Fix for possible remote file inclusion

[squirrelmail.git] / ChangeLog

*************************************
*** SquirrelMail Devel Series 1.5 ***
*************************************

Version 1.5.1 -- CVS
--------------------
  - New reply citation to include date and author.
  - Security: Fix some possible XSS bugs.
  - Norwegian Bokmal translation uses nb_NO.
  - Integrated Msg_Flags plugin - turn on/off icons using configuration tool, menu
    number 11 (Tweaks), option number 3, after which users must select an icon
    theme in Options/Display Preferences.  "Flag"/"Unflag" buttons are implemented
    as separate plugin.
  - Added Farsi and Tagalog translation support.
  - Enabled Ukrainian and Russian-Ukrainian support
  - Subfolders named "foo.inbox" didn't always work well.  Fixed.
  - sqimap_create_stream() was not obeying passed params properly.
  - Fix non-selectable inbox.
  - Add src/configtest.php script which checks for common errors in the config.
  - Improve display of some unparsable/absent dates (#891354).
  - Add comment (Highest,Normal,Lowest) to X-Priority header.
    Some SpamAssassin rule triggers on the absence of such a comment.
  - Corrected moving of last message in a folder using Delete-Move-Next
    functionality added to core in 1.5.0.
  - Fix test for LOGINDISABLED, should only test when the auth mech actually
    is 'login'.
  - Update required PHP version to 4.1.0, and remove PHP 4.0.x legacy code.
  - Make writing of preferences, abook, calendars fail better when disk full
    (#915527).
  - Remove code related to non-UID-supporting IMAP servers.
  - Fix quoteimap() regex escaping problem (#921291).
  - Added option to suppress Received: line in outbound SM headers (#847107).
  - Changed read_body header from links to buttons (looks like message index).
  - Add functions for building HTML forms (functions/forms.php).
  - Moved javascript_on to session (from prefs). Centralized javascript detection
    in prefs.php method checkForJavascript.
  - Added abook_init and abook_add_class hooks.
  - Fixed "Resume Draft" to continue using selected identities (#845290).
  - Fixed RFC2821 incompliancy by adding a fallback mechanism to HELO if
    EHLO is not supported.
  - Fixed RFC2298 incompliancy by setting envelope sender to null.
  - Fixed problem where setting all the messages on the last page of the
    message list would return one page higher.
  - Remove call to perform expunge on mailbox select - auto-expunge will
    still be performed on message delete, etc.
  - Allow single quotes to be used in theme name in conf.pl (#805309).
  - Fixed on the fly decoding of base64 encoded attachments.
  - Fixed message rejects by the postfix sendmail wrapper when attachments were
    involved.
  - Fixed date display bug for messages of today. Show short format in case
    of long format. (only occurs in the timeframe around 0:00 AM till
    timezone).
  - Added address book sorting options. Ascending/descending sorting code
    written by Bryan Loniewski.
  - Use Special Folder Color config option works again (#931956).
  - In POP3-class, be more liberal regarding RFC-incompliant POP3-servers.
  - Set up language before outputing errors in auth.php to make them appear in
    the correct language.
  - Added Basque translation support.
  - Remove flag buttons / links from display if mailbox doesn't allow it.
  - Make used of cached ordered uid list in case of server_side_sorting.
  - Rewrite of internal mailbox sorting routines.
  - Added sort by message size.
  - Security: Fixed XSS vulnerability in content-type display in the attachment
    area of read_body.php discovered by Roman Medina.
  - Get alternating row colors of addressbook in sync with mailbox list.
  - Give proper error when PEAR DB not found.
  - Remove inappropriate strip_tags() from add-to-addressbook (#968475).
  - Prefs caching didn't work properly with register_globals off (#995102).
  - Security: fix SQL injection vulnerability in addressbook.
    [CAN-2004-0521]
  - Removed html_top and html_bottom hooks.  No longer used/needed.
  - Added "trailing text" for options built by SquirrelMail (text placed
    after text and select list inputs on options pages)
  - Custom option page values now repopulate correctly
  - Added "no focus" option for compose page in display preferences (setting
    reply focus to "No focus" also affects composing new messages)
  - Current hook name is now globally available when running a hook ($currentHookName)
  - Fix bug when Saving to Draft folder that contains special characters.
  - Added size limit to signatures saved in file backend. Created error_option_save
    function, that allows sending error message to options page. Thanks to Martynas
    Bieliauskas for spotting big signature "option".
  - Make SquirrelSpell work with safe_mode enabled, if using PHP >=4.3.0.
    Patch by Ray Ferguson.
  - Make IP-address in Message-ID RFC822 compliant.
  - Uneditable address book entries no longer have checkboxes on addresses page.
  - Alignment of title text above folder list fixed.
  - Changed structure of xtra_code functions that are used by some translations.
  - Added Uighur language support.
  - Added status bar to compose window when "Compose In New Window" is used.
  - Reenabled the move_messages_button_action hook and changed its name to
    mailbox_display_button_action to promote the new location
  - Making delete button, when viewing a message, consider which page was viewed
    before.
  - $agresive_decoding configuration option changed to $aggressive_decoding.
    Fixed spelling.
