Dear Roundcube users
We're proud to announce the next service release to the stable version 1.0 of Roundcube webmail. It contains a security fix along with some bug fixes and improvements for the long term support branch of Roundcube. The most important ones are:
- Security: Fix possible CSRF attacks to some address book operations
  as well as to the ACL and Managesieve plugins.
- Fix attachments encoded in TNEF containers (from Outlook)
- Fix compatibility with PHP 5.2
See the full changelog here: http://trac.roundcube.net/wiki/Changelog
It's considered stable and we recommend updating all productive installations of Roundcube with this version. Download it from http://roundcube.net/download.
And remember: backup before updating!
Kind regards, Thomas
> - Security: Fix possible CSRF attacks to some address book operations
>   as well as to the ACL and Managesieve plugins.
> - Fix attachments encoded in TNEF containers (from Outlook)
> - Fix compatibility with PHP 5.2
Hi Thomas, was this supposed to fix the uudecode problem as well? 1.0.4 still breaks any message containing the simple string 'foobar begin 2015 foobar'.
In Dutch this is a very common set of words, as it translates to 'early 2015'. The problem is that the match for uuparts is too simple.
I created a PR off of 1.0-release to fix this problem. https://github.com/roundcube/roundcubemail/pull/252
In master this is handled differently, and it doesn't seem to fail, even though the matching for a uu encoded part could be improved there as well.
Regards,
Cor
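An added illustration of the problem Cor describes, written in Python rather than Roundcube's PHP and not taken from Roundcube or from the linked PR: a loose "begin <number> <word>" check misfires on the Dutch phrase, while a matcher that anchors the header to the start of a line, requires an octal mode and insists on the closing "end" line does not. The message bodies, file name and payload are constructed for the example.

```python
import binascii
import re

# Constructed sample bodies (not real messages from the thread).
DUTCH_BODY = "Hoi,\n\nwe spreken af foobar begin 2015 foobar, oké?\n\nGroeten\n"
DUTCH_BODY_AT_LINE_START = "Hoi,\nbegin 2015 foobar\nis een mooie tijd.\n"


def make_uu_body(name="hello.txt", payload=b"hello\n"):
    """Build a body carrying one genuine uuencoded part (constructed)."""
    encoded = binascii.b2a_uu(payload).decode("ascii")  # already ends with "\n"
    return f"Here is the file.\nbegin 644 {name}\n{encoded}`\nend\n-- \nCor\n"


# The over-simple check: "begin <digits> <word>" anywhere in the text.
NAIVE_RE = re.compile(r"begin \d+ \S+")


def naive_looks_like_uu(body):
    """True whenever the loose pattern appears, even inside ordinary prose."""
    return bool(NAIVE_RE.search(body))


# Stricter matcher: header at line start with an octal mode and a file name,
# then the encoded lines, then the "end" line (optionally preceded by "`").
UU_PART_RE = re.compile(
    r"^begin (?P<mode>[0-7]{3,4}) (?P<name>[^\r\n]+)\r?\n"
    r"(?P<data>(?:[^\r\n]*\r?\n)*?)"
    r"^(?:`\r?\n)?end\r?$",
    re.MULTILINE,
)


def find_uu_parts(body):
    """Return [(filename, mode, decoded_bytes)] for every well-formed uu part."""
    parts = []
    for m in UU_PART_RE.finditer(body):
        raw = b"".join(
            binascii.a2b_uu(line)
            for line in m.group("data").splitlines()
            if line  # an empty line would decode to 32 NUL bytes
        )
        parts.append((m.group("name"), m.group("mode"), raw))
    return parts


if __name__ == "__main__":
    print(naive_looks_like_uu(DUTCH_BODY), find_uu_parts(DUTCH_BODY))
    print(find_uu_parts(make_uu_body()))
```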
On Mon, Dec 22, 2014 at 11:27 AM, Cor Bosman cor@xs4all.nl wrote:
> > - Security: Fix possible CSRF attacks to some address book operations
> >   as well as to the ACL and Managesieve plugins.
> > - Fix attachments encoded in TNEF containers (from Outlook)
> > - Fix compatibility with PHP 5.2
> Hi Thomas, was this supposed to fix the uudecode problem as well?
No it wasn't. We didn't have a ticket nor time to investigate your post, which just came in the day before the release.
> 1.0.4 still breaks any message containing the simple string 'foobar begin 2015 foobar'.
> In Dutch this is a very common set of words, as it translates to 'early 2015'. The problem is that the match for uuparts is too simple.
> I created a PR off of 1.0-release to fix this problem. https://github.com/roundcube/roundcubemail/pull/252
Thanks for this! We'll review it as soon as possible.
> In master this is handled differently, and it doesn't seem to fail, even though the matching for a uu encoded part could be improved there as well.
Maybe Alec can explain why commit https://github.com/roundcube/roundcubemail/commit/48ba4414 also refactors the uuencode part in git master without being mentioned in the commit message.
~Thomas
On 12/22/2014 12:06 PM, Thomas Bruederli wrote:
> > I created a PR off of 1.0-release to fix this problem. https://github.com/roundcube/roundcubemail/pull/252
> Thanks for this! We'll review it as soon as possible.
Reviewed and merged.
> > In master this is handled differently, and it doesn't seem to fail, even though the matching for a uu encoded part could be improved there as well.
Feel free to create a PR with improvements. Keep in mind I'd like to keep the while+preg_match approach, as it has the same performance as the old preg_match_all-based solution but uses less memory. I tested with a 1MB message.
> Maybe Alec can explain why commit https://github.com/roundcube/roundcubemail/commit/48ba4414 also refactors the uuencode part in git master without being mentioned in the commit message.
Well, while I was working on the main change of the commit I found out I broke the uuencoded parts handling. Then I fixed it in a way that also fixed some other issues. Nothing unusual here ;)
On Tue, Dec 23, 2014 at 9:27 AM, A.L.E.C alec@alec.pl wrote:
> On 12/22/2014 12:06 PM, Thomas Bruederli wrote:
> > Maybe Alec can explain why commit https://github.com/roundcube/roundcubemail/commit/48ba4414 also refactors the uuencode part in git master without being mentioned in the commit message.
> Well, while I was working on the main change of the commit I found out I broke the uuencoded parts handling. Then I fixed it in a way that also fixed some other issues. Nothing unusual here ;)
That's all fine but some additional hints in the commit message or even separate commits for better tracking and backporting would be helpful.
~Thomas