HTML attachments containing 'data:' URLs, Internet Explorer-specifc
charset conversion exploits, and request forgery through included
images. Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon
- for reporting these issues. [CVE-2007-1262]
+ for reporting these issues. [CVE-2007-1262, CVE-2007-2589]
- Fix busy loop and notice when two literals in IMAP fetch (#1739433).
+ - Resolved issue with compose session not being updated after send/save.
+ - Added ability to detect HTTP_X_FORWARDED_PROTO in get_location(),
+ thanks to Daniel Watts.
+ - Fix test for signout.php in the logged in check in init.php so it
+ cannot be circumvented by manipulating the URL. External plugins might
+ rely on init.php guaranteeing that the user is logged in.
+ - Sort readdir() output in conf.pl (#1755886).
+ - Made the webmail_top hook work again for plugins that want to change
+ the URI of the "right" frame; plugins have to change the value of the
+ global variable $right_frame_url
+ - No longer store all message composition sessions in the PHP session,
+ since it was not made use of and in rare cases, made sessions too big
+ - Composition restoration functionality now correctly restores attachments
Version 1.5.1 (branched on 2006-02-12)
--------------------------------------