  - Added $lossy_encoding option (provides fix for #806698)
  - Reenabled use of $default_charset option. Option works only with en_US
    translation in order to prevent language/charset misconfiguration.
  - Fixes for nonpopulation of folder lists and errors when emptying the trash
    (provides fixes for #1019185 and #1017941)
  - Fixed $custom_css loading in squirrelspell plugin.
  - Turkish translation uses C character case conversion rules. Fixes PHP and
    SquirrelMail functions are assume English conversion rules.
  - Fixed problem that caused an error when deleting all messages on the last page
    of a paginated view (provides fix for #1014612)
  - Added MySQL password/UNIX crypt support to mysql backend in the
    change_password plugin
  - Make SMTP Authentication detection in conf.pl more RFC-compliant.
  - Fixed IMAP errors when using mail_fetch plugin to auto-fetch on login.
  - Fixed folder list in Create Folders list for Courier (properly skip INBOX).
  - Fixed undefined variables in sqimap_create_stream().
  - Added Bengali translation support.
  - Fixed left frame mailbox list when sorting by case.
  - Separated fortune plugin configuration variables from main plugin scripts.
    See plugins/fortune/INSTALL.
  - Fix for #906217 when checking spelling of inline replies, the corrected
    words would appear through original email.
  - Fixed empty information menu when viewing vCards without information
    but name and e-mail address.
  - User may now add an e-mail address when adding vCards without one to the
    address book. No need to wait for the error message anymore.
  - Removed japanese_xtra function used by older XTRA_CODE calls. Plugins
    should use separate xtra_code functions. Older function does not provide
    information about supported options.
  - Added php-gettext classes (see class/l10n/*.php) and ngettext support
    functions (provides fix for #1019007).
  - LC_NUMERIC locale is set to C. (workaround for #1027130). Some plugins
    might use decimal delimiters incorrectly.
  - Added sq_is8bit function that can be used to detect 8bit strings.
  - Added sq_mb_list_encodings function that provides list of encodings supported
    by PHP mbstring module.
  - Added Content-Transfer-Encoding: 8bit header for read receipts that contain
    8bit symbols. (provides fix for #934033).
  - Fixed decoding function problems when mbstring.func_override has MB_OVERLOAD_REGEX
    enabled.
  - Security: Fixed XSS exploit in decodeHeader function. [CAN-2004-1036]
  - Added site configuration and custom translation engine support to translate
    plugin.
  - Fixed SquirrelSpell error output.  Patch courtesy David Boone.
  - Fixed bug in IMAP read routines that treated "0" as false instead of
    a string (patch courtesy Maurice Makaay).
  - Fixed PHP notice when header property value is blank.
  - Added compact paginator option. Patch by Felix Egli.
  - Fixed reply/forward form in order to avoid warnings in SSL enabled sites. Patch
    by Felix Egli.
  - Removed command line option unsupported by qmail-inject in
    class/deliver/Deliver_SendMail.class.php. Thanks to Ken Brush.
  - Global file based address book is controled in configuration. Removed
    global_file address book backend (use 'local_file' instead).
  - Added Net-Style theme by Gabriele Maidecchi. Closes patch #1041323.
  - Fix: Messages shown with bad times in message list due to misinterpreted
    UW IMAP internal date.
  - Fixed path used by random theme.
  - Utf7-imap encoding/decoding functions will check, if required charset is
    supported by mbstring and use it. Fixes bug #1005353.
  - LDAP backend will use internal SquirrelMail charset conversion functions
    instead of PHP XML extension. Fixes bug #655137.
  - Added Wood theme and Silver Steel theme by Pavel Spatny and Simple Green theme
  - Fix two time zone calculation bugs, thanks to David White. Fixes #1063879.
  - 'Priority' and 'Importance' headers are now also recognised, next to the
    'X-Priority' header that we've supported since a long time. Fixes #1039935.
  - Handle a reload of the signout page gracefully: do not present an error
    about having to be logged in to be able to sign out. Fixes #1070069.
  - Prevent & being eaten in set_url_var, thanks Marcin Orlowski. Fixes #1053725.
  - Removed internal_link hook.
  - Added sq_setlocale function in order to use multiple locale names.
  - Set up language before outputing errors in signout.php to make them appear
    in the correct language.
  - Added size attributes to new_mail sound tags. Fixes #818958.
  - Removed extra ; in SquirrelMail added Received header per RFC 822. Fixes #1088548.
  - Add IMAP server type "hmailserver" to make search work with hMailServer.
    Fixes #1085377.
  - Reuploaded newmail plugin sounds. Fixes files uploaded to cvs without binary
    option.
  - Changing your JavaScript preference required a re-login to work.
    Fixes #983614.
  - Fix listcommands plugin to behave like normal reply/compose
    links, and return to message page that originally called from.
  - Max upload file size now correctly handles a '-1' value, meaning
    unlimited. (#1094569).
  - Security: Added hook for Preferences Backend to resolve potential
    file inclusions. [CAN-2005-0075]
  - Remove Printer Friendly Clean Display config option, the cleaning
    is now always done.
  - Create new Options section "Compose Preferences" and move some
    options from Display Preferences there; also move some around within
    Display Preferences.
  - Security: Fix possible file/offsite inclusion in src/webmail.php.
    [CAN-2005-0075]

