Aleksander Machniak
2af7417d89
Fix str_contains() use
2026-02-08 10:27:30 +01:00
Aleksander Machniak
8dac75abbd
Fix CSS injection vulnerability reported by CERT Polska
2026-02-08 09:24:29 +01:00
Aleksander Machniak
42794a40aa
Support request_url config option for resolving relative URLs (#9868)
2026-01-01 15:14:18 +01:00
Aleksander Machniak
7a3843f9b7
Support X-Forwarded-Host/X-Forwarded-Port in self URLs generation (#9952)
2026-01-01 12:57:02 +01:00
Aleksander Machniak
e5d5ed91bd
Fix the regexp so it will produce less false-positives
2025-12-15 11:36:05 +01:00
Aleksander Machniak
7c3267b9b0
Fix Information Disclosure vulnerability in the HTML style sanitizer
reported by somerandomdev
2025-12-14 09:02:25 +01:00
Pablo Zmdl
a03221041e
Run test with PHP 8.5-rc (#9970)
* Allow to inject composer arguments into testing scripts
* Run unit tests with PHP v8.5, too
* Run browser tests with PHP 8.5, too
* Depend on php-cs-fixer v3.8, which supports PHP v8.4
* Run code style checks in CI on PHP v8.4
* Check for vars being set and not null before using them as array keys
* Use generic tag name in container image build script
The script is meant for locally building images (the CI workflow runs
other code), so we now use localhost/ as namespace.
* Check that variable is usable before using it as array key
This includes proper type declarations for the method arguments and its return value.
* Ensure that the input to chr() is between 0 and 255.
* Require guzzle v7.10.0, which supports PHP 8.5
* Update phpunit a little to decide when to fail on deprecations
PHPUnit 10.5.47 and later know the flag `--do-not-fail-on-deprecation`, which allows us to make it not exit with code 1
in case of deprecations on the second run of the script. That second run uses the lowest valid dependencies, which might
contain deprecations when used with newer versions of PHP, but still are acceptable versions, and should not make our
tests fail.
* Run message rendering tests with PHP v8.4 and v8.5, too
* Check explicitly for null-ness
0 would be a valid value here.
* Replace chr() by mb_chr() and remove the workaround
2025-09-14 11:33:38 +02:00
Aleksander Machniak
3139bff247
CS-Fixer: Enable modernize_strpos
2025-08-15 13:20:24 +02:00
Michael Voříšek
026eb8c801
Enforce leading backslash for non-namespaced non-Roundcube uses (#9935)
2025-08-15 10:27:00 +02:00
Aleksander Machniak
a0d0f5e72e
Fix parsing of inline styles that aren't well-formatted (#9948)
2025-08-03 11:28:53 +02:00
Pablo Zmdl
c069be5897
Validate URL parameter in upload code (#9865)
2025-06-01 09:17:23 +02:00
Aleksander Machniak
1d080c7494
Bump PHP version for CS fixer, enable some default rules
2025-05-04 12:59:37 +02:00
Aleksander Machniak
f7d8852d17
Use str_starts_with() where applicable
2025-03-30 11:32:38 +02:00
Philip Weir
ccede1f272
Update links in comments and config to https where available (#9759)
2025-01-26 13:34:57 +01:00
Aleksander Machniak
c99dcacddb
- Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com)
2024-08-04 10:27:18 +02:00
Michael Voříšek
a30e0ad438
Infer file/line location in rcube::raise_error() from backtrace (#9422)
* \n\s+'file' => __FILE__,
* \n\s+'line' => __LINE__,
* 'line' => __LINE__, 'file' => __FILE__,
* 'file' => __FILE__, 'line' => __LINE__,
* rest
* more
* improve cs
* more cs
* revert rcube_utils::preg_error changes
* impl file/line from backtrace
* Revert "revert rcube_utils::preg_error changes"
2024-04-21 11:48:35 +02:00
Aleksander Machniak
15c1228cf3
Code improvements
2024-03-24 08:52:17 +01:00
Aleksander Machniak
91816ca187
Fix phpstan errors
2024-02-10 09:23:12 +01:00
Michael Voříšek
332c165d28
Fix some basic JS CS (#9328)
* fix "nonblock-statement-body-position" (fixed already)
* fix "comma-dangle"
* fix "no-regex-spaces"
* fix "new-parens"
* fix "object-curly-newline"
* fix "object-property-newline"
* fix "spaced-comment" semimanually
* fix "no-constant-condition" manually
* fix "unicorn/no-hex-escape"
* fix "unicorn/escape-case"
* fix "quote-props"
* fix "no-whitespace-before-property" - fix bug/typo
* fix "unicorn/empty-brace-spaces"
* fix "keyword-spacing"
* fix "dot-notation"
* fix "no-return-assign" manually
* fix "padding-line-between-statements"
* fix "key-spacing"
* fix "no-else-return" semimanually
* fix some "no-undef"
* fix case cs
* Revert "fix "padding-line-between-statements""
* improve switch/case format I.
