Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: roundcube@packages.debian.org
Control: affects -1 + src:roundcube

[ Reason ]

roundcube 1.4.13+dfsg.1-1~deb11u1 is vulnerable to CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages. The Security Team decided not to issue a DSA for that CVE, but it's now fixed in buster-security (1.3.17+dfsg.1-1~deb10u3) as well as testing/sid (1.6.3+dfsg-1), so it makes sense to fix it via (o)s-pu too.

[ Impact ]

Roundcube users will remain vulnerable to the XSS issue. For users upgrading from buster-security to bullseye, that would be a security regression.

[ Tests ]

The XSS fix is covered by automated tests (phpunit) at build time, and I also manually tested the fix.

[ Risks ]

I believe the regression risk is very low, given the diff is fairly simple, and this is not a backport but an official upstream release from the LTS branch.

[ Checklist ]

  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in oldstable
  [x] the issue is verified as fixed in unstable

[ Changes ]

  * New security/bugfix upstream release:
    + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages. (Closes: #1052059)
    + Enigma: Fix initial synchronization of private keys.
  * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1.
  * Refresh d/patches.

[ Other info ]

bullseye(-security) has been following the upstream 1.4 branch, so I propose to upload 1.4.14+dfsg.1-1~deb11u1 rather than cherry-pick the CVE-2023-43770 fix on top of 1.4.13+dfsg.1-1~deb11u1.

--
Guilhem.
diffstat for roundcube-1.4.13+dfsg.1 roundcube-1.4.14+dfsg.1 CHANGELOG | 8 composer.json-dist | 5 debian/changelog | 11 debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch | 4 debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch | 8 debian/patches/fix-install-path.patch | 4 debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch | 2 debian/patches/update-composer.patch | 9 debian/patches/update-script.patch | 2 debian/upstream/signing-key.asc | 199 +++++++--- index.php | 2 installer/index.php | 2 plugins/enigma/lib/enigma_driver_gnupg.php | 7 program/include/iniset.php | 2 program/lib/Roundcube/bootstrap.php | 2 program/lib/Roundcube/rcube_string_replacer.php | 4 public_html/index.php | 2 public_html/plugins/enigma/lib/enigma_driver_gnupg.php | 7 tests/Framework/StringReplacer.php | 12 tests/Framework/Text2Html.php | 17 20 files changed, 223 insertions(+), 86 deletions(-) diff -Nru roundcube-1.4.13+dfsg.1/CHANGELOG roundcube-1.4.14+dfsg.1/CHANGELOG --- roundcube-1.4.13+dfsg.1/CHANGELOG 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/CHANGELOG 2023-09-16 22:01:19.000000000 +0200 @@ -1,5 +1,9 @@ -CHANGELOG Roundcube Webmail -=========================== +# Changelog Roundcube Webmail + +RELEASE 1.4.14 +-------------- +- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages +- Enigma: Fix initial synchronization of private keys RELEASE 1.4.13 -------------- diff -Nru roundcube-1.4.13+dfsg.1/composer.json-dist roundcube-1.4.14+dfsg.1/composer.json-dist --- roundcube-1.4.13+dfsg.1/composer.json-dist 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/composer.json-dist 2023-09-16 22:01:19.000000000 +0200 
@@ -27,5 +27,10 @@ "suggest": { "kolab/net_ldap3": "~1.1.1 required for connecting to LDAP", "mkopinsky/zxcvbn-php": "^4.4.2 required for Zxcvbn password strength driver" + }, + "config": { + "allow-plugins": { + "roundcube/plugin-installer": true + } } } diff -Nru roundcube-1.4.13+dfsg.1/debian/changelog roundcube-1.4.14+dfsg.1/debian/changelog --- roundcube-1.4.13+dfsg.1/debian/changelog 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/changelog 2023-09-25 11:32:59.000000000 +0200 @@ -1,3 +1,14 @@ +roundcube (1.4.14+dfsg.1-1~deb11u1) bullseye; urgency=high + + * New security/bugfix upstream release: + + Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling + of linkrefs in plain text messages. (Closes: #1052059) + + Enigma: Fix initial synchronization of private keys. + * d/u/signing-key.asc: Add Alec's key BEE674A019359DC1. + * Refresh d/patches. + + -- Guilhem Moulin <guilhem@debian.org> Mon, 25 Sep 2023 11:32:59 +0200 + roundcube (1.4.13+dfsg.1-1~deb11u1) bullseye-security; urgency=high * New security upstream release, with fix for CVE-2021-46144: XSS diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch --- roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-8.5.13-1.patch 2023-09-25 11:32:59.000000000 +0200 @@ -1335,7 +1335,7 @@ /** diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php -index ace8bf6..9d56fe2 100644 +index 16dff6a..756eddd 100644 --- a/tests/Framework/StringReplacer.php +++ b/tests/Framework/StringReplacer.php @@ -5,7 +5,7 @@ @@ -1348,7 +1348,7 @@ /** diff --git a/tests/Framework/Text2Html.php b/tests/Framework/Text2Html.php -index db2dbac..273eeed 100644 +index 1d6ffd2..8f86b86 100644 --- a/tests/Framework/Text2Html.php 
+++ b/tests/Framework/Text2Html.php @@ -5,7 +5,7 @@ diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch --- roundcube-1.4.13+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/fix-FTBFS-with-phpunit-9.5.0-1.patch 2023-09-25 11:32:59.000000000 +0200 @@ -52,19 +52,19 @@ function test_links() diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php -index 9d56fe2..d60cbd0 100644 +index 756eddd..32ce877 100644 --- a/tests/Framework/StringReplacer.php +++ b/tests/Framework/StringReplacer.php -@@ -75,8 +75,8 @@ class Framework_StringReplacer extends \PHPUnit\Framework\TestCase +@@ -77,8 +77,8 @@ class Framework_StringReplacer extends \PHPUnit\Framework\TestCase $result = $replacer->replace($input); $result = $replacer->resolve($result); - $this->assertContains('[<a href="http://en.wikipedia.org/wiki/Email">1</a>] to', $result, "Numeric linkref replacements"); - $this->assertContains('[<a href="http://www.link-ref.com">ref0</a>] repl', $result, "Alphanum linkref replacements"); -- $this->assertContains('of [Roundcube].', $result, "Don't touch strings wihtout an index entry"); +- $this->assertContains('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry"); + $this->assertStringContainsString('[<a href="http://en.wikipedia.org/wiki/Email">1</a>] to', $result, "Numeric linkref replacements"); + $this->assertStringContainsString('[<a href="http://www.link-ref.com">ref0</a>] repl', $result, "Alphanum linkref replacements"); -+ $this->assertStringContainsString('of [Roundcube].', $result, "Don't touch strings wihtout an index entry"); ++ $this->assertStringContainsString('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry"); } } 
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/fix-install-path.patch roundcube-1.4.14+dfsg.1/debian/patches/fix-install-path.patch --- roundcube-1.4.13+dfsg.1/debian/patches/fix-install-path.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/fix-install-path.patch 2023-09-25 11:32:59.000000000 +0200 @@ -161,10 +161,10 @@ require_once INSTALL_PATH . 'program/include/clisetup.php'; diff --git a/program/include/iniset.php b/program/include/iniset.php -index 1f8bfd7..a26900e 100644 +index d9388db..11142d2 100644 --- a/program/include/iniset.php +++ b/program/include/iniset.php -@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.13'); +@@ -28,7 +28,7 @@ define('RCMAIL_VERSION', '1.4.14'); define('RCMAIL_START', microtime(true)); if (!defined('INSTALL_PATH')) { diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch roundcube-1.4.14+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch --- roundcube-1.4.13+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/hint-at-which-packages-needs-installing-under-PHP8.patch 2023-09-25 11:32:59.000000000 +0200 @@ -15,7 +15,7 @@ 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/program/include/iniset.php b/program/include/iniset.php -index 3919f74..cb6636b 100644 +index 9c4c773..956750d 100644 --- a/program/include/iniset.php +++ b/program/include/iniset.php @@ -20,7 +20,9 @@ diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/update-composer.patch roundcube-1.4.14+dfsg.1/debian/patches/update-composer.patch --- roundcube-1.4.13+dfsg.1/debian/patches/update-composer.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/update-composer.patch 2023-09-25 11:32:59.000000000 +0200 
@@ -20,10 +20,10 @@ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/composer.json-dist b/composer.json-dist -index 192551a..2307894 100644 +index 13064ce..a73e69d 100644 --- a/composer.json-dist +++ b/composer.json-dist -@@ -10,22 +10,20 @@ +@@ -10,23 +10,21 @@ ], "require": { "php": ">=5.4.0 <8", @@ -54,5 +54,6 @@ + "kolab/net_ldap3": ">=1.1.1", + "pear-pear.php.net/crypt_gpg": ">=1.6.0", + "mkopinsky/zxcvbn-php": ">=4.4.2 required for Zxcvbn password strength driver" - } - } + }, + "config": { + "allow-plugins": { diff -Nru roundcube-1.4.13+dfsg.1/debian/patches/update-script.patch roundcube-1.4.14+dfsg.1/debian/patches/update-script.patch --- roundcube-1.4.13+dfsg.1/debian/patches/update-script.patch 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/patches/update-script.patch 2023-09-25 11:32:59.000000000 +0200 @@ -88,7 +88,7 @@ // update composer dependencies diff --git a/program/include/iniset.php b/program/include/iniset.php -index a26900e..3919f74 100644 +index 11142d2..9c4c773 100644 --- a/program/include/iniset.php +++ b/program/include/iniset.php @@ -39,6 +39,10 @@ if (!defined('RCUBE_LOCALIZATION_DIR')) { diff -Nru roundcube-1.4.13+dfsg.1/debian/upstream/signing-key.asc roundcube-1.4.14+dfsg.1/debian/upstream/signing-key.asc --- roundcube-1.4.13+dfsg.1/debian/upstream/signing-key.asc 2022-01-06 08:51:41.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/debian/upstream/signing-key.asc 2023-09-25 11:32:59.000000000 +0200 
@@ -116,62 +116,145 @@ R5Tx6/YtysHeydQLrqjev9NSVUVjzcmqLSUB1Ra4smTRg76CW5jsAXId0t/s4OpK IZLniDIPYJLrbB0voZ54UsTc9DzlpgRSJTzmAvd3WphohnVZRGSrYVWZFUrrFQjB NGo9AhuRBH5dioO2iTlq+Hqers1fGK8XhSw84XWedJL/itdEpINH14tpJnM9hVNn -1/W4DFOUElp1C2a+d9NM8XVWSRa5Ag0EVPYxAQEQAM6TZmb86hsfXeTqiV4JMpBL -RiZ+6/mTDbdYRZEeErm/Vgw16r6tE7m3bNno0r/BRm3XmDBy4U72KP8oHiL55cUV -Y+5ogrJBCq4BbZLyhtVcnDSI2uavwWMS9g6nKbAPl78IFoIg0E+QeJqJPZhRN6ec -uBm2flOmhPyPK5NI0L03rYRpnC6XWBHqEtq8Rjj9KewhZiU2VisvGHbYi2Uj9Axc -cZY1+O4p6rPjYqJEkjAOE1kOlm+96bzL+VuxXr8H+Js7Ae1+3A0rm360qfIEDOYd -3vpQ4Om9rvrgwaX5XCZqTj6IFhlDS6gUMnyy2w9kes5YD/WVtH2jmjkOTi4ko9vC -diSdixQA1DXUkyCZk5A25yWR9N9AHXv5/kijVOpHJ5mqoPdsOBIG3RFCjmaUTmqJ -3nXhU8Zcd5/h7dVOwSq+NxYjYvF0CrB0TtzYXaA9UtHpTvbA2IuZarXn208RWgrr -Pp+H1zP3NAS/pJ1FgX/izZxFhAWC7fhJfpHHTQkVFt4mJ25873QSuwCSsO6qS6mq -oypByxNEAfVvIJUcf2ZdZkaRRFqOBgT13PhP8tKyRYp7wnuzngYDR7Pb2E9JRKT/ -WeAqEcEzWWmjNCs2MkOrDRNd3PC5VvkFCQnoIRsg763jcNrqNEfkm1lJ/Bf+qINr -PYJJTc1MjWBt5sWs8iJrABEBAAGJBD4EGAECAAkFAlT2MQECGwICKQkQPlQo0CYs -VPjBXSAEGQECAAYFAlT2MQEACgkQ0QXeoLVFs2zfsxAAzkKiAmiqQPWyjHV61IJl -13HrJrJS2KZJBu1AY0HjWkSf0zzy4DNF/P3iPmaZvk6rxAb9Mwk5JHx0vlk/m5yW -uM7yR97cyAt7FNrTq7PoVDzmB6nOcHYfLTnrA9Y7difUxE3ShVXWuSM/CDouSaPS -mRIw+BIuP9Op0peGuwM1UBWZ+bKUjRZOVhDDQPrbGApzcg1Mp+zgHhpFUa6enIG8 -P/O6ApteoFrKLGx4/SjeKgv52+YyfD2odHlliHbcu/k+g+Dp+VkPW1I1FQREijGG -K8c19UonBsSZxwT2gQwKtu++ZtLGsRkcpoonmR2mUkU8ruqoEdKk9Co3OQirrgep -Viadv1pcJsa59r6lYIVPdBkJVE0UA2WWp4tullmB5lRD4NNw07HoYnDalz4O/Myb -wjy9FCLgU7WZYtKDH+UiIe6uYIElkRbBBzO16MifgDrh0oNGmkl9m4EIkZeF/t+O -4KF2xEiYqcvv/tVgRjQ/PuHKJh/uspeyUSpcJz8l4x2aAKHJu9RmCp8dD5BcHIk7 -bG9XGiXbr8MsDCC8RtMOfdJIQSTW0FDU/1T8RLAYxw/G+6ESvp+8DDwPqWn1I6Wl -v8bBKwB3eNe1X35lHNsoFHhxsVPpdEvmMI43OWPXZ9CyU9O03FXADBp5L9A8Jq09 -qYasdAgt30ye7iPaTvtZWrS8SRAAgot+talYPKDemCGGXcm7Gj+hnRGe0h2kFzG5 -BJj0yYMcwlWK1fKHsmxxnBN9z3Eto5dcQZ36iLOwOjgdB24E3AEGbGxVnGUfHmqV -Qb/SxSKYuTmeXTfCTicEydW7uX4Esfq91EXdZbqsg4OeS5/J5WB2InXH+FhguTvE -9EkF2T/G4c+A837wOYphmPNnjKuw+so8WPUCaPR2CrjUh6diIjE3gVNloLvQlyke 
+c3RlbXMuY29tPokBTgQTAQgAIQUCWTJWlwIbIwULCQgHAgYVCAkKCwIEFgIDAQIe +AQIXgAAhCRC+5nSgGTWdwRYhBLsi73Gclqhu70za0b7mdKAZNZ3Bh90IALeMO7uq +yPOS7KVp+gbHbmgeROG2/rxDFE6SoY64Vpqy/ZPRiZXQzjPBy6gkgY2Fr8n2ZBbp +NdxOHSKIc0SDWMO8ZxDteFhMi+9Y7uFO7ZqEL/BII0L2d4fRWiXCNnLQqoaI/f6Q +UP3kB6DQtvRg1sxT8wM1RPZBphUnT2xFvHnLgayI+uM83xJiUREArA0tLinRH8HU +O64iKMdvVAExWJ0BQQDDLia/CkTD4wh8d0iww978zySoFsLYF0Mv5wk6cclUgXwz +KpSp3WGZ9hX4vbFLzMYk/KVQbuoHq4ZtlD4IVVH7q9lCavz452PfzFDIwpytCIBd +RdsKmg8uuqspiym5AQ0ETL1O2QEIANHbid+rMQ/IX0/UyVtnLWunDEg6Yl2BtwHT +ecZ4Ym3tBxc1sbPDoYpY0DZ86gYi9DCbolrdjnrRK9ldYItVJ8rJUkEIDz/2yhjc +r3s3p2SyI94bocoG0WW+VRlssJMxTB2ihblihkY5HqT+9PgOFxnpSqz1ksTaI3JO +VcokidhoB7MJmuyb28rNtZCJP7upRUwBSoZfHiL83w3Ad1Fn49QVO7kshH11lNyJ +9jB17BTl1I0sj7RPqAorJcMxsSOJXW71ZcipXWym+GacY/qziQw7bT9CQYSmr4Si +RV7GahD91enDkdv+pUAnb8NEifQ1LT26XcL6Ng9EbG5AT4qI46kAEQEAAYkBNgQY +AQIACQUCTL1O2QIbDAAhCRC+5nSgGTWdwRYhBLsi73Gclqhu70za0b7mdKAZNZ3B +7ZMIAJq7HeUeK0Pwgg7l/LpHE+rKbq8yUqI3QjKKVqG0nQDaG02rBsVvpO6SnMrD +TgMZI8Q4Y9qjiF2wu1C2oA/CqtH4UYkNzpX+MPSs+NOELc1y+Qm6iLrbZksKyLxM +AvmQGYXY1h3t6OzMHfXkTO+ldJ4RLz72m/rKyHNRuisSD1AqE/FbTK+t2PY7AVSV +Gvr+MukqYwvNLHkXTISDXS6u9971K22TlNXMfJw5rWcpLOPv0XWNdOX+aOL+LTza +zWeXBvx3os1WubR7W0YzFKT9amCEVVVKbg4y9S8yQQQOTAayb6Y9yZfhQ9y+r/BT +eEaEN5WWmR9VMlAa8NsRTNNdvPo= +=cGVH -----END PGP PUBLIC KEY BLOCK----- diff -Nru roundcube-1.4.13+dfsg.1/index.php roundcube-1.4.14+dfsg.1/index.php --- roundcube-1.4.13+dfsg.1/index.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/index.php 2023-09-16 22:01:19.000000000 +0200 
@@ -2,7 +2,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.4.13 | + | Version 1.4.14 | | | | Copyright (C) The Roundcube Dev Team | | | diff -Nru roundcube-1.4.13+dfsg.1/installer/index.php roundcube-1.4.14+dfsg.1/installer/index.php --- roundcube-1.4.13+dfsg.1/installer/index.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/installer/index.php 2023-09-16 22:01:19.000000000 +0200 @@ -3,7 +3,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail setup tool | - | Version 1.4.13 | + | Version 1.4.14 | | | | Copyright (C) The Roundcube Dev Team | | | diff -Nru roundcube-1.4.13+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php roundcube-1.4.14+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php --- roundcube-1.4.13+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/plugins/enigma/lib/enigma_driver_gnupg.php 2023-09-16 22:01:19.000000000 +0200 @@ -586,6 +586,13 @@ continue; } + // Private keys might be located in 'private-keys-v1.d' subdirectory. Make sure it exists. + if (strpos($file, '/private-keys-v1.d/')) { + if (!file_exists($this->homedir . '/private-keys-v1.d')) { + mkdir($this->homedir . '/private-keys-v1.d', 0700); + } + } + $tmpfile = $file . '.tmp'; if (file_put_contents($tmpfile, $data, LOCK_EX) === strlen($data)) { diff -Nru roundcube-1.4.13+dfsg.1/program/include/iniset.php roundcube-1.4.14+dfsg.1/program/include/iniset.php --- roundcube-1.4.13+dfsg.1/program/include/iniset.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/program/include/iniset.php 2023-09-16 22:01:19.000000000 +0200 
@@ -24,7 +24,7 @@ } // application constants -define('RCMAIL_VERSION', '1.4.13'); +define('RCMAIL_VERSION', '1.4.14'); define('RCMAIL_START', microtime(true)); if (!defined('INSTALL_PATH')) { diff -Nru roundcube-1.4.13+dfsg.1/program/lib/Roundcube/bootstrap.php roundcube-1.4.14+dfsg.1/program/lib/Roundcube/bootstrap.php --- roundcube-1.4.13+dfsg.1/program/lib/Roundcube/bootstrap.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/program/lib/Roundcube/bootstrap.php 2023-09-16 22:01:19.000000000 +0200 @@ -58,7 +58,7 @@ } // framework constants -define('RCUBE_VERSION', '1.4.13'); +define('RCUBE_VERSION', '1.4.14'); define('RCUBE_CHARSET', 'UTF-8'); define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP'); diff -Nru roundcube-1.4.13+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php roundcube-1.4.14+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php --- roundcube-1.4.13+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/program/lib/Roundcube/rcube_string_replacer.php 2023-09-16 22:01:19.000000000 +0200 @@ -59,8 +59,8 @@ $link_prefix = "([\w]+:\/\/|{$this->noword}[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)"; $this->options = $options; - $this->linkref_index = '/\[([^\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/'; - $this->linkref_pattern = '/\[([^\]#]+)\]/'; + $this->linkref_index = '/\[([^<>\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/'; + $this->linkref_pattern = '/\[([^<>\]#]+)\]/'; $this->link_pattern = "/$link_prefix($utf_domain([$url1]*[$url2]+)*)/"; $this->mailto_pattern = "/(" . "[-\w!\#\$%&*+~\/^`|{}=]+(?:\.[-\w!\#\$%&*+~\/^`|{}=]+)*" // local-part diff -Nru roundcube-1.4.13+dfsg.1/public_html/index.php roundcube-1.4.14+dfsg.1/public_html/index.php --- roundcube-1.4.13+dfsg.1/public_html/index.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/public_html/index.php 2023-09-16 22:01:19.000000000 +0200 
@@ -3,7 +3,7 @@ /* +-----------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.4.13 | + | Version 1.4.14 | | | | Copyright (C) The Roundcube Dev Team | | | diff -Nru roundcube-1.4.13+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php roundcube-1.4.14+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php --- roundcube-1.4.13+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/public_html/plugins/enigma/lib/enigma_driver_gnupg.php 2023-09-16 22:01:19.000000000 +0200 @@ -586,6 +586,13 @@ continue; } + // Private keys might be located in 'private-keys-v1.d' subdirectory. Make sure it exists. + if (strpos($file, '/private-keys-v1.d/')) { + if (!file_exists($this->homedir . '/private-keys-v1.d')) { + mkdir($this->homedir . '/private-keys-v1.d', 0700); + } + } + $tmpfile = $file . '.tmp'; if (file_put_contents($tmpfile, $data, LOCK_EX) === strlen($data)) { diff -Nru roundcube-1.4.13+dfsg.1/tests/Framework/StringReplacer.php roundcube-1.4.14+dfsg.1/tests/Framework/StringReplacer.php --- roundcube-1.4.13+dfsg.1/tests/Framework/StringReplacer.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/tests/Framework/StringReplacer.php 2023-09-16 22:01:19.000000000 +0200 @@ -64,12 +64,14 @@ $this->assertEquals($output, $result); } + /** + * Test link references + */ function test_linkrefs() { - $input = "This is a sample message [1] to test the new linkref [ref0] replacement feature of [Roundcube].\n"; - $input.= "\n"; - $input.= "[1] http://en.wikipedia.org/wiki/Email\n"; - $input.= "[ref0] www.link-ref.com\n"; + $input = "This is a sample message [1] to test the linkref [ref0] replacement feature of [Roundcube].[ref<0]\n" + . "[1] http://en.wikipedia.org/wiki/Email\n" + . "[ref0] www.link-ref.com\n"; $replacer = new rcube_string_replacer; $result = $replacer->replace($input); 
@@ -77,6 +79,6 @@ $this->assertContains('[<a href="http://en.wikipedia.org/wiki/Email">1</a>] to', $result, "Numeric linkref replacements"); $this->assertContains('[<a href="http://www.link-ref.com">ref0</a>] repl', $result, "Alphanum linkref replacements"); - $this->assertContains('of [Roundcube].', $result, "Don't touch strings wihtout an index entry"); + $this->assertContains('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry"); } } diff -Nru roundcube-1.4.13+dfsg.1/tests/Framework/Text2Html.php roundcube-1.4.14+dfsg.1/tests/Framework/Text2Html.php --- roundcube-1.4.13+dfsg.1/tests/Framework/Text2Html.php 2021-12-29 23:45:05.000000000 +0100 +++ roundcube-1.4.14+dfsg.1/tests/Framework/Text2Html.php 2023-09-16 22:01:19.000000000 +0200 @@ -137,4 +137,21 @@ $this->assertEquals($expected, $html); } + + /** + * Test XSS issue + */ + function test_text2html_xss2() + { + $input = "\n[<script>evil</script>] https://google.com\n"; + $t2h = new rcube_text2html($input); + + $html = $t2h->get_html(); + + $expected = "<div class=\"pre\"><br>\n[<script>evil</script>] " + . "<a rel=\"noreferrer\" target=\"_blank\" href=\"https://google.com\">https://google.com</a><br>\n" + . "</div>"; + + $this->assertEquals($expected, $html); + } }
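Review bot: the debian/changelog entry (@@ -1,3 +1,14 @@) identifies the key added to d/u/signing-key.asc only by its 64-bit long key ID, BEE674A019359DC1. Recording the full fingerprint in that entry would let a reviewer compare the armored block changed in debian/upstream/signing-key.asc (@@ -116,62 +116,145 @@) against an independently obtained value, which matters because this keyring decides which upstream release signatures are accepted.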
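Review bot: in the enigma_driver_gnupg.php hunk (@@ -586,6 +586,13 @@, applied identically under plugins/ and public_html/plugins/), the condition `if (strpos($file, '/private-keys-v1.d/'))` relies on truthiness, so a match at offset 0 would be treated as no match; `strpos(...) !== false` states the intent. The return value of `mkdir($this->homedir . '/private-keys-v1.d', 0700)` is also not checked, so a failure to create the directory only surfaces later at `file_put_contents($tmpfile, $data, LOCK_EX)`; checking it and logging would make the cause visible. The 0700 mode is appropriate for a directory holding private keys.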
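Review bot: the two changed patterns in rcube_string_replacer.php (@@ -59,8 +59,8 @@) carry no comment saying why `<` and `>` are now excluded from a linkref name. A one-line comment above `$this->linkref_index` pointing at the XSS fix would keep a later edit to the character class `[^<>\]#]+` from silently reverting it. The hunk does not show where the captured name is written into the HTML output; if that site does not escape it, escaping there would give a second layer that does not depend on the regex.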
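Review bot: in tests/Framework/StringReplacer.php (@@ -64,12 +64,14 @@ and @@ -77,6 +79,6 @@), the added `[ref<0]` token has no index entry in `$input` and is asserted under the existing message "Don't touch strings wihtout an index entry", so the case does not show that a name containing `<` is rejected when an index entry does exist. Suggest adding an index line for a `<`-containing name and asserting that no anchor is produced for it, plus a `>` case for the other excluded character. The assertion message also has a typo ("wihtout").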
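Review bot: the docblock on test_text2html_xss2() in tests/Framework/Text2Html.php (@@ -137,4 +137,21 @@) says only "Test XSS issue"; naming the linkref case (CVE-2023-43770 per the changelog) would tell a reader which regression the test guards. Please also confirm that the bracketed text in `$expected` is the entity-escaped form of the input: as displayed in this diff it reads `[<script>evil</script>]`, the same literal markup as in `$input`.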