Version 1.5.0
--------------------
  - Added new preference that determines cursor focus when replying
  - Added support in conf.pl for MS cls command.
  - conf.pl changes for relative paths outside the SM tree (#715119).
  - conf.pl changes for delete_folder restrictions with Courier-IMAP and
    UW-IMAP (#715550).
  - Fixed code to allow for \ in password/username (#718116).
  - Added mailto: support for Windows clients.  See
    contrib/squirrelmail.mailto.reg
  - Added lowsrc to the list of attributes to be removed.
  - Fixed message highlighting for To, CC and From and
    for RFC1522 headers (bug #719564)
  - Fixed incorrect folding inside message-id's
  - Fix for Folders being listed in create/remove/rename operations
    (#725443, #722823, #729225)
  - Fix for bad attachment view link (#697381, #729295)
  - Fix comp_in_new in search and addressbook not having right parameters (#731768).
  - Fix max attachment filesize off by factor 10 when ini_var set in bytes (#730742).
  - Fix for parsing fetch results. We are now able to extract the UID if it's
    returned after the header.
  - Remove obsoleted parsing functions.
  - Fixed language bug in posting on modifying/deleting servers on mail_fetch plugin
    (#742705).
  - Fixed infinite loop in parseAddress on invalid mailaddress (#742584).
  - Rewrote ugly "Not a very useful errormessage" to something more friendly.
  - Make central function for compose links to make sure compose_in_new always
    works the same way.
  - Fix that when JavaScript off, compose in new was broken (#749654).
  - Do not output JavaScript functions in page_header when JavaScript off.
  - Support MS Exchange "DOMAIN/username/mailbox"-style usernames (#745814).
  - Do not set Full Name to empty when edit_identity is false and edit_name is true (#750728).
  - Added koi8-u, windows-1255, windows-1256, iso-8859-6 charset decoding support.
  - Rewrite of sqimap_read_data_list which as result we better handle the
    returned imap responses and we display error messages when connections are
    dropped.
  - Rewrite of email address parser and solve the infinite loops issues due to
    bad formatted addresses.
  - Modified conf.pl: default to force usernames lowercase for servers which
    are case-insensitive.
  - Applied bugfixes from stable to htmlfilter code.
  - Fix bug #722933 where resuming a draft message would lose the reference headers.
  - Removed hard coded colors from login.php and made it use the default theme and css file
  - Fix that sending of read receipts failed when JavaScript on and comp in new off (#738130).
  - Replaced search with new version by Alex Lemaresquier. (Originally
    "asearch" plugin).
  - New debugging function: sm_print_r() in strings.php.
  - Use SM_PATH in config_default. Change default server type to 'other' instead
    of cyrus. (#766577).
  - Added feature to allow user to switch on full date display in mailboxes instead
    of just partial date/time based on time of email and current date.
  - Fixed bug that would cause e-mails dated in the future to be displayed with only
    the time.
  - Fixed unseen/total notifications to return behaviour back to 1.2.x style.
  - Added 4 hooks (internal_link, mailbox_display_buttons, move_messages_button_action, create_collapse_link)
  - Fix SquirrelSpell JS problem with other plugins that use forms (ie Menu Buttons).
  - Fix when forwarding messages as attachment from message list, the displayed subject
    was wrong (appearing to the user that the wrong messages were attached).
    Closes #772371.
  - Fix that when user has no theme preference set, Alien Glow would be selected under
    display preferences in stead of Default.
  - Updated 'action' to be 'smaction' so that plugins can modify the submit/action of
    forms.  This was suggested for the gpg plugin, but might be useful elsewhere.
  - Add support for Mail-Followup-To header.
  - Add a confirmation for the user that their mail has been sent.
  - Fixed issue with forwarding emails having a ) appended to the end.
  - Add "attachments_bottom" hook to allow manipulating/adding to the attachments
  - Fix to prevent username & password from being displayed in error messages
    if IMAP connection dropped during login
  - Modified preference loading code to always have a complete $color array
    set in case a user uses an incomplete theme.
  - new function sqimap_msgs_list_move() to replace sqimap_msgs_list_copy()
  - sqimap_msgs_list_copy() no longer deletes messages copied.
  - Workaround for Mozilla bug #200412 in order to show multipart/related html mail.
  - Fix for disapearing '0' from decoded strings (bug #784193)
  - Replace all session_start() calls with sqsession_is_active() to be compatible
    with upcoming PHP 4.3.3.
  - Encoding of Russian translation changed to utf-8. Lithuanian translation changed
    to utf-8. Fix allows to use national letters in folder names correctly.
  - Added "Bypass Trash" checkbox to folder index, used with the Delete
    button. (update: This needs work and will be changed, possibly removed)
  - Fixed a problem with delete_move_next and server thread-sorting.
  - New hook function: boolean_hook_function()  Used for true/false hooks.
  - Calendar plugin: in month view, display events on the same day sorted by time,
    and include the time of the event in its tooltip.
  - Added default settings for Mercury/32 to conf.pl.
  - Fix to prevent mailboxes are deleted in selected stage which is against
    RFC3501.
  - Fix reply all address string in case the personal name contained a comma
    (address separator).
  - Added SASL PLAIN to IMAP and SMTP. Thanks to avel for the prodding and
    code snippet.
  - conf.pl will no longer offer to detect login methods if TLS is enabled.
  - conf.pl no longer offers UID support toggle, which is forced true in
    global.php
  - HTML Filter bugfixes and further strengthening in response to some
    findings reported by stardust.
  - Disabled Vietnamese and Ukrainian translations. They are done in different
    language.
  - Removed all translations. SquirrelMail translations are distributed as
    separate packages and kept in different cvs module.
  - New function: imap_general.php:create_imap_stream()
  - Updated src/login.php to detect, handle, and warn on LOGINDISABLED from IMAP server.
  - Fixed SquirrelMail to work under PHP5.
  - Reintroduce alternating row colors in addressbook, something that has
    accidentally disappeared in the past.
  - Disabled Quick-email-reporting feature in spamcop plugin. Bug.809452. Admin
    can enable it by setting variable in plugins/spamcop/setup.php
  - Fix again for Internet Explorer's stupidity of decoding characters, then
    executing it blindly. See http://www.securityfocus.com/archive/1/340118.
  - Replaced obsolete 2mbit.com RBL with ahbl.org RBL. Bug.No.829887
  - Added a sitewide override for authenticated SMTP - see authentication.txt.
  - Fixed sorting of sent_subfolders.
    Sent_subfolder plugin is hooked to special_mailbox hook.
  - Integration of delete_move_next plugin into core.
  - Compression of buttons/headers for message index and message body
  - New option to save replies in the same folder as the original message.


