Aleksander Machniak
dc4ffea1d0
CS fix
2025-12-14 09:15:49 +01:00
Aleksander Machniak
7c3267b9b0
Fix Information Disclosure vulnerability in the HTML style sanitizer
...
reported by somerandomdev
2025-12-14 09:02:25 +01:00
Aleksander Machniak
5162a0d9d7
Fix Cross-Site-Scripting vulnerability via SVG's animate tag
...
reported by Valentin T., CrowdStrike.
2025-12-14 09:01:26 +01:00
Dominik Schmidt
ce893b2e1d
Preserve requested url on oidc login ( #10033 )
...
* feat: preserve requested url on oidc login
* fix(oidc): redirect to idp when session timed out
2025-11-29 18:21:16 +01:00
Michael Steininger
cdd3d1ed69
Allow "target" in html attributes when saving signature ( #10017 )
2025-11-23 14:55:33 +01:00
Aleksander Machniak
7cab146f7b
Fix new phpstan errors
2025-11-22 15:07:31 +01:00
Pablo Zmdl
a361fa79f1
Add rel='noopener' to all links opening in a new window
...
Browsers younger than ~5 years don't need this, but older browsers might cause problems.
Code style change as demanded by eslint
Remove accidentally added `id` attribute
Fix test as it was intended
2025-11-04 16:03:22 +01:00
Philip Weir
db2e201788
Contact import improvements ( #9431 )
...
* contact import: correct mismapped fields
* contacts: remove im:other field from UI, it does not exist in the vCard
* vcard: add some more maps for common vcard types to roundcube types
* contact import: list all possible roundcube contact fields in csv import UI, remove hard coded $local_map
* add SORT_LOCALE_STRING flag
* fix typos
* remove unwanted label
* move field list to csv2vcard
* move rcube_csv2vcard::list_fields to rcmail_action_contacts_import::list_fields as it relies on rcmail_action_contacts
* use single field map for csv2vcard imports, remove hardcoded version
* fix test
* small cs fix
* reformat csv2vcard.inc
* fix failing test
* restore existence check
* fix failing test again
2025-10-08 13:36:57 +02:00
Philip Weir
6926f5c307
Add scope param for contact search ( #9902 )
...
* add scope param for contact search
* fix failing tests
* add test for contact search scope
* test scope on advanced search form
* use str_contains
2025-10-05 18:49:18 +02:00
Aleksander Machniak
41bffe1581
Tests: Use different jpg file
2025-10-05 11:47:16 +02:00
Aleksander Machniak
6bd2484fe6
Add test
2025-10-05 11:40:53 +02:00
Aleksander Machniak
1582d3f0ec
Update CS Fixer conf
2025-09-27 17:57:00 +02:00
Philip Weir
7fd9bf05e3
Only apply fix_path for href attrib in <link>s ( #9943 )
2025-09-18 07:36:36 +02:00
Pablo Zmdl
8eeedc0c8c
Show homograph-warning-icon before email address, unify warning wording
...
This moves the warning icon that is triggered by the homograph check from the generic "notification area" (between
headers and body) to the header area, before the address that the warning is referring to.
The previous warning left it unclear which address was found to be problematic, which now is obvious.
Additionally there's now a test to check for these warnings to show up in the DOM.
2025-09-17 14:38:12 +02:00
Pablo Zmdl
600c420d26
Prepend group-names to display-name
...
This is not optimal handling, but the most appropriate one as long as we don't actually support groups in
address-lists. This way users can at least see the group's display-name. And we don't strip text that might be relevant
to spot abusive emails.
Previously group-names were just removed, which makes it harder to spot such abusive emails.
2025-09-17 14:38:12 +02:00
Pablo Zmdl
14c263c608
Also "wash" the name attribute of textarea and select
2025-09-17 14:37:45 +02:00
Pablo Zmdl
0c667c5859
Wash the name attribute also on more elements
...
It can pollute the document's namespace unless handled.
2025-09-17 14:37:45 +02:00
Oscar Di Manno
b7fb465486
fix: Sanitize filename on download ( #9960 )
...
* fix: Sanitize filename on download
* fix: filename encoding in the Content-Disposition header
This improves the handling of the filename* parameter in the Content-Disposition header. Now, the filename* parameter is only used when it differs from the fallback filename
* tests: Add test for the filename* parameter in Content-Disposition
2025-09-14 11:50:31 +02:00
Pablo Zmdl
7d408ddb6e
Fix flaky browser test
2025-09-05 00:24:53 +02:00
Aleksander Machniak
c75f1b7e86
Tests: Attempt to fix a flaky browser test
2025-08-15 13:59:53 +02:00
Aleksander Machniak
6674533b3f
PHP 8.5: Remove redundant setAccessible() calls
2025-08-15 13:23:53 +02:00
Aleksander Machniak
3139bff247
CS-Fixer: Enable modernize_strpos
2025-08-15 13:20:24 +02:00
Aleksander Machniak
2c3b46c1f2
Fix regression in handling of non-unicode characters in a plain text message ( #9953 )
2025-08-13 19:41:18 +02:00
Aleksander Machniak
8be7e1bfcf
PHP 8.5: Remove setAccessible() calls, they are no-op since 8.1
2025-08-09 07:18:15 +02:00
Aleksander Machniak
a0d0f5e72e
Fix parsing of inline styles that aren't well-formatted ( #9948 )
2025-08-03 11:28:53 +02:00
Aleksander Machniak
70e4e86148
Support IPv6 in database DSN ( #9937 )
2025-07-25 18:55:21 +02:00
Aleksander Machniak
060fc95672
PHP 8.5 compat. fixes
2025-07-13 13:17:30 +02:00
Aleksander Machniak
ba60aa8637
CS fixes in tests
2025-07-07 17:55:52 +02:00
Philip Weir
1e95cf3b9e
Stub out 2 more contact searching tests ( #9903 )
...
