roundcubemail

The Roundcube Webmail suite

GPL-3.0 License

Downloads
437
Stars
5.5K

roundcubemail - Roundcube Webmail 1.6.6 Latest Release

Published by alecpl 9 months ago

This is the next service release to update the stable version 1.6.
It provides a bunch of small fixes and improvements after getting your feedback from the previous releases. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Fix regression in handling LDAP search_fields configuration parameter (#9210)
  • Enigma: Fix finding of a private key when decrypting a message using GnuPG v2.3
  • Fix page jump menu flickering on click (#9196)
  • Update to TinyMCE 5.10.9 security release (#9228)
  • Fix PHP8 warnings (#9235, #9238, #9242, #9306)
  • Fix saving other encryption settings besides enigma's (#9240)
  • Fix unneeded php command use in installto.sh and deluser.sh scripts (#9237)
  • Fix TinyMCE localization installation (#9266)
  • Fix bug where trailing non-ascii characters in email addresses could have been removed in recipient input (#9257)
  • Fix IMAP GETMETADATA command with options - RFC5464

roundcubemail - Roundcube Webmail 1.6.5

Published by alecpl 12 months ago

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download reported by Rene Rehme (rehme.infosec).

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

  • Fix PHP8 fatal error when parsing a malformed BODYSTRUCTURE (#9171)
  • Fix duplicated Inbox folder on IMAP servers that do not use Inbox folder with all capital letters (#9166)
  • Fix PHP warnings (#9174)
  • Fix UI issue when dealing with an invalid managesieve_default_headers value (#9175)
  • Fix bug where images attached to application/smil messages weren't displayed (#8870)
  • Fix PHP string replacement error in utils/error.php (#9185)
  • Fix regression where smtp_user did not allow pre/post strings before/after %u placeholder (#9162)
  • Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download

roundcubemail - Roundcube Webmail 1.5.6

Published by alecpl 12 months ago

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download reported by Rene Rehme (rehme.infosec).

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

CHANGELOG

  • Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download
    reported by Rene Rehme (rehme.infosec).

roundcubemail - Roundcube Webmail 1.4.15

Published by alecpl about 1 year ago

This is a security update to the stable version 1.4 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) reported separately by Matthieu Faou (ESET) and Denys Klymenko.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.4.x with it. Please do backup your data before updating!

CHANGELOG

  • Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
  • Fix PHP 5.4 compatibility by using pear-core-minimal 1.10.11 (#9148)

roundcubemail - Roundcube Webmail 1.5.5

Published by alecpl about 1 year ago

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (https://github.com/roundcube/roundcubemail/issues/9168) reported separately by Matthieu Faou (ESET) and Denys Klymenko.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

CHANGELOG

  • Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)

roundcubemail - Roundcube Webmail 1.6.4

Published by alecpl about 1 year ago

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) reported separately by Matthieu Faou (ESET) and Denys Klymenko.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

  • Fix PHP8 warnings (#9142, #9160)
  • Fix default 'mime.types' path on Windows (#9113)
  • Managesieve: Fix javascript error when relational or spamtest extension is not enabled (#9139)
  • Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)

roundcubemail - Roundcube Webmail 1.5.4

Published by alecpl about 1 year ago

This is a security update to the stable version 1.5 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.5.x with it. Please do backup your data before updating!

CHANGELOG

  • Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
  • Fix so output of log_date_format with microseconds contains time in server time zone, not UTC
  • Fix so N property always exists in a vCard export (#8771)
  • Fix so rcmail::format_date() works with DateTimeImmutable input (#8867)
  • Fix bug where a non-ASCII character in app.js could cause error in javascript engine (#8894)

roundcubemail - Roundcube Webmail 1.4.14

Published by alecpl about 1 year ago

This is a security update to the stable version 1.4 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.4.x with it. Please do backup your data before updating!

CHANGELOG

  • Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
  • Enigma: Fix initial synchronization of private keys

roundcubemail - Roundcube Webmail 1.6.3

Published by alecpl about 1 year ago

This is a security update to the stable version 1.6 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages, reported by Niraj Shivtarkar.

This version is considered stable and we recommend to update all productive installations of Roundcube 1.6.x with it. Please do backup your data before updating!

CHANGELOG

  • Fix bug where installto.sh/update.sh scripts were removing some essential options from the config file (#9051)
  • Update jQuery-UI to version 1.13.2 (#9041)
  • Fix regression that broke use_secure_urls feature (#9052)
  • Fix potential PHP fatal error when opening a message with message/rfc822 part (#8953)
  • Fix bug where a duplicate <title> tag in HTML email could cause some parts being cut off (#9029)
  • Fix bug where a list of folders could have been sorted incorrectly (#9057)
  • Fix regression where LDAP addressbook 'filter' option was ignored (#9061)
  • Fix wrong order of a multi-folder search result when sorting by size (#9065)
  • Fix so install/update scripts do not require PEAR (#9037)
  • Fix regression where some mail parts could have been decoded incorrectly, or not at all (#9096)
  • Fix handling of an error case in Cyrus IMAP BINARY FETCH, fallback to non-binary FETCH (#9097)
  • Fix PHP8 deprecation warning in the reconnect plugin (#9083)
  • Fix "Show source" on mobile with x_frame_options = deny (#9084)
  • Fix various PHP warnings (#9098)
  • Fix deprecated use of ldap_connect() in password's ldap_simple driver (#9060)
  • Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages

roundcubemail - Roundcube Webmail 1.6.2

Published by alecpl over 1 year ago

This is the second service release to update the stable version 1.6.
It provides a bunch of small fixes and improvements after getting your feedback from the previous releases. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

Upgrading the Complete Package

Attention when upgrading Roundcube using the complete package!

The installto.sh script does not update the vendor folder of the installation target.
If you're not using Composer to install plugins or other dependencies, please remove the composer.json file of your Roundcube installation before running the installto.sh script.

If you have Composer installed, run composer update --no-dev to complete the upgrade.

CHANGELOG

  • Add Uyghur localization
  • Fix regression in OAuth request URI caused by use of REQUEST_URI instead of SCRIPT_NAME as a default (#8878)
  • Fix bug where false attachment reminder was displayed on HTML mail with inline images (#8885)
  • Fix bug where a non-ASCII character in app.js could cause error in javascript engine (#8894)
  • Fix JWT decoding with url safe base64 schema (#8890)
  • Fix bug where .wav instead of .mp3 file was used for the new mail notification in Firefox (#8895)
  • Fix PHP8 warning (#8891)
  • Fix support for Windows-31J charset (#8869)
  • Fix so LDAP VLV option is disabled by default as documented (#8833)
  • Fix so an email address with name is supported as input to the managesieve notify :from parameter (#8918)
  • Fix Help plugin menu (#8898)
  • Fix invalid onclick handler on the logo image when using non-array skin_logo setting (#8933)
  • Fix duplicate recipients in "To" and "Cc" on reply (#8912)
  • Fix bug where it wasn't possible to scroll lists by clicking middle mouse button (#8942)
  • Fix bug where label text in a single-input dialog could be partially invisible in some locales (#8905)
  • Fix bug where LDAP (fulltext) search didn't work without 'search_fields' in config (#8874)
  • Fix extra leading newlines in plain text converted from HTML (#8973)
  • Fix so recipients with a domain ending with .s are allowed (#8854)
  • Fix so vCard output does not contain non-standard/redundant TYPE=OTHER and TYPE=INTERNET (#8838)
  • Fix QR code images for contacts with non-ASCII characters (#9001)
  • Fix PHP8 warnings when using list_flags and list_cols properties by plugins (#8998)
  • Fix bug where subfolders could lose subscription on parent folder rename (#8892)
  • Fix connecting to LDAP using an URI with ldapi:// scheme (#8990)
  • Fix insecure shell command params handling in cmd_learn driver of markasjunk plugin (#9005)
  • Fix bug where some mail headers didn't work in cmd_learn driver of markasjunk plugin (#9005)
  • Fix PHP fatal error when importing vcf file using PHP 8.2 (#9025)
  • Fix so output of log_date_format with microseconds contains time in server time zone, not UTC

roundcubemail - Roundcube Webmail 1.6.1

Published by thomascube over 1 year ago

This is the first service release to update the new stable version 1.6.
It provides a bunch of small fixes and improvements after getting your feedback from the 1.6.0 release. See the full changelog below.

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

Upgrading the Complete Package

Attention when upgrading Roundcube using the complete package!

The installto.sh script does not update the vendor folder of the installation target.
If you're not using Composer to install plugins or other dependencies, please remove the composer.json file of your Roundcube installation before running the installto.sh script.

If you have Composer installed, run composer update --no-dev to complete the upgrade.

CHANGELOG

  • Kill session if refreshing oauth token fails (#8734)
  • Fix various PHP 8.1 warnings (#8628, #8644, #8667, #8656, #8647)
  • Password: Remove references to %c variable that has been removed before (#8633)
  • Fix anchor links in HTML mail (#8632)
  • Fix bug where config creation in Installer did ignore options in the form (#8634)
  • Fix bug where renamed options were removed from the config on installto.sh (update.sh) run (#8643)
  • Fix favicon rewrite rule in .htaccess (#8654)
  • Fix various PHP 8.2 warnings
  • Fix bug where it wasn't possible to create more than one response record on SQLite and Postgres (#8664)
  • Fix support for ManageSieve over implicit SSL (#8670)
  • Fix bug where "about:blank" page could trigger "load error" (#8554)
  • Fix bug where setting 'Clear Trash on Logout' to 'all messages' didn't work (#8687)
  • Fix bug where the attachment menu wouldn't disappear after an action is selected (#8691)
  • Fix bug where some dialogs in an eml attachment preview would not close on mobile (#8627)
  • Fix bug where multiline data:image URI's in emails were stripped from the message on display (#8613)
  • Fix fatal error on identity page if Enigma plugin is misconfigured (#8719)
  • Fix so N property always exists in a vCard export (#8771)
  • Fix authenticating to Courier IMAP with passwords containing a '~' character (#8772)
  • Fix handling of smtp/imap port options on configuration file update (#8756)
  • Fix bug where array values could not be saved in utils/save_pref action (#8781)
  • Add workaround for using Roundcube behind a reverse proxy with a subpath: 'request_path' option (#8738, #8770)
  • Fix bug where "Invalid skin name" error was logged on preferences save if there's only one skin (#8825)
  • Fix SIGBUS raised in ImageMagick when more than one process tried to generate a thumbnail of the same image attachment (#8511)
  • Fix bug where updater does not update the vendor packages (#8642)
  • Fix missing mail composing textarea on reply/draft with a long plain text content (#8866)

roundcubemail - Roundcube Webmail 1.6.0

Published by thomascube about 2 years ago

This is the stable release of the next major version 1.6 of Roundcube webmail.

With this milestone we cleaned up the codebase and bring full support for PHP 8.1.
The most noteworthy changes, as already announced with the beta release, are:

  • PHP 8.1 support
  • Dropped support for PHP < 7.3
  • Support responses (snippets) in HTML format
  • Option to purge deleted mails older than 30, 60 or 90 days
  • Unified and simplified services connection config options
  • Removed the Classic and Larry skins from the release packages
  • SQLite: Use foreign keys, require SQLite >= 3.6.19

See the full changelog below.

Breaking Changes to 1.5 and prior versions

The following config options have either been removed or renamed:

  1. IMAP:
    • renamed default_host to imap_host
    • removed default_port option (non-standard port can be set via imap_host)
    • set "localhost:143" as a default for imap_host
  2. SMTP:
    • renamed smtp_server to smtp_host
    • removed smtp_port option (non-standard port can be set via smtp_host)
    • set "localhost:587" as a default for smtp_host
  3. LDAP:
    • removed port option from ldap_public array (non-standard port can be set via host)
    • removed use_tls option from ldap_public array (use tls:// prefix in host)
  4. Managesieve:
    • removed managesieve_port option (non-standard port can be set via managesieve_host)
    • removed managesieve_usetls option (set tls:// prefix to managesieve_host)

The skins Larry and Classic are no longer part of the release packages.
If you used them in your deployment, you need to install them manually. That can easily be done via Composer:

$ composer require roundcube/larry

This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario. Download it from roundcube.net.

With the release of Roundcube 1.6.0, the previous stable release branches 1.5.x and 1.5.x will change into LTS low maintenance mode which means they will only receive important security updates. The 1.3.x series is no longer supported and maintained.

CHANGELOG (since 1.6-rc)

  • Fix SMTP XCLIENT extension when not using STARTTLS (#8581)
  • Fix call to undefined method rcube_ldap_generic::option_set() (#8564)
  • Fix PHP Fatal error on incompatible method declaration of rcmail_output_json::command() and rcmail_output::command() (#8579)
  • Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)
  • Fix TinyMCE configuration for handling styles of pasted content in webkit browsers (#8555)
  • Fix bug where some checkboxes could be selected unintentionally (#8565)
  • Fix css styles of the email recipient element while dragging (#8580)
  • Fix PHP 8.1 warnings in the LDAP backend code (#8572)
  • Fix various PHP 8.1 warnings (#8584)
  • Fix bug where a recipient address containing UTF-8 characters was ignored when sending an email (#8493, #8546)
  • Fix so rcmail::contact_exists() works with IDNA addresses (#8545)
  • Fix password option in storage_init hook after refreshing oauth access token (#8436)
  • Fix attachment Options popover menu after attachment delete (#8602)
  • Fix so "Found unconstructed Spoofchecker" error is not fatal (#8537)

roundcubemail - Roundcube Webmail 1.5.3

Published by thomascube over 2 years ago

This is the second service release to update the new stable version 1.5.
It provides a bunch of small fixes and improvements for the PHP8 compatibility.

This version is considered stable and we recommend to update all productive installations
of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Enigma: Fix initial synchronization of private keys
  • Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
  • Fix various PHP8 warnings (#8392)
  • Fix mail headers injection via the subject field on mail compose (#8404)
  • Fix bug where small message/rfc822 parts could not be decoded (#8408)
  • Fix setting HTML mode on reply/forward of a signed message (#8405)
  • Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
  • Fix bug where some mail parts (images) could have not been listed as attachments (#8425)
  • Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)
  • Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
  • Fix bug where session could time out if DB and PHP timezone were different (#8303)
  • Fix bug where DSN flag state wasn't stored with a draft (#8371)
  • Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
  • Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
  • Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
  • Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)

roundcubemail - Roundcube Webmail 1.6-rc

Published by alecpl over 2 years ago

This is the release candidate for the next major version 1.6 of Roundcube webmail.

It includes a small number of improvements and fixes in comparison to 1.6-beta release.

We believe it is production ready, but we recommend to test it on a separate environment.
And don't forget to backup your data before installing it.

CHANGELOG

  • Update to jQuery-UI 1.13.1 (#8455)
  • Added possibility to make the logo image a link via the 'skin_logo' option (#8501)
  • Use navigator.pdfViewerEnabled for PDF viewer detection
  • Remove use of unreliable charset detection (#8344)
  • Don't list images attached to multipart/related part as attachments (#7184)
  • Password: Add support for ssha256 algorithm (#8459)
  • Fix so unix:// URI is supported in various host spec. options again (#8468)
  • Fix slow loading of long HTML content into the HTML editor (#8108)
  • Fix bug where SMTP password didn't work if it contained '%p' (#8435)
  • Enigma: Fix initial synchronization of private keys
  • Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
  • Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
  • Fix bug where session could time out if DB and PHP timezone were different (#8303)
  • Fix bug where DSN flag state wasn't stored with a draft (#8371)
  • Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
  • Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
  • Fix so links (e.g. www.some.page or http://some.page) are not considered misspellings (#8527)
  • Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)

roundcubemail - Roundcube Webmail 1.6-beta

Published by thomascube over 2 years ago

This is a beta release for the next major version 1.6 of Roundcube webmail.
With this milestone we cleaned up the codebase and bring full support for PHP 8.1.
The most noteworthy changes are:

  • PHP 8.1 support
  • Dropped support for PHP < 7.3
  • Support responses (snippets) in HTML format
  • Option to purge deleted mails older than 30, 60 or 90 days
  • Unified and simplified services connection config options
  • Removed the Classic and Larry skins from the release packages
  • SQLite: Use foreign keys, require SQLite >= 3.6.19

Adding support for PHP 8.1 again required some refactoring of the Roundcube codebase
and removing/replacing now deprecated PHP code. We also used this cleanup effort
to simplify Roundcube's config options a bit.

Breaking Changes

The following config options have either been removed or renamed:

  1. IMAP:
    • renamed default_host to imap_host
    • removed default_port option (non-standard port can be set via imap_host)
    • set "localhost:143" as a default for imap_host
  2. SMTP:
    • renamed smtp_server to smtp_host
    • removed smtp_port option (non-standard port can be set via smtp_host)
    • set "localhost:587" as a default for smtp_host
  3. LDAP:
    • removed port option from ldap_public array (non-standard port can be set via host)
    • removed use_tls option from ldap_public array (use tls:// prefix in host)
  4. Managesieve:
    • removed managesieve_port option (non-standard port can be set via managesieve_host)
    • removed managesieve_usetls option (tls:// prefix in managesieve_host has to be used)
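
The renames in this list (the same list appears in the 1.6.0 notes under "Breaking Changes to 1.5 and prior versions"), applied to a 1.5-style config array so that a port or TLS flag that 1.6 no longer reads ends up inside the host value. This is an added example, not Roundcube's code and not what installto.sh/update.sh do internally; `rc16_host`, `rc16_migrate`, the sample values and the fallback to `localhost` for a missing host are assumptions. LDAP address books are only flagged for review, not rewritten.

```php
<?php
// Added example (not Roundcube's own code). Input: a 1.5-style $config array.

/** Fold a legacy port and TLS flag into a single host value, as 1.6 expects. */
function rc16_host(string $host, ?int $port, bool $tls = false): string
{
    if (stripos($host, 'unix://') === 0) {
        return $host;                        // socket path: no port to append
    }
    $scheme = '';
    if (preg_match('#^([a-z0-9]+)://(.+)$#i', $host, $m)) {
        $scheme = strtolower($m[1]) . '://'; // keep an existing ssl:// or tls:// prefix
        $host   = $m[2];
    }
    if ($scheme === '' && $tls) {
        $scheme = 'tls://';                  // removed TLS flag becomes a prefix
    }
    if ($port !== null && !preg_match('/:\d+$/', $host)) {
        $host .= ':' . $port;                // do not override a port already in the host
    }
    return $scheme . $host;
}

/** Returns [migrated config, notes for manual review]. */
function rc16_migrate(array $config): array
{
    $notes = [];
    // [old host key, old port key, old TLS flag key or null, new host key]
    $map = [
        ['default_host',     'default_port',     null,                 'imap_host'],
        ['smtp_server',      'smtp_port',        null,                 'smtp_host'],
        ['managesieve_host', 'managesieve_port', 'managesieve_usetls', 'managesieve_host'],
    ];
    foreach ($map as [$oldHost, $oldPort, $oldTls, $newHost]) {
        $touched = isset($config[$oldPort])
            || ($oldTls !== null && isset($config[$oldTls]))
            || ($oldHost !== $newHost && isset($config[$oldHost]));
        if (!$touched) {
            continue;                        // nothing legacy to migrate for this service
        }
        $host = $config[$oldHost] ?? 'localhost';   // assumption: missing host = localhost
        $port = isset($config[$oldPort]) ? (int) $config[$oldPort] : null;
        $tls  = $oldTls !== null && !empty($config[$oldTls]);

        if (is_string($host) && $host !== '') {
            $config[$newHost] = rc16_host($host, $port, $tls);
        } else {
            $config[$newHost] = $host;       // e.g. a host list: leave for a human
            $notes[] = "$newHost: empty or non-string value copied as is, set port/TLS by hand";
        }
        unset($config[$oldPort]);
        if ($oldTls !== null) {
            unset($config[$oldTls]);
        }
        if ($oldHost !== $newHost) {
            unset($config[$oldHost]);
        }
    }
    // LDAP: report address books that still carry the removed keys.
    foreach ((array) ($config['ldap_public'] ?? []) as $id => $book) {
        foreach (['port', 'use_tls'] as $key) {
            if (is_array($book) && array_key_exists($key, $book)) {
                $notes[] = "ldap_public[$id]: '$key' was removed, move it into the host value";
            }
        }
    }
    return [$config, $notes];
}

// Constructed sample input, not taken from a real installation.
$old = [
    'default_host'       => 'ssl://mail.example.org',
    'default_port'       => 993,
    'smtp_server'        => 'tls://mail.example.org',
    'smtp_port'          => 587,
    'managesieve_host'   => 'mail.example.org',
    'managesieve_port'   => 4190,
    'managesieve_usetls' => true,
    'ldap_public'        => ['corp' => ['port' => 389, 'use_tls' => true]],
];
[$new, $notes] = rc16_migrate($old);
print_r($new);
print_r($notes);
```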

If you used the Larry or the Classic skin in your deployment, you need to install them manually
as they are no longer part of the release packages. They can easily be installed via Composer:

$ composer require roundcube/larry

This is a beta release and we recommend to test it on a separate environment.
Migrate existing configs with either the installto.sh or the update.sh scripts.
And don't forget to backup your data before installing it.

CHANGELOG

  • Unified and simplified services connection options (#8310)
  • Plugin API: Removed smtp_port parameter in smtp_connect hook
  • Plugin API: Renamed smtp_server parameter to smtp_host in smtp_connect hook
  • Plugin API: Removed port parameter in managesieve_connect hook
  • Plugin API: Removed usetls parameter in managesieve_connect hook
  • Added support for PHP 8.1 (#8151)
  • Dropped support for PHP < 7.3 (#7976)
  • Dropped support for strftime-like format (with % sign) in date and time format configuration
  • Moved the Classic and Larry skins to their own repository (#8271)
  • SQLite: Use foreign keys, require SQLite >= 3.6.19
  • Replace Endroid QrCode with BaconQrCode (#8173)
  • Support responses (snippets) in HTML format (#5315)
  • Purge also subfolders of Trash (and/or messages in them) on logout (#1037)
  • Add support for encryption with AEAD ciphers, e.g. aes-256-gcm (#7097)
  • Add option to purge deleted mails older than 30, 60 or 90 days (#5493)
  • Add ability to mark multiple messages as not deleted at once (#5133)
  • Add possibility to disable line-wrapping of sent mail body (#5101)
  • Improve/Fix wrapping of plain text messages on preview and reply (#6974, #8391, #8378, #8289)
  • Improve searching by sender/recipient headers, support Reply-To and Followup-To (#6582)
  • Add option to control links handling behavior on html to text conversion (#6485)
  • Add 'loginform_content' plugin hook (#8273, #6569)
  • SMTP: If requested use TLS also without authentication (#4590, #8111)
  • Display a generic error page on initial DB/configuration errors (#8222)
  • Display telephone numbers as tel: links (#8240)
  • Elastic: Move scrollbar settings to variables (#8352)
  • Elastic: Use thin scrollbars in both light and dark mode
  • Elastic: Make the scrollbar color lighter in dark mode (#8345)
  • Autologout: A new plugin to auto log out users with a POST request (#8270)
  • Enigma: Upgrade to OpenPGP.js v5.0
  • Identicon: Make background color of the image to match the current skin colors (#8256)
  • Newmail_notifier: Update favicon to match the current favicon style and size (#7826)
  • Password: Remove password_blowfish_cost option, in favor of password_algorithm_options
  • Password: Remove support for password_algorithms crypt, hash and cram-md5
  • Password: Remove support for %c, %d, %n, %q variables in password_query
  • Password: Add support for passwords based on PHP's password_hash() function (#7724)
  • Password: Verify current password with IMAP (#8142)
  • Password: Improve handling errors on executed commands (#8200)
  • Password: Add Mailcow driver (#8291)
  • Fix compatibility with Referrer-Policy: "strict-origin" (#8170)
  • Fix locked SQLite database for the CLI tools (#8035)
  • Fix Makefile on Linux (#8211)
  • Fix so PHP warnings are ignored when resizing a malformed image attachment (#8387)
  • Fix various PHP8 warnings (#8392)
  • Fix mail headers injection via the subject field on mail compose (#8404)
  • Fix bug where small message/rfc822 parts could not be decoded (#8408)
  • Fix setting HTML mode on reply/forward of a signed message (#8405)
  • Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
  • Fix bug where some mail parts (images) could have not been listed as attachments (#8425)
  • Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)

roundcubemail - Roundcube Webmail 1.5.2

Published by thomascube almost 3 years ago

This is the second service release to update the new stable version 1.5. It provides a bunch of small fixes and improvements to the OAuth feature as well as a security fix to a recently reported XSS vulnerability. See the full changelog below.

Security fix

  • Cross-site scripting (XSS) via HTML messages with malicious CSS content

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
  • OAuth: fix expiration of short-lived oauth tokens (#8147)
  • OAuth: fix relative path to assets if /index.php/foo/bar url is used (#8144)
  • OAuth: no auto-redirect on imap login failures (#8370)
  • OAuth: refresh access token in 'refresh' plugin hook (#8224)
  • Fix so folder search parameters are honored by subscriptions_option plugin (#8312)
  • Fix password change with Directadmin driver (#8322, #8329)
  • Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
  • Fix handling of unicode/special characters in custom From input (#8357)
  • Fix some PHP8 compatibility issues (#8363)
  • Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
  • Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
  • Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content

roundcubemail - Roundcube Webmail 1.4.13

Published by thomascube almost 3 years ago

This is a security update to the stable version 1.4 of Roundcube Webmail.
It provides a fix to a recently reported XSS vulnerability:

  • Cross-site scripting (XSS) via HTML messages with malicious CSS content

This version is considered stable and we recommend to update all productive installations of Roundcube 1.4.x with it. Please do backup your data before updating!

CHANGELOG

  • Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content

roundcubemail - Roundcube Webmail 1.5.1

Published by thomascube almost 3 years ago

This is the first service release to update the new stable version 1.5. It provides a bunch of small fixes and improvements after getting your feedback from the 1.5.0 release. See the full changelog below.

Important note for MySQL and MariaDB database backends

The change to full UTF-8 support in MySQL/MariaDB didn't work for everybody migrating an existing DB. Hence here's an important notice from the UPGRADING instructions:

If you use MySQL < 5.7.7 or MariaDB < 10.2.2 make sure to configure it with:

  innodb_large_prefix=1
  innodb_file_per_table=1
  innodb_file_format=Barracuda

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Fix importing contacts with no email address (#8227)
  • Fix so session's search scope is not used if search is not active (#8199)
  • Fix some PHP8 warnings (#8239)
  • Fix so dark mode state is retained after closing the browser (#8237)
  • Fix bug where new messages were not added to the list on refresh if skip_deleted=true (#8234)
  • Fix colors on "Show source" page in dark mode (#8246)
  • Fix handling of dark_mode_support:false setting in skins meta.json - also when devel_mode=false (#8249)
  • Fix database initialization if db_prefix is a schema prefix (#8221)
  • Fix undefined constant error in Installer on Windows (#8258)
  • Fix installation/upgrade on MySQL 5.5 - Index column size too large (#8231)
  • Fix regression in setting of contact listing name (#8260)
  • Fix bug in Larry skin where headers toggle state was reset on full page preview (#8203)
  • Fix bug where \u200b characters were added into the recipient input preventing mail delivery (#8269)
  • Fix charset conversion errors on PHP < 8 for charsets not supported by mbstring (#8252)
  • Fix bug where adding a contact to trusted senders via "Always allow from..." button didn't work (#8264, #8268)
  • Fix bug with show_images setting where option 1 and 3 were swapped (#8268)
  • Fix PHP fatal error on an undefined constant in contacts import action (#8277)
  • Fix fetching headers of multiple message parts at once in rcube_imap_generic::fetchMIMEHeaders() (#8282)
  • Fix bug where attachment download could sometimes fail with a CSRF check error (#8283)
  • Fix an infinite loop when parsing environment variables with float/integer values (#8293)
  • Fix so 'small-dark' logo has more priority than the 'small' logo (#8298)

roundcubemail - Roundcube Webmail 1.4.12

Published by thomascube almost 3 years ago

This is a service and security update to the stable version 1.4 of Roundcube Webmail.
It provides fixes for two recently discovered SQL injection and XSS vulnerabilities as well as some general improvements from our issue tracker. See the full changelog below.

Security fixes

  • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
  • Fix possible SQL injection via some session variables

This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

CHANGELOG

  • Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
  • Fix bug where contacts search didn't work with addressbook_search_mods set to an empty array (#7974)
  • Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
  • Fix bug where consecutive LDAP searches could return wrong results (#8064)
  • Fix bug where plus characters in attachment filename could have been ignored (#8074)
  • Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
  • Fix handling of custom sender addresses with names (#8106)
  • Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
  • Fix Firefox infinite loading display on mail screen (#8128)
  • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
  • Fix SQL injection via some session variables

roundcubemail - Roundcube Webmail 1.3.17

Published by thomascube almost 3 years ago

This is a security update to the LTS version 1.3.
It fixes two recently discovered vulnerabilities:

  • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
  • Fix possible SQL injection via some session variables

This version is considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

Package Rankings
Top 46.87% on Packagist.org
Top 3.98% on Proxy.golang.org