*** SquirrelMail Devel Series 1.5 ***
*************************************
-Version 1.5.2 - CVS
+Version 1.5.2 - SVN
-------------------
+ - Fix broken set_url_var function in functions/html.php (#1729814).
+ - Fix incorrect detection of auth mechanisms in conf.pl (#1727033).
+ - The search expression in the LDAP backend of the Addressbook is now
+ configurable, which can allow the result set to be expanded.
+ - Preliminary support for NAMESPACE in Squirrelmail IMAP Backend: NAMESPACE
+ is parsed and stored in session upon login.
+ - Now uses the $Forwarded IMAP keyword for forwarded messages, when it is
+ enabled or when arbitrary keywords ("PERMANENT FLAGS \*") are permitted.
+ RFC 4550, paragraph 2.8.
+ - Added support for authorization identifier in IMAP backend, for SASL
+ authentication mechanisms PLAIN and DIGEST-MD5. This can be set upon login
+ by use of an external plugin.
- Fix warning about array required in array_keys for display options when no
fontset is defined.
- Added "bad plugin" blacklist in configtest.php.
html output code. If third party code displays errors from address
book object in html, errors must be sanitized and ASCII line feeds
should be converted to html line breaks.
+ - Add note to conf.pl / config_default.php to warn users that set
+ sensitive passwords in that file to properly secure it.
+ - Prevent modifications in advanced identities, when editing of
+ identities is disabled.
+ - Configuration utility does not allow 8bit symbols in IMAP folder names
+ (#1485501).
+ - Address book file backend will break with error message, if required
+ address book fields are not available. Prevents address book corruption
+ and address book format violations that can cause PHP notices.
+ - Added line length setting in local_file address book backend (#1181561).
+ - Removed proprietary wrap attribute from compose form (#1512681).
+ - Fix URL for Read Receipts being incorrect in some cases (#1177518).
+ - Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346).
+ - Session cookies are turned on, if session.use_cookies is turned off
+ in PHP configuration (#1518885).
+ - Make the default attachment dir /var/local/squirrelmail/attach, not
+ $data_dir.
+ - Add HTML labels for form elements.
+ - Fixed spamcop web based reporting form (#1519673) and removed service
+ type options from spamcop plugin.
+ - Removed trailing ?> from function scripts.
+ - Added checks for non-existent backend to AddressBook class.
+ - Make the base for the SquirrelMail URL configurable. Adds a new variable
+ config_base_location to config.php and a new option to conf.pl. This is
+ to prevent problems in installs where our heuristic doesn't work
+ correctly (#1521299, #1460675, #1110064, #1000850, #1113791).
+ - Removed conf.pl dependency on Perl IO::Socket module. Automatic detection
+ of supported authentication mechanisms is disabled, if IO::Socket is not
+ available.
+ - Removed HTTP Status header from signout page (#1424748).
+ - config_default.php is loaded before site configuration file.
+ config_local.php overrides are removed from config.php and loaded by
+ main initiation script.
+ - Fixed resuming of compose when session expired while writing, and make
+ sure the code only sets those variables that are needed in compose and
+ are not already set. Thanks James Bercegay from GulfTech for pointing
+ this out.
+ - Subfolders of system folders are not tagged as special in folder
+ management page in order to allow rename and delete operations with
+ subfolders (#1460011).
+ - Trash subfolders are allowed in courier. INBOX.Trash is not treated
+ as special on Courier, unless some SquirrelMail configuration option
+ marks this folder as special (#1354393). Configtest utility should
+ display warning, if Courier IMAP XMAGICTRASH extension is detected.
+ - Show purge link for Trash folder without any messages, if folder has
+ subfolders (#1413569).
+ - Custom SMTP AUTH configuration variables are moved from config_local.php
+ to main configuration file.
+ - Fixed subscription of new 'noselect' folders (#1315912).
+ - Moving the development documentation to the documentation module.
+ - Drop obsolete script plugins/make_archive.pl.
+ - Fix misspelled constant PREG_SPLIT_NI_EMPTY in sqimap_get_message
+ (#1543573).
+ - Provide View Unsafe Images link on viewing a text/html attachment.
+ - Added APOP, TLS and STLS support to mail_fetch plugin (#575299).
+ - Added Courier IMAP OUTBOX check to configtest utility.
+ - Moved login_form hook to its own table row on login page.
+ - Added check_plugin_version() function.
+ - If mailbox name starts with slash or contains ../, error message is
+ generated. Safety check for insecure default UW IMAP setup (#1557078).
+ - Ignore message copy errors when messages are deleted. Allows to delete
+ messages when quota is exceeded. (#614887) (#646386) (#1446026)
+ - Fixed unintended literal fetching (#1562271).
+ - Checked if configuration file is readable in configuration utility
+ (#1568355).
+ - Added PHP pspell extension support to squirrelspell plugin.
+ - Add CEST and MEST (non-standard) timezone codes for +0200.
+ - Add support for SpamAssassin's X-Spam-Status header (#1589520).
+ - Added plugin on/off switch, which completely disables all plugins
+ (optionally for one named user, otherwise for all users).
+ - Security: close cross site scripting vulnerability in draft, compose
+ and mailto functionality [CVE-2006-6142].
