Mirrors/roundcubemail
2
0
Fork 0
mirror of https://github.com/roundcube/roundcubemail.git synced 2026-03-03 06:44:03 +01:00
Code Issues Packages Projects Releases Wiki Activity
12,412 Commits 72 Branches 205 Tags
8a4eecbcb00eea109c0bd24475e08036ae698eac
Commit Graph

138 Commits

Author SHA1 Message Date
Aleksander Machniak
c445e19484 Fix security issues regarding server name and trusted_host_patterns setting 2021-10-17 10:59:54 +02:00
Aleksander Machniak
318d6d0859 Simplify code according to the minimum PHP version supported 2021-10-05 19:29:57 +02:00
Aleksander Machniak
f2688ba492 Use ?? operator where applicable 2021-09-21 19:12:06 +02:00
johndoh
693252edfe Remove redudant php version checks (#8154) 2021-08-01 17:39:12 +02:00
Aleksander Machniak
6f435ecb52 Fix fatal error/warning on invalid input to user parameter (#8152) 
Added a new utility method: rcube_utils::get_input_string()
 2021-08-01 10:31:09 +02:00
Aleksander Machniak
766189f524 Fix PHP 8.1 deprecation warnings 2021-07-31 08:38:47 +02:00
Aleksander Machniak
0d4a395464 Fix PHP 8.1 deprecation warnings 2021-07-31 07:53:14 +02:00
Thomas P
0044673e11 Add config options for subject prefixes (#7929) 2021-04-25 09:41:08 +02:00
Josh Soref
203f456620 Spelling (#8001) 2021-04-18 08:43:18 +02:00
Aleksander Machniak
0df8e97476 Small code improvement + tests 2021-03-22 16:11:38 +01:00
Aleksander Machniak
9f19b931e3 Fix cross-site scripting (XSS) via HTML messages with malicious CSS content 
and improve css parsing code.

