diff --git a/CHANGELOG b/CHANGELOG index bcaa870e3..ead3d106c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3070 +1,3074 @@ # Changelog Roundcube Webmail +- Fix cross-site scripting (XSS) vulnerability in setting Content-Type/Content-Disposition for attachment preview/download + +RELEASE 1.4.15 +-------------- - Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) - Fix PHP 5.4 compatibility by using pear-core-minimal 1.10.11 (#9148) RELEASE 1.4.14 -------------- - Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages - Enigma: Fix initial synchronization of private keys RELEASE 1.4.13 -------------- - Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content RELEASE 1.4.12 -------------- - Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919) - Fix bug where contacts search didn't work with addressbook_search_mods set to an empty array (#7974) - Fix bug causing some HTML message content to be not centered in Elastic skin (#7911) - Fix bug where consecutive LDAP searches could return wrong results (#8064) - Fix bug where plus characters in attachment filename could have been ignored (#8074) - Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat) - Fix handling of custom sender addresses with names (#8106) - Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107) - Fix Firefox infinate loading display on mail screen (#8128) - Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193) - Fix SQL injection via some session variables RELEASE 1.4.11 -------------- - Display a nice error informing about no PHP8 support - Elastic: Fix compatibility with Less v3 and v4 (#7813) - Fix bug with managesieve_domains in Settings > Forwarding form (#7849) - Fix errors in MSSQL database update scripts (#7853) - Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content RELEASE 1.4.10 -------------- - Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655) - Fix folder list issue whan special folder is a subfolder (#7647) - Fix Elastic's folder subscription toggle in search result (#7653) - Fix state of subscription toggle on folders list after changing folder state from the search result (#7653) - Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730] RELEASE 1.4.9 ------------- - Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615) - Add missing localization for some label/legend elements in userinfo plugin (#7478) - Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD) - Fix restoring Cc/Bcc fields from local storage (#7554) - Fix jstz.min.js installation, bump version to 1.0.7 - Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564) - Fix link to closure compiler in bin/jsshrink.sh script (#7567) - Fix bug where some parts of a message could have been missing in a reply/forward body (#7568) - Fix empty space on mail printouts in Chrome (#7604) - Fix empty output from HTML5 parser when content contains XML tag (#7624) - Fix scroll jump on key press in plain text mode of the HTML editor (#7622) - Fix so autocompletion list does not hide on scroll inside it (#7592) RELEASE 1.4.8 ------------- - Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507) - Managesieve: Fix too-small input field in Elastic when using custom headers (#7498) - Fix support for an error as a string in message_before_send hook (#7475) - Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500) - Elastic: Fix deleted and replied+forwarded icons on messages list (#7503) - Managesieve: Allow angle brackets in out-of-office message body (#7518) - Fix bug in conversion of email addresses to mailto links in plain text messages (#7526) - Fix format=flowed formatting on plain text part derived from the HTML content (#7504) - Fix incorrect rewriting of internal links in HTML content (#7512) - Fix handling links without defined protocol (#7454) - Fix paging of search results on IMAP servers with no SORT capability (#7462) - Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525) - Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145] - Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content RELEASE 1.4.7 ------------- - Fix bug where subfolders of special folders could have been duplicated on folder list - Increase maximum size of contact jobtitle and department fields to 128 characters - Fix missing newline after the logged line when writing to stdout (#7418) - Elastic: Fix context menu (paste) on the recipient input (#7431) - Fix problem with forwarding inline images attached to messages with no HTML part (#7414) - Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455) - Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace RELEASE 1.4.6 ------------- - Installer: Fix regression in SMTP test section (#7417) RELEASE 1.4.5 ------------- - Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364) - Fix so the database setup description is compatible with MySQL 8 (#7340) - Markasjunk: Fix regression