+ - Security: work around an issue in Internet Explorer that would guess
+ the mime type of a file based on contents, not Content-Type header.
+ - Security: Multiple IE cross site scripting issues related to the
+ generous parsing of the words 'expression' and 'url' by IE.
+ - Security: Removing @import when sanitizing html mail.
+ - Redesigned plugin hook system. do_hook_function() has been removed
+ and do_hook() now emulates do_hook_function()'s return value and
+ also has its plugin arguments passed by value, etc.
+ - Drop obsolete ORDB RBL from filters plugin (#1629398).
+ - Add warning about magic_quotes_* in configtest.
+ - Unify accepted versions for imap_server_type and set_defaults (#1629722).
+ - Improve attachment temp file creation.
+ - Add ability for listcommands plugin to show post and reply links for
+ user-configured non-RFC 2369-compliant lists; admin must enable by
+ configuring plugin. Thanks to Peter Steiner.
+ - Fixed HttpOnly cookies again.
+ - Update for switch from CVS to Subversion.
+ - Default provider URI link fixed (was broken when on plugin options pages, etc)
+ - Fix URL to send read receipts from read_body (#1637572).
+ - Add option to ask users for personal information on first login.
+ - Drop redundant call to session_register, which could trigger a segfault
+ in PHP 4.4.5 (#1664155).
+ - If a date-header cannot be parsed, display the unparsed version as a
+ better-than-nothing alternative.
+ - Fix Priority and Receipt compose options being reset after return from
+ HTML addressbook, and allow returning from an empty address book (#1673056).
+ - Do not special case the 'None' folder.
+ - Fixes for filters issues (#1634735).
+ - session_id reporting session id when no active session (#1685031).
+ - Added sq_change_text_domain() for plugins to use when switching text
+ domains. If plugins use this function, it fixes #1434043.
+ - Add dynamic textarea sizing slider control to compose screen (default_advanced
+ skin)
+ - Security: fixes for the HTML filter to counter further XSS exploits:
+ HTML attachments containing 'data:' URLs, Internet Explorer-specifc
+ charset conversion exploits, and request forgery through included
+ images. Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon
+ for reporting these issues. [CVE-2007-1262, CVE-2007-2589]
+ - Fix busy loop and notice when two literals in IMAP fetch (#1739433).
+ - Resolved issue with compose session not being updated after send/save.
+ - Added ability to detect HTTP_X_FORWARDED_PROTO in get_location(),
+ thanks to Daniel Watts.
+ - Fix test for signout.php in the logged in check in init.php so it
+ cannot be circumvented by manipulating the URL. External plugins might
+ rely on init.php guaranteeing that the user is logged in.
+ - Sort readdir() output in conf.pl (#1755886).
+ - Made the webmail_top hook work again for plugins that want to change
+ the URI of the "right" frame; plugins have to change the value of the
+ global variable $right_frame_url
+ - No longer store all message composition sessions in the PHP session,
+ since it was not made use of and in rare cases, made sessions too big
+ - Composition restoration functionality now correctly restores attachments
+ - Added smtp_auth hook
+ - Removed "Include CCs when Forwarding Messages", which had no functionality
+ whatsoever.
+ - Added "preselected" query argument to mailbox list.
+ - Make the Message Details plugin actually show the correct entity when
+ viewing details of attached messages.
+ - Enabled user selection of address format when adding from address
+ book during message composition.
+ - Added a "short_open_tag" configuration test.
+ - Fixed outgoing messages to allow addresses such as "0@..." or "000@...",
+ etc. (#1818398).
+ - PAGE_NAME might not be defined in all plugins, which might cause a
+ "not defined" error on session timeouts.
+ - Allow custom session handlers to work correctly (and be defined at the
+ application level with SquirrelMail).
+ - Fix off-by-one in bodystructure parsing triggered by servers sending
+ a body location part (e.g. Sun Java System Messaging Server). Thanks
+ John Callahan (#1808382).
+ - Invalid initialization of To: header (#1772893).
+ - Added SquirrelMail debug mode.
+ - Handle PHP's insistence on setting the value to 'deleted' for destroyed sessions
+ (#1829098).
+ - Some IMAP servers send nil for an empty email body (See RFC2180,
+ section 4.1.3 on empty strings).
+ - Let configtest.php use optional PEAR dynamic extension loading,
+ patch by Walter Huijbers (#1833123).
+ - Fix for IMAP servers that were having problems saving sent messages
+ - Added multiple select folder list option widgets (SMOPT_TYPE_FLDRLIST_MULTI).
+ - Added "Secured Configuration" mode.
+
Version 1.5.1 (branched on 2006-02-12)
--------------------------------------
- Add doc/security.txt with some hints for a more secure installation.
- Added sqauth_read_password() and sqauth_save_password() functions.
- Unset global GET, POST and COOKIE variables registered in PHP
- register_globals=on setups.
+ register_globals=on setups. (Also addresses: CVE-2006-2842, CVE-2006-3174)
- Capabilities array now contains all multivalue information provided
by the IMAP server. (Such as THREAD=SORT, THREAD=REFERENCES).
- Inclusion of Compatibility plugin automatic (no patch needed for plugin)
projects / squirrelmail.git / blobdiff