This path https://github.com/roundcube/roundcubemail/commit/0fcb2b139bf0c50dec3b828984... not secure because only limit read file by extension php,ini,conf and folder /etc. Allowed read /usr/local/etc logs and other file (if hosting not limit open_basedir).
A.L.E.C писал 2013-03-27 20:11:
We already fixed the issue in git branches: master, release-0.9, release-0.8, release-0.7. We'll release updated packages soon.