Aleksander Machniak
45e6929759
Small phpdoc improvements
2026-03-22 07:38:54 +01:00
Aleksander Machniak
579b68eff9
Fix SSRF + Information Disclosure via stylesheet links to local network hosts
Reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/
2026-03-18 10:35:16 +01:00
Aleksander Machniak
1b30edf536
Fix XSS issue in an HTML attachment preview
Reported by aikido_security
2026-03-18 10:23:34 +01:00
Aleksander Machniak
226811a1c9
Fix fixed position mitigation bypass via use of !important
Reported by nullcathedral
2026-03-18 10:20:00 +01:00
Aleksander Machniak
fd0e98178d
Fix remote image blocking bypass via a crafted body background attribute
Reported by nullcathedral
2026-03-18 10:15:43 +01:00
Aleksander Machniak
82ab5eca7b
Fix remote image blocking bypass via various SVG animate attributes
Reported by nullcathedral
2026-03-17 15:53:29 +01:00
Aleksander Machniak
5fe8a69956
Fix IMAP Injection + CSRF bypass in mail search
Reported by Martila Security Research Team
2026-03-17 15:34:13 +01:00
Aleksander Machniak
6d586cfa4d
Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
Disable GuzzleHttp\Cookie\FileCookieJar instantiation.
Reported by y0us.
2026-03-17 15:11:38 +01:00
Aleksander Machniak
122a2cd112
Fix new phpstan errors
2026-03-17 14:53:08 +01:00
Kizashi Nagata
51db344a4d
Fix link pattern matching HTML tag characters in URL path (#10115)
The link_pattern introduced in 2c3b46c1f uses \S (non-whitespace) for
the URL path segment, which also matches <, >, ", and ' characters.
This causes URLs inside HTML-like markup in plain text (e.g.
<a href="https://example.com/">click here</a>) to consume the tag
characters as part of the URL.
Replace \S with [^\s<>"'] to exclude HTML tag delimiters and quote
characters from URL path matching, and [^\s.:;,] with [^\s.:;,<>"']
for the path segment terminator.
2026-03-14 11:50:24 +01:00
Aleksander Machniak
6a1555e287
Fix bug where rel=stylesheet part of a <link> could get removed
2026-03-12 08:17:13 +01:00
Aleksander Machniak
cafc7b82b4
Fix Postgres connection using IPv6 address (#10104)
2026-03-10 19:24:25 +01:00
Aleksander Machniak
667c4b731c
Fix PHP fatal error when using IMAP cache (#10102)
2026-03-08 11:47:35 +01:00
Kizashi Nagata
7cab5643c1
Fix URL matching for domain names with port numbers (#10105)
2026-03-08 11:05:19 +01:00
Aleksander Machniak
4e95ebe12b
Fix new phpstan error - redundant if statement
2026-03-05 12:41:46 +01:00
Aleksander Machniak
249681c2e9
Localization update
2026-02-22 15:43:51 +01:00
Aleksander Machniak
2af7417d89
Fix str_contains() use
2026-02-08 10:27:30 +01:00
Aleksander Machniak
8dac75abbd
Fix CSS injection vulnerability reported by CERT Polska
2026-02-08 09:24:29 +01:00
Aleksander Machniak
26d7677471
Fix remote image blocking bypass via SVG content reported by nullcathedral
2026-02-08 09:21:34 +01:00
Aleksander Machniak
4c378113ce
Set folder property also on a result from the cache
2026-01-28 11:14:13 +01:00
Aleksander Machniak
609124d94f
OAuth: Add oauth_auth_type option
2026-01-25 13:03:05 +01:00
Aleksander Machniak
75dbc2fe11
OAuth: Fix bug where it was impossible to login again after logout (#10073)
2026-01-25 12:26:43 +01:00
Aleksander Machniak
d8363fbd7d
Fix new phpstan error
2026-01-25 08:40:17 +01:00
Aleksander Machniak
0e5712b89f
Update localization
2026-01-11 10:13:10 +01:00
Aleksander Machniak
3cebe59538
Remove some old code for IE
2026-01-04 13:39:51 +01:00
Aleksander Machniak
cb7f2d0066
Fix a UI issue on using browser Back button after allowing remote resources (#10062)
2026-01-04 13:34:43 +01:00
Aleksander Machniak
42794a40aa
Support request_url config option for resolving relative URLs (#9868)
2026-01-01 15:14:18 +01:00
Aleksander Machniak
7a3843f9b7
Support X-Forwarded-Host/X-Forwarded-Port in self URLs generation (#9952)
2026-01-01 12:57:02 +01:00
James Renken
fd395ddf0d
Support $HasAttachment/$HasNoAttachment keywords for "With attachment" search filter (#10056)
Also make content-types consistent between app.js:add_message_row() & rcmail_action_mail_index()
Fixes #10053
2025-12-28 19:49:04 +01:00
Aleksander Machniak
e5d5ed91bd
Fix the regexp so it will produce fewer false positives
2025-12-15 11:36:05 +01:00
Aleksander Machniak
7c3267b9b0
Fix Information Disclosure vulnerability in the HTML style sanitizer
reported by somerandomdev
2025-12-14 09:02:25 +01:00
Aleksander Machniak
5162a0d9d7
Fix Cross-Site-Scripting vulnerability via SVG's animate tag
reported by Valentin T., CrowdStrike.
