[RCD] Update 1.0.4 released

Thomas Bruederli thomas at roundcube.net
Mon Dec 22 12:06:48 CET 2014

On Mon, Dec 22, 2014 at 11:27 AM, Cor Bosman <cor at xs4all.nl> wrote:
> * Security: Fix possible CSRF attacks to some address book operations
> as well as to the ACL and Managesieve plugins.
> * Fix attachments encoded in TNEF containers (from Outlook)
> * Fix compatibility with PHP 5.2
> Hi Thomas, was this supposed to fix the uudecode problem as well?

No, it wasn't. We didn't have a ticket nor time to investigate your
post which just came in the day before the release.

> 1.0.4 still breaks any message containing the simple string 'foobar begin 2015
> foobar'.
> In Dutch this is a very common set of words, as it translates to 'early
> 2015'. The problem is that the match for uuparts is too simple.
> I created a PR off of 1.0-release to fix this problem.
> https://github.com/roundcube/roundcubemail/pull/252

Thanks for this! We'll review it as soon as possible.

> In master this is handled differently, and it doesn't seem to fail, even
> though the matching for a uu encoded part could be improved there as well,

Maybe Alec can explain why commit
https://github.com/roundcube/roundcubemail/commit/48ba4414 also
refactors the uuencode part in git master without being mentioned in
the commit message.
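
Added example (not part of the original thread, the pull request, or Roundcube's code; written in Python rather than Roundcube's PHP): a sketch of why a loose `begin <digits> <text>` match misfires on the sentence quoted above, next to a stricter check that requires a header line, valid uuencoded data lines and a closing `end`. The `NAIVE` pattern, the function names and the sample bodies are assumptions constructed for illustration.

```python
import binascii
import re

# Assumption: a loose matcher of the kind the thread calls "too simple";
# it accepts "begin <3-4 octal digits> <text>" anywhere in the body.
NAIVE = re.compile(r"begin ([0-7]{3,4}) ([^\n]+)\n")
# Stricter header: must be a whole line, "begin <mode> <filename>".
HEADER = re.compile(r"begin ([0-7]{3,4}) (\S.*)")

def decode_line(line):
    """Decode one uuencoded data line, or return None if it is not one."""
    if not line or not 32 <= ord(line[0]) <= 96:
        return None
    n = (ord(line[0]) - 32) & 0x3F      # byte count; '`' also means 0
    need = (n + 2) // 3 * 4             # encoded characters that must follow
    chars = line[1:1 + need]
    if n > 45 or len(chars) < need or any(not 32 <= ord(c) <= 96 for c in chars):
        return None
    return binascii.a2b_uu(line[:1 + need])

def find_uu_parts(body):
    """Return [(filename, data)] for blocks with header, valid data lines and 'end'."""
    parts, lines, i = [], body.splitlines(), 0
    while i < len(lines):
        m = HEADER.fullmatch(lines[i])
        i += 1
        if not m:
            continue
        j, data, ok = i, bytearray(), True
        while ok and j < len(lines) and lines[j] != "end":
            chunk = decode_line(lines[j])
            ok = chunk is not None
            if ok:
                data += chunk
                j += 1
        if ok and i < j < len(lines):   # at least one data line, then "end"
            parts.append((m.group(2), bytes(data)))
            i = j + 1
    return parts

# Constructed sample bodies (not taken from the thread or the PR).
PROSE = "foobar begin 2015 foobar\nsee you then\n"
PROSE_LINE = "Plans:\nbegin 2015 foobar\nsee you then\nend\n"
REAL = "text\nbegin 644 cat.txt\n#0V%T\n`\nend\nbye\n"

if __name__ == "__main__":
    for body in (PROSE, PROSE_LINE, REAL):
        print(NAIVE.findall(body), find_uu_parts(body))
```

The strict check rejects data lines whose trailing padding was stripped in transit, so a production parser may need to tolerate short lines.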
