Dev

dev@lists.roundcube.net

1 participants
4299 discussions

'preferences' column initialization in user_create
by Jacques Belin 23 Oct '20

23 Oct '20

Hi, I am fresh new on this list, and it seems that its archives are not available. So, excuse me if this topic has alreadey been discussed. I am working on an update of the squirrelmail_usercopy plugin, to permit the transfer of address groups and the equivalent of the roundcube's "message_highlight" plugin when creating à new user on roundcube with data taken from a current squirrelmail account. Many of our squirrelmail users use these features. If the addition of address groups has been done updating only the original plugin's code, I had to make some change in the "create" function in the program/lib/Roundcube/rcube_user.php file to permit the import of the message highlight preferences. This change is simply the addition of the field 'preferences' for the call of the "user_create" hook, and the storage of the returned value in the "preferences" column of the "users" table of the database. See the diff of the file below (for roundcube 1.4.8) : ----------------------------------------------------------- --- rcube_user.php.orig 2020-08-10 21:05:20.000000000 +0200 +++ rcube_user.php 2020-10-12 15:27:40.574055096 +0200 @@ -621,6 +621,7 @@ 'user_email' => $user_email, 'email_list' => $email_list, 'language' => $_SESSION['language'], + 'preferences' => serialize(array()), )); // plugin aborted this operation @@ -630,11 +631,12 @@ $insert = $dbh->query( "INSERT INTO ".$dbh->table_name('users', true). - " (`created`, `last_login`, `username`, `mail_host`, `language`)". - " VALUES (".$dbh->now().", ".$dbh->now().", ?, ?, ?)", + " (`created`, `last_login`, `username`, `mail_host`, `language`, `preferences`)". + " VALUES (".$dbh->now().", ".$dbh->now().", ?, ?, ?, ?)", $data['user'], $data['host'], - $data['language']); + $data['language'], + $data['preferences']); if ($dbh->affected_rows($insert) && ($user_id = $dbh->insert_id('users'))) { // create rcube_user instance to make plugin hooks work @@ -643,6 +645,7 @@ 'username' => $data['user'], 'mail_host' => $data['host'], 'language' => $data['language'], + 'preferences' => $data['preferences'], )); $rcube->user = $user_instance; $mail_domain = $rcube->config->mail_domain($data['host']); ------------------------------------------------------------ The change has to be made because if the user_create hook permits to populate all columns of the "users" table, the "preferences" column is not treated by the hook, while the "messages highlight" plugin stores its preferences there. Adding the change as I suggest could be seen only as a measure of consistency about the initialization of the "users" table. When I searched in the code to understand why my updated plugin didn't work, I was surprised to see that the "preferences" field was simply not treated... And even beyond the squirrelmail_usercopy plugin, I think this change could help others user-creation related plugins. So, do you think it would be considered to add this change in roundcube ? Jacques. -- The last man connected to the Interet was browsing some old WebSites. "You have new mail" appeared on the screen... --------------------------- adapted from a short Fredric Brown's story

2 3

Roundcube Webmail 1.4.9 released
by Thomas Bruederli 28 Sep '20

28 Sep '20

Dear subscribers We proudly announce yesterday's release of version 1.4.9. It's a service update to the stable version 1.4 of Roundcube Webmail. It contains fixes and general improvements from our issue tracker, mainly related to email composition and UI oddities in Elastic skin and with the TinyMCE richtext editor. See the full changelog in the release notes on the Github download page [1]. This version is considered stable and we recommend updating all productive installations of Roundcube with it. Download the latest tarballs from https://roundcube.net/download Best, Alec & Thomas [1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.9

1 0

Security updates 1.4.8, 1.3.15 and 1.2.12 released
by Thomas Bruederli 10 Aug '20

10 Aug '20

Dear subscribers We just published security updates to the stable version 1.4 and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They all contain two recently reported cross-site scripting (XSS) vulnerabilities. The 1.4.8 release also contains a number of general improvements from our issue tracker [1]. Security fixes: * Fix cross-site scripting (XSS) via HTML messages with malicious svg content (CVE-2020-16145) * Fix cross-site scripting (XSS) via HTML messages with malicious math content Credits for these two findings go to Łukasz Pilorz from Pentesters [2]. See the full changelogs in the release notes on the Github download pages for the updated versions. We strongly recommend updating all productive installations of Roundcube with these new versions. Download the latest tarballs from https://roundcube.net/download Best, Alec & Thomas [1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.8 [2] https://www.pentesters.pl/