**************************************
*** SquirrelMail Stable Series 1.4 ***
**************************************

Version 1.4.0 -- 3 April 2003
-----------------------------
  - Fixed mail_fetch plugin. Now folder edition defaults to actual value.
    All settings from other servers are preserved when deleting one.
  - Added Vietnamese translation.
  - Fixed the newmail plugin.
  - Added RECENT response to sqimap_get_status.
  - Fixed attachment filename resolving.
  - Added check for X-Confirm-Reading-To to make MDN work for messages sent by Pine.
  - sqextractGlobalVar removed (use sqgetGlobalVar instead).
  - Subfolders of Sent and Drafts show To field instead of From
  - Updates in conf.pl to infamous delete_folder setting, including
    addition of appropriate default value for courier and UW.
  - Fix for date/time display in certain timezones.
  - Fix some features of login.php that are used by some plugins and was broken
    by register_globals = off.
  - Added Greek locale. Thanks to George P. Kremmydas
    <george at kefalonia-ithaki.gr> and Alexandros Vellis <avel at noc.uoa.gr>
  - Added notes about PHP 4.3.x to documentation.
  - Fixed \Noselect mailbox detection.
  - Fixed charset decode of base64 encoded strings.
  - Fixed encoding of email addresses in our composed messages.
  - Fixed folder creation for Courier using Autoconfig options.
  - Fixed encoded string handling inside MDN notifications.
  - Fixed unfold header routine in imap_messages (for mailbox_display).
  - Fixed subject_line hook.
  - Fixed sqgetGlobalVar switching.
  - Fixed handling of encoding/decoding strings.
  - Fixed wrong array_slice call for a subset of the headers.
  - Allow encoded personal names in compose.php.
  - Improved address parsing of addresses coming from the compose form.
  - Fixed uninitialized indices when parsing attachments.
  - Support text/directory MIME-type for vCards (RFC 2425).
  - Added Arabic locale. Thanks to Asrar Abbasi <asrar at canasoft.net> and
    Naveed Saqib <naveed.saqib at biznas.com>.
  - Update required PHP version in documentation to 4.0.6.
  - Fixed delete_move_next plugin to remember where it moved mail to.
  - Fixed compose to remember attachments.
  - Security: Fixed possible XSS in compose when replying to malicious sources.
  - Add display of the maximum filesize for attachment uploads.
  - Do not add < and > if an identity doesn't contain a full name.
  - Fixed bug in parsing Content-Type properties part.
  - Added move_before_move hook to allow plugins to act upon the different buttons
  - Fixed bug in Forwarding of Emails (move_messages.php)
  - Fixed variable spelling error in filters.php
  - Fixed some operator bugs in compose.php, move_messages.php, and spamcop.php