* improve switch/case format II.
regex: (^ *(break|return).*)\n *(\n)
* fix safe "eqeqeq"
* fix "radix"
* fix v3.49.0 CS (static providers)
* fix "string_implicit_backslashes" in php files
* fix comments align
* fix test static providers
* fix stan
* disable "final_internal_class" rule
2024-02-06 08:28:19 +01:00
Michael Voříšek
d18406a8bd
Fix binary operator spaces CS (#9330)
* align_single_space_minimal for assign
* assign operators grouping is not supported by PHP CS Fixer
* binary_operator_spaces = single_space
* fix anonymous function on single line
* align comments manually
2024-02-02 07:53:34 +01:00
Aleksander Machniak
34500a4fa4
Fix "missing return statement" phpstan errors
2024-01-27 19:07:52 +01:00
Michael Voříšek
ff2d721680
Fix more CS whitespace (#9318)
* fix "no_useless_else" manually
* fix some "blank_line_before_statement"
* two manual changes
* Revert "fix some "blank_line_before_statement""
This reverts commit 2cc857c00e.
* fix some "blank_line_before_statement" using patched fixer (after "}" only)
* fix continue/break too
2024-01-25 19:17:29 +01:00
Michael Voříšek
4ee79b9e84
fix "explicit_string_variable" (#9315)
2024-01-22 08:05:59 +01:00
Michael Voříšek
b1a0067e5d
Fix more CS (#9303)
* fix "class_attributes_separation"
* fix "ternary_to_null_coalescing"
* fix "no_extra_blank_lines"
* fix "php_unit_data_provider_name" - use snake_case
* fix remaining "function data_" manually
* move "php_unit_test_case_static_method_calls" to a better place in cnf
* fix 3.47.1 CS
2024-01-20 08:22:32 +01:00
Michael Voříšek
6a53a1d853
Fix CS (whitespace, visibility) (#9297)
* Fix "method_argument_space"
* Fix "control_structure_continuation_position"
* Fix "new_with_parentheses"
* Fix "blank_line_before_statement"
* Fix "visibility_required"
* Fix some "array_indentation"
* Fix some "array_indentation" - unify all "rcube::raise_error" calls
* rm useless eslint ignores and add rules counts
* sort eslint ignores
* fix eslint ignores grammar
* Revert "Fix "blank_line_before_statement""
* fix CS 3.46.0
2024-01-04 14:26:35 +01:00
Michael Voříšek
2643be3eaa
Fix single quotes CS (#9283)
* Fix "single_quote"
* fix "escape_implicit_backslashes"
* fix typo from f363481c
* fix single quotes in JS
* fix some minor JS CS
* fix CS v3.45.0
2023-12-31 16:36:55 +01:00
Michael Voříšek
3e458fa5fd
Refer native constants unambiguously (#9275)
* Fix "native_constant_invocation" CS
* "self_accessor" was fixed in 9269 PR
* "php_unit_strict" was fixed in 9268 PR
2023-12-23 17:02:19 +01:00
Michael Voříšek
a9167a0d2f
Fix "static_lambda" CS (#9276)
2023-12-20 20:01:00 +01:00
Michael Voříšek
e7d7e62146
Modernize more basic CS II (#9254)
* fix "integer_literal_case"
* fix "phpdoc_separation"
* fix "phpdoc_var_without_name"
* fix "operator_linebreak"
* fix "no_alias_language_construct_call"
* fix "list_syntax"
* fix "concat_space"
* fix "array_syntax"
* fix "binary_operator_spaces"
* fix "binary_operator_spaces" relaxed
* fix "phpdoc_types_order"
* fix "phpdoc_trim"
* fix "native_type_declaration_casing"
* fix "method_chaining_indentation"
* fix "phpdoc_no_package"
* fix "elseif"
* fix PHP CS Fixer config itself too
* fix "native_type_declaration_casing"
2023-12-17 13:14:45 +01:00
Michael Voříšek
ca8b17d191
Modernize more basic CS (#9258)
* fix "yoda_style"
* fix "is_null"
* rm useless rule ignores
* add full "PhpCsFixer:risky" ruleset
* fix "implode_call"
* fix "no_alias_functions"
* fix "array_push"
* fix "long_to_shorthand_operator"
* fix "ternary_to_elvis_operator"
* fix "logical_operators"
* fix "fopen_flags"
* rename "returns" phpdoc tags to "return"
* fix "php_unit_construct"
* fix "function_to_constant"
* fix "php_unit_data_provider_return_type"
* fix "php_unit_set_up_tear_down_visibility"
* some safe "string_length_to_empty"
* fix "phpdoc_align"
* fix "phpdoc_no_alias_tag"
* fix "trailing_comma_in_multiline"
---------
Co-authored-by: Aleksander Machniak <alec@alec.pl>
2023-12-17 09:51:11 +01:00
Michael Voříšek
93946f4ca7
