": "^5.0.0",
15+
"openpgp": "^6.3.0",
1616
"codemirror": "^5.58.3",
1717
"bootstrap": "^4.5.3",
1818
"less": "^4.1.3"

plugins/enigma/composer.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@
1414
"require": {
1515
"php": ">=7.3.0",
1616
"roundcube/plugin-installer": "~0.3.5",
17-
"pear/crypt_gpg": "~1.6.3"
17+
"pear/crypt_gpg": "~1.7.0"
1818
},
1919
"autoload": {
2020
"classmap": [

0 commit comments

Comments
 (0)