Commit Graph

7793 Commits

Author SHA1 Message Date
Aleksander Machniak
d742954ccb Fix XSS issue in an HTML attachment preview
Reported by aikido_security
2026-03-18 12:48:49 +01:00
Aleksander Machniak
57dec0c127 Fix fixed position mitigation bypass via use of !important
Reported by nullcathedral
2026-03-18 12:48:37 +01:00
Aleksander Machniak
e052328e3d Fix remote image blocking bypass via a crafted body background attribute
Reported by nullcathedral
2026-03-18 12:48:08 +01:00
Aleksander Machniak
1a63e01542 Fix remote image blocking bypass via various SVG animate attributes
Reported by nullcathedral
2026-03-18 12:47:12 +01:00
Aleksander Machniak
7daf5aa9c1 Fix IMAP Injection + CSRF bypass in mail search
Reported by Martila Security Research Team
2026-03-18 12:47:00 +01:00
Aleksander Machniak
618c5428ed Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
Disable GuzzleHttp\Cookie\FileCookieJar instantiation.

Reported by y0us.
2026-03-18 12:39:40 +01:00
Aleksander Machniak
c15f5dbf09 Fix regression 2026-02-08 10:31:41 +01:00
Aleksander Machniak
5a3315cce5 Fix regressions 2026-02-08 10:08:14 +01:00
Aleksander Machniak
bf89cbaa58 Fix CSS injection vulnerability reported by CERT Polska 2026-02-08 09:40:21 +01:00
Aleksander Machniak
3ea9e6596a Fix remote image blocking bypass via SVG content reported by nullcathedral 2026-02-08 09:39:53 +01:00
Aleksander Machniak
49263ba2a0 Fix the regexp so it will produce fewer false positives 2026-02-08 09:38:51 +01:00
Aleksander Machniak
3cb52d6db1 Fix Information Disclosure vulnerability in the HTML style sanitizer
reported by somerandomdev
2025-12-14 09:14:18 +01:00
Aleksander Machniak
f4856e3f91 Fix Cross-Site-Scripting vulnerability via SVG's animate tag
reported by Valentin T., CrowdStrike
2025-12-14 09:14:07 +01:00
Aleksander Machniak
c50a07d88c Use get_input_string() 2025-06-01 09:25:19 +02:00
Pablo Zmdl
7408f31379 Validate URL parameter in upload code (#9866) 2025-06-01 09:22:17 +02:00
Aleksander Machniak
522e20f32a Fix regression causing inline SVG images to be missing in mail preview (#9644) 2024-09-29 14:01:10 +02:00
Aleksander Machniak
316a0dd455 Fix regression where HTML messages were displayed unstyled (#9586) 2024-08-16 19:59:39 +02:00
Aleksander Machniak
44cec17e8f Fix regression where printing/scaling/rotating image attachments was broken (#9571) 2024-08-08 14:08:08 +02:00
Aleksander Machniak
ed98839031 Fix so install/update scripts do not require PEAR (#9037) 2024-08-04 11:22:55 +02:00
Aleksander Machniak
a25e48e2da Fix PHP5 compat. 2024-08-04 11:11:22 +02:00
Aleksander Machniak
53da61f7fc Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com
2024-08-04 10:30:13 +02:00
Aleksander Machniak
c222ea8b99 Fix XSS vulnerability in serving of attachments other than HTML or SVG [CVE-2024-42008]
Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com
2024-08-04 10:30:06 +02:00
Aleksander Machniak
1b3bb11d4f Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com)
2024-08-04 10:29:58 +02:00
Aleksander Machniak
5c0fbde168 Fix PHP8 warnings 2024-05-19 11:04:47 +02:00
Aleksander Machniak
4da20eb1d1 Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
Reported by Valentin T. and Lutz Wolf of CrowdStrike.
2024-05-19 10:21:09 +02:00
Aleksander Machniak
0d0bc61b13 Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
Reported by Huy Nguyễn Phạm Nhật.
2024-05-19 10:19:22 +02:00
Aleksander Machniak
61a3c9aa89 Fix command injection via crafted im_convert_path/im_identify_path on Windows
Reported by Huy Nguyễn Phạm Nhật.
2024-05-19 10:13:35 +02:00
Aleksander Machniak
5ec496885e Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
Thanks to rehme.infosec for reporting the issues.
2023-11-04 17:58:08 +01:00
Aleksander Machniak
b78637c762 Fix merge conflict 2023-10-14 18:24:16 +02:00
Aleksander Machniak
8d823e2947 Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) 2023-10-14 18:19:00 +02:00
Aleksander Machniak
ef7c00ac2d Makefile: Backports and fix version number 2023-09-18 10:26:49 +02:00
Aleksander Machniak
fe42e143ca Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
Thanks to Niraj Shivtarkar for the report.
2023-09-14 10:11:34 +02:00
Aleksander Machniak
401eae025d Fix PHP8 warning 2023-07-28 14:03:42 +02:00
Aleksander Machniak
5d5da0364d Fix PHP8 warning 2023-07-28 12:51:08 +02:00
Aleksander Machniak
e14755646d Fix PHP8 warning (#9071) 2023-07-28 12:19:26 +02:00
Aleksander Machniak
0e4caf123a Fix PHP 8.2 fatal error when imap_conn_options.proxy_protocol is not an array 2023-07-20 13:18:03 +02:00
Aleksander Machniak
fd42f1c214 Add rcube_db::error_info() 2023-07-20 10:30:07 +02:00
Aleksander Machniak
5a44e539fd Fix PHP7 compat. break in last commit 2023-06-14 13:05:08 +02:00
Aleksander Machniak
56a1d651f0 Fix so output of log_date_format with microseconds contains time in server time zone, not UTC 2023-06-14 13:04:55 +02:00
Aleksander Machniak
feb75c042b Fix PHP8 warnings 2023-06-12 12:13:25 +02:00
Aleksander Machniak
494045c8d4 Fix compat. with PHP5 2023-06-06 14:59:04 +02:00
Aleksander Machniak
5e2c85c9a1 Fix PHP8 warnings 2023-06-06 14:52:28 +02:00
Aleksander Machniak
e3637ea26c Fix PHP8 warnings 2023-06-06 13:00:10 +02:00
Aleksander Machniak
a30206bf6a Fix bug where a non-ASCII character in app.js could cause error in javascript engine (#8894) 2023-01-28 18:34:51 +01:00
Aleksander Machniak
6dc41a2c96 Make rcmail::format_date() work with DateTimeImmutable 2023-01-18 11:47:39 +01:00
Aleksander Machniak
c0f183059c Fix get_address_book() issue for addressbooks that have a string identifier starting with a digit 2022-12-01 10:02:20 +01:00
Michael Steininger
278633b150 Fix php 8.0 warning if db_dsnr is used (#8779) 2022-11-11 11:39:09 +01:00
Aleksander Machniak
6e4d328841 Fix return to previous contact source/group after search reset 2022-11-11 11:23:58 +01:00
Aleksander Machniak
6abd913566 Fix so N property always exists in a vCard export (#8771) 2022-11-02 11:55:17 +01:00
Thomas Bruederli
88c1566126 Prepare release 1.5.3 2022-06-22 10:28:04 +02:00