While it is still unclear whether or not there is a problem with bin/html2text.php (http://trac.roundcube.net/ticket/1485618), maybe it's worth considering adding session checking to all of the utilities in the bin directory. If a vulnerability exists in a utility, then having a session check will limit or complicate its exploitation.
The way quotaimg.php was doing session checking could be used in the other utilities. (quotaimg.php's session checking was removed in October: http://trac.roundcube.net/changeset/2012).
-kris