Commit Graph

8369 Commits

Author SHA1 Message Date
Aleksander Machniak
5fe8a69956 Fix IMAP Injection + CSRF bypass in mail search
Reported by Martila Security Research Team
2026-03-17 15:34:13 +01:00
Aleksander Machniak
6d586cfa4d Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
Disable GuzzleHttp\Cookie\FileCookieJar instantiation.

Reported by y0us.
2026-03-17 15:11:38 +01:00
Aleksander Machniak
122a2cd112 Fix new phpstan errors 2026-03-17 14:53:08 +01:00
Kizashi Nagata
51db344a4d Fix link pattern matching HTML tag characters in URL path (#10115)
The link_pattern introduced in 2c3b46c1f uses \S (non-whitespace) for
the URL path segment, which also matches <, >, ", and ' characters.
This causes URLs inside HTML-like markup in plain text (e.g.
<a href="https://example.com/">click here</a>) to consume the tag
characters as part of the URL.

Replace \S with [^\s<>"'] to exclude HTML tag delimiters and quote
characters from URL path matching, and [^\s.:;,] with [^\s.:;,<>"']
for the path segment terminator.
2026-03-14 11:50:24 +01:00
Aleksander Machniak
6a1555e287 Fix bug where rel=stylesheet part of a <link> could get removed 2026-03-12 08:17:13 +01:00
Aleksander Machniak
cafc7b82b4 Fix Postgres connection using IPv6 address (#10104) 2026-03-10 19:24:25 +01:00
Aleksander Machniak
667c4b731c Fix PHP fatal error when using IMAP cache (#10102) 2026-03-08 11:47:35 +01:00
Kizashi Nagata
7cab5643c1 Fix URL matching for domain names with port numbers (#10105) 2026-03-08 11:05:19 +01:00
Aleksander Machniak
4e95ebe12b Fix new phpstan error - redundant if statement 2026-03-05 12:41:46 +01:00
Aleksander Machniak
249681c2e9 Localization update 2026-02-22 15:43:51 +01:00
Aleksander Machniak
2af7417d89 Fix str_contains() use 2026-02-08 10:27:30 +01:00
Aleksander Machniak
8dac75abbd Fix CSS injection vulnerability reported by CERT Polska 2026-02-08 09:24:29 +01:00
Aleksander Machniak
26d7677471 Fix remote image blocking bypass via SVG content reported by nullcathedral 2026-02-08 09:21:34 +01:00
Aleksander Machniak
4c378113ce Set folder property also on a result from the cache 2026-01-28 11:14:13 +01:00
Aleksander Machniak
609124d94f OAuth: Add oauth_auth_type option 2026-01-25 13:03:05 +01:00
Aleksander Machniak
75dbc2fe11 OAuth: Fix bug where it was impossible to login again after logout (#10073) 2026-01-25 12:26:43 +01:00
Aleksander Machniak
d8363fbd7d Fix new phpstan error 2026-01-25 08:40:17 +01:00
Aleksander Machniak
0e5712b89f Update localization 2026-01-11 10:13:10 +01:00
Aleksander Machniak
3cebe59538 Remove some old code for IE 2026-01-04 13:39:51 +01:00
Aleksander Machniak
cb7f2d0066 Fix a UI issue on using browser Back button after allowing remote resources (#10062) 2026-01-04 13:34:43 +01:00
Aleksander Machniak
42794a40aa Support request_url config option for resolving relative URLs (#9868) 2026-01-01 15:14:18 +01:00
Aleksander Machniak
7a3843f9b7 Support X-Forwarded-Host/X-Forwarded-Port in self URLs generation (#9952) 2026-01-01 12:57:02 +01:00
James Renken
fd395ddf0d Support $HasAttachment/$HasNoAttachment keywords for "With attachment" search filter (#10056)
Also make content-types consistent between app.js:add_message_row() & rcmail_action_mail_index()