Thanks to Mateusz Szymaniec (CERT Polska) for reporting the issue.
 2021-02-08 13:42:12 +01:00
Aleksander Machniak
b4b24f93df Fix some PHP8 warnings 2021-01-15 18:56:48 +01:00
Aleksander Machniak
39b3c0049e Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730] 
Credits to Alex Birnberg <birnbergalex@gmail.com>
 2020-12-27 18:27:42 +01:00
Aleksander Machniak
66062846ec Fix "unitialized string offset" warnings 2020-12-19 19:43:36 +01:00
Aleksander Machniak
12547ccf01 Require php-intl extension, get rid of Net_IDNA2, PHP8 fixes, short array syntax 
Net_IDNA2 is not compatible, and Intl is a bundled ext since PHP 5.3.
Fixed some regressions.
 2020-12-13 10:21:52 +01:00
Aleksander Machniak
61a5ade872 PHP8 fixes, short array syntax 2020-12-12 16:20:14 +01:00
Aleksander Machniak
f4ed1024dc PHP8 fixes, CS fixes, short array syntax, tests 2020-12-02 20:15:00 +01:00
Aleksander Machniak
0cbe4a4acc PHP8 fixes, CS fixes, short array syntax, added more tests 2020-11-22 12:03:02 +01:00
Michael Stilkerich
bad1dedbf6 Phpdoc type annotations (#7733) 2020-11-21 09:34:24 +01:00
Aleksander Machniak
318f91417f Add rcube_utils::explode() 2020-11-02 09:02:38 +01:00
Aleksander Machniak
545a1569f1 Steps -> Actions refactoring (#7688) 
* Move action handling code to rcmail class
* Add rcmail_action class
* Add action aliases
* Get rid of $OUTPUT global
* Move some methods from rcmail to rcmail_action
* PHP8 compat. fixes
* Add framework for testing actions
* Fix obvious code mistakes
 2020-11-01 11:25:38 +01:00
Aleksander Machniak
f95212d626 PHP8: More warnings fixed 2020-10-11 15:24:30 +02:00
Aleksander Machniak
bde383d051 PHP8: Fix various issues 
for now only these I found by running our unit tests, there will be much more
 2020-10-11 10:32:41 +02:00
Aleksander Machniak
f0084b6f54 Fix empty space on mail printouts in Chrome (#7604) 2020-09-23 10:49:16 +02:00
Aleksander Machniak
a5c2b4360c Fixes in context of undefined variables, and code style 2020-08-15 12:13:31 +02:00
Aleksander Machniak
1e1ea25b6c Added special value 'email' to login_username_filter, it changes also logon input type (#7179) 2020-07-03 12:56:17 +02:00
Aleksander Machniak
bdf0a6539e Relaxed domain name validation for extended TLDs support (#5588) 2020-01-19 19:21:28 +01:00
johndoh
51a9dd631f Add support for SameSite cookie attribute (req PHP >= 7.3.0) (#6772) 2020-01-05 15:53:51 +01:00
Aleksander Machniak
0b45c3c6b0 Fix matching multiple X-Forwarded-For addresses with 'proxy_whitelist' (#7107) 2019-12-07 09:34:15 +01:00
Aleksander Machniak
e3c6989494 Log X-Real-IP only when it's different than REMOTE_ADDR 2019-11-28 14:40:39 +01:00
Aleksander Machniak
63730cf842 Fix security issue where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897) 2019-08-27 15:33:23 +02:00
Aleksander Machniak
057fb69bb9 Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899) 2019-08-27 14:37:17 +02:00
Aleksander Machniak
7bf868767e Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898) 2019-08-27 13:50:09 +02:00
Aleksander Machniak
1afa46d28d PHPDoc and CS fixes 2019-08-25 14:15:09 +02:00
Aleksander Machniak
8f895cb17f Replace function alias: getallheaders() -> apache_request_headers() 2019-07-06 08:28:53 +02:00
Aleksander Machniak
0a0ad2c9b7 Switch to IDNA2008 variant (#6806) 
After switching IDNA_NONTRANSITIONAL_TO_ASCII on, switch to
IDNA2008 variant in Net_LDAP2. Add test, update changelog.
 2019-06-16 12:03:27 +02:00
Max Bosse
f1d3f9ee44 Fix: Use IDNA_NONTRANSITIONAL_TO_UNICODE for idn_to_utf8 call 2019-06-16 10:41:25 +02:00
Max Boße
70c20740e7 Set 'IDNA_NONTRANSITIONAL_TO_ASCII' idn-option 2019-06-16 10:24:37 +02:00
Amir Caspi
6b5fa52ec1 Update rcube_utils::parse_host, fixes #6746 
Updated regexps used in parse_host to ensure that %t, %d, %z do not cut off domain and return only tld when underlying host has no subdomain (i.e., is just domain.tld rather than mail.domain.tld).  Update fixes #6746, now returns nothing shorter than domain.tld.

Also removed backslash from character class, period does not need to be escaped within character class.
 2019-05-19 08:32:26 +02:00
Aleksander Machniak
57c67db029 Remove year(s) from copyright headers + some cleanup 2019-04-16 10:42:45 +02:00
Aleksander Machniak
61eb78ad64 Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581) 2019-01-16 16:40:37 +01:00
Aleksander Machniak
afc68aae63 FIx temp_filename() regressions, update changelog, add note in UPGRADING 2018-11-07 16:51:25 +01:00
PhilW
e024f133fa give all temp files a constant prefix 2018-11-06 07:11:04 +00:00
Aleksander Machniak
2dcf50019c Merge branch 'master' into dev/elastic 2018-09-22 17:33:24 +02:00
Aleksander Machniak
c28242f63c Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433) 2018-09-14 13:37:19 +02:00
Aleksander Machniak
796e5a17e6 Removed referer_check option (#6440) 2018-09-12 08:27:09 +02:00
Aleksander Machniak
cba1605949 Add http_only argument to rcube_utils::setcookie() 2018-07-02 15:56:07 +00:00
Aleksander Machniak
0716d499bc Fix bug where some escape sequences in html styles could bypass security checks 2018-05-05 17:12:18 +02:00
Aleksander Machniak
a889f55c31 Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244) 2018-04-12 09:39:33 +02:00
Aleksander Machniak
b2bebe531a Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224) 2018-04-10 09:24:29 +02:00