- New reply citation to include date and author.
- Security: Fix some possible XSS bugs.
- Norwegian Bokmal translation uses nb_NO.
- - Integrated Msg_Flags plugin - turn on/off icons using configuration tool, menu
- number 11 (Tweaks), option number 3, after which users must select an icon
- theme in Options/Display Preferences. "Flag"/"Unflag" buttons are implemented
- as separate plugin.
+ - Integrated Msg_Flags plugin - turn on/off icons using configuration tool,
+ menu number 11 (Tweaks), option number 3, after which users must select an
+ icon theme in Options/Display Preferences.
+ "Flag"/"Unflag" buttons are implemented as separate plugin.
- Added Farsi and Tagalog translation support.
- Enabled Ukrainian and Russian-Ukrainian support
- - Subfolders named "foo.inbox" didn't always work well. Fixed.
+ - Fixed subfolders named "foo.inbox" didn't always work well.
- sqimap_create_stream() was not obeying passed params properly.
- Fix non-selectable inbox.
- Add src/configtest.php script which checks for common errors in the config.
- Added option to suppress Received: line in outbound SM headers (#847107).
- Changed read_body header from links to buttons (looks like message index).
- Add functions for building HTML forms (functions/forms.php).
- - Moved javascript_on to session (from prefs). Centralized javascript detection
- in prefs.php method checkForJavascript.
+ - Moved javascript_on to session (from prefs). Centralized JavaScript
+ detection in prefs.php method checkForJavascript.
- Added abook_init and abook_add_class hooks.
- Fixed "Resume Draft" to continue using selected identities (#845290).
- Fixed RFC2821 incompliancy by adding a fallback mechanism to HELO if
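Review bot: the reworded entry `Fixed subfolders named "foo.inbox" didn't always work well.` no longer parses as a sentence, and the removed wording was the clearer of the two. Either keep the original line or write it as `Fixed handling of subfolders named "foo.inbox".` so the entry says what was fixed without changing its meaning.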
still be performed on message delete, etc.
- Allow single quotes to be used in theme name in conf.pl (#805309).
- Fixed on the fly decoding of base64 encoded attachments.
- - Fixed message rejects by the postfix sendmail wrapper when attachments were
+ - Fixed message rejects by the Postfix sendmail wrapper when attachments were
involved.
- Fixed date display bug for messages of today. Show short format in case
of long format. (only occurs in the timeframe around 0:00 AM till
- Added sort by message size.
- Security: Fixed XSS vulnerability in content-type display in the attachment
area of read_body.php discovered by Roman Medina.
+ - Removed src/move_messages.php, move_before_move and move_messages_button_action
+ hooks. Mailbox listing actions should be handled by src/right_main.php and
+ functions/mailbox_display.php hooks.
- Get alternating row colors of addressbook in sync with mailbox list.
- Give proper error when PEAR DB not found.
- Remove inappropriate strip_tags() from add-to-addressbook (#968475).
- Prefs caching didn't work properly with register_globals off (#995102).
- Security: fix SQL injection vulnerability in addressbook.
- [CAN-2004-0521]
+ [CVE-2004-0521]
- Removed html_top and html_bottom hooks. No longer used/needed.
- Added "trailing text" for options built by SquirrelMail (text placed
after text and select list inputs on options pages)
- Custom option page values now repopulate correctly
- Added "no focus" option for compose page in display preferences (setting
reply focus to "No focus" also affects composing new messages)
- - Current hook name is now globally available when running a hook ($currentHookName)
+ - Current hook name is now globally available when running a hook
+ ($currentHookName)
- Fix bug when Saving to Draft folder that contains special characters.
- - Added size limit to signatures saved in file backend. Created error_option_save
- function, that allows sending error message to options page. Thanks to Martynas
- Bieliauskas for spotting big signature "option".
+ - Added size limit to signatures saved in file backend. Created
+ error_option_save function, that allows sending error message to options
+ page. Thanks to Martynas Bieliauskas for spotting big signature "option".
- Make SquirrelSpell work with safe_mode enabled, if using PHP >=4.3.0.
Patch by Ray Ferguson.
- Make IP-address in Message-ID RFC822 compliant.
- Fixed $custom_css loading in squirrelspell plugin.
- Turkish translation uses C character case conversion rules. Fixes PHP and
SquirrelMail functions are assume English conversion rules.
- - Fixed problem that caused an error when deleting all messages on the last page
- of a paginated view (provides fix for #1014612)
+ - Fixed problem that caused an error when deleting all messages on the last
+ page of a paginated view (provides fix for #1014612).
- Added MySQL password/UNIX crypt support to mysql backend in the
- change_password plugin
+ change_password plugin.
- Make SMTP Authentication detection in conf.pl more RFC-compliant.
- Fixed IMAP errors when using mail_fetch plugin to auto-fetch on login.
- Fixed folder list in Create Folders list for Courier (properly skip INBOX).
- LC_NUMERIC locale is set to C. (workaround for #1027130). Some plugins
might use decimal delimiters incorrectly.
- Added sq_is8bit function that can be used to detect 8bit strings.
- - Added sq_mb_list_encodings function that provides list of encodings supported
- by PHP mbstring module.
+ - Added sq_mb_list_encodings function that provides list of encodings
+ supported by PHP mbstring module.
- Added Content-Transfer-Encoding: 8bit header for read receipts that contain
8bit symbols. (provides fix for #934033).
- - Fixed decoding function problems when mbstring.func_override has MB_OVERLOAD_REGEX
- enabled.
- - Security: Fixed XSS exploit in decodeHeader function. [CAN-2004-1036]
+ - Fixed decoding function problems when mbstring.func_override has
+ MB_OVERLOAD_REGEX enabled.
+ - Security: Fixed XSS exploit in decodeHeader function. [CVE-2004-1036]
- Added site configuration and custom translation engine support to translate
plugin.
- Fixed SquirrelSpell error output. Patch courtesy David Boone.
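Review bot: the first line of the added "Removed src/move_messages.php, move_before_move and move_messages_button_action" entry is as long as the lines this same patch rewraps elsewhere (the $currentHookName and error_option_save entries), so it reintroduces the overlong lines the cleanup is removing. Break it before move_messages_button_action. Because the entry removes two hooks, it would also help plugin authors if it named the replacement hooks instead of only the two files that contain them.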
a string (patch courtesy Maurice Makaay).
- Fixed PHP notice when header property value is blank.
- Added compact paginator option. Patch by Felix Egli.
- - Fixed reply/forward form in order to avoid warnings in SSL enabled sites. Patch
- by Felix Egli.
+ - Fixed reply/forward form in order to avoid warnings in SSL enabled sites.
+ Patch by Felix Egli.
- Removed command line option unsupported by qmail-inject in
class/deliver/Deliver_SendMail.class.php. Thanks to Ken Brush.
- Global file based address book is controled in configuration. Removed
supported by mbstring and use it. Fixes bug #1005353.
- LDAP backend will use internal SquirrelMail charset conversion functions
instead of PHP XML extension. Fixes bug #655137.
- - Added Wood theme and Silver Steel theme by Pavel Spatny and Simple Green theme
+ - Added Wood and Silver Steel themes by Pavel Spatny and Simple Green theme.
- Fix two time zone calculation bugs, thanks to David White. Fixes #1063879.
- 'Priority' and 'Importance' headers are now also recognised, next to the
'X-Priority' header that we've supported since a long time. Fixes #1039935.
- Handle a reload of the signout page gracefully: do not present an error
about having to be logged in to be able to sign out. Fixes #1070069.
- - Prevent & being eaten in set_url_var, thanks Marcin Orlowski. Fixes #1053725.
+ - Prevent & being eaten in set_url_var, thanks Marcin Orlowski (#1053725).
- Removed internal_link hook.
- Added sq_setlocale function in order to use multiple locale names.
- Set up language before outputing errors in signout.php to make them appear
in the correct language.
- Added size attributes to new_mail sound tags. Fixes #818958.
- - Removed extra ; in SquirrelMail added Received header per RFC 822. Fixes #1088548.
+ - Removed extra ; in SquirrelMail added Received header per RFC 822
+ (#1088548).
- Add IMAP server type "hmailserver" to make search work with hMailServer.
Fixes #1085377.
- Reuploaded newmail plugin sounds. Fixes files uploaded to cvs without binary
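Review bot: two entries in this hunk change "Fixes #1053725." and "Fixes #1088548." to a bare "(#...)" reference while the untouched neighbours still read "Fixes #1063879.", "Fixes #818958." and "Fixes #1085377."; pick one form for the section, and keep "Fixes" if readers rely on it to tell a closed bug from a related one. The reworded theme entry "Added Wood and Silver Steel themes by Pavel Spatny and Simple Green theme." also reads as if "Simple Green theme" were a second author; give that theme its own clause.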
- Max upload file size now correctly handles a '-1' value, meaning
unlimited. (#1094569).
- Security: Added hook for Preferences Backend to resolve potential
- file inclusions. [CAN-2005-0075]
+ file inclusions. [CVE-2005-0075]
- Remove Printer Friendly Clean Display config option, the cleaning
is now always done.
- Create new Options section "Compose Preferences" and move some
options from Display Preferences there; also move some around within
Display Preferences.
- Security: Fix possible file/offsite inclusion in src/webmail.php.
- [CAN-2005-0103]
- - Security: Fix possible XSS issues in src/webmail.php. [CAN-2005-0104]
+ [CVE-2005-0103]
+ - Security: Fix possible XSS issues in src/webmail.php. [CVE-2005-0104]
- Fix undefined variables in src/webmail.php.
- 24hr clock format should include a leading 0.
- Removed numeric keys for plugin array in config.php.
- - Fixed translations of "On DATE, AUTHOR said" and "AUTHOR said" replies.
+ - Fixed translations of "On DATE, AUTHOR Wrote" and "AUTHOR Wrote" replies.
- Added sq_str_pad function for padding of multi-byte strings.
- Added sq_strlen function for calculation of multi-byte string length.
- Quoted "INBOX" in check for the status of INBOX in a LIST call. Fixes an
issue with a specific IMAP server.
- - In sqgetGlobalVar(), reset $value if the var is not found in the
- specified location.
- Move default_pref to the config/ dir, but keep checking legacy locations
first for bc. Do not fail with an error when default_pref not found, just
create an empty one.
- Use the proper attachment filenames in case of forwarding a message.
- Fix for #855320 where Outlook Express was creating CID: based URLs,
but not assigning a content-id to the attachment. This is a bug in
- Outlook Express and is non-RFC compliant behaviour.
+ Outlook Express and is non-RFC compliant behaviour.
- Strip <outbind://> tags out. This is a Microsoft only protocol and
references files local to the sending machine. This causes issues
- with Internet Explorer.
+ with Internet Explorer.
- Replace <img src="outbind://"> links with clean images to stop
issues with Internet Explorer not being able to track down the image.
- Empty src attribute on img tags causes logouts (IE only), replacing
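Review bot: the entry "In sqgetGlobalVar(), reset $value if the var is not found in the specified location." is deleted in this hunk and no added line in the visible patch restores it, so the changelog loses the record of that behaviour change. If the entry moved to another release section, say so in the commit message; otherwise keep it. The change of the quoted strings from "said" to "Wrote" in the translations entry also rewrites what an earlier entry reported, so confirm it matches the strings actually shipped and use consistent capitalisation.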
is always INBOX.
- Always show Purge link next to Trash, even when empty.
- errors in addressbook_init() function are no longer fatal. If function
- fails to activate address book backend, it displays error box (with
+ fails to activate address book backend, it displays error box (with
error_box() function). error box can be hidden by setting first
function argument to false.
- - Sanitized search in ldap address book backend. Use of asterisk
+ - Sanitized search in ldap address book backend. Use of asterisk
together with other symbols is not supported.
- Added ldap backend to change_password plugin.
- Change defaults of some prefs to more sensible / usable settings.
- Revise the documentation of the packaged plugins.
- Fixed edit form checks in address listing (#1124018).
- After sending resumed draft, return to message list.
- - Parse and replace mailto: links with internal compose links when
+ - Parse and replace mailto: links with internal compose links when
viewing in HTML format.
- Plugins may now define an "extra" array element to return to the attachment
types hook, which will be also inserted in the attachment link for the
is specific to Microsoft ADS (#1035454). Thanks to Michael Brown.
- Missing PHP LDAP extension errors are now handled by ldap backend and
errors are displayed after address book initialization.
- - LDAP connections are opened during search and not during address book
+ - LDAP connections are opened during search and not during address book
initialization.
- - Fixed wrapping of multibyte strings in message view and replies
+ - Fixed wrapping of multibyte strings in message view and replies
(#1043576).
- mbstring internal encoding is switched to ASCII, if mbstring.func_overload
is enabled (#929644).
- Create a generic function to empty a folder tree, thanks to
Randy Smith (#1145578).
- Add robots noindex/nofollow meta tag to SquirrelMail generated pages.
-
-Version 1.5.0
---------------------
+ - Fix incorrect folder hierarchy display (#1009654), thanks
+ Awais Ahmad for the patch (#1082558).
+ - src/delete_message.php script is disabled. It provided functions that
+ could be implemented without playing with multiple redirects.
+ - Remove lots of obsoleted code from left_main.php.
+ - Partial support of IMAP REFERRAL: do not fail on IMAP REFERRAL response
+ (RFC 2221) but log the user out with a hint. Patch by Ariel Arjona
+ (#1006242).
+ - Fixed SquirrelMail language cookie detection in php register_globals=off.
+ - If default SquirrelMail language is set to empty string, interface will
+ try to follow browser's HTTP_ACCEPT_LANGUAGE header or fallback to en_US
+ (#764709).
+ - If From: field is unset in an email, header object for from field is not
+ correctly set, and generates an error on reply (#1179754).
+ - Add Cancel button to addressbook (#1180565).
+ - RFC 2046: Send mixed messages with multipart/alternative nested boundaries
+ with correct boundary strings.
+ - EXPERIMENTAL: Mailbox listing converted to templated layout. Added
+ template support functions and classes. Rewrote some page header and
+ mailbox listing functions. Disabled 'show_recipient_instead' option.
+ Added more columns to mailbox listing and index order options.
+ - Removed sort by internal date option. Now you can use the Received column
+ in the index order option page for that.
+ - WARNING: if same user data storage location is used to store SquirrelMail
+ 1.4.x and 1.5.1+ user settings, SquirrelMail 1.5.1+ will reset mailbox
+ display order (Options->Index Options) in stable. Backup your data before
+ testing 1.5.1+ or use different storage location.
+ - Added experimental iframe sandbox for display of html formated emails.
+ - Disabled LOGINDISABLED check in src/login.php when IMAP server mapping is
+ used.
+ - Check destination folder in mail_fetch plugin before storing messages
+ in it. Modify destination folder, if it is renamed or deleted within
+ SquirrelMail (#584658).
+ - Made the Flags column a required column in the index order options page to
+ prohibit missing seen/unseen info in the messages list.
+ - Fixed disabled prev/next links in the message display when you reach the
+ end of the page (message set).
+ - Moved delete button to the right in the message list.
+ - Fixed imap capability detection in bug_report plugin. It was broken
+ when IMAP TLS was enabled or imap server mapping was used.
+ - Added mail_fetch plugin configuration file and moved plugin functions
+ from setup.php to functions.php file.
+ - SquirrelSpell plugin was modified to use standard SquirrelMail
+ preference system. User dictionaries that are stored in $username.words
+ files should be automatically updated to new format, when user logs in.
+ Fixed possible php script errors caused by $SQSPELL_APP configuration
+ variable changes. Removed $SQSPELL_EREG configuration option. Plugin's
+ version increased to 0.5.
+ - $skip_SM_header option was replaced with $encode_header_key and
+ $hide_auth_header options. First option allows to encode user's information
+ with provided encryption key (set in 2. Server settings -> B. Update SMTP /
+ Sendmail settings). Second option allows to disable authenticated user part
+ in Received: header, when user can't forge used email address. It is set in
+ 4. General Options -> 9. Allow editing of identity.
+ - Added dovecot preset to configuration utility.
+ - Modified mercury32 preset in order to remove INBOX prefix in mercury32 4.01.
+ - Added peardb backend to change_password plugin.
+ - Tweak IMAP connection error display (#1203154).
+ - Gracefully recover from over quota error while sending a mail (#1145144).
+ - Fix get_identities() for the case where the user has not set an email
+ address: use the fallback $username@$domain that's used in compose aswell.
+ - Fix "Include me in CC on Reply All" for the case where email address was
+ not set in the prefs (#781202, #1093363).
+ - Move documentation for SquirrelMail developers to doc/Development.
+ - Added id attribute support to form functions. It can be used for Section
+ 508 or WAI fixes. Original idea and patch by dugan <at> passwall.com.
+ - Fixed broken attachments caused by inconsistency of PHP chunk_split().
+ Thanks to Roalt Zijlstra.
+ - Identity code was not checking for domain part in username before setting
+ email address (Bug #1219184).
+ - Disallow access to the administrator plugin screens when the plugin is
+ not enabled in the config.
+ - Security: fix several cross site scripting (XSS) attacks. Thanks go to
+ Martijn Brinkers for finding a lot of these. [CVE-2005-1769]
+ - Update COPYING with new address of the FSF.
+ - Fixed missing quote character when trying to build cid: urls.
+ - Added address listing functions and listing controls to address
+ book LDAP backend. Blocked wildcard searches in file and database
+ backends when listing is disabled (#529563).
+ - Some LDAP address book backend configuration options (listing
+ controls, filtering, scope limit) are moved to 'advanced
+ configuration' subsection.
+ - Javascript relied on rg=1 in the login page to force focus to
+ password box if username was supplied as a url arg (#1222617).
+ - Fix variable typo in parseFetch which caused IMAP errors on Exchange.
+ Thanks Christian Froemmel.
+ - Added Bluesome theme by Saku Lehtiö (#1188209).
+ - Rewrite of advanced identity handlying to remove stupid extraction
+ of all post variables. [CVE-2005-2095]
+ - Added StartTLS support to address book LDAP backend (#1197703). Patch
+ by John Lane.
+ - Added subtree/one level search options to address book LDAP backend
+ (#1212618).
+ - Added Simple Green 2 and Simple Purple themes by Vicky Pyne (#1217066
+ and #1217069).
+ - sqimap_messages_delete|copy|flag and sqimap_get_small_header()
+ functions are removed from SquirrelMail IMAP API. Use sqimap_msgs_*
+ and sqimap_get_small_header_list() functions instead.
+ - Fix for bad cache on massive expunge/delete/move operations.
+ - Moved time zone configuration from locale/timezones.cfg to php array.
+ Adds time zone name localization options and fixes problems on systems
+ that don't support GNU C time zone mappings (#1177067).
+ - Use default color theme in logout_error function when possible.
+ - Fixes for increased error checking in PHP 5.0.5+ array_shift() (#1237160).
+ - Added extra checks in delivery class for In-Reply-To header. Fixes
+ E_NOTICE level warnings in php 5.0.4 and later (#1206474). [php5]
+ - Added extra checks in SquirrelMail charset_encode() function in case
+ somebody removes HTML to US-ASCII conversion library (#1239782).
+ - Fixed invalid reference in src/download.php. E_NOTICE level warnings
+ could corrupt attachments in php 4.4.0.
+ - Added internal dgettext() and dngettext() functions.
+ - Added display of attachments on printer friendly page.
+ - Added custom error handling class and related functions.
+ - Added option to disable upload of sounds in newmail plugin.
+ - Removed full URL from sound file preferences in newmail plugin
+ (#1233530).
+ - Stripped BaseDN from nicknames in address book's ldap_server backend.
+ - Fixed error handling in SquirrelSpell plugin. sprintf and gettext
+ formating errors in check_me.mod. Reported by Edward Chapman.
+ - Translations are loaded automatically from locale/<localename>/setup.php
+ files (#1240889).
+ - Allow configure to be ran from any directory, thanks Ceri Davies.
+ - Removed $available_languages configuration option. List is limited to
+ installed translations. Similar feature is implemented in limit_languages
+ plugin.
+ - Don't load plugins/administrator/auth.php during plugin initiation.
+ - Removed function references from address book database backend class,
+ list_addr(), lookup() and search() functions. Referenced lookup()
+ function caused E_NOTICE warnings in php 4.4.0. Reported by Cor Bosman.
+ - Test to ensure folder exists before attempting to delete it, otherwise
+ IMAP server will return an error.
+ - Added $save_html argument to charset_decode() function in order to be
+ able to convert html formated mails to different character set. Initial
+ patch by Peter Draganov (#1195232). Fixed display of html formated emails
+ in formatBody() function (#1258925).
+ - login_form hook changed from do_hook to concat_hook_function in order to
+ place form elements before login button (#1245070).
+ - Forwarding broken when not using compose in new window (#1222436).
+ - Drop data/ dir from distributed tarball.
+ - Readded options_identity_process and options_identity_renumber hooks
+ broken by CVE-2005-2095 fixes.
+ - Removed duplicate generic_header hook call in src/right_main.php (#1269189).
+ - Removed other special folders from rename/delete/unsubscribe folder forms.
+ Suggested by Florian Daumling.
+ - Focus on compose screen no longer shifts automatically if user has manually
+ focused somewhere herself.
+ - Running SquirrelMail with PHP register_globals = on will cause fatal error
+ in src/configtest.php.
+ - Added field size controls to database preference backend (#1233721).
+ - Added bincimap preset (#1285099).
+ - Fixed IMAP search command in filters plugin. Command was breaking
+ sqimap_mailbox_exists() check. Reported by Daniel Watts.
+ - Fixed decoding of quoted-printable text in decodeBody function.
+ Reported by João Carlos Mendes Luís.
+ - Added CR trimming to SquirrelSpell plugin in order to fix problems on
+ Windows systems.
+ - Sanitized names displayed in address book listing.
+ - Added extra field controls to address book class.
+ - HttpOnly cookie support (cookies inaccessible by JS). This will protect
+ IE6 browsers.
+ - Rare case of session being destroyed causing PHP errors, so ensure session
+ is restarted.
+ - If you don't have any filters defined, and spam filters are disabled, no
+ point issuing a STATUS call on INBOX for the filters plugin.
+ - Added folder filtering controls to SMOPT_TYPE_FLDRLIST option widget.
+ - Security: Fixed possible XSS issue in search feature. Issue was
+ originally resolved in stable, but changes not migrated forward.
+ - Update the cached mailbox header with the \Answered flag in case of an
+ reply.
+ - Added site configuration options to bug_report plugin. Plugin is available
+ only to interface administrators by default. See more information in
+ plugins/bug_report/README file.
+ - E_NOTICE and unlink error message if user hits delete multiple times
+ before compose page has reloaded.
+ - Undefined variable in rare case in view_header.php
+ - Variable by reference fix in printer_friendly_bottom.php.
+ - Undefined index in addressbook backends.
+ - sqimap_utf7_decode_mbx_tree returns variables by reference, rather than a
+ return value (#1351822)
+ - Make test for IE6 in SendDownloadHeaders also match versions higher
+ than 6 (#1339211).
+ - Allow double quote to be used in MOTD (#1276959).
+ - Prevent right_frame to be set to '//www.example.com'.
+ - Tweak printer friendly attachment view.
+ - Added new compose_send_after hook.
+ - Added new scheme to allow multiple plugins to share the onsubmit handler
+ for the compose form from the compose_form hook. See plugin.txt for more
+ information.
+ - Support for LIST-SUBSCRIBED extension. This speeds up the retrieval of
+ the subscribed mailbox-list.
+ - Properly clean up temporary attachment files when saving as Draft
+ (#1358407) and fix attachment cleaning code on logout.
+
+Version 1.5.0 - 2 February 2004
+-------------------------------
- Added new preference that determines cursor focus when replying
- Added support in conf.pl for MS cls command.
- conf.pl changes for relative paths outside the SM tree (#715119).
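Review bot: the added entry "Rewrite of advanced identity handlying to remove stupid extraction of all post variables. [CVE-2005-2095]" carries a CVE id but no "Security:" prefix, unlike the CVE-2005-1769 entry and the search XSS entry in this same hunk, so a reader scanning the changelog for "Security:" will miss it. Prefix it, correct "handlying" to "handling", and describe the defect neutrally. The same question applies to "Prevent right_frame to be set to '//www.example.com'" and "Sanitized names displayed in address book listing": if these are security fixes, mark them the same way so administrators can tell which upgrades are security-relevant.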
was wrong (appearing to the user that the wrong messages were attached).
Closes #772371.
- Fix that when user has no theme preference set, Alien Glow would be selected under
- display preferences in stead of Default.
+ display preferences instead of Default.
- Updated 'action' to be 'smaction' so that plugins can modify the submit/action of
forms. This was suggested for the gpg plugin, but might be useful elsewhere.
- Add support for Mail-Followup-To header.
- new function sqimap_msgs_list_move() to replace sqimap_msgs_list_copy()
- sqimap_msgs_list_copy() no longer deletes messages copied.
- Workaround for Mozilla bug #200412 in order to show multipart/related html mail.
- - Fix for disapearing '0' from decoded strings (bug #784193)
+ - Fix for disappearing '0' from decoded strings (bug #784193).
- Replace all session_start() calls with sqsession_is_active() to be compatible
with upcoming PHP 4.3.3.
- Encoding of Russian translation changed to utf-8. Lithuanian translation changed
- Moved the generic_header hook back to page_header.php. bug #554278
- Make default theme work. Bug #557313, thanks Tyler Bannister.
-
Version 1.2.7 -- June 21 2002
-----------------------------
- fix for 'compose as new' link. bug #554886
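Review bot: the lone "-" line before "Version 1.2.7 -- June 21 2002" removes the separator line above that heading, and if it was the only blank line there the heading now runs straight on from the "Make default theme work" entry. The "Version 1.5.0 - 2 February 2004" heading added in this same patch keeps a blank line above it, so restore the separator here for consistency.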
- Added a server-side sorting global option
- Compose in new window size can be set in Display prefs.
- Logout error system unified.
- - Security: Fix for a "theme passed as cookie" exploit. [CAN-2002-0516]
+ - Security: Fix for a "theme passed as cookie" exploit. [CVE-2002-0516]
- PostgreSQL is now supported for database backed use
- Added user option to sort messages by internal date
- Changed attachment handling now attachments are adressed to
Version 1.0.5 -- April 17, 2001
-------------------------------
- MAJOR security issues addressed. Please upgrade as soon as possible.
- [CAN-2001-1159]
+ [CVE-2001-1159]
- Downloading attachments should work better due to a tip by Ray Black III.
- Fixed bug with drop-down folder list not containing INBOX
- Added Swedish help files Teemu Junnila <teejun@vallcom.com>
- Better escaped string handling from POST variables
- Many more code cleanups and optimizations
- Added Hungarian translation by Teemu Junnila <teejun@vallcom.com>
- - Added Icelandic translation by Karl Heiðar <karlh@macho.is>
+ - Added Icelandic translation by Karl Hei�r <karlh@macho.is>
- Updated Taiwan translation
- Updated Swedish translation
- Updated Finnish translation
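Review bot: the replacement line for the Icelandic translation entry turns "Karl Heiðar" into "Karl Hei�r", which looks like a character-encoding corruption of the translator's name and changes nothing else on the line. Drop this change, or regenerate the patch with the file saved in the encoding the original line used, and check the other non-ASCII names this patch adds (Saku Lehtiö, João Carlos Mendes Luís) the same way.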