Version 1.4.0 RC 2a
-------------------
  - Fix broken themes box in display options.
  - Massive overhaul of administrator plugin.
  - Added new function sqgetGlobalVar to global.php to provide direct access
    to variables in $_GET, $_POST, $_SESSION, $_COOKIE and $_SERVER.
  - Patch from O'Shaughnessy Evans <shaug-sqm@wumpus.org> to allow disabled $org_logo
  - Lots of language/internationalization updates
  - conf.pl fixes for certain uses of SM_PATH, esp. $signout_page.
  - SMTP & IMAP auth method "plain" was a misnomer - now corrected to
    the more accurate name "login" (Plain to be implemented soon).
  - Fix for compose after search bug.  (Closes #662346)
  - Improved error reporting when sending mail with SMTP.
  - Changed SquirrelMail identification to use User-Agent instead of X-Mailer.
  - Prevent endless loop when timezone config is not found. Thanks Joshua Colson.
  - Fix IMAP error when returning to message from viewing image attachment.
  - Do more trimming to indented subjects in threadview so they don't wrap.
  - Trash folder now displays purge link in all cases. (Closes #655943)
  - Fix typo in delete_move_next plugin which caused PHP file-handle errors.
  - Make vCard more liberal in what it accepts (thanks Kurt Pires).
  - Fix problem with subject encoding when using Japanse.
  - Move login_form hook to be actually in the login form.
  - Fix message_details plugin ability to save a raw message.
  - Try better to get the filename of an attachment.
  - Deliver_SMTP class now uses HTTP_HOST in SMTP HELO.  Should fix DNS
    issues some people have reported. (Closes #560524)
  - Obsolete sqm_topdir(), which caused login trouble with installs that
    have open_basedir restrictions. Thanks Jimmy Connor.
  - Fix broken abook_take plugin.
  - Fix HTML errors that caused display problems in NS4.
  - Correctly fold encoded header lines.
  - Fix prefs caching not working correctly in PHP 4.3 caused by a stupid
    version checking mechanism.
  - Security: Fix XSS hole that allowed JavaScript execution by sending someone
    an email with specially crafted headers. Thanks Jason Munro, and
    Masato Higashiyama.


Version 1.4.0 RC 1
------------------
  - Change the way highlighting rules are stored to make them more reliable and
    easier to manage.
  - Reorganization of conf.pl, menu #2
  - Added CRAM-MD5 and DIGEST-MD5 authentication support for IMAP and SMTP
  - Experimental TLS support for IMAP and SMTP (requires PHP 4.3.x)
  - Override settings with config_local.php
  - Compose form no longer shows attachment options if PHP file_uploads
    disabled
  - Improved bodystructure parsing.
  - Support for windows-1257 charset.
  - Optimizations to the number of IMAP calls.
  - Fix problem with IE6 + iso-8859-13.
  - Allow Mail Fetch to use a different POP3 server port number.
  - Force magic_quotes_runtime to be off to avoid problems with this setting.
  - Introduce check_sm_version function for plugins wanting to know
    which version of SquirrelMail this is.
  - Configurable session name to avoid conflicts with other PHP applications.
  - Miscellaneous fixes for systems with error_reporting set to E_ALL.
  - Many many other bugfixes and tweaks!


*************************************
*** SquirrelMail Devel Series 1.3 ***
*************************************


Version 1.3.2
-------------
  - Rewrite of message delivery related functions.
  - User interface modifications.
  - Added Japanese support thanks to Masato HIGASHIYAMA <masato@yamaai-tech.com>
  - Remove NOOP checks in the POP3 client of mail_fetch to make things more
    compatible and not break things which don't need to be broken.
  - Fix src directory being moved on Windows systems, bugs #586518 #605256 #610676.
  - This release is compatible with installations that have register_globals set to off.
  - Do not lose user prefs/sigs/abooks when trying to save to a full disk.
  - Make the SquirrelMail link on the right top configurable so a provider can point
    to their own FAQ for example.
  - Enable TZ in safe_mode if safe_mode_allowed_env_vars permits this bug #612148.
  - Fix some bugs in folder management (create, delete,...) and add enhancements.

Version 1.3.1
-------------
  - lots of fixes by Marc, including #596781 and #596930

Version 1.3.0
-------------
  - allow_call_time_by_reference=off fixes.
  - Added forward as attachment in read_body.
  - Better clean-up of left attachments at login.
  - Restore compose sessions in case of a expired session.
  - Added "Display Message" / "Up" links in read_body to navigate in messages with
    attached messages (message/rfc822).
  - Don't activate the Send Receipt link when the folder is the Sent folder.
  - Moved view_header code out of read_body.php and put it in view_header.php.
  - Open message/rfc822 attachments in read_body what makes it possible to
    reply to attached messages.
  - Rewrite of the newMail function in compose.php. This simplifies the
    interface between read_body.php and compose.php.
  - Moved compose related code from read_body to compose.
  - Rewrite of mailbox-display to make it more modular (we use it in search.php).
  - Added support for displaying multiple entities.
  - Changed finding display entities.
  - Extract disposition and xmailer header information in the headerparser
    instead of request them individualy by an imap-call.
  - Store message objects in the current session. This saves a lot of imap-calls.
  - Added UID support.
  - Store addresses in an object instead of a string.
  - Rewrite of the bodystructureparser function. Now the message object contains
    all described parameters in RFC2060.
  - Introduction of the mime class where all mime related functions are situated
  - Fixed removing MDN attachments.
  - Fixed MDN problems with js confirmbox.
  - Speedimprovements in case we download mime-entities.
  - Added possibility to extract message/rfc822 attachments and store them as
    the original message in a folder.
  - Right to left languages implementation initiated
  - Enable people with file_uploads = off to still send mail. Patch from Seth
    E. Randall.
  - Moved the generic_header hook back to page_header.php. bug #554278
  - Make default theme work. Bug #557313, thanks Tyler Bannister.


