/*****************************************************************
 * Release Notes: SquirrelMail 1.5.1                             *
 * The "Fire in the Hole" Release                                *
 * 2006-02-19                                                    *
 *****************************************************************/

In this edition of SquirrelMail Release Notes:
 * All About This Release!
 * Major Updates
 * Security Updates
 * Plugin Updates
 * Possible Issues
 * Backwards Incompatible Changes
 * Data Directory Changes
 * Reporting Your Favorite SquirrelMail Bug


All About This Release!
=======================
This is the second release of our new 1.5.x-series, which is a
DEVELOPMENT release.

See the Major Updates section of this file for more information.


Major Updates
=============
Rewritten IMAP functions and optimized IMAP data caching code. Internal
sorting functions should be faster than code used in SquirrelMail <= 1.5.0.
Together with the optimized caching code, all the logic concerning sorting has
been rewritten so that SquirrelMail can display more columns with sort support
in the messages list, e.g. the From and To columns in the same view sorted on
size. Also, the number of IMAP calls is reduced by smarter caching in the IMAP
mailbox area and by the optimized header and sort cache code. Reducing the
number of IMAP calls will lower the load on your IMAP server and increase
SquirrelMail performance.

In-house gettext implementation replaced with PHP Gettext classes. Update adds
ngettext and dgettext support.

Began work on separating the SquirrelMail internal logic from user interface
related logic. This has resulted in the first (very) rough CSS-based PHP
templates. In future releases we will finish the mentioned separation and work
on simpler templates.

Added JavaScript-based message row highlighting code (disabled by default) for
faster selection of messages in the messages list.

Usage of a centralized error handler. Development will continue in 1.5.2.

SquirrelMail has started using internal cookie functions in order to have more
control over cookie format. Cookies set with the sqsetcookie() function now use
an extra parameter (HttpOnly) to secure cookie information by making the cookie
not accessible to scripts (particularly, JavaScript). This feature is only
supported in browsers that follow the MSDN cookie specifications (see
http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp).
Currently this is limited to IE6 >= SP1.
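
The following is an added example, not SquirrelMail code: a shell check that
reads captured HTTP response headers and lists the cookies that are set without
the HttpOnly attribute described above. The cookie names and values in the
sample response are constructed.

```shell
#!/bin/sh
# Added example: list cookies in an HTTP response header block that are set
# without the HttpOnly attribute. Header and attribute names are
# case-insensitive, so both are compared in lower case.
cookies_missing_httponly() {
    # Reads raw response headers on stdin, prints one cookie name per line.
    tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)     # drop the header name
            n = split(line, attr, ";")         # attr[1] is name=value
            name = attr[1]
            sub(/=.*/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            found = 0
            for (i = 2; i <= n; i++) {
                a = tolower(attr[i])
                gsub(/^[ \t]+|[ \t]+$/, "", a)
                # Whole-attribute match: a value that merely contains the
                # text "httponly" must not count as the flag.
                if (a == "httponly") found = 1
            }
            if (!found) print name
        }'
}

# Constructed sample response (cookie names and values are made up).
sample_headers() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Set-Cookie: sessid=abc123; path=/mail/; HttpOnly' \
        'Set-Cookie: prefs=compact; path=/mail/' \
        'set-cookie: key=Zm9v; path=/mail/; httponly' \
        'Set-Cookie: lang=en_US; path=/mail/; comment=httponly-later' \
        'Content-Type: text/html'
}

sample_headers | cookies_missing_httponly
```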

SquirrelMail IMAP and SMTP libraries now support use of STARTTLS extension.
The code is experimental and requires PHP 5.1.0 or newer with
stream_socket_enable_crypto() function support enabled.

Updated wrapping functions in compose. New wrapping code improves quoting
of text chapters. Thanks to Justus Pendleton.

Added code for advanced searching in messages. Now it's possible to switch
between normal search and advanced search.

Main SquirrelMail code implements view_as_html, msg_flags and folder_settings
plugin features. These plugins should not be used in SquirrelMail 1.5.1.

SquirrelMail translations are loaded from locale/*/setup.php files. If files
are not present or only one translation (en_US) is available, translation
selection options are not displayed to end user.

Security Updates
================
This release contains security fixes applied to the development branch after
the 1.5.0 release:
  CVE-2004-0521 - SQL injection vulnerability in address book.
  CVE-2004-1036 - XSS exploit in decodeHeader function.
  CVE-2005-0075 - Potential file inclusion in preference backend selection code.
  CVE-2005-0103 - Possible file/offsite inclusion in src/webmail.php.
  CVE-2005-0104 - Possible XSS issues in src/webmail.php.
  CVE-2005-1769 - Several cross site scripting (XSS) attacks.
  CVE-2005-2095 - Extraction of all POST variables in advanced identity code.
  CVE-2006-0188 - Possible XSS through right_frame parameter in webmail.php.
  CVE-2006-0195 - Possible XSS in MagicHTML, IE only.
  CVE-2006-0377 - IMAP injection in sqimap_mailbox_select mailbox parameter.

If you use SquirrelMail 1.5.0, you should upgrade to 1.5.1 or downgrade to the
latest stable SquirrelMail version.


Plugin Updates
==============
Added site configuration options for filters, fortune, translate, newmail,
bug_report plugins. Improved newmail and change_password plugins. Fixed data
corruption issues in calendar plugin.

SquirrelSpell plugin was updated to use generic SquirrelMail preference functions.
User preferences and personal dictionaries that were stored in .words files are
moved to .pref files or other configured user data storage backend.


Possible Issues
===============
Internal SquirrelMail cookie implementation is experimental. If you have cookie
expiration or corruption issues and can reproduce them only in version 1.5.1,
contact one of the SquirrelMail developers and help them debug the issue.

SquirrelMail 1.5.1 changed some functions and hooks. login_form hook requires
different coding style. html_top, html_bottom, internal_link hooks have been
removed. src/move_messages.php code has been moved to the main mailbox listing
script. Some hooks may be broken after implementation of templates, especially
in mailbox listing pages. soupNazi() function has been replaced with the
checkForJavascript() function. sqimap_messages_delete(),
sqimap_messages_copy(), sqimap_messages_flag() and sqimap_get_small_header()
functions are now obsolete. Some IMAP functions return data in a different
format. If plugins depend on changed or removed functions, they will break in
this version of SquirrelMail.

This SquirrelMail version added HTTP headers that prevent caching of pages by
proxies. Headers are added in SquirrelMail displayHtmlHeader() function. Changes
require that HTML output is not started before displayHtmlHeader() is called. If
some code starts output, PHP errors will be displayed. If plugins display
notices in options_save hook and don't stop script execution on error, page
display will be broken.

SquirrelMail 1.5.1 implemented code that unregisters globals in PHP
register_globals=on setups. Plugins that load main SquirrelMail functions and
depend on PHP register_globals=on will be broken.

IMAP sorting/threading
By default, SquirrelMail will make use of the capabilities provided by the IMAP
server. This means that if the IMAP server supports SORT and THREAD sorting then
SquirrelMail makes use of it. Some broken IMAP servers advertise the SORT and
THREAD capabilities although they do not support them. For those IMAP servers
there is a config option to disable the use of SORT and THREAD sort.

Backward Incompatible Changes
=============================
Index order options are modified in 1.5.1 version. If older options are
detected, interface upgrades to newer option format and deletes old options.

In version 1.5.1, SquirrelSpell user dictionaries are saved with generic
SquirrelMail data functions. SquirrelSpell should copy older dictionaries
if dictionary version information is not present in user preferences. Once
the dictionary is copied, <username>.words files are obsolete and no longer
updated.

If the same data directory is used with other backwards incompatible versions,
the older SquirrelMail version may lose some user preferences or work with
outdated data. Admins are advised to use a separate data directory for the
1.5.1 release. The data directory can be configured by running configure.

Data Directory
==============
The directory data/ is no longer included in our tarball. Since placing this
directory under a web-accessible directory is not very wise, we've decided to
not pack it anymore. Admins will need to create it. Please choose a location
that's safe (not web accessible), e.g. /var/squirrelmail/data.
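
The following is an added example, not part of the SquirrelMail distribution: a
shell check that a chosen data directory does not resolve to a location inside
the web server document root, including when it is reached through a symlink.
The function names and the temporary directory layout are constructed for the
example; the document root of a real installation is site-specific.

```shell
#!/bin/sh
# Added example: verify that a SquirrelMail data directory is not inside
# the web server document root. Both paths are resolved first so that
# symlinks and ".." components cannot hide a web-accessible location.
resolve_dir() {
    # Print the physical absolute path of an existing directory.
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

data_dir_is_safe() {
    # $1 = data directory, $2 = document root. Returns 0 when safe,
    # 1 when the data directory is inside the document root, 2 on error.
    data=$(resolve_dir "$1") || return 2
    root=$(resolve_dir "$2") || return 2
    root=${root%/}               # a root of "/" then matches everything
    case "$data/" in
        "$root"/*) return 1 ;;   # the root itself or a descendant
    esac
    return 0                     # e.g. /var/www2 is not under /var/www
}

demo() {
    # Constructed layout under a temporary directory.
    t=$(mktemp -d) || return 2
    mkdir -p "$t/www/mail/data" "$t/www2/data" "$t/squirrelmail/data"
    ln -s "$t/www/mail/data" "$t/squirrelmail/link"
    for d in "$t/www/mail/data" "$t/www2/data" \
             "$t/squirrelmail/data" "$t/squirrelmail/link"; do
        rel=${d#"$t"}
        if data_dir_is_safe "$d" "$t/www"; then
            echo "ok      $rel"
        else
            echo "EXPOSED $rel"
        fi
    done
    rm -rf "$t"
}

demo
```

The sibling directory www2 is reported as safe even though its path begins with
the same characters as the document root, and the symlinked path is reported as
exposed because it resolves into the document root.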

Reporting Your Favorite SquirrelMail Bug
========================================
We constantly aim to make SquirrelMail even better, so we need you to submit
any bugs you come across! Also, please mention that the bug is in this release
(version 1.5.1), and list your IMAP server and web server details. Bugs can be
submitted at:

   http://www.squirrelmail.org/bugs

Thanks for your cooperation with this. This helps ensure that nothing slips
through the cracks. Also, please search the bug database for existing items
before submitting a new bug. This will help to eliminate duplicate reports and
increase the time we can spend FIXING existing bugs by DECREASING the time we
spend sorting through bug reports. Remember to check for CLOSED bug reports
also, not just OPEN bug reports, in case a bug you want to report may have been
recently fixed in CVS.

If you want to join us in coding SquirrelMail, or have other things to share
with the developers, join the development mailing list:

   squirrelmail-devel@lists.sourceforge.net


About Our Release Alias
=======================
This release is labeled the "Fire in the Hole" release. "Fire in the Hole" is
a phrase used to warn of the detonation of an explosive device. The phrase may
have originated with miners, who made extensive use of explosives while
working underground.

This release has been created to get a fixed package after more than two years
of development in the CVS HEAD branch. This package contains many experimental
changes. These changes add new features that can/will be unstable and/or
create an inconsistent UI. If you want to use stable code, you should stick to
the 1.4.x series of SquirrelMail. If you find issues in this package, make
sure that they are still present in the latest development code snapshots. To
obtain the latest development snapshot, see

   http://www.squirrelmail.org/download.php#snapshot

                  Happy SquirrelMailing!
                    - The SquirrelMail Project Team