* remove unused, duplicate, test
* stub out contact advanced search
* stub out contact saved search test
* test std vs adv search response
2025-06-23 07:23:41 +02:00
Pablo Zmdl
5cab1c5b1d
Render text/markdown mimeparts as HTML ( #9899 )
...
This implements rendering mime-types with content-type 'text/markdown'
and 'text/x-markdown' into HTML in the preview and show views (if not
"dispositioned" as "attachment"), but not in the get view for attached
files (the one opening attachments in an external window.)
2025-06-19 17:01:09 +02:00
Pablo Zmdl
c069be5897
Validate URL parameter in upload code ( #9865 )
2025-06-01 09:17:23 +02:00
Aleksander Machniak
c396e79aae
- Fix connecting to LDAP using ldapi:// URI ( #8990 )
2025-05-25 09:40:50 +02:00
Aleksander Machniak
a0849d7d53
Improve link matching pattern in the string replacer
2025-05-25 08:43:28 +02:00
Aleksander Machniak
9a7aa231aa
Fix new phpstan errors
2025-04-29 15:43:50 +02:00
Aleksander Machniak
ab08ade64a
Use object-oriented style of Fileinfo functionality
...
finfo_close() is redundant since PHP 8.1 and might get deprecated in PHP 8.5
2025-04-23 15:45:05 +02:00
Aleksander Machniak
640ab6d0ea
Fix phpstan issue
2025-04-21 14:32:55 +02:00
Aleksander Machniak
8208b9f87d
Fix bug in handling rcmail::format_date()'s $convert argument ( #9666 )
2025-04-21 12:28:14 +02:00
Aleksander Machniak
093231905d
Tests: Cleanup/refactor around HTTP client mocking
2025-04-06 14:54:20 +02:00
Aleksander Machniak
f9fc356dff
More tests for static.php
2025-04-05 15:56:18 +02:00
Aleksander Machniak
22884d5da1
Tests: Raise PHP server process startup time
2025-04-05 13:41:40 +02:00
Aleksander Machniak
5fab389625
Add (incomplete) tests for static.php and installer.php
2025-04-05 13:31:04 +02:00
Aleksander Machniak
09a1c86079
Fix phpunit.xml
2025-03-16 16:52:13 +01:00
Aleksander Machniak
dc9f6943a4
Bump minimum phpunit version to v10
2025-03-16 16:20:47 +01:00
Aleksander Machniak
344260db89
Bump laravel/dusk version
2025-03-16 13:46:29 +01:00
Aleksander Machniak
94fd5a0f80
CS fixes (for the new fixer version rules)
2025-02-23 11:51:27 +01:00
Aleksander Machniak
781f006ed2
Fix PHP warning
2025-02-16 14:16:35 +01:00
Aleksander Machniak
44f0ac5b00
Fix folder list sorting when using personal namespace prefix of INBOX/ ( #9452 )
2025-02-16 12:40:37 +01:00
Aleksander Machniak
64df318a73
Add static files server ( #9294 )
...
Make use of public_html mandatory
2025-02-09 14:10:50 +01:00
Pablo Zmdl
752b152a23
Check if attachment is actually(!) referred to ( #9585 )
...
* Check if "inline" msg part is actually referred to
If there's no reference to it in a sibling HTML part then we handle it
as a classic attachment (which is shown as downloadable).
* Fetch all msg headers also for images to always get Content-Location
Previously all headers were only fetched for message/rfc822, or
if the Content-Type's "name" parameter was set, or if a Content-ID was
set.
The RFC requires neither the "name" parameter nor a Content-ID
for using Content-Location, though, so we shouldn't depend on those.
Instead now all headers are also fetched if the main part of the
Content-Type is "image", to catch more cases.
* Parse HTML for references only on demand
* Typos and comment formatting
* Don't skip test anymore
We want it tested!
* More MR tests with images
* Remove early special handling for "inline" images
We decide later, which attachment is considered "inline" and which
isn't.
* Remove early resolving of references in TNEF parts
* Testing message rendering of TNEF emails
* Don't use image disposition, it's unreliable
* Split adding raw parts and attachments
* Fix renaming variable
* Rename file to make its test be run
* Remove outdated script
* Annotate test cases with GitHub issue numbers
* Fix test case class name
* remove comment
* Test inline image message rendering
* Rename test file to reflect cases better
* Reduce image used in test email
It doesn't change much, but there's also no sense in decoding big images
that we don't use.
* Remove unused variable initialisation
2025-02-09 09:56:43 +01:00
Aleksander Machniak
41eaff2839
Fix decoding of attachment names encoded using both RFC2231 and RFC2047 standards ( #9725 )
2025-02-02 13:58:39 +01:00