in jsevent driver (#7361) - Fix missing flag indication on collapsed thread in Larry and Elastic (#7366) - Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367) - Password: Fix issue with Modoboa driver (#7372) - Mailvelope: Use sender's address to find pubkeys to check signatures (#7348) - Mailvelope: Fix Encrypt button hidden in Elastic (#7353) - Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392) - Fix error when user-configured skin does not exist anymore (#7271) - Elastic: Fix aspect ratio of a contact photo in mail preview (#7339) - Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382) - Security: Fix a couple of XSS issues in Installer (#7406) - Security: Fix XSS issue in template object 'username' (#7406) - Security: Better fix for CVE-2020-12641 - Security: Fix cross-site scripting (XSS) via malicious XML attachment RELEASE 1.4.4 ------------- - Fix bug where attachments with Content-Id were attached to the message on reply (#7122) - Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211) - Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230) - Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231) - Elastic: Fix color of a folder with recent messages (#7281) - Elastic: Restrict logo size in print view (#7275) - Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261) - Fix missing contact display name in QR Code data (#7257) - Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246) - Fix regression in testing database schema on MSSQL (#7227) - Fix cursor position after inserting a group to a recipient input using autocompletion (#7267) - Fix string literals handling in IMAP STATUS (and various other) responses (#7290) - Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293) - Fix handling keyservers configured with protocol prefix (#7295) - Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189) - Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206) - Fix so imap error message is displayed to the user on folder create/update (#7245) - Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147) - Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312) - Fix characters encoding in group rename input after group creation/rename (#7330) - Fix bug where some message/rfc822 parts could not be attached on forward (#7323) - Make install-jsdeps.sh script working without the 'file' program installed (#7325) - Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331) - Fix so Print button for PDF attachments works on Firefox >= 75 (#5125) - Security: Fix XSS issue in handling of CDATA in HTML messages [CVE-2020-12625] - Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings [CVE-2020-12641] - Security: Fix local file inclusion (and code execution) via crafted 'plugins' option [CVE-2020-12640] - Security: Fix CSRF bypass that could be used to log out an authenticated user [CVE-2020-12626] (#7302) RELEASE 1.4.3 ------------- - Enigma: Fix so key list selection is reset when opening key creation form (#7154) - Enigma: Fix so using list checkbox selection does not load the key preview frame - Enigma: Fix generation of key pairs for identities with IDN domains (#7181) - Enigma: Display IDN domains of key users and identities in UTF8 - Enigma: Fix bug where "Send unencrypted" button didn't work in Elastic skin (#7205) - Managesieve: Fix bug where it wasn't possible to save flag actions (#7188) - Markasjunk: Fix bug where marking as spam/ham didn't work on moving messages with drag-and-drop (#7137) - Password: Make chpass-wrapper.py Python 3 compatible (#7135) - Elastic: Fix disappearing sidebar in mail compose after clicking Mail button - Elastic: Fix incorrect aria-disabled attribute on Mail taskmenu button in mail compose - Elastic: Fix bug where it was possible to switch editor mode when 'htmleditor' was in 'dont_override' (#7143) - Elastic: Fix text selection in recipient inputs (#7129) - Elastic: Fix missing Close button in "more recipients" dialog - Elastic: Fix non-working folder subscription checkbox for newly added folders (#7174) - Fix regression where "Open in new window" action didn't work (#7155) - Fix PHP Warning: array_filter() expects parameter 1 to be array, null given in subscriptions_option plugin (#7165) - Fix unexpected error message when mail refresh involves folder auto-unsubscribe (#6923) - Fix recipient duplicates in print-view when the recipient list has been expanded (#7169) - Fix bug where files in skins/ directory were listed on skins list (#7180) - Fix bug where message parts with no Content-Disposition header and no name were not listed on attachments list (#7117) - Fix display issues with mail subject that contains line-breaks (#7191) - Fix invalid Content-Transfer-Encoding on multipart messages - Mail_Mime fix (#7170) - Fix regression where using an absolute path to SQLite database file on Windows didn't work (#7196) - Fix using