Version 1.2.7 -- June 21 2002
-----------------------------
  - fix for 'compose as new' link. bug #554886
  - fix charset format in the admin plugin. bug #550725
  - fix for errant '.' in default_folder_prefix. bug #551310
  - fix for folder names with '?' and '*'. bug # 559257, #552180
  - added the ability to search without the charset argument. #552288
  - Made /noselect node display optional. bug #554988, patch #452178
  - Improved support for macosx IMAP server thanks Brian Haun
  - Added macosx friendly search, thanks Brian Haun bug #553038
  - Fixed word wrap problems when sending mail. bug #552961, #556143
  - Added possibility to use multiple compose windows without loss
    of attachements.
  - Fixed forward message/rfc822 attachments from a search
  - Fix SpamCop plugin.
  - Fixed send MDN link.
  - Fixed dealing with \r\n and \n in smtp.php.
  - Fixed to, cc, bcc arrays in message->header
  - Speed optimizements in generating message-lists.
  - Fixed loss of attachment with html addressbook.
  - Fixed saving drafts with attachments

Version 1.2.6 -- April 29 2002
------------------------------
  - Security: A complete MagicHTML rewrite since the existing codebase was
    causing too many XSS problems. Hopefully now Nick Cleaton will
    leave us alone. :) Testing credits go to Nick.
  - Security: Fix for cross-site scripting vulnerability (bug #545933)
    Reported by Nick Cleaton.
  - Changing "emtpy" to "purge" for more clarity.
  - Security: Fix for cross-site scripting vulnerability (bug #544658)
    Reported by Nick Cleaton.
  - Fix for incorrect word wrap in Opera (bug #495073)
  - Workaround for older prefs: some of them contain "None" for
    left_refresh (bug #540108)
  - Fix for entities in cc and bcc fields on message display (bug #522493)
  - Fixes for quoted values in the addressbook by David Rees (bug #538389)
  - Fixed src/src problem (bug #538803)
  - Fixed so non-ascii searches no longer fail both when searching
    and when applying filters (bug #520918)
  - Added POP3 Before SMTP option (feature request: #498428)
  - Added a server-side thread sorting option per folder
  - Added a server-side sorting global option
  - Compose in new window size can be set in Display prefs.
  - Logout error system unified.
  - Security: Fix for a "theme passed as cookie" exploit. [CAN-2002-0516]
  - PostgreSQL is now supported for database backed use
  - Added user option to sort messages by internal date
  - Changed attachment handling now attachments are adressed to
    unique compose session.
  - Added forward messages as message/rfc822 attachment
  - Fixed handling message/rfc822 attachments
  - Fixed folder list display when special folders have subfolders
  - Added option to auto-append sig before reply/forward text (523853)
  - Fixed subfolders being "orphaned" when renaming parents (498167)
  - Filters can be applied to only new mail.
  - Filters are updated when renaming/deleting folders (512056)
  - Filtering now happens on login (filters plugin)
  - Added option for WIDTH and HEIGHT tags to Org. Logo. (patch #412754)
  - Fixed resume draft bug #513521, #514639
  - Newmail plugin: admin can disable the use of audio (patch #517698)
  - Fixed quoting problem in safe html (patch #516542)
  - SPAM folder no longer special folder (filters plugin)
  - Filtering now happens on folder list refresh (filters plugin)
  - Added checking of input of the folders page
  - Made erronous deleting of folders harder (patch #514208)
  - Made SquirrelMail display \Noselect nodes in Cyrus also made it
    impossible to try to delete \Noselect nodes. (patch #452178)
  - SquirrelSpell version 0.3.8 -- pretty configuration error reporting
    added by popular demand.
  - Improved the handling of IMAP [PARSE] messages to reduce retrieval error.
  - Fixed small bug in handeling timezone (bug #536149).
  - MDN message now RFC compatible (bug #537662).
  - Fixed html tables in printer_friendly_bottom.php (patch #542367), and
    make it so that printer friendly uses black-on-white colors in stead
    of the theme colors.
  - Fixed return address of MDN receipts when having multiple identities
    (patch #530139).

