Package: roundcube / 1.6.5+dfsg-1+deb12u4

Metadata

Package    Version                Patches format
roundcube  1.6.5+dfsg-1+deb12u4   3.0 (quilt)

Patch series

Patch File delta Description
dbconfig-common-support.patch

config/config.inc.php.sample | 9 2 + 7 - 0 !
1 file changed, 2 insertions(+), 7 deletions(-)

 adapt db.inc.php to the use of the dbconfig-common package

debianize-config.patch

config/config.inc.php.sample | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

 debianize sample config file

  * By default we do not have any plugins available (these are in
    roundcube-plugins).
  * Disable spellchecking, because it needs recommended packages.

fix-install-path.patch

bin/cleandb.sh | 2 1 + 1 - 0 !
bin/decrypt.sh | 2 1 + 1 - 0 !
bin/deluser.sh | 2 1 + 1 - 0 !
bin/gc.sh | 2 1 + 1 - 0 !
bin/indexcontacts.sh | 2 1 + 1 - 0 !
bin/initdb.sh | 2 1 + 1 - 0 !
bin/installto.sh | 2 1 + 1 - 0 !
bin/moduserprefs.sh | 2 1 + 1 - 0 !
bin/msgexport.sh | 2 1 + 1 - 0 !
bin/msgimport.sh | 2 1 + 1 - 0 !
bin/update.sh | 2 1 + 1 - 0 !
bin/updatecss.sh | 2 1 + 1 - 0 !
bin/updatedb.sh | 2 1 + 1 - 0 !
installer/index.php | 2 1 + 1 - 0 !
program/include/iniset.php | 2 1 + 1 - 0 !
tests/bootstrap.php | 2 1 + 1 - 0 !
16 files changed, 16 insertions(+), 16 deletions(-)

 fix install_path for bin/*.sh and tests/bootstrap.php

These scripts get installed to /usr/share/roundcube/bin, but
INSTALL_PATH should be /var/lib/roundcube/.  Fixed/updated with

    sed -ri "s#(\\s*define\\s*\\(\\s*(['\"])INSTALL_PATH\\2)\\s*,.*#\\1, '/var/lib/roundcube/');#" \
            bin/*.sh installer/index.php program/include/iniset.php

Except:

  - bin/install-jsdeps.sh, where we keep define('INSTALL_PATH', realpath(__DIR__ . '/..') . '/' ); and
  - bin/updatecss.sh, where we use define('INSTALL_PATH', './');

We also edit tests/bootstrap.php to use the RCUBE_INSTALL_PATH environment variable.
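The sed rewrite above, run against a constructed copy of the upstream define line so the result can be checked. This is an added example, not part of the Debian patch; it assumes GNU sed (for -r and \s) and a writable temporary directory.

```shell
#!/bin/sh
# Added example (not from the Debian package): apply the INSTALL_PATH
# rewrite from fix-install-path.patch to a constructed sample file and
# report the resulting value. Assumes GNU sed.
set -eu

# Constructed sample: the define line as it appears upstream in bin/*.sh.
make_sample() {
    # $1 = path to write
    cat > "$1" <<'EOF'
<?php
define('INSTALL_PATH', realpath(__DIR__ . '/..') . '/' );
require INSTALL_PATH . 'program/include/clisetup.php';
EOF
}

# The exact expression from the patch description, applied in place.
# Files that must keep their own value (bin/install-jsdeps.sh,
# bin/updatecss.sh) are handled by simply not passing them here.
rewrite_install_path() {
    sed -ri "s#(\\s*define\\s*\\(\\s*(['\"])INSTALL_PATH\\2)\\s*,.*#\\1, '/var/lib/roundcube/');#" "$@"
}

# Print the literal string INSTALL_PATH is defined to, so the rewrite
# can be checked without executing any PHP.
install_path_of() {
    sed -rn "s#^\\s*define\\s*\\(\\s*['\"]INSTALL_PATH['\"]\\s*,\\s*'([^']*)'.*#\\1#p" "$1"
}

# Whole round trip on a throwaway file; prints the rewritten path.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/gc.sh"
    rewrite_install_path "$tmp/gc.sh"
    install_path_of "$tmp/gc.sh"
    rm -rf "$tmp"
}
```

Note that the pattern only consumes from the `define(` up to the end of the line, so the quote style of the constant name is preserved via the back-reference and anything else in the file is untouched.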

update-script.patch

bin/update.sh | 19 11 + 8 - 0 !
program/include/rcmail_install.php | 33 29 + 4 - 0 !
2 files changed, 40 insertions(+), 12 deletions(-)

 patch update scripts to work with debian package

use-enchant.patch

config/defaults.inc.php | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 use enchant spellchecker engine by default.

We don't want to send messages to a 3rd party.

default-charset-utf8.patch

config/defaults.inc.php | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 switch to utf-8 as default charset

debianize-password-plugin.patch

plugins/password/README | 11 7 + 4 - 0 !
plugins/password/helpers/chgsaslpasswd.c | 2 1 + 1 - 0 !
plugins/password/helpers/chgvirtualminpasswd.c | 2 1 + 1 - 0 !
3 files changed, 9 insertions(+), 6 deletions(-)

 specify debian path and group names in password plugin

map-sqlite3-to-sqlite.patch

program/lib/Roundcube/rcube_db.php | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 map dbconfig-common's "sqlite3" driver to "sqlite"

Bug-Debian: https://bugs.debian.org/714727

use-embedded-jquery-for-http-authentication.patch

plugins/http_authentication/logout.html | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 avoid fetching jquery from google, use the embedded one

This page is also just an example. The user is expected to provide their
own page.

update-composer.patch

composer.json-dist | 25 12 + 13 - 0 !
1 file changed, 12 insertions(+), 13 deletions(-)

 update php pear dependencies

The current dependencies that are published by upstream are too
conservative, so:
 * replace ~ and ^ (which only allow minor version changes) with >= as
   documented in the INSTALL file;
 * replace pear/ with pear-pear.php.net/ to create current Debian
   package names.
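The two rewrites described above, applied to a constructed composer.json-dist fragment so the effect on each requirement can be checked. This is an added example, not the Debian patch itself (which is a static diff); the package names and versions in the sample are made up for illustration, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example (not from the Debian package): apply the two rewrites
# described for update-composer.patch to a constructed fragment.
# Assumes GNU sed.
set -eu

# Constructed sample in the style of upstream's composer.json-dist.
sample_composer() {
    cat <<'EOF'
{
    "require": {
        "php": ">=7.3.0",
        "pear/pear-core-minimal": "~1.10.1",
        "pear/net_sieve": "~1.4.5",
        "bacon/bacon-qr-code": "^2.0.0",
        "guzzlehttp/guzzle": "^7.2.0"
    }
}
EOF
}

# Rule 1: "~x.y" / "^x.y" -> ">=x.y". Anchored on the value side of a
# "name": "constraint" pair, so keys and existing ">=" constraints are
# left alone.
# Rule 2: rename the pear/ vendor to the channel name Debian uses.
debianize_composer() {
    sed -r \
        -e 's#^(\s*"[^"]+"\s*:\s*")[~^]#\1>=#' \
        -e 's#^(\s*")pear/#\1pear-pear.php.net/#'
}

# Print the rewritten constraint for one package name (as it appears
# after rewriting), for checking.
constraint_of() {
    sample_composer | debianize_composer \
        | sed -rn "s#^\\s*\"$1\"\\s*:\\s*\"([^\"]*)\".*#\\1#p"
}

# Count requirements that still carry a caret or tilde after rewriting.
remaining_tight() {
    sample_composer | debianize_composer | grep -c ':\s*"[~^]' || true
}
```

This is line-oriented text substitution, not JSON parsing, which is adequate for the flat one-requirement-per-line layout of composer.json-dist. Keep in mind that `>=` removes the upper bound upstream's `~`/`^` implied; in the Debian package that bound is enforced by the binary package dependencies rather than by composer.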

update-jsdeps.patch

jsdeps.json | 102 2 + 100 - 0 !
1 file changed, 2 insertions(+), 100 deletions(-)

 make it possible to download/install unminified sourcefiles

We remove system libraries from this file so we easily notice updates
(either of the version, or of the map).

use-system-JQueryUI.patch

plugins/jqueryui/jqueryui.php | 9 5 + 4 - 0 !
1 file changed, 5 insertions(+), 4 deletions(-)

 use system jqueryui

We source jquery-ui-accessible-datepicker.min.js after libjs-jquery-ui's
jquery-ui.min.js to avoid concatenating these files (see the former's
headers).

Also libjs-jquery-ui's datepicker-* files don't have the jquery.ui.
prefix.

rename-python-to-python3.patch

plugins/password/helpers/chpass-wrapper.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 rename `python` to `python3`

adjust-test-environment-for-dep8.patch

.github/config-test.inc.php | 2 1 + 1 - 0 !
plugins/acl/tests/Acl.php | 2 1 + 1 - 0 !
plugins/additional_message_headers/tests/AdditionalMessageHeaders.php | 2 1 + 1 - 0 !
plugins/archive/tests/Archive.php | 2 1 + 1 - 0 !
plugins/attachment_reminder/tests/AttachmentReminder.php | 2 1 + 1 - 0 !
plugins/autologon/tests/Autologon.php | 2 1 + 1 - 0 !
plugins/autologout/tests/Autologout.php | 2 1 + 1 - 0 !
plugins/database_attachments/tests/DatabaseAttachments.php | 2 1 + 1 - 0 !
plugins/debug_logger/tests/DebugLogger.php | 2 1 + 1 - 0 !
plugins/emoticons/tests/Emoticons.php | 2 1 + 1 - 0 !
plugins/enigma/tests/Enigma.php | 2 1 + 1 - 0 !
plugins/enigma/tests/EnigmaDriverGnupg.php | 4 2 + 2 - 0 !
plugins/enigma/tests/EnigmaEngine.php | 4 2 + 2 - 0 !
plugins/enigma/tests/EnigmaError.php | 2 1 + 1 - 0 !
plugins/enigma/tests/EnigmaKey.php | 2 1 + 1 - 0 !
plugins/enigma/tests/EnigmaMimeMessage.php | 2 1 + 1 - 0 !
plugins/enigma/tests/EnigmaSignature.php | 2 1 + 1 - 0 !
plugins/enigma/tests/EnigmaSubkey.php | 2 1 + 1 - 0 !
plugins/enigma/tests/EnigmaUserid.php | 2 1 + 1 - 0 !
plugins/example_addressbook/tests/ExampleAddressbook.php | 4 2 + 2 - 0 !
plugins/filesystem_attachments/tests/FilesystemAttachments.php | 2 1 + 1 - 0 !
plugins/help/tests/Help.php | 2 1 + 1 - 0 !
plugins/hide_blockquote/tests/HideBlockquote.php | 2 1 + 1 - 0 !
plugins/http_authentication/tests/HttpAuthentication.php | 2 1 + 1 - 0 !
plugins/identicon/tests/Identicon.php | 2 1 + 1 - 0 !
plugins/identicon/tests/IdenticonEngine.php | 2 1 + 1 - 0 !
plugins/identity_select/tests/IdentitySelect.php | 2 1 + 1 - 0 !
plugins/jqueryui/tests/Jqueryui.php | 2 1 + 1 - 0 !
plugins/krb_authentication/tests/KrbAuthentication.php | 2 1 + 1 - 0 !
plugins/managesieve/tests/Engine.php | 6 3 + 3 - 0 !
plugins/managesieve/tests/Forward.php | 6 3 + 3 - 0 !
plugins/managesieve/tests/Managesieve.php | 2 1 + 1 - 0 !
plugins/managesieve/tests/Script.php | 2 1 + 1 - 0 !
plugins/managesieve/tests/Vacation.php | 6 3 + 3 - 0 !
plugins/markasjunk/tests/Markasjunk.php | 2 1 + 1 - 0 !
plugins/new_user_dialog/tests/NewUserDialog.php | 2 1 + 1 - 0 !
plugins/new_user_identity/tests/NewUserIdentity.php | 2 1 + 1 - 0 !
plugins/newmail_notifier/tests/NewmailNotifier.php | 2 1 + 1 - 0 !
plugins/password/tests/Password.php | 6 3 + 3 - 0 !
plugins/redundant_attachments/tests/RedundantAttachments.php | 2 1 + 1 - 0 !
plugins/show_additional_headers/tests/ShowAdditionalHeaders.php | 2 1 + 1 - 0 !
plugins/squirrelmail_usercopy/tests/SquirrelmailUsercopy.php | 2 1 + 1 - 0 !
plugins/subscriptions_option/tests/SubscriptionsOption.php | 2 1 + 1 - 0 !
plugins/userinfo/tests/Userinfo.php | 2 1 + 1 - 0 !
plugins/vcard_attachments/tests/VcardAttachments.php | 2 1 + 1 - 0 !
plugins/virtuser_file/tests/VirtuserFile.php | 2 1 + 1 - 0 !
plugins/virtuser_query/tests/VirtuserQuery.php | 2 1 + 1 - 0 !
plugins/zipdownload/tests/Zipdownload.php | 2 1 + 1 - 0 !
tests/ActionTestCase.php | 2 1 + 1 - 0 !
49 files changed, 60 insertions(+), 60 deletions(-)

 adjust test environment for dep-8 tests

Changes:

 1. Source INSTALL_PATH . 'plugins/ rather than __DIR__ . '/../ in
    setUp().  This doesn't cause FTBFS but we want to check installed
    code in DEP-8 tests.
 2. Source TESTS_DIR . '../SQL/ rather than INSTALL_PATH . '/SQL/
    in tests/ActionTestCase.php.  Again, this doesn't cause FTBFS but we
    want to run DEP-8 tests too and the binary packages ship the SQL
    scripts under dbconfig-common not INSTALL_PATH.

fix-autoload-locations.patch

program/actions/contacts/qrcode.php | 3 3 + 0 - 0 !
program/include/rcmail_oauth.php | 3 3 + 0 - 0 !
2 files changed, 6 insertions(+)

 fix autoload locations

Snippets generated with `phpabtpl --suggest bacon/bacon-qr-code` and
`phpabtpl --suggest GuzzleHttp`.

mark-flaky-tests-as-such.patch

tests/Actions/Contacts/Qrcode.php | 1 1 + 0 - 0 !
tests/Framework/Rcube.php | 4 1 + 3 - 0 !
2 files changed, 2 insertions(+), 3 deletions(-)

 mark flaky tests as such.

That way we can run phpunit with `--exclude-group=flaky
--fail-on-skipped --verbose` and avoid missing unintentionally skipped
tests.

dont-force-set-session.gc_probability=1.patch

program/lib/Roundcube/rcube.php | 7 0 + 7 - 0 !
1 file changed, 7 deletions(-)

 don't force set session.gc_probability=1

We don't have to rely on probabilistic synchronous garbage collection
since we're running bin/gc.sh periodically.

If desired the local admin can manually set session.gc_probability > 0
in the PHP configuration (on Debian systems the default value is 0 which
disables probability based GC).  They may then want to disable the
cronjob or systemd.timer(5) unit.

This reverts upstream commit 32a0ad6778cde495e30f3447e5220136f0528cee.

fix-upstream-test-suite.patch

tests/Rcmail/OutputHtml.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix upstream's test suite

Also, in our environment phpunit(1) resides in /usr/bin not vendor/bin.

CVE-2024-37384.patch

program/actions/mail/index.php | 5 5 + 0 - 0 !
program/actions/mail/list.php | 10 6 + 4 - 0 !
2 files changed, 11 insertions(+), 4 deletions(-)

 fix cross-site scripting (xss) vulnerability in handling list
 columns from user preferences

Reported by Huy Nguyễn Phạm Nhật.

CVE-2024-37383.patch

program/lib/Roundcube/rcube_washtml.php | 2 1 + 1 - 0 !
tests/Framework/Washtml.php | 4 4 + 0 - 0 !
2 files changed, 5 insertions(+), 1 deletion(-)

 fix cross-site scripting (xss) vulnerability in handling svg animate
 attributes

Reported by Valentin T. and Lutz Wolf of CrowdStrike.

Fix-fatal-error-when-parsing-some-TNEF-attachments.patch

program/lib/Roundcube/rcube_tnef_decoder.php | 3 2 + 1 - 0 !
tests/Framework/Message.php | 87 87 + 0 - 0 !
2 files changed, 89 insertions(+), 1 deletion(-)

 fix fatal error when parsing some tnef attachments

Fix-bug-where-an-unhandled-exception-was-caused-by-an-inv.patch

program/lib/Roundcube/rcube_image.php | 179 88 + 91 - 0 !
1 file changed, 88 insertions(+), 91 deletions(-)

 fix bug where an unhandled exception was caused by an invalid image
 attachment

GD functions may throw ValueError in some cases since PHP 8.0.
We wrap them in try/catch blocks.

Fix-infinite-loop-when-parsing-malformed-Sieve-script.patch

plugins/managesieve/lib/Roundcube/rcube_sieve_script.php | 7 4 + 3 - 0 !
plugins/managesieve/tests/Script.php | 14 14 + 0 - 0 !
2 files changed, 18 insertions(+), 3 deletions(-)

 fix infinite loop when parsing malformed sieve script

Fix-bug-where-imap_conn_option-s-socket-was-ignored.patch

program/lib/Roundcube/rcube_imap_generic.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix bug where imap_conn_option's 'socket' was ignored

CVE-2024-42009.patch

program/actions/mail/compose.php | 36 11 + 25 - 0 !
program/actions/mail/index.php | 195 81 + 114 - 0 !
program/actions/mail/show.php | 4 0 + 4 - 0 !
program/actions/settings/index.php | 9 3 + 6 - 0 !
program/lib/Roundcube/rcube_washtml.php | 50 31 + 19 - 0 !
tests/Actions/Mail/Index.php | 71 43 + 28 - 0 !
6 files changed, 169 insertions(+), 196 deletions(-)

 fix xss vulnerability in post-processing of sanitized html content

Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com)

CVE-2024-42008.patch

program/actions/mail/get.php | 5 5 + 0 - 0 !
program/lib/Roundcube/rcube_output.php | 20 15 + 5 - 0 !
2 files changed, 20 insertions(+), 5 deletions(-)

 fix xss vulnerability in serving of attachments other than HTML or
 SVG

Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com

Fix-regression-where-printing-scaling-rotating-image-atta.patch

program/js/app.js | 19 7 + 12 - 0 !
program/lib/Roundcube/rcube_output.php | 3 2 + 1 - 0 !
2 files changed, 9 insertions(+), 13 deletions(-)

 fix regression where printing/scaling/rotating image attachments was
 broken

CVE-2024-42010.patch

program/lib/Roundcube/rcube_utils.php | 157 120 + 37 - 0 !
program/lib/Roundcube/rcube_washtml.php | 80 8 + 72 - 0 !
tests/Framework/Utils.php | 52 37 + 15 - 0 !
tests/Framework/Washtml.php | 2 1 + 1 - 0 !
4 files changed, 166 insertions(+), 125 deletions(-)

 fix information leak (access to remote content) via insufficient css
 filtering

Credits to Oskar Zeino-Mahmalat (Sonar) https://www.sonarsource.com