Roundcube Webmail 1.7-beta2

This is a second beta release for the next major version 1.7 of Roundcube webmail.

With this milestone we introduce some more fixes, and bring full support for the early version of PHP 8.5.

It does not include breaking changes (beyond those of 1.7-beta).

Some noteworthy changes are:

• Support PHP v8.5(-pre) without deprecation warnings.
• Support IPv6 in database DSN (#9937)
• Use htmleditor setting also for identity signature (#9954)
• Fix regression in handling of non-unicode characters in a plain text message (#9953)
• Fix parsing of inline styles that aren't well-formatted (#9948)
• Support early MIME types for S/MIME encrypted messages (#9973)
• Only apply fix_path for href attrib in s (#9943)
• Show homograph-warning-icon before email address, unify warning wording (#9945)
• Show full details with warning icon in case of phishing suspicion (#9945)
• Prepend group-names to display-name (#9945) Thanks to coco_melon for the reporting!
• Wash the name attribute also on more elements (#9949) – Thanks to pwn.ai by Octagon Networks for the reporting!
• Sanitize filename on download (#9960)
• Drop Internet Explorer from supported browsers (#9963)
• Enforce leading backslash for non-namespaced non-Roundcube uses (#9935)
• Use asset_url() instead of get_skin_file() for deleteicon on contact edit form (#9933)
• Several changes to the test tooling.

This is a beta release and we recommend to test it on a separate environment.
Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

Changelog

Here is the full changelog since `1.7-beta``:

• Build the container image only in our main repo, not in forks
• Fix installing aspell in all test workflow runs (#9993)
• Improve uploading artefacts on browser test failure (#9980)
• Update CS Fixer conf
• markdownify remaining docs (#9955)
• Support early MIME types for S/MIME encrypted messages (#9973)
• Only apply fix_path for href attrib in s (#9943)
• Show homograph-warning-icon before email address, unify warning wording
• Show full details with warning icon in case of phishing suspicion
• Prepend group-names to display-name
• Also "wash" the name attribute of textarea and select
• Wash the name attribute also on more elements
• fix: Sanitize filename on download (#9960)
• Run test with PHP 8.5-rc (#9970)
• Remove Internet Explorer from README (#9963)
• For container-based testing allow to specify a testrunner image, and COMPOSER_ARGS
• Note the password for watching the browser during tests
• Run tests via scripts to allow arguments; add eslint service
• Run some tests (optionally) on a copy of the current code
• Make targets to help with publishing releases
• Use generic tag name in container image build script
• Build testrunner images for php v8.4 and 8.5-rc, too
• Fix flaky browser test
• Fix PHP Fatal error: Uncaught TypeError: html::quote(): Argument #1 ($str) must be of type string, null given (#9957)
• Tests: Attempt to fix a flaky browser test
• PHP 8.5: Remove redundant setAccessible() calls
• CS-Fixer: Enable modernize_strpos
• Enforce leading backslash for non-namespaced non-Roundcube uses (#9935)
• Fix regression in handling of non-unicode characters in a plain text message (#9953)
• Update changelog
• Use htmleditor config for indentity signature (#9954)
• PHP 8.5: Replace __(sleep|wakeup) with __(serialize|unserialize)
• PHP 8.5: Remove setAccessible() calls, they are no-op sine 8.1
• PHP 8.5: Remove deprecated imagedestroy() use
• Fix parsing of inline styles that aren't well-formatted (#9948)
• Fix typo in defaults.inc.php (replace mmust with must) (#9934)
• Use asset_url() instead of get_skin_file() for deleteicon on contact edit form (#9933)
• Support IPv6 in database DSN (#9937)
• Localization: Remove non-working links to Transifex
• Update localization from Transifex
• Mark release 1.7-beta in the changelog (#9931)
• Make target to remove untracked minified .js and .css files
• Include node_modules/.bin into PATH to ensure uglify etc. are found
• CS/PHPDoc fix
• PHP 8.5 compat. fixes

Roundcube Webmail 1.7-beta

This is a beta release for the next major version 1.7 of Roundcube webmail.

With this milestone we introduce a few breaking changes, some new features, and bring full support for PHP 8.4.

Some noteworthy changes are:

• Make public_html/ mandatory as entry-point for HTTP daemons, protecting all installations better.
• Improve support for OAuth2 (e.g. supporting OpenID Connect discovery URLs).
• A Mouse-over menu on the messages list with quick action icons.
• Advanced mail search syntax with more possibilities – you can now use e.g. is:unread to only match unread messages. The test file has a list of implemented keywords.
• Message parts of content-type text/markdown are now rendered to HTML (if they are designated for showing).
• Add a 'php' logging driver, which passes all log statements to PHP's error_log handler, allowing to unify all log output.
• Requires PHP v8.1 or newer.

Breaking Changes

• Dropped support for PHP < 8.1.
• Removed support for MS SQL Server and Oracle.
• Make public_html/ entry-point mandatory, all static resources are served via static.php.
• Removed apc cache driver (replaced by apcu cache driver).
• Change smtp_log option default value to false.

This is a beta release and we recommend to test it on a separate environment.
Migrate existing configs with either the installto.sh or the update.sh scripts.