Version 1.2.5 -- 22 February 2002
---------------------------------
  - Multiple mailbox list calls cached.
  - Added 'View unsafe images' link to the bottom of pages which contain
    unsafe images.
  - Fixed 'too many close table tags' and various other issues
    which meant SM output didn't always validate as clean HTML.
  - Added the ability to add special folders through plugins.
  - Added an Always compose in a pop-up window option.
  - Search page update with ability to save searches and search
    all folders at once.
  - Made searching on multiple criteria possible, with thanks to Jason Munro
  - Fixed 'list all' in addressbook (#506624, thanks to Kurt Yoder)
  - Fixed small bugs in db_prefs
  - Allowed SquirrelMail to work from within a frame, eg. not using _top
    this is configureable. (thanks to Simon Dick)
  - Added options to conf.pl to enable automated plugin installation:
    ./conf.pl --install-plugin <pluginname>. This allows plugins to be
    distributed in packages. Conf.pl now also reports when saving fails.
  - Attachment hooks now also allow specification of generic rules like
    text/* which will be used when no specific rule is available.
  - conf.pl can now configure database backed address books and
    preferences.
  - Version 0.3.7 of SquirrelSpell. Fixes a potential privacy
    vulnerability (symlink attack), plus introduces formatting fixes
    and javadoc-style comments.
  - Bugfix in mailfetch reported by Mateusz Mazur
  - Administrator plugin. A web based conf.pl replacement.
  - Removed GLOBALS from conf.pl
  - HTML messages optimization.
  - Added support for requesting read receipts (MDN) and delivery receipts.
  - Added the ability to stop users changing their names and email addresses.
  - Added signature into multiple identities (Stefan Meier <Stefan.Meier@cimsource.com>)
  - Updated user help files to reflect UI chanegs and added functionality.

Version 1.2.4 -- 25 January 2002
--------------------------------
  - Security: Fixes a nasty remote arbitrary command execution vulnerability
    in the spellchecker plugin.

Version 1.2.3 -- 21 January 2002
--------------------------------
  - Fixed focus system on pages that contain forms.
  - Fixed IMAP code to send different command identifiers as per
    section 2.2.1 of RFC 2060.
  - Fixed 'sticky priority' so that replies are set to the same
    priority as the original message.
  - Fixed Printer Friendly to print HTML messages.
  - Fixed multiple receivers in Sent mailbox (#500910).
  - Disabled prefs caching under PHP 4.1
  - Added "Search Memory". Enabling to store up to
    9 predefined searchs.
  - Increased security in html message.
  - Added the possibility to specify system-defined css in order to
    allow users to change the font family and size of SM. Making possible to
    make it bigger or smaller depending on their screen size. Sysops may add
    or remove these system-defined css located in themes/css/
  - Fixed a bug appearing on some apache virtual hosts
  - Fixed javascript error (#505255)
  - Fixed the db_prefs so they work again (#499609, thanks to Simon Dick)

Version 1.2.2 -- 1 January 2002
-------------------------------

  - Fixed an infinite loop in printer friendly when wrapping option
    is not in the prefs.
    Bug reported by Boris Manojlovic <steki@verat.net>
  - Html cleanup, with patch from Dave Huang (#496712)
  - Fixed a problem saving prefs when using PHP 4.1
  - Russian, Thai, Swedish, Dutch and French update.
  - Changed configure invocation from bash to sh. (Bug #496752)
  - Changed conf.pl invocation from '#!/usr/bin/perl' to
    '#!/usr/bin/env perl' to help people who have perl somewhere
    else. (Bug #496753)
  - Fixed sorting of folder list, bug #497181
  - Fixed wrong behavior of non-javascript select all, bug #496681
  - Added "Show Pages" link to message list showing all messages
    (the resultant page of clicking "Show All")
  - i18n Fix. Because of different configurations in the gettext system,
    some installations could not manage correctly SM languages other than
    English. This has been corrected.
  - Miscellaneous rewrites and improvements.
  - Moved locale files into the ISO-conformant directories.
  - Moved help files into the ISO-conformant directories.
  - Moved compilepo and mergepo files from locale/ into po/
  - Slight i18n fixes and rewrites to accommodate for moved files.
  - Fixes for entities in the subject when replying.
  - Fixes for entities in the To: header. (Bug #489365)
  - Fix for incorrect javascript prefs handling (Bug #497688)
  - Added color 15 for themes to separate background and foreground colors.
  - Added several new themes.

Version 1.2.1 -- 25 December 2001
---------------------------------

  - Fixed the bug that kept the create, delete, and rename sections
    from appearing in the folders page (#496604)
  - Fixed the motd bug not allowing ' (#496616)
  - Sorting of addressbook_search fixed, thanks to the patch of
    Cor Bosman (xs4all)

Version 1.2.0 -- 25 December 2001
---------------------------------

  - Collapsible Folders
  - The Paginator!!!
  - Hundreds of UI Tweaks
  - Message Drafts
  - Rewrite of much of the options pages
  - Multiple identities
  - Reply Citations
  - Better Attachment Handling
  - Integration of Several Plugins into Core Code (including xmailer,
    attachment_common, paginator, priority, printer_friendly, sqclock)
  - Ability to mark messages as Read/Unread
  - New themes (including a Christmas theme, and several changing themes)
  - Rewrite of much of the options pages code
  - Improved support for newer versions of PHP
  - Message lists can be shown with alternating colors for easier reading
  - Can include/exclude yourself when using the "Reply All"
  - Message highlighting comes with dozens more easily accessable colors.
  - Option to set the "Priority" of the message(Normal/High/Low)
  - Now able to show all messages of an inbox at the same time.
  - Cleanup of the paginator code, improving display style
  - Cleanup of configuration file code, a bit
  - Introduction of sent_subfolders plugin as Official Plugin
  - Bugfixes..and more Bugfixes!