1 0

Security updates 1.4.7, 1.3.14 and 1.2.11 released
by Thomas Bruederli 05 Jul '20

05 Jul '20

Dear subscribers We just published security updates to the stable version 1.4 and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They all contain a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace. Credits for this finding go to SSD Secure Disclosure [1]. The 1.4.7 release also contains a number of general improvements from our issue tracker. See the full changelog in the release notes on the Github download page [2]. We strongly recommend to update all productive installations of Roundcube with these new versions. Download the latest tarballs from https://roundcube.net/download Best, Alec & Thomas [1] https://ssd-disclosure.com/ [2] https://github.com/roundcube/roundcubemail/releases/tag/1.4.7

1 0

Security updates 1.4.5 and 1.3.12
by Thomas Bruederli 07 Jun '20

07 Jun '20

Dear subscribers We recently published service and security updates to the stable version 1.4 and the LTS version 1.3 of Roundcube Webmail. They contain four fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker. Security fixes: - Fix XSS issue in template object username ** - Fix cross-site scripting (XSS) via malicious XML attachment * - Fix a couple of XSS issues in Installer ** - Better fix for CVE-2020-12641 The latter two vulnerabilities again are related to public access to the Roundcube installer and are therefore classified minor. See the full changelogs in the release notes on the Github download pages [1] and [2]. In addition to the security releases 1.4.5 and 1.3.12 we today pushed follow-up releases containing one single fix for the installer’s test step which was broken with the former security update. We strongly recommend to update all productive installations of Roundcube with this new versions. Download the latest packages from https://roundcube.net/download Best, Thomas & Alec * Credits to the security researcher Matei “Mal” Badanoiu ** Credits to the security researcher LoRexxar@knownsec 404Team [1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.5 [2] https://github.com/roundcube/roundcubemail/releases/tag/1.3.12

1 0

Security updates 1.4.4, 1.3.11 and 1.2.10 released
by Thomas Bruederli 29 Apr '20

29 Apr '20

Dear subscribers We just published service and security updates to the stable version 1.4 and the LTS versions 1.3 and 1.2 of Roundcube Webmail. They contain four fixes for recently reported security vulnerabilities as well a number of general improvements from our issue tracker. Security fixes: - Cross-Site Scripting (XSS) via malicious HTML content - CSRF attack can cause an authenticated user to be logged out - Remote code execution via crafted config options - Path traversal vulnerability allowing local file inclusion via crafted ‘plugins’ option The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That’s generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also prevent from future and yet unknown attack vectors. See the full changelogs in the release notes on the Github download pages [1]. Download the updated packages from https://roundcube.net/download We strongly recommend to update all productive installations of Roundcube with this new versions. Best, Thomas & Alec [1] https://github.com/roundcube/roundcubemail/releases

1 0

Upcoming changes in Roundcube's plugin repository
by Thomas Bruederli 11 Apr '20

11 Apr '20

Roundcube’s plugin repository is built around Composer which is used to install plugins and their dependencies. For many years we’ve been running our own plugin repository from a fork [1] of the most popular packagist.org service. Over time source code repositories like Github, Gitlab or Bitbucket as well as the Packagist codebase changed significantly which made it hard for us to maintain our fork. We therefore decided to give it up in favor of the well maintained packagist.org service. The plan is to move all Roundcube plugins currently registered at plugins.roundcube.net to packagist.org. They’re already Composer packages of type roundcube-plugin and thus don’t need any changes in their code or structure. The plugins.roundcube.net service remains active as a Composer repository but will be changed to read-only mode. So what does this mean for you? * For Roundcube users For the consumer side using Composer to pull Roundcube plugins and updates to them, nothing changes. You don’t even need to change your composer.json file as all currently registered plugins will still be listed at plugins.roundcube.net while updates will be pulled from packagist.org which is the default repository for Composer anyway. * For plugin developers Unfortunately there’s no way for us to feed all Roundcube plugins registered in our repository to packagist.org. Therefore, as a plugin developer you’re required to sign up at packagist.org [2] and then register your plugin(s) there. It’s as simple as it was on plugins.roundcube.net and only takes you a minute or two. We strongly encourage you to do so even if you’re not currently pushing new releases to your plugin. * Roadmap We’d like to make the switch on May 17th 2020. On this day, the repository data of plugins.roundcube.net will be frozen and the current Packagist service will be replaced by a read-only clone that’ll keep on serving requests from Composer to install Roundcube plugins. After that day, all updates and new registrations for Roundcube plugins need to be submitted to packagist.org. Once a plugin is listed at packagist.org, Roundcube’s plugin repository will no longer list it in order to make packagist.org the only source. We’d like to thank all plugin developers for their efforts and contributions. Only with the rich variety of plugins, Roundcube webmail became the powerful open source software product it is today. Kind regards, Thomas & Alec [1] https://roundcube.net/news/2016/08/05/plugin-repository-pimped-up [2] https://packagist.org/login/