And don't forget to backup your data before installing it!

Changelog

Here is the full changelog:

• Set minimum required PHP version to 8.1 (#9599)
• Update to jQuery 3.7.1
• Drop dependency on JsTimeZoneDetect (#8965)
• Added apcu cache driver (#9828)
• Removed apc cache driver
• Renamed composer.json.dist to composer.json (#9279)
• Make public_html/ entry-point mandatory, all static resources are served via static.php (#9294, #8851)
• Removed support for MS SQL Server and Oracle (#7854)
• Added more strict code quality/style validation
• Added text/markdown mail rendering (#8873)
• Store uploads metadata in a separate sql database table instead of a session (#8415)
• Mouse-over menu on messages list (#7141)
• Advanced mail search syntax with more possibilities (without UI) (#8502)
• Added an option for a default mail search scope (#9077, #7556)
• Added an option for default "Keep formatting" state, option can be hidden via dont_override (#8987, #9703)
• Added option to define font list and font-size list for HTML editor - available_fonts/available_font_sizes (#5700)
• IMAP: Support for HAproxy protocol header in IMAP connections (#8625)
• Change 'smtp_log' option default value to False
• Add 'php' logging driver (#6138)
• Delete messages directly from Junk on folder purge if delete_junk is enabled (#8766)
• Hide information about quota, when there is no quota (#8994)
• Set timeout=30, connect_timeout=5, read_timeout=120 as defaults for HTTP client (#8865)
• Remove use of utf8_encode() and utf8_decode() functions deprecated in PHP 8.2
• Support PHP Zip extension and 7z in install-jsdeps.sh (#8935)
• Add identities management script - bin/identity.sh (#8887)
• Add skin information into the About dialog (#9441)
• Prefer 8bit over quoted-printable for HTML parts, when force_7bit is disabled (#8477)
• Convert images in HTML content pasted into HTML editor to data: URIs (and later to attachments) (#6938)
• Add possibility to change ATTR_EMULATE_PREPARES via config file (#9213)
• Use draft settings (like DSN) on "Edit as new" (#9349)
• Add more detailed feedback on vCard import errors (#9591)
• Use new HTML5 parser available on PHP >= 8.4
• Clear "list is empty" message on loading a new list (#9006)
• Add enable_autolink option for HTML editor (#9818, #9762)
• Rework/fix zoom and rotate of attached images (#9843, #7669)
• Installer: Show NOT OK if none of the database extensions is installed (#9594, #9604)
• Plugin API: Added message_delete hook (#9499)
• Plugin API: Added message_move hook (#9499)
• Mailvelope: Add a button to enable the extension for webmail domain (#9498)
• OAuth: Add support for SMTP without authentication (#9183)
• OAuth: Add support for OAuth/OpenIDC discovery (#8201)
• OAuth: Add support for invalidating the OAuth-session on logout (#8057)
• OAuth: Add support for OpenID Connect RP-Initiated Logout (#9109)
• OAuth: Add support for OpenID Connect Back-Channel Logout (#9110)
• OAuth: Add support for PKCE (#8757)
• OAuth: Add support for OAUTHBEARER (#9217)
• OAuth: Add oauth_debug option (#9217)
• OAuth: Fix: missing config oauth_provider_name in rcmail_oauth's constructor (#9217)
• OAuth: Fix Bearer authentication for Kinde (#9244)
• OAuth: Refactor: move display to the rcmail_oauth class and use loginform_content hook (#9217)
• OAuth: Add a flag to the 'authenticate' hook arguments indicating SSO is in use
• Additional_Message_Headers: Added %u, %d and %l variables (#8746, #8732)
• ACL: Set default of 'acl_specials' option to ['anyone'] (#8911)
• Enigma: Support Kolab's Web Of Anti-Trust feature (#8626)
• Enigma: Add key icon to passphrase input (#9894)
• Managesieve: Support :encodeurl (RFC 5435) (#8917)
• Managesieve: Add List-ID to the list of headers for creating new sieve-filters (#8307)
• Managesieve: Support an array in managesieve_host option (#9447)
• Managesieve: Fix the frontend datetime picker not respecting the 12h format and apending a dangling 's' to the seconds (#9688)
• Managesieve: Add parsing for all PHP time formatters from time_format config to frontend the time picker (#9655)
• Password: Add ldap_samba_ad driver (#8525)
• Password: Allow LDAP access using LDAP URI and SASL binding (#8402)
• Password: Use Guzzle HTTP Client in the pwned driver
• Password: Use Guzzle HTTP Client in the directadmin driver
• Password: Use Guzzle HTTP Client in the plesk driver
• Password: Use Guzzle HTTP Client in the modoboa driver
• Password: Use Guzzle HTTP Client in the domainfactory driver
• Password: Use Guzzle HTTP Client in the cpanel driver
• Password: Check that a user email is part of password in the zxcvbn checker (#9404)
• Virtuser_file: Support opensmtpd file format (#9898)
• Zipdownload: Change "Download..." menu label into "Export..." (#9713)
• Fix bug in handling rcmail::format_date()'s $convert argument (#9666)
• Fix use of Bootstrap's box-sizing inside a HTML message content (#9727)
• Fix folders hierarchy when special folders are subfolders of INBOX, with no personal namespace prefix (#9452)
• Fix attachment name decoding when 'charset' parameter exists in the headers (#9376)
• Fix deprecated (in PHP 8.4) use of session_set_save_handler() (#9060)
• Fix potential HTTP protocol version mismatch (#8982)
• Fix "Assign to group" action state after creation of a first group (#9889)
• Fix bug where contacts search would fail if contactlist_fields contained vcard fields (#9850)
• Fix bug where an mbox export file could include inconsistent message delimiters (#9879)

Roundcube Webmail 1.5.11

This is the next service release to update the LTS version 1.5 of Roundcube.