***************************************************************
*** SquirrelMail Development Series 1.1 and 1.1 Pre-Releases ***
****************************************************************

Version 1.2.0-rc3 -- 2 December 2001
------------------------------------
  - Speed improvements and optimizations on much of the code
  - Comments added, formatting cleaned up for much of the code
  - Several plugins integrated into the SquirrelMail core
    (focus change, attachment common, printer friendly, etc)
  - Several plugins added as "Official Plugins" to the main
    SquirrelMail distribution
  - First half of a rewrite of the option pages code
  - The Paginator!!!
  - Other stuff that I don't recall (developers, please fill this in!)

Version 1.1.3 -- (never really released)
----------------------------------------
  - Added major speed improvements to IMAP functions by our
    friends at XS4ALL
  - Fixed MOTD
  - Fixed multipart/alternative messages
  - Updated Dutch translation
  - Added Indonesian translation
  - Added Portuguese (Portugal) translation
  - Added language aliasing
  - Added Turkish translation

Version 1.1.2 -- May 21, 2001
-----------------------------
  - Many bugs squashed
  - Several UI tweaks and improvements
  - Added option (3 -> 14 in conf.pl) to auto create sent and trash folders.
  - Updated Czech translation
  - Support for multiple identities
  - Support for Russian Apache removed. It is now deemed easier to just
    turn off Charset Recoding in the Russian Apache config. See the file
    doc/README.russian_apache

Version 1.1.1 -- April 30, 2001
-------------------------------
  - Added built-in support for gettext if compiled support isn't available
  - Made validate.php include a few more standard things
  - Corrected a bug when sending an email properly

Version 1.1.0 -- April 21, 2000
-------------------------------
  - Added option to have signout page redirect to another page (patch from
    Scott Bronson) This can be configured in conf.pl (Org Prefs)
  - Much improved SMTP error handling (patch from Jeff Evans)
  - Preferences are now cached instead of read in every page load.
  - Improved URL parser
  - Added ability to read HTML messages by default instead of plain text
    (Display Options)
  - Added authenticated SMTP server support (configure in conf.pl)
  - Rewrote attachment handling code in compose.php
  - If aliases are typed in To, Cc, or Bcc, they are automatically looked up
    in the addressbook and converted to the associated addresses.
  - Added collapseable folder listing (an option that can be turned on in
    Folder Options)
  - Added alternating row colors to improve interface (Display Options)


**************************************
*** SquirrelMail Stable Series 1.0 ***
**************************************

Version 1.0.6 -- April 19, 2001
-------------------------------
  - Reworked validation for each page.  It's now standardized in validate.php
  - Fixed login bug that resulted from 1.0.5 security updates
  - Fixed plugin incompatibilities that were introduced in 1.0.5
  - Added more security checking to preference saving/loading
  - Updated German translation (thanks to Ronald Bauerschmidt <rb@debian.org>)
  - Updated Finnish help files

Version 1.0.5 -- April 17, 2001
-------------------------------
  - MAJOR security issues addressed.  Please upgrade as soon as possible.
    [CAN-2001-1159]
  - Downloading attachments should work better due to a tip by Ray Black III.
  - Fixed bug with drop-down folder list not containing INBOX
  - Added Swedish help files Teemu Junnila <teejun@vallcom.com>
  - Added Italian help files Antonetti Roberto <antonr@piceniaweb.com>

Version 1.0.4 -- April 9, 2001
------------------------------
  - Fixed some bugs with folder creation
  - Security fix for UW IMAP server to disallow folder paths outside of
    $folder_prefix
  - Some problems with header encoding/decoding fixed
  - Made subject column take up whatever width is available
  - Added bcc to html addressbook search

Version 1.0.3 -- March 9, 2001
------------------------------
  - Many i18n enhancements/fixes
  - Fixed bug with default theme path being set incorrectly
  - Fixed problem when sending/forwarding multiple attachments
  - Made folder drop-down list consistant in look to the other drop-downs
  - Fixed problem where some attachment filenames would not be displayed
  - Added Finnish help files by Teemu Junnila <teejun@vallcom.com>
  - Updated Norwegian translation
  - Updated Brazillian Portuguise translation

Version 1.0.2 -- February 8, 2001
---------------------------------
  - Added a workaround for RedHat's 4.0.4pl1-3 binary package  (It's also
    the same workaround for Konqueror and other PHP installations?)
  - Select All works through the search
  - Better escaped string handling from POST variables
  - Many more code cleanups and optimizations
  - Added Hungarian translation by Teemu Junnila <teejun@vallcom.com>