From c7c09f85d9ccab83f720d1f938035884b9db5d6a Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 05 Nov 2015 02:48:34 -0500
Subject: [PATCH] Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583)

---
 INSTALL |   29 ++++++++++++++++++++++++-----
 1 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/INSTALL b/INSTALL
index 918be88..71c971e 100644
--- a/INSTALL
+++ b/INSTALL
@@ -11,14 +11,13 @@
 
 * The Apache, Lighttpd, Cherokee or Hiawatha web server
 * .htaccess support allowing overrides for DirectoryIndex
-* PHP Version 5.3.7 or greater including
-   - PCRE, DOM, JSON, XML, Session, Sockets (required)
+* PHP Version 5.3.7 or greater (but not PHP 7) including
+   - PCRE, DOM, JSON, Session, Sockets (required)
    - PHP Data Objects (PDO) with driver for either MySQL, PostgreSQL or SQLite (required)
    - Libiconv, Zip (recommended)
    - OpenSSL, Fileinfo, Mcrypt, mbstring (optional)
 * PEAR packages distributed with Roundcube or external:
-   - Mail_Mime 1.8.1 or newer
-   - Mail_mimeDecode 1.5.5 or newer
+   - Mail_Mime 1.9.0 or newer
    - Net_SMTP (latest from https://github.com/pear/Net_SMTP/)
    - Net_IDNA2 0.1.1 or newer
    - Auth_SASL 1.0.6 or newer
@@ -39,7 +38,7 @@
   or SQLite support in PHP
 * One of the above databases with permission to create tables
 * An SMTP server (recommended) or PHP configured for mail delivery
-* Composer installed either locally or globally
+* Composer installed either locally or globally (https://getcomposer.org)
 
 
 INSTALLATION
@@ -49,6 +48,9 @@
 2. Install dependencies using composer:
    - get composer from https://getcomposer.org/download/
    - rename the composer.json-dist file into composer.json
+   - if you want to use LDAP address books, enable the LDAP libraries in your
+     composer.json file by moving the items from "suggest" to the "require"
+     section (remove the explanation texts after the version!).
    - run `php composer.phar install --no-dev`
 3. Make sure that the following directories (and the files within)
    are writable by the webserver
@@ -150,6 +152,23 @@
 	php_value       upload_max_filesize     2M
 
 
+SECURE YOUR INSTALLATION
+========================
+
+Access through the webserver to the following directories should be denied:
+
+  /config
+  /temp
+  /logs
+
+Roundcube uses .htaccess files to protect these directories, so be sure to
+allow override of the Limit directives to get them taken into account. The
+package also ships a .htaccess file in the root directory which defines some
+rewrite rules. In order to properly secure your installation, please enable
+mod_rewrite for Apache webserver and double check access to the above listed
+directories and their contents is denied.
+
+
 UPGRADING
 =========
 

--
Gitblit v1.9.1