It only fixes a compatibility issue with PHP 5.5 that slipped into the previous (1.5.10) release.

This release is considered stable and if you was not able to upgrade to 1.5.10 you should update now.

Roundcube Webmail 1.6.11

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Managesieve: Fix match-type selector (remove unsupported options) in delete header action (#9610)
• Improve installer to fix confusion about disabling SMTP authentication (#9801)
• Fix PHP warning in index.php (#9813)
• OAuth: Fix/improve token refresh
• Fix dark mode bug where wrong colors were used for blockquotes in HTML mail preview (#9820)
• Fix HTML message preview if it contains floating tables (#9804)
• Fix removing/expiring redis/memcache records when using a key prefix
• Fix bug where a wrong SPECIAL-USE folder could have been detected, if there were more than one per-type (#9781)
• Fix a default value and documentation of password_ldap_encodage option (#9658)
• Remove mobile/floating Create button from the list in Settings > Folders (#9661)
• Fix Delete and Empty buttons state while creating a folder (#9047)
• Fix connecting to LDAP using ldapi:// URI (#8990)
• Fix cursor position on "below the quote" reply in HTML mode (#8700)
• Fix bug where attachments with content type of application/vnd.ms-tnef were not parsed (#7119)

Roundcube Webmail 1.5.10

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

CHANGELOG

• Fix current script state after initial scripts creation in managesieve_kolab_master mode
• Fix regression causing inline SVG images to be missing in mail preview (#9644)

Roundcube Webmail 1.6.10

This is the next service release to update the stable version 1.6. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• IMAP: Partial support for ANNOTATE-EXPERIMENT-1 extension (RFC 5257)
• OAuth: Support standard authentication with short-living password received with OIDC token (#9530)
• Fix PHP warnings (#9616, #9611)
• Fix whitespace handling in vCard line continuation (#9637)
• Fix current script state after initial scripts creation in managesieve_kolab_master mode
• Fix rcube_imap::get_vendor() result (and PHP warning) on Zimbra server (#9650)
• Fix regression causing inline SVG images to be missing in mail preview (#9644)
• Fix plugin "virtuser_file" to handle backward slashes in username (#9668)
• Fix PHP fatal error when parsing some malformed BODYSTRUCTURE responses (#9689)
• Fix insert_or_update() and reading database server config on PostgreSQL (#9710)
• Fix Oauth issues with use_secure_urls=true (#9722)
• Fix handling of binary mail parts (e.g. PDF) encoded with quoted-printable (#9728)
• Fix links in comments and config to https:// where available (#9759, #9756)
• Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards (#9725)

Roundcube Webmail 1.6.9

This is the next service release to update the stable version 1.6.
It provides two regression fixes that were introduced in from the previous release. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where printing/scaling/rotating image attachments was broken (#9571)
• Fix regression where HTML messages were displayed unstyled (#9586)

Roundcube Webmail 1.5.9

This is the next service release to update the stable version 1.5.
It provides two regression fixes that were introduced in from the previous release. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

• Fix regression where printing/scaling/rotating image attachments was broken (#9571)
• Fix regression where HTML messages were displayed unstyled (#9586)

Roundcube Webmail 1.6.8

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
• Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
• Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and thanks for providing a very detailed report in a private communication.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

• Managesieve: Protect special scripts in managesieve_kolab_master mode
• Fix newmail_notifier notification focus in Chrome (#9467)
• Fix fatal error when parsing some TNEF attachments (#9462)
• Fix double scrollbar when composing a mail with many plain text lines (#7760)
• Fix decoding mail parts with multiple base64-encoded text blocks (#9290)
• Fix bug where some messages could get malformed in an import from a MBOX file (#9510)
• Fix invalid line break characters in multi-line text in Sieve scripts (#9543)
• Fix bug where "with attachment" filter could fail on some fts engines (#9514)
• Fix bug where an unhandled exception was caused by an invalid image attachment (#9475)
• Fix bug where a long subject title could not be displayed in some cases (#9416)
• Fix infinite loop when parsing malformed Sieve script (#9562)
• Fix bug where imap_conn_option's 'socket' was ignored (#9566)
• Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
• Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
• Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Roundcube Webmail 1.5.8

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides fixes to recently reported security vulnerabilities:

• Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
• Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
• Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]

Credits to Oskar Zeino-Mahmalat (Sonar) for all these findings and thanks for providing a very detailed report in a private communication.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!