From 49b8e5d0bb712ccf1a1a52bd794d3d7bb905a493 Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <thomas@roundcube.net> Date: Sat, 19 Oct 2013 09:49:49 -0400 Subject: [PATCH] Add plugin hook 'contact_validate' to let plugins validate contact records --- CHANGELOG | 124 +++++++++++++++++++++++++++++------------ 1 files changed, 87 insertions(+), 37 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 7ed74f9..a791dca 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -1,54 +1,57 @@ CHANGELOG Roundcube Webmail =========================== -- Fixed iframe scrolling on touch devices -- Optimized message list for touch devices +- Fix default spell-check configuration after Google suspended their spell service +- Fix vulnerability in handling _session argument of utils/save-prefs (#1489382) +- Fix iframe onload for upload errors handling (#1489379) +- Fix address matching in Return-Path header on identity selection (#1489374) +- Fix HTML part detection when encapsulated inside multipart/signed (#1489372) +- Fix text wrapping issue with long unwrappable lines (#1489371) +- Add spellchecker backend for the After the Deadline service +- Replace markdown-style [1] link indexes in plain text email bodies +- Fixed issues where HTML comments inside style tag would hang Internet Explorer +- Improved mailto: link arguments handling (#1489363) +- Use DOMDocument LIBXML_PARSEHUGE and LIBXML_COMPACT options if possible (#1489302) +- Support HTTP_HOST, SERVER_NAME and SERVER_ADDR values in include_host_config feature +- Hide Delivery Status Notification option when smtp_server is unset (#1489336) +- Make default font size for HTML messages configurable (request #118) +- Display full attachment name using title attribute when name is too long to display (#1489320) +- Fix XSS issue in addressbook group name field [CVE-2013-5646] (#1489333) +- Fix attachment icon issue when rare font/language is used (#1489326) +- After message is sent refresh messages list of replied message folder (#1489249) +- Add option force specified domain in user login - username_domain_forced (#1489264) +- Fix expanded thread root message styling after refreshing messages list (#1489327) +- Fix issue where From address was removed from Cc and Bcc fields when editing a draft (#1489319) +- Add option to import Vcards with group assignments +- Save groups membership in Vcard export (#1488509) +- Workaround broken PHP function timezone_name_from_abbr (#1489261) +- Fix 
error_reporting directive check (#1489323) +- Make cached message size limit configurable - messages_cache_threshold (#1489317) +- Log also failed logins to userlogins log +- Add temp_dir_ttl configuration option (#1489304) +- Allow setting INBOX as Sent folder (#1489219) - Fix replacement variables in user-specific base_dn in some LDAP requests (#1489279) -- Fix purge action in folder manager (#1489280) - Fix image scaling issues when image has only one dimension smaller than the limit (#1489274) - Fix issue where uploaded photo was lost when contact form did not validate (#1489274) -- Fix base URL resolving on attribute values with no quotes (#1489275) -- Fix wrong handling of links with '|' character (#1489276) -- Fix XSS vulnerability when saving HTML signatures (#1489251) - Move identity selection based on non-standard headers into (new) identity_select plugin (#1488553) -- Fix colorspace issue on image conversion using ImageMagick (#1489270) -- Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - Fix downloading binary files with (wrong) text/* content-type (#1489267) -- Fix rewrite rule in .htaccess (#1489240) -- Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) -- Fix identity-selection using Return-Path headers (#1489241) -- Fix parsing of links with ... 
in URL (#1489192) -- Fix compose priority selector when opening in new window (#1489257) - Respect HTTP_X_FORWARDED_FOR and HTTP_X_REAL_IP variables for session IP check - Simplified configuration by merging it into one file + defaults (#1487311) - Make message list header stay on top when scrolling (#1295420) -- Fix bug where signature wasn't changed on identity selection when editing a draft (#1489229) -- Fix IMAP SETMETADATA parameters quoting (#1489231) - Add support for 'enchant' spellcheck engine -- Fix "could not load message" error on valid empty message body (#1489228) - Check filetype detection in installer and update script (#1489193) -- Fix handling of message/rfc822 attachments on message forward and edit (#1489214) - Fix folder names truncation in Classic skin (#1489220) -- Fix parsing of square bracket characters in IMAP response strings (#1489223) -- Don't clear References and in-Reply-To when a message is "edited as new" (#1489216) - Make possible to disable some (broken) IMAP extensions with imap_disable_caps option (#1489184) - Contacts drag-n-drop default action is to move contacts (#1488751) - Added possibility to choose to move or copy contacts from drag-n-drop menu (#1488751) -- Fix messages list sorting with THREAD=REFS - Fix Close link and remove About link on error pages (#1489109) -- Remove deprecated (in PHP 5.5) PREG /e modifier usage (#1489174) -- Fix empty messages list when register_globals is enabled (#1489157) - Improved/unified attachment preview screen, added print button - Fix lack of space between searchfiler and quicksearchbar in Larry skin (#1489158) -- Fix so valid and set date.timezone is not required by installer checks (#1489180) -- Canonize boolean ini_get() results (#1489189) - Cache LDAP's user_specific search and use vlv for better performance (#1489186) - LDAP: auto-detect and use VLV indices for all search operations - LDAP: additional group configuration options for address books - LDAP: separated address book 
implementation from a generic LDAP wrapper class - Allow address books to browse a multi-level group hierarchy in the contacts list -- Fix so install do not fail when one of DB driver checks fails but other drivers exist (#1489178) -- Fix so exported vCard specifies encoding in v3-compatible format (#1489183) - Fix session issues when local and database time differs (#1486132) - Fix thread cache syncronization/validation (#1489028) - Added feature to import messages to the currently selected folder 
@@ -82,6 +85,53 @@ - Extended archive plugin with user-configurable options to store messages into subfolders - Fix export of selected contacts from search result (#1488905) - Feature to export only selected contacts from addressbook (by Phil Weir) + +RELEASE 0.9.4 +------------- +- Make identities matching case insensitive (#1485480) +- Fix issue where too big message data was stored in cache causing sql errors (#1489316) +- Fix iframe scrollbars on webkit desktop browsers (#1489306) +- Fix issue where legacy config was overriden by default config (#1489288) +- Fix newmail_notifier issue where favicon wasn't changed back to default (#1489313) +- Fix setting of Junk and NonJunk flags by markasjunk plugin (#1489285) +- Fix lack of Reply-To address in header of forwarded message body (#1489298) +- Fix bugs when invoking contact creation form when read-only addressbook is selected (#1489296) +- Fix identity selection on reply (#1489291) +- Fix so additional headers are added to all messages sent (#1489284) +- Fix display issue after moving folder in Folder Manager (#1489293) +- Fix handling of non-default date formats (#1489294) +- Fix unquoted path in PREG expression on Windows (#1489290) +- Fix wrong close tag in /template/mail.html (#1489295) + +RELEASE 0.9.3 +------------- +- Fix setting refresh_interval to "Never" in Preferences (#1489286) +- Fixed iframe scrolling on touch devices +- Optimized message list for touch devices +- Fix purge action in folder manager (#1489280) +- Fix base URL resolving on attribute values with no quotes (#1489275) +- Fix wrong handling of links with '|' character (#1489276) +- Fix colorspace issue on image conversion using ImageMagick (#1489270) +- Fix XSS vulnerability when editing a message "as new" or draft [CVE-2013-5645] (#1489251) +- Fix XSS vulnerability when saving HTML signatures [CVE-2013-5645] (#1489251) +- Fix rewrite rule in .htaccess (#1489240) +- Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) +- Fix 
identity-selection using Return-Path headers (#1489241) +- Fix parsing of links with ... in URL (#1489192) +- Fix compose priority selector when opening in new window (#1489257) +- Fix bug where signature wasn't changed on identity selection when editing a draft (#1489229) +- Fix IMAP SETMETADATA parameters quoting (#1489231) +- Fix "could not load message" error on valid empty message body (#1489228) +- Fix handling of message/rfc822 attachments on message forward and edit (#1489214) +- Fix parsing of square bracket characters in IMAP response strings (#1489223) +- Don't clear References and in-Reply-To when a message is "edited as new" (#1489216) +- Fix messages list sorting with THREAD=REFS +- Remove deprecated (in PHP 5.5) PREG /e modifier usage (#1489174) +- Fix empty messages list when register_globals is enabled (#1489157) +- Fix so valid and set date.timezone is not required by installer checks (#1489180) +- Canonize boolean ini_get() results (#1489189) +- Fix so install do not fail when one of DB driver checks fails but other drivers exist (#1489178) +- Fix so exported vCard specifies encoding in v3-compatible format (#1489183) RELEASE 0.9.2 ------------- @@ -283,7 +333,7 @@ - Fix #countcontrols issue in IE<=8 when text is very long (#1488890) - Fix unwanted horizontal scrollbar in message preview header (#1488866) - Add workaround for IE<=8 bug where Content-Disposition:inline was ignored (#1488844) -- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850) +- Fix XSS vulnerability in vbscript: and data:text links handling [CVE-2012-6121] (#1488850) - Fix absolute positioning in HTML messages (#1488819) - Fix cache (in)validation after setting \Deleted flag - Fix keybord events on messages list in opera browser (#1488823) 
@@ -338,8 +388,8 @@ - Fix bug where domain name was converted to lower-case even with login_lc=false (#1488593) - Fix lower-casing email address on replies (#1488598) - Fix line separator in exported messages (#1488603) -- Fix XSS issue where plain signatures wasn't secured in HTML mode (#1488613) -- Fix XSS issue where href="javascript:" wasn't secured (#1488613) +- Fix XSS issue where plain signatures wasn't secured in HTML mode [CVE-2012-4668] (#1488613) +- Fix XSS issue where href="javascript:" wasn't secured [CVE-2012-3508] (#1488613) - Fix impossible to create message with empty plain text part (#1488610) - Fix stripped apostrophes when replying in plain text to HTML message (#1488606) - Fix inactive Save search option after advanced search (#1488607) @@ -374,7 +424,7 @@ - Fix removing contact photo using LDAP addressbook (#1488420) - Fix storing X-ANNIVERSARY date in vCard format (#1488527) - Update to Mail_Mime-1.8.5 (#1488521) -- Fix XSS vulnerability in message subject handling using Larry skin (#1488519) +- Fix XSS vulnerability in message subject handling using Larry skin [CVE-2012-3507] (#1488519) - Fix handling of links with various URI schemes e.g. "skype:" (#1488106) - Fix handling of links inside PRE elements on html to text conversion - Fix indexing of links on html to text conversion @@ -501,7 +551,7 @@ - Improved handling of some malformed values encoded with quoted-printable (#1488232) - Add possibility to do LDAP bind before searching for bind DN - Fix handling of empty <U> tags in HTML messages (#1488225) -- Add content filter for embedded attachments to protect from XSS on IE (#1487895) +- Add content filter for embedded attachments to protect from XSS on IE [CVE-2012-1253] (#1487895) - Use strpos() instead of strstr() when possible (#1488211) - Fix handling HTML entities when converting HTML to text (#1488212) - Fix fit_string_to_size() renders browser and ui unresponsive (#1488207) 
@@ -669,7 +719,7 @@ RELEASE 0.5.4 ------------- -- Fix XSS vulnerability in UI messages (#1488030) +- Fix XSS vulnerability in UI messages [CVE-2011-2937] (#1488030) RELEASE 0.5.3 ------------- @@ -719,8 +769,8 @@ - Security: add optional referer check to prevent CSRF in GET requests - Fix email_dns_check setting not used for identities/contacts (#1487740) - Fix ICANN example addresses doesn't validate (#1487742) -- Security: protect login form submission from CSRF -- Security: prevent from relaying malicious requests through modcss.inc +- Security: protect login form submission from CSRF [CVE-2011-1491] +- Security: prevent from relaying malicious requests through modcss.inc [CVE-2011-1492] - Fix handling of non-image attachments in multipart/related messages (#1487750) - Fix IDNA support when IDN/INTL modules are in use (#1487742) - Fix handling of invalid HTML comments in messages (#1487759) @@ -1163,7 +1213,7 @@ --------------- - Fix import of vCard entries with params (#1485453) - Fix HTML messages output with empty block elements (#1485974) -- Use request tokens to protect POST requests from CSRF +- Use request tokens to protect POST requests from CSRF [CVE-2009-4076, CVE-2009-4077] - Added hook when killing a session - Added hook to write_log function (#1485971) - Performance improvements by use UID commands (#1485690) @@ -1290,7 +1340,7 @@ - Fix large search results on server without SORT capability (#1485668) - Get rid of preg_replace() with eval modifier and create_function usage (#1485686) - Bring back <base> and <link> tags in HTML messages -- Fix XSS vulnerability through background attributes as reported by Julien Cayssol +- Fix XSS vulnerability through background attributes [CVE-2009-0413] - Fix problems with backslash as IMAP hierarchy delimiter (#1484467) - Secure vcard export by getting rid of preg's 'e' modifier use (#1485689) - Fix authentication when submitting form with existing session (#1485679) 
@@ -1348,7 +1398,7 @@ - Allow deleting identities when multiple_identities=false (#1485435) - Added option focus_on_new_message (#1485374) - Fix html2text class autoloading on Windows (#1485505) -- Fix html signature formatting when identity save error occured (#1485426) +- Fix html signature formatting when identity save error occurred (#1485426) - Add feedback and set busy when moving folder (#1485497) - Fix 'Empty' link visibility for some languages e.g. Slovak (#1485489) - Fix messages count bar overlapping (#1485270) -- Gitblit v1.9.1
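Review bot: the commit subject says this patch adds a 'contact_validate' plugin hook, but the stat line shows only CHANGELOG changed and no line in the @@ -1,54 +1,57 @@ hunk (or any later hunk) mentions that hook, so either the hook code and its changelog entry are missing from this commit or the subject belongs to a different change; please split or retitle. Within this hunk, `+- Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)` is the one security entry in the patch that carries neither an identifier nor a vulnerability class, while the rest of the diff exists to tag security fixes with CVE ids; name the class as the other entries do (e.g. "XSS") and add the identifier if one has been assigned. Minor: the hunk mixes past tense (`+- Fixed issues where HTML comments inside style tag would hang Internet Explorer`, `+- Improved mailto: link arguments handling`) with the file's imperative "Fix ..."/"Add ..." convention, and `+- Add option force specified domain in user login` reads better as "Add option to force ...".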
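Review bot: typo in the new RELEASE 0.9.4 block of the @@ -82,6 +85,53 @@ hunk, `+- Fix issue where legacy config was overriden by default config (#1489288)` should read "overridden". The RELEASE 0.9.3 block re-adds the past-tense entries `+- Fixed iframe scrolling on touch devices` and `+- Optimized message list for touch devices` that the first hunk removed from the head section, so this is the place to align them with the surrounding "Fix ..." wording. Tagging both #1489251 entries with the single id CVE-2013-5645 is consistent, but since the @@ -338,8 +388,8 @@ hunk assigns two different ids to one ticket, a short note in the commit message on how ids were mapped to tickets would save the next reader the same question.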
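Review bot: in the @@ -338,8 +388,8 @@ hunk the two entries for ticket #1488613 receive different identifiers (CVE-2012-4668 for plain signatures in HTML mode, CVE-2012-3508 for href="javascript:"), whereas the new 0.9.3 section gives two entries for ticket #1489251 one shared id; that is plausible if the ticket bundled two separately assigned issues, but please cite the advisory or CVE descriptions in the commit message so the mapping can be checked rather than inferred. Grammar nit while these lines are being touched: "plain signatures wasn't secured" should be "plain signatures weren't secured".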
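Review bot: the two entries retagged in the @@ -719,8 +769,8 @@ hunk (`[CVE-2011-1491]` for the login form CSRF fix and `[CVE-2011-1492]` for modcss.inc) carry no ticket number, unlike the neighbouring lines, so the CVE id is now their only cross-reference; the adjacent unchanged `- Security: add optional referer check to prevent CSRF in GET requests` remains without either, so please confirm whether it was assigned an identifier as well, and tag it if so.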
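Review bot: `+- Use request tokens to protect POST requests from CSRF [CVE-2009-4076, CVE-2009-4077]` in the @@ -1163,7 +1213,7 @@ hunk is the only entry in the patch that lists two identifiers in one bracket; every other line uses one id per entry, so either split it into two entries as the #1488613 lines are, or say in the entry which id covers which part of the fix.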
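Review bot: the replacement line in the @@ -1290,7 +1340,7 @@ hunk drops the reporter credit ("as reported by Julien Cayssol") when it adds [CVE-2009-0413]; the identifier does not substitute for the credit the changelog has carried, so keep both, e.g. `- Fix XSS vulnerability through background attributes as reported by Julien Cayssol [CVE-2009-0413]`.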
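Review bot: the @@ -1348,7 +1398,7 @@ hunk is a spelling fix (occured to occurred) unrelated to the CVE annotations in the rest of the patch; harmless, but mention it in the commit message so the change set is fully described.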