Fix "self_accessor" PHP CS Fixer rule (#9269)
2023-12-17 09:44:43 +01:00
Michael Voříšek
1aef271290
Fix class/method names case typos (#9261)
* fix Mail_Mime case
* fix StdErrMock case
* fix method calls case
2023-12-16 15:39:59 +01:00
Michael Voříšek
a8707ae220
Fix and assert basic CS using CI (#9246)
* Assert CS using CI
* fix "single_blank_line_at_eof"
* fix "statement_indentation"
* fix "switch_case_semicolon_to_colon"
* fix "control_structure_braces"
* fix "statement_indentation"
* fix "no_whitespace_in_blank_line"
* fix "no_trailing_whitespace_in_comment"
* fix "no_trailing_whitespace"
* fix "single_space_around_construct"
* fix "spaces_inside_parentheses"
* fix "ternary_operator_spaces"
* fix "trim_array_spaces"
* fix "whitespace_after_comma_in_array"
* fix "cast_spaces"
* fix "unary_operator_spaces"
* fix "no_trailing_comma_in_singleline"
* fix "ordered_imports"
* fix "no_unused_imports"
* Check composer.json format
* fix CI job name
* file header comments are not phpdoc
* fix "phpdoc_indent"
* fix "braces_position"
* fix "phpdoc_types"
* fix "no_blank_lines_after_class_opening"
* fix "no_multiple_statements_per_line"
* fix "multiline_comment_opening_closing"
* fix "single_line_empty_body"
* fix "non_printable_character"
* fix "phpdoc_trim_consecutive_blank_line_separation"
* fix "include"
* fix "no_mixed_echo_print"
---------
Co-authored-by: Aleksander Machniak <alec@alec.pl>
2023-12-16 15:37:43 +01:00
Michael Voříšek
5425d1a84a
Fix invalid phpdocs (#9252)
* fix missing return type in phpdoc
* fix "phpdoc_scalar"
* Fix phpdoc variable names typos
* fix wrong phpdoc tags
2023-12-10 16:20:50 +01:00
Michael Voříšek
13f68fa06f
Fix explode_quoted_string for multibyte delimiter (#9248)
2023-12-10 10:15:52 +01:00
Aleksander Machniak
da3c12bce2
Silence some potential PHP warnings
2023-11-07 15:52:17 +01:00
Aleksander Machniak
102b04e74e
Fix PHP7 compat. break in last commit
2023-06-14 13:00:54 +02:00
Aleksander Machniak
3e32395acd
Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
2023-06-14 12:56:00 +02:00
Aleksander Machniak
a3431e94ae
Fix connecting to LDAP using a URI with ldapi:// scheme (#8990)
2023-05-13 19:40:05 +02:00
Aleksander Machniak
43af3e0e58
Move get_host() from rcube_utils to rcmail_utils, de-duplicate
2023-03-05 18:33:57 +01:00
vladasko-g
852ffc6826
Add identity management script (#8887)
2023-03-05 17:56:52 +01:00
Thomas B
409aee8b3c
Add config option for request uri field (#8738) (#8770)
This can be used to read a custom header sent by a reverse proxy to resolve the absolute path to Roundcube
* add check against the proxy_whitelist option before using a HTTP header field value for the request uri composition.
* refactor the rcmail::url() method to also work when composing fully qualified urls.
* fix/adapt tests
2022-11-23 21:05:00 +01:00
Aleksander Machniak
1b0c72f9c3
Fix PHP warning (#8784)
2022-11-15 19:00:40 +01:00
Aleksander Machniak
4ca3e5d610
CS fixes, update changelog
2022-08-01 12:25:00 +02:00
Christian Mollekopf
a9a9be9a69
Use rcube_utils::remote_addr() to take HTTP_X_FORWARDED_FOR into account
2022-07-22 10:42:24 +02:00
Christian Mollekopf
76154d27f2
Introduce optional support to inject PROXY protocol headers after
opening IMAP TCP streams.
Version 1 (text based) and version 2 (binary) protocol header types are
supported. Supports both IPv4 and IPv6 style headers.
http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt
2022-07-22 10:32:50 +02:00
Aleksander Machniak
8ad92d5f98
Fix so unix:// URI is supported in various host spec. options again (#8468)
2022-04-10 19:46:22 +02:00
Aleksander Machniak
7b81a71393
Don't use TLS by default (#8359)
Also unify the common code with a new rcube_utils::parse_host_uri() method
2021-12-11 09:52:23 +01:00
Aleksander Machniak
c445e19484
Fix security issues regarding server name and trusted_host_patterns setting
2021-10-17 10:59:54 +02:00
Aleksander Machniak
318d6d0859
Simplify code according to the minimum PHP version supported
2021-10-05 19:29:57 +02:00