2025-12-14 09:01:26 +01:00
Pablo Zmdl
202daa6f97
Replace changed by expires_at in session handling
This prepares using extended session lifetimes configurable per session
2025-12-04 14:47:16 +01:00
Dominik Schmidt
ce893b2e1d
Preserve requested url on oidc login (#10033)
* feat: preserve requested url on oidc login
* fix(oidc): redirect to idp when session timed out
2025-11-29 18:21:16 +01:00
Aleksander Machniak
4583641133
Localization: Remove empty lines
2025-11-29 18:18:58 +01:00
Aleksander Machniak
7d960125dc
rcube_db_param implements Stringable interface
2025-11-29 15:53:38 +01:00
Aleksander Machniak
f0d63004d6
Localization update
2025-11-29 13:57:20 +01:00
Michael Steininger
cdd3d1ed69
Allow "target" in html attributes when saving signature (#10017)
2025-11-23 14:55:33 +01:00
Dominik Schmidt
01a362aa9f
feat: add getter for cached oauth options (#10029)
2025-11-23 12:39:21 +01:00
Aleksander Machniak
7cab146f7b
Fix new phpstan errors
2025-11-22 15:07:31 +01:00
Pablo Zmdl
a361fa79f1
Add rel='noopener' to all links opening in a new window
Browsers younger than ~5 years don't need this, but older browsers might cause problems.
Code style change as demanded by eslint
Remove accidentally added `id` attribute
Fix test as it was intended
2025-11-04 16:03:22 +01:00
Aleksander Machniak
bd83492549
Minor phpdoc fix
2025-10-29 14:14:20 +01:00
Pablo Zmdl
e34a813355
New plugin "markdown_editor": compose in markdown, send as HTML
This adds a markdown editor that sends HTML to the server.
It uses codemirror and some custom code to show a syntax highlighted
textarea and some buttons to help editing
(including a preview).
Drafts get marked via an internal email header that causes the markdown
editor to automatically start if a message composition is
continued that was started using the markdown editor.
2025-10-27 15:34:19 +01:00
Pablo Zmdl
fd8ac88643
Allow additional attributes for included scripts
2025-10-27 15:34:19 +01:00
Pablo Zmdl
ea050faaad
Allow event handlers to act after a signature was inserted
2025-10-27 15:34:19 +01:00
Pablo Zmdl
bbd884b957
Allow event handlers to hook into messageform submission
submit() doesn't emit an event prior to sending the data but
requestSubmit() does.
2025-10-27 15:34:19 +01:00
Philip Weir
b8f65f4692
use variable replacement built in to rcmail.get_label() js (#10014)
2025-10-18 08:25:23 +02:00
Aleksander Machniak
09f163960c
Fix PHP 8.5 deprecation about PDO driver specific constants
2025-10-16 15:03:34 +02:00
Philip Weir
39821c8a56
Move autocomplete list rendering to client side (#9832)
* basic support for autocomplete list rendering on client side
* remove 'contact_search_name' config var, add 'rcube_addressbook::compose_autocomplete_fields()'
* add contactlist_name_template config replacement for contact_search_name
2025-10-11 17:13:13 +02:00
Philip Weir
db2e201788
Contact import improvements (#9431)
* contact import: correct mismapped fields
* contacts: remove im:other field from UI, it does not exist in the vCard
* vcard: add some more maps for common vcard types to roundcube types
* contact import: list all possible roundcube contact fields in csv import UI, remove hard coded $local_map
* add SORT_LOCALE_STRING flag
* fix typos
* remove unwanted label
* move field list to csv2vcard
* move rcube_csv2vcard::list_fields to rcmail_action_contacts_import::list_fields as it relies on rcmail_action_contacts
* use single field map for csv2vcard imports, remove hardcoded version
* fix test
* small cs fix
* reformat csv2vcard.inc
* fix failing test
* restore existence check
* fix failing test again
2025-10-08 13:36:57 +02:00