1 0

plugin install with SQL and database prefix
by Sébastien BLAISOT 05 Jan '20

05 Jan '20

Hi dear roundcube community, First of all, I wish you all a happy new year. I am the maintainer of the automatic_addressbook plugin (or at least I used to be, as I don't have much time for it now, and I would be happy to have it integrated in roundcube default plugins if you want, but that's an other story) . I regularly get issues from users regarding database prefix when installing the plugin. I understand this is complicated to handle when installing manually, but it seems to also be the case when using composer (At least I got reports about failed SQL statements when installing with composer) As far as I can see, SQL statements in roundcube codebase have no prefix, as my sql statements in my plugin. How are database prefix handled when installing roundcube? How are they handled when installing a plugin with composer? (ok, I found how, see below) I have 2 concerns: - One is table creation (CREATE TABLE statements), on which prefix should added. Is that handled automatically by composer? (It seems to be the case) - The second one is foreign keys that reference roundcube standard tables like REFERENCES `users`(`user_id`) which should be changed to REFERENCES `PREFIX_users`(`user_id`). Is that automatically handled by composer at plugin installation? (It seems to be the missing one) Is there any documentation for plugin coders on how to properly handle plugins databases with references to standard roundcube databases regarding database prefix? As far as I can see here: https://github.com/roundcube/plugin-installer/blob/0.1.6/src/bin/rcubeinitd… This problem is already handled for CREATE DATABASE statements and for CREATE SEQUENCE statements but not for REFERENCES statements as used in the automatic_addressbook plugin here: - https://github.com/sblaisot/automatic_addressbook/blob/master/SQL/mysql.ini… - https://github.com/sblaisot/automatic_addressbook/blob/master/SQL/postgres.… I should be able to propose a PR on plugin_installer for that. Is there something more I need to be aware of before coding? Best regards and keep making such a good webmail! Sebastien

2 1

Automated in-browser tests
by Aleksander Machniak 02 Jan '20

02 Jan '20

TL;DR: We have Roundcube in-browser tests on Travis. I rewrote old Selenium-based tests created long time ago. These were not working and I guess no one payed attention to them. Now, it should be easier and better in many ways. New code uses Laravel's Dusk (and Facebook/WebDriver) with PHPUnit which is a nice and powerful framework for functional testing. This means: - setting up testing environment is very easy, - writing tests is simpler and we can do much more, - thanks to SQLite and GreenMail software you don't need a real IMAP/SMTP nor database server, you also don't need a HTTP server, - we test Elastic only, and we test all modes desktop/tablet/phone. - via Travis tests are executed on every commit and pull request. Which technicly means you don't even need PHP to write tests, just write code and do a pull request ;). Now, I would love to see pull requests coming that add some more in-browser tests. If you'd like to give it a go, I propose to start with Preferences UI tests. There's Settings/Preferences/General.php file you can use as a base for testing other Preferences sections. See also tests/Browser/README.md Happy New Year everybody! -- Aleksander Machniak Kolab Groupware Developer [https://kolab.org] Roundcube Webmail Developer [https://roundcube.net] ---------------------------------------------------- PGP: 19359DC1 # Blog: https://kolabian.wordpress.com

1 0

Update 1.4.2 released
by Thomas Bruederli 01 Jan '20

01 Jan '20

Dear subscribers We start the year 2020 with the second service release to update the brand new Roundcube Webmail version 1.4. It contains fixes and improvements reported since the release of version 1.4.0. See the full changelog in the release notes on the Github download page [1]. This release is considered stable and we recommend to update all productive installations of Roundcube with this version. Download it from https://roundcube.net/download. Please do backup your data before updating. Happy New Year everybody! Alec & Thomas [1] https://github.com/roundcube/roundcubemail/releases/tag/1.4.2

1 0

← Newer
1
2
3
4
5
6
7
8
...
430
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Dev