Fixes #10053
2025-12-28 19:49:04 +01:00
Aleksander Machniak
e5d5ed91bd Fix the regexp so it will produce fewer false positives 2025-12-15 11:36:05 +01:00
Aleksander Machniak
7c3267b9b0 Fix Information Disclosure vulnerability in the HTML style sanitizer
reported by somerandomdev
2025-12-14 09:02:25 +01:00
Aleksander Machniak
5162a0d9d7 Fix Cross-Site-Scripting vulnerability via SVG's animate tag
reported by Valentin T., CrowdStrike.
2025-12-14 09:01:26 +01:00
Pablo Zmdl
202daa6f97 Replace changed by expires_at in session handling
This prepares using extended session lifetimes configurable per session
2025-12-04 14:47:16 +01:00
Dominik Schmidt
ce893b2e1d Preserve requested url on oidc login (#10033)
* feat: preserve requested url on oidc login
* fix(oidc): redirect to idp when session timed out
2025-11-29 18:21:16 +01:00
Aleksander Machniak
4583641133 Localization: Remove empty lines 2025-11-29 18:18:58 +01:00
Aleksander Machniak
7d960125dc rcube_db_param implements Stringable interface 2025-11-29 15:53:38 +01:00
Aleksander Machniak
f0d63004d6 Localization update 2025-11-29 13:57:20 +01:00
Michael Steininger
cdd3d1ed69 Allow "target" in html attributes when saving signature (#10017) 2025-11-23 14:55:33 +01:00
Dominik Schmidt
01a362aa9f feat: add getter for cached oauth options (#10029) 2025-11-23 12:39:21 +01:00
Aleksander Machniak
7cab146f7b Fix new phpstan errors 2025-11-22 15:07:31 +01:00
Pablo Zmdl
a361fa79f1 Add rel='noopener' to all links opening in a new window
Browsers younger than ~5 years don't need this, but older browsers might cause problems.

Code style change as demanded by eslint

Remove accidentally added `id` attribute

Fix test as it was intended
2025-11-04 16:03:22 +01:00
Aleksander Machniak
bd83492549 Minor phpdoc fix 2025-10-29 14:14:20 +01:00
Pablo Zmdl
e34a813355 New plugin "markdown_editor": compose in markdown, send as HTML
This adds a markdown editor that sends HTML to the server.

It uses codemirror and some custom code to show a syntax highlighted
textarea and some buttons to help editing
(including a preview).

Drafts get marked via an internal email header that causes the markdown
editor to automatically start if a message composition is
continued that was started using the markdown editor.
2025-10-27 15:34:19 +01:00
Pablo Zmdl
fd8ac88643 Allow additional attributes for included scripts 2025-10-27 15:34:19 +01:00
Pablo Zmdl
ea050faaad Allow event handlers to act after a signature was inserted 2025-10-27 15:34:19 +01:00
Pablo Zmdl
bbd884b957 Allow event handlers to hook into messageform submission
submit() doesn't emit an event prior to sending the data but
requestSubmit() does.
2025-10-27 15:34:19 +01:00
Philip Weir
b8f65f4692 use variable replacement built into rcmail.get_label() js (#10014) 2025-10-18 08:25:23 +02:00
Aleksander Machniak
09f163960c Fix PHP 8.5 deprecation about PDO driver specific constants 2025-10-16 15:03:34 +02:00
Philip Weir
39821c8a56 Move autocomplete list rendering to client side (#9832)
* basic support for autocomplete list rendering on client side
* remove 'contact_search_name' config var, add 'rcube_addressbook::compose_autocomplete_fields()'
* add contactlist_name_template config replacement for contact_search_name
2025-10-11 17:13:13 +02:00
Philip Weir
db2e201788 Contact import improvements (#9431)
* contact import: correct mismapped fields
* contacts: remove im:other field from UI, it does not exist in the vCard
* vcard: add some more maps for common vcard types to roundcube types
* contact import: list all possible roundcube contact fields in csv import UI, remove hard coded $local_map
* add SORT_LOCALE_STRING flag
* fix typos
* remove unwanted label
* move field list to csv2vcard
* move rcube_csv2vcard::list_fields to rcmail_action_contacts_import::list_fields as it relies on rcmail_action_contacts
* use single field map for csv2vcard imports, remove hardcoded version
* fix test
* small cs fix
* reformat csv2vcard.inc
* fix failing test
* restore existence check
* fix failing test again
2025-10-08 13:36:57 +02:00
Aleksander Machniak
0abdccaf55 Get rid of IE related code 2025-10-08 11:13:26 +02:00
Philip Weir
46f8f31a13 Add tooltip with folder name to widescreen list of multi folder listing (#9989) 2025-10-07 15:38:43 +02:00
Philip Weir
6926f5c307 Add scope param for contact search (#9902)
* add scope param for contact search

* fix failing tests

* add test for contact search scope

* test scope on advanced search form

* use str_contains
2025-10-05 18:49:18 +02:00
Aleksander Machniak
1e55383302 Use symfony/polyfill-php85 for array_first() and array_last() 2025-10-03 14:27:05 +02:00
Mathias Schneider
bdbfbd9074 Support early MIME types for S/MIME encrypted messages (#9973)
Co-authored-by: Mathias Schneider <thiesje@web.de>
2025-09-21 10:14:24 +02:00
Philip Weir
7fd9bf05e3 Only apply fix_path for href attrib in <link>s (#9943) 2025-09-18 07:36:36 +02:00