**************************************
*** SquirrelMail Stable Series 1.4 ***
**************************************

Version 1.4.23 - SVN
--------------------

- Added capability to issue SEARCH commands in literal format (so that non-ASCII search terms are handled RFC-correctly).
- Fixed hook name clash: new "smtp_auth" hook added in version 1.4.22 has been renamed to "smtp_authenticate"
- Added SASL PLAIN mechanism for IMAP logins; backported from version 1.5.2.
- Prevent syslog warning in call_user_func_array() call when no arguments given. Patch from Jean-Philippe Guerard (#3309935).
- Changed the read_body_menu_top hook from concat_hook_function to do_hook_function (plugin authors please note)
- Always ensure that the Reply-To header is a full email address in outgoing messages
- Fixed issue with Noselect mailboxes being clickable in folder list
- Made performance improvements in mailbox listing
- Attachment filename extensions changed from ".msg" to ".eml"
- Unified address book searches somewhat: file-backed address books now search in each field individually; database-backed address books now search in fields other than first/last name (nickname, email); LDAP-backed address books now search in common name fields as well as by email address (cn, sn, givenname, mail)
- You may now enable LDAP-backed address books to be listed (using the "List all" button on the address search screen accessed via the "Addresses" button on the compose screen) by adding "$ldap_abook_allow_listing = TRUE;" (without quotes) to config/config_local.php (previously, this required editing of a file).
- Added ability to control browser rendering mode (quirks versus standards) - see the $browser_rendering_mode setting in config/config.php or the "4. General Options ==> 19. Browser rendering mode" setting in the configuration tool (#3240356).
- Added "search_index_before" hook (analog of the "mailbox_index_before" hook)
- Made performance improvements in security token handling
- Improvements for compatibility with PHP 5.4.
- Added option that allows users to have replies to their own messages sent to the recipient of the previous message (#3520988).
- Added Solarized Light and Solarized Dark themes, by Pavneet Arora.
- Added associative edit list option widget, with optional folder list selector for values
- Added option to use blank spacer instead of security image ("This image has been removed for security reasons.") for replacing unsafe images.
- Full date and time is used as "title" (mouseover) text for dates shown on the message list screen
- Custom Stylesheets are now sorted on the Display Preferences page
- $xtra in the displayHtmlHeader function is now available in the global scope so that plugins can modify it during the generic_header hook
- Added some generic client-side (JavaScript) libraries (including an asynchronous server request mechanism). See the new /scripts directory (plugin authors can refer to the plugin documentation for how to use them)
- Added optional JavaScript folder list refresh ("check mail") mechanisms that try to avoid refreshing if server is not responding - see the $check_mail_mechanism setting in config/config.php or the "4. General Options ==> 21. Auto check mail mechanism" setting in the configuration tool. (If you do not update your configuration, you will get messages in your logs: "PHP Notice: Undefined variable: check_mail_mechanism in /path/to/squirrelmail/src/left_main.php on line 322...")
- Added advanced control over the SSL context used when connecting to the SMTP and IMAP servers over SSL/TLS (thanks to Emmanuel Dreyfus). You can take a look at $imap_stream_options and $smtp_stream_options in config_local.example.php in SquirrelMail version 1.5.2 for more information. These configuration settings should work the same under 1.4.23: http://sourceforge.net/p/squirrelmail/code/HEAD/tree/trunk/squirrelmail/config/config_local.example.php
- Added ability to show login error from the IMAP server instead of traditional "Unknown user or password incorrect" (thanks to Alain Williams). See $display_imap_login_error in the configuration file or "4. General Options ==> 22. Display login error from IMAP" in the configuration tool.
- Configuration tool now shows the SquirrelMail version
- Added new attachments_top hook to src/read_body.php
- When resuming a draft, correct (from) identity is now pre-selected
- Removed overly-restrictive character limitations on address book nicknames
- Prevent session lock-up caused by filters plugin trying to move messages in an account that is over quota
- Added MD5 alternative to directory hash calculation
- Added ability for administrator to control whether or not users can edit their reply-to address ($edit_reply_to in config.php)
- Added new "login_before_page_header" (boolean) hook; allows plugins to have more explicit control over login page header
- Added new "smtp_helo_override" hook; allows plugins to override the HELO host sent to the SMTP server when sending messages
- Added STARTTLS support for both IMAP and SMTP connections
- Added PDO support for database connections, so no external database module needs to be installed
- compose_send hook now has $draft flag in hook arguments
- Fixed insufficient sendmail command argument escaping (thanks to Mitchel Sahertian, Beyond Security/Dawid Golunski and Filippo Cavallarin for bringing this to our attention). [CVE-2017-7692]
- Upgraded preferences for the delete_move_next plugin. Automatic user preference updates are included, but note that if your installation is new, or all user prefs have been converted from "on"/"off" to 0/1, then you can add the following to SquirrelMail's config/config_local.php to avoid converting legacy values over and over:
    $do_not_convert_delete_move_next_legacy_preferences = TRUE;
- Added ability to control the display of the "Check Spelling" button provided by the squirrelspell plugin, which allows administrators to offer this plugin but keep it out of the way for users who do not want it. Put sqspell_show_button=0 in default preferences if it should be hidden by default
- Added ability (and user preference) to return to message list after moving a message
- Search enhancement: Added ability to search in more than one header without having to search the body
- Add ability for saved drafts to indicate if they are a reply and if so, to which message, and mark that message as replied when the draft is finally sent
- Added option to allow returning to the message one had been replying to after sending
- Sanitize user-supplied attachment filenames (thanks to Florian Grunow for reporting this issue) [CVE-2018-8741]
- Allow users who cannot edit their email address but who have multiple identities to edit all their identities
- Changed anti-CSRF security token lifetime to be session-based.
- Added favicon and ability for admins to use their own by setting $head_tag_extra in config_local.php (see documented comments in, for example, src/webmail.php)
- Altered hook types "do_hook_function" and "concat_hook_function" such that the ultimate hook return value (in its current state, as computed (or not) by the plugins that have executed previously) is both globalized and passed as an additional argument to each plugin. This allows plugins to cooperate better and not overwrite each other's return values.
- Updated SVG handling, closing several related vulnerabilities (#2831) [CVE-2018-14950] [CVE-2018-14951] [CVE-2018-14952] [CVE-2018-14953] [CVE-2018-14954] [CVE-2018-14955]
- Added IMAP ID command (RFC2971), sent after every login - use by setting $imap_id_command_args in config/config_local.php (see notes in functions/imap_general.php for more details)
- Fixed PHP7 warnings (#2847)
- Added handling for RCDATA and RAWTEXT elements in HTML sanitizer [CVE-2019-12970]
- Added the ability to modify the value of the global $PHP_SELF variable used throughout the SquirrelMail code. The administrator may do so by adding the configuration settings $php_self_pattern and $php_self_replacement to config/config_local.php, where the pattern should be a full regular expression including the delimiters. This may be helpful when the web server sees traffic from a proxy so the normal $PHP_SELF does not resolve to what it should be for the real client.
- Users can now mouse over the checkbox on the message list to see who a message is from
- Show more accurate filesize for uploaded files and base64-encoded attachments (when reading a message)
- Migrate away from create_function() as long as we have PHP 5.3+

Version 1.4.22 - 12 July 2011
-----------------------------

- Backported default timezone fix from version 1.5.2; helps mitigate timezone errors in environments where a default has not been set by the administrator.
- Fixed system lock-ups caused by a combination of certain rare, malformed message headers and buggy versions of PHP mbstring (#3053349).
- Now allow multiple plugins to handle (add links for) a single attachment MIME type.
- Now allow administrators to disable all plugins or enable just a select few plugins (overriding the active plugins in the normal configuration) by setting $temporary_plugins as an empty array (all disabled) or an array with one or more plugin directory names in config_local.php.
- Backport fix for call_user_func_array not supporting NULL as empty array in PHP 5.3.3
- Fixed sqauth_read_password() for plugins on the login_verified hook.
- Added SMTP SASL PLAIN authentication option to configuration tool (core support for such is not new).
- Gmail doesn't support standard search commands; removed sort buttons.
- Forced addition of a file suffix to attachments that lack a filename (helps forwarded messages avoid spam filters) (thanks to Petr Kletecka) (#3139004).
- Fixed missing security token in listcommands plugin.
- Added smtp_auth hook (thanks to Emmanuel Dreyfus).
- Made speed enhancements to threaded message display (thanks to Siim Poder) (#3288123).
- Allow administrators to configure subfolders of user INBOXes to be treated as special folders by adding $subfolders_of_inbox_are_special to config_local.php.
- Fixed incorrect display of INBOX subfolders under some configurations. IMPORTANT: You may need to update your configuration so that $default_sub_of_inbox is TRUE if it was FALSE (e.g., Courier IMAP users) and after updating to this version, your special folders are no longer listed at the top of your folder list. Also, if this change prevents users from logging in with an error such as "ERROR: Could not complete request. Query: CREATE "Trash" Reason Given: Invalid mailbox name.", you will need to correct the user preference values for the problem folders. You can do so with commands such as the following for file-based preferences (adjust the data directory location as needed; the -name pattern is quoted so that the shell does not expand it before find sees it):
    find /var/lib/squirrelmail/data/ -name '*.pref' -exec sed --in-place 's/trash_folder=Trash/trash_folder=INBOX.Trash/g' {} \;
    find /var/lib/squirrelmail/data/ -name '*.pref' -exec sed --in-place 's/draft_folder=Drafts/draft_folder=INBOX.Drafts/g' {} \;
    find /var/lib/squirrelmail/data/ -name '*.pref' -exec sed --in-place 's/sent_folder=Sent/sent_folder=INBOX.Sent/g' {} \;
  Or, for database-based preferences:
    UPDATE userprefs SET prefval = 'INBOX.Trash' WHERE prefkey = 'trash_folder' AND prefval = 'Trash';
    UPDATE userprefs SET prefval = 'INBOX.Drafts' WHERE prefkey = 'draft_folder' AND prefval = 'Drafts';
    UPDATE userprefs SET prefval = 'INBOX.Sent' WHERE prefkey = 'sent_folder' AND prefval = 'Sent';
  MAKE SURE to back up your user preferences first!
- Optimized message highlighting rules; faster message list display and faster highlight rules management (thanks to C. Bensend for extensive effort helping diagnose)
- New Mail plugin no longer removes normal organization title when putting the number of new messages in the browser title
- Added clickjacking protection (thanks to Asbjorn Thorsen and Geir Hansen for bringing this to our attention). [CVE-2010-4554]
- Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell plugin, XSS hole in the Index Order page, and added anti-CSRF protection to the empty trash feature and the Index Order page (thanks to Nicholas Carlini for finding all these issues). [CVE-2011-2752, CVE-2011-2753, CVE-2010-4555]
- Fixed XSS problem with unsanitized style tags in messages. [CVE-2011-2023]

Version 1.4.21 - 23 Jul 2010
----------------------------

- Now allow more than one plugin to control the compose form submit action.
- When sorting by received date, the received date is now shown on the message list.
- Explicitly disabled browser caching for left_main and right_main pages (#2983134).
- Fixed error with SpamCop reporting plugin not being able to send report as emails (#1795310).
- Fixed typo in SpamCop plugin.
- Reduced default time security tokens stay valid from 30 days to 2 days (reduces chances of session data growing too large)
- Several speed enhancements for recent fixes regarding the display of encoded subjects, including a fix for messages with invalid subject encoding (includes #2987016 amongst several other issues reported via mailing list, etc.) (Many thanks to Zdenek Pytela for the untiring help diagnosing and testing.)
- Fixed minor vulnerability in Mail Fetch plugin. [CVE-2010-1637/TEHTRI-SA-2010-009]
- Now properly quote personal part of encoded addresses when replying.
- Now fill in default subject when forwarding as attachment (#2936541).
- Implement header folding that doesn't add extraneous spaces so unfolding is less ambiguous (#1951776).
- Fixed issues caused by use of PostgreSQL keyword "user" in SquirrelMail's default preferences database schema (#2943483).
- Fixed attachment filename decoding problems (#2994865).
- Now default search criteria to the TO header when searching the sent folder.
- Fixed literal processing of 8-bit usernames/passwords during login. [CVE-2010-2813]

Version 1.4.20 - 06 Mar 2010
----------------------------

- Fixed issue with search not using literals correctly (#2846511).
- Fixed issue with returning to search results due to new security token code.
- Fixed issue with multi-part related messages not showing all attachments (#2830140).
- Fix for security token missing in newmail plugin (#2919418).
- Fixed sort in Sent folder to sort by "To" field instead of "From" field (#2907412).
- Fixed mailto: urls containing + characters. Thanks to Michael Puls II for the patch.
- Made base URL autodetection more robust; fixes some lighttpd issues (probably #1741469).
- Encoded From headers are now properly quoted (#2830141).
- Multibyte strings (notably subjects) are now handled correctly (#2824813, #2925731).
- X-DNS-Prefetch-Control: off header is now sent to browsers to prevent information leakage when Firefox does DNS prefetching for URLs contained in emails.
- Added unread links in message view.
- Added the ability to configure Google Mail (Gmail) as the mail server behind SquirrelMail.
- Added option in display preferences that allows the signature to be stripped from the original message when replying (#2952876). Thanks to Sven Strickroth.

Version 1.4.20 RC2 - 17 Aug 2009
--------------------------------

- Protect message deletion with security token system. (Secunia Advisory SA34627)

Version 1.4.20 RC1 - 12 Aug 2009
--------------------------------

- Removed the shut down DSBL blocklists (#2796734).
- Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839).
- Updated INSTALL doc to remove possible bad system admin typos (#2827153).
- PHP 5.3 deprecates ereg functions (#2820952).
- Filters plugin uses badly formatted literals request (#2805201).
- Provide option for complete removal of usernames and user IP addresses from message headers, and remove personal data from Message ID seed. (#880029/847107)
- Implemented page referral verification mechanism. (Secunia Advisory SA34627)
- Implemented security token system. (Secunia Advisory SA34627)

Version 1.4.19 - 21 May 2009
----------------------------

- Removed use of session_unregister() for compatibility with PHP 5.3.0 and PHP 6.
- Fixed the Filters plugin to allow commas in filter criteria text and not to error out when spam-scanning only unread mail.
- Resend cookie to browser after session ID regeneration so it gets the right cookie parameters.
- In SMTP, when we EHLO with an IP, wrap it in brackets (#2793154).
- The shell escaping fix in map_yp_alias [CVE-2009-1579] was incomplete. Thanks Michal Hlavinka for noticing this. [CVE-2009-1381]

Version 1.4.18 - 11 May 2009
----------------------------

- Fixed port detection in automatic base URL detection scheme (get_location()). (#2388423)
- Added informational type option widget.
- Added password type option widget.
- Fixed filters plugin to allow spam filters to scan multiple messages, rather than the first message returned. (#1634735)
- Removed code from spam filters plugin to stop if falling back to searching all messages when there were no new messages.
- Altered filters plugin to issue single move/delete statement for multiple messages.
- Updated some core code, and several plugins, to not use code marked as obsolete.
- Corrected sqimap_msgs_list_copy to actually copy messages, rather than move.
- Created new sqimap_msgs_list_move to move messages.
- Migrated some fetch handling code from dev branch in plans to update some core functionality to allow reusability of code.
- Make address book file permissions 0600 - same as preference files.
- Fix for address book nicknames that contain the : character.
- Ensure that hash directory computation is the same on both 32 and 64 bit architectures. (#2596879)
- Allow multiple addresses in one abook entry (separate with commas), although we HIGHLY DISCOURAGE grouping in this manner - note amongst other issues that can come up, sizing for large groups will be a problem. (#2611967)
- Added Tamil translation (Thanks to Kengatharaiyer Sarveswaran).
- Added Bengali (Bangladesh) translation (Thanks to Jamil Ahmed).
- Moved documentation to doc/ directory and added example .htaccess files in all directories to which browsers don't need direct access.
- Date headers in outgoing messages have been brought into RFC 822 compliance (removed time zone name). (#1849410)
- Default Content-Transfer-Encoding is now RFC-compliant "7bit" instead of "us-ascii". (#1942060)
- Outgoing attachments that have lines longer than allowed per RFC are now encoded so they are not corrupted by artificial line folds. Thanks to Kelly Fallon. (#2226470, #1473714)
- Converted Italian (it_IT) to UTF-8.
- Converted Czech (cs_CZ) to UTF-8.
- Converted Hungarian (hu_HU) to UTF-8.
- Added Khmer translation (Thanks to Khoem Sokhem).
- Remove ability for HTML emails to use CSS positioning to overlay SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581]
- Fixed improper sanitizing of PHP_SELF and the lack of sanitizing of QUERY_STRING server environment variables (Thanks to Niels Teusink and Christian Balzer). [CVE-2009-1578]
- Fixed the lack of sanitizing of contrib/decrypt_headers.php input; also includes general cleanup of that page (Thanks to Niels Teusink). [also CVE-2009-1578]
- Fixed unsanitized shell command in example IMAP username mapping function (map_yp_alias) (Thanks to Niels Teusink). [CVE-2009-1579]
- Fixed session fixation issues where someone who can modify a user's cookies could gain control of their login session. The SquirrelMail base URI is now uniformly generated, extraneous cookies are cleaned up and session IDs are regenerated upon every login (Thanks to Tomas Hoger). [CVE-2009-1580]

Version 1.4.17 - 03 December 2008
---------------------------------

- Allow control over white space wrapping of auto-generated SquirrelMail option widgets.
- Fix matching of alternate identities when replying.
- Fix HTTPS detection under Windows IIS that was incorrectly setting cookies to be transmitted only over a secure connection when none existed (#2318118).
- Security: Fix XSS exploit in hyperlinks when rendering messages. Thanks to Secunia Research for reporting this issue and for their patience. [CVE-2008-2379]

Version 1.4.16 - 28 September 2008
----------------------------------

- Added support for Latvian.
- Add submit button type option widget
- Allow address book lookups by fields other than nickname/alias
- Include hooks in database-based preference backend that have long been in the file-based preference backend
- Removed the Address Take (abook_take) plugin; please see the Add Address (third party) plugin.
- Allow a different server address for the POP server to be configured when using POP before SMTP.
- Update the left_main_after_each_folder hook to work on the trash folder as well as all other folders.
- Fix HTML validity issue with IE conditional construct (#1985916).
- Backported sqsetcookie() from 1.5.2, so cookies won't be transmitted under non-SSL connections if the session is started under an SSL (https) connection (CVE-2008-3663). Also limits cookies to HTTPOnly, a feature of IE and Firefox to counter cross site scripting attacks.

Version 1.4.15 - 23 May 2008
----------------------------

- Fix saving of Read Receipts to Sent folder.
- Converted Romanian (ro_RO) to UTF-8.
- Converted Slovak (sk_SK) to UTF-8.
- Converted Swedish (sv_SE) to UTF-8.

Version 1.4.15 Release Candidate 1 - 12 May 2008
------------------------------------------------

- Added support for Macedonian.
- Don't allow invalid plugin names in conf.pl --install-plugin.
- Fix warning in Printer Friendly due to missing include (#1849101).
- Let configtest.php use optional PEAR dynamic extension loading, patch by Walter Huijbers (#1833123).
- Fix for IMAP servers that were having problems saving sent messages.
- Fix broken
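The 1.4.22 entry above gives find/sed commands for moving file-based special-folder preferences under INBOX and insists on a backup first. The script below is an added example, not part of the SquirrelMail ChangeLog or project: it takes that backup automatically and anchors each replacement to a whole line, so a value such as "trash_folder=Trash.old" or an already-migrated "INBOX.Trash" is left alone. It assumes preferences are stored one key=value per line in <user>.pref files under the data directory.

```shell
#!/bin/sh
# Added example, not part of the SquirrelMail ChangeLog: migrate file-based
# special-folder preferences to INBOX.* subfolders (the 1.4.22 entry), but
# back the data directory up first and only rewrite a line whose whole value
# matches, so "trash_folder=Trash.old" or "INBOX.Trash" stay untouched.
# Assumption: preference files are "<user>.pref" with one key=value per line.

# migrate_pref_file FILE
#   Rewrites the three special-folder keys in place. Returns 0 if the file
#   changed, 1 if it was already fine, 2 on a sed error. Writing back through
#   "cat > FILE" keeps the original inode and its 0600 permissions.
migrate_pref_file() {
    f=$1
    tmp="$f.tmp.$$"
    sed -e 's/^trash_folder=Trash$/trash_folder=INBOX.Trash/' \
        -e 's/^draft_folder=Drafts$/draft_folder=INBOX.Drafts/' \
        -e 's/^sent_folder=Sent$/sent_folder=INBOX.Sent/' "$f" > "$tmp" \
        || { rm -f "$tmp"; return 2; }
    if cmp -s "$f" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" > "$f"
    rm -f "$tmp"
    return 0
}

# fix_special_folders DATA_DIR
#   Copies DATA_DIR to DATA_DIR.bak-<timestamp>, then migrates every *.pref
#   file below it and prints how many files were changed.
fix_special_folders() {
    dir=${1%/}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    backup="$dir.bak-$(date +%Y%m%d%H%M%S)"
    cp -pR "$dir" "$backup" || return 1
    # The -name pattern is quoted so the shell cannot expand it in the cwd.
    find "$dir" -type f -name '*.pref' | while IFS= read -r f; do
        migrate_pref_file "$f" && echo "$f"
    done | wc -l | tr -d ' '
}

# Constructed demo data (not real user preferences).
demo=$(mktemp -d)
mkdir "$demo/data"
printf 'trash_folder=Trash\ndraft_folder=Drafts\nsent_folder=Sent\n' > "$demo/data/alice.pref"
printf 'trash_folder=Trash.old\nsent_folder=INBOX.Sent\n' > "$demo/data/bob.pref"
changed=$(fix_special_folders "$demo/data")
echo "files changed: $changed"      # 1: only alice.pref needed rewriting
cat "$demo/data/alice.pref"
rm -rf "$demo"
```

The backup directory is left beside the data directory; remove it yourself once users have logged in successfully.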