unix:///path/to/socket.file in memcached driver (#7210) RELEASE 1.4.2 ------------- - Plugin API: Make actionbefore, before, actionafter and after events working with plugin actions (#7106) - Managesieve: Replace "Filter disabled" with "Filter enabled" (#7028) - Managesieve: Fix so modifier type select wasn't hidden after hiding modifier select on header change - Managesieve: Fix filter selection after removing a first filter (#7079) - Markasjunk: Fix marking more than one message as spam/ham with email_learn driver (#7121) - Password: Fix kpasswd and smb drivers' double-escaping bug (#7092) - Enigma: Add script to import keys from filesystem to the db storage (for multihost) - Installer: Fix DB Write test on SQLite database ("database is locked" error) (#7064) - Installer: Fix so SQLite DSN with a relative path to the database file works in Installer - Elastic: Fix contrast of warning toasts (#7058) - Elastic: Simple search in pretty selects (#7072) - Elastic: Fix hidden list widget on mobile/tablet when selecting folder while search menu is open (#7120) - Fix so type attribute on script tags is not used on HTML5 pages (#6975) - Fix unread count after purge on a folder that is not currently selected (#7051) - Fix bug where Enter key didn't work on messages list in "List" layout (#7052) - Fix bug where deleting a saved search in addressbook caused display issue on sources/groups list (#7061) - Fix bug where a new saved search added after removing all searches wasn't added to the list (#7061) - Fix bug where a new contact group added after removing all groups from addressbook wasn't added to the list - Fix bug where Ctype extension wasn't required in Installer and INSTALL file (#7049) - Fix so install-jsdeps.sh removes Bootstrap's sourceMappingURL (#7035) - Fix so use of Ctrl+A does not scroll the list (#7020) - Fix/remove useless keyup event handler on username input in logon form (#6970) - Fix bug where cancelling switching from HTML to plain text didn't set the flag properly (#7077) - Fix bug where HTML reply could add an empty line with extra indentation above the original message (#7088) - Fix matching multiple X-Forwarded-For addresses with 'proxy_whitelist' (#7107) - Fix so displayed maximum attachment size depends also on 'max_message_size' (#7105) - Fix bug where 'skins_allowed' option didn't enforce user skin preference (#7080) - Fix so contact's organization field accepts up to 128 characters (it was 50) - Fix bug where listing tables in PostgreSQL database with db_prefix didn't work (#7093) - Fix bug where 'text' attribute on body tag was ignored when displaying HTML message (#7109) - Fix bug where next message wasn't displayed after delete in List mode (#7096) - Fix so number of contacts in a group is not limited to 200 when redirecting to mail composer from Contacts (#6972) - Fix malformed characters in HTML message with charset meta tag not in head (#7116) RELEASE 1.4.1 ------------- - Elastic: Change HTML editor widget to improve form flow (#6992) - Elastic: Fix position of mobile floating action button (#7038) - Managesieve: Fix locked UI after opening filter frame (#7007) - Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given in sendmail.inc (#7003) - Fix bug where cache keys could exceed length limit specified in db schema (#7004) - Fix invalid Signature button state after escaping Mailvelope mode (#7015) - Fix so 401 error is returned only on failed logon requests (#7010) - Fix db_prefix handling in queries with `TRUNCATE TABLE ` and `UNIQUE ` (#7013) - Fix so update.sh script warns about changed defaults (#7011) - Fix tables listing routine when DSN contained a database with unsupported suffix (#7034) - Fix so Elastic is also a default in jqueryui plugin (#7039) - Fix bug where the Installer would not warn about required schema upgrade (#7042) RELEASE 1.4.0 ------------- - Elastic: Resizeable columns (#6929) - Elastic: Fix position and style of auto-complete dropdown on small screens (#6951) - Elastic: Fix initial focus on recipients input in mail compose screen - Elastic: Fix inserting responses at cursor position (#6971) - Elastic: Fix unread filter icon and search state on folder change (#6978) - Elastic: Fix regression where Encrypt button wasn't displayed in mail compose toolbar (#6982) - Elastic: Fix regression where recipient input didn't update internal input state (#6988) - Enigma: Fix bug where signing option was set to disabled after saving a draft in Elastic skin (#6515) - Redis: Improve error handling and phpredis 5.X support (#6888) - Archive: Fix bug where next email was not displayed after Archive button use (#6965) - Archive: Fix missing Archive icon in folder selector popup in Elastic - Fix bug where cache keys were not case-sensitive on MySQL/MSSQL (#6942) - Fix so an error is logged when encryption fails (#6948) - Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980) - Fix and document skin_logo setup (#6981) RELEASE 1.4-rc2 --------------- - Update to jQuery 3.4.1 - Clarified 'address_book_type' option behavior (#6680) - Added cookie mismatch detection, display an error message informing the user to clear cookies - Renamed 'log_session' option to 'session_debug' - Removed 'delete_always' option (#6782) - Don't log full session identifiers in userlogins log (#6625) - Support $HasAttachment/$HasNoAttachment keywords (#6201) - Support PECL memcached extension as a session and cache storage driver (experimental) - Switch to IDNA2008 variant (#6806) - installto.sh: Add possibility to run the update even on the up-to-date installation (#6533) - Plugin API: Add 'render_folder_selector' hook - Added 'keyservers' option to define list of HKP servers for Enigma/Mailvelope (#6326) - Added flag to disable server certificate validation via Mysql DSN argument (#6848) - Select all records on the current list page with CTRL + A (#6813) - Use Left/Right Arrow keys to faster move over threaded messages list (#6399) - Changes in `display_next` setting (#6795): - Move it to Preferences > User Interface > Main Options - Make it apply to Contacts interface too - Make it apply only if deleting/moving a previewed message/contact - Redis: Support connection to unix socket - Put charset meta specification before a title tag, add page title automatically (#6811) - Elastic: Various internal refactorings - Elastic: Add Prev/Next buttons on message page toolbar (#6648) - Elastic: Close search options on Enter key press in quick-search input (#6660) - Elastic: Changed some icons (#6852) - Elastic: Changed read/unread icons (#6636) - Elastic: Changed "Move to..." icon (#6637) - Elastic: Add hide/show for advanced preferences (#6632) - Elastic: Add default icon on Settings/Preferences lists for external plugins (#6814) - Elastic: Add indicator for popover menu items that open a submenu (#6868) - Elastic: Move compose attachments/options to the right side (#6839) - Elastic: Add border/background to attachments list widget (#6842) - Elastic: Add "Show unread messages" button to the search bar (#6587) - Elastic: Fix bug where toolbar disappears on attachment menu use in Chrome (#6677) - Elastic: Fix folders list scrolling on touch devices (#6706) - Elastic: Fix non-working pretty selects in Chrome browser (#6705) - Elastic: Fix issue with absolute positioned mail content (#6739) - Elastic: Fix bug where some menu actions could cause a browser popup warning - Elastic: Fix handling mailto: URL parameters in contact menu (#6751) - Elastic: Fix keyboard navigation in some menus, e.g. the contact menu - Elastic: Fix visual issue with long buttons in .boxwarning (#6797) - Elastic: Fix handling new-line in text pasted to a recipient input - Elastic: Fix so search is not reset when returning from the message preview page (#6847) - Larry: Fix regression where menu actions didn't work with keyboard (#6740) - ACL: Display user/group names (from ldap) instead of acl identifier - Password: Added ldap_exop driver (#4992) - Password: Added support for SSHA512 password algorithm (#6805) - Managesieve: Fix bug where global includes were requested for vacation (#6716) - Managesieve: Use RFC-compliant line endings, CRLF instead of LF (#6686) - Managesieve: Fix so "Create filter" option does not show up when Filters menu is disabled (#6723) - Enigma: For verified signatures, display the user id associated with the sender address (#5958) - Enigma: Fix bug where revoked users/keys were not greyed out in key info - Enigma: Fix error message when trying to encrypt with a revoked key (#6607) - Enigma: Fix "decryption oracle" bug [CVE-2019-10740] (#6638) - Enigma: Fix bug where signature verification could have been skipped for some message structures (#6838) - Fix language selection for spellchecker in html mode (#6915) - Fix css styles leak from replied/forwarded message to the rest of the composed text (#6831) - Fix invalid path to "add contact" icon when using assets_path setting - Fix invalid path to blocked.gif when using assets_path setting (#6752) - Fix so advanced search dialog is not automatically displayed on searchonly addressbooks (#6679) - Fix so an error is logged when more than one attachment plugin has been enabled, initialize the first one (#6735) - Fix bug where flag change could have been passed to a preview frame when not expected - Fix bug in HTML parser that could cause missing text fragments when there was no head/body tag (#6713) - Fix bug where HTML messages with a xml:namespace tag were not rendered (#6697) - Fix TinyMCE download location (#6694) - Fix so "Open in new window" consistently displays "external window" interface (#6659) - Fix bug where next row wasn't selected after deleting a collapsed thread (#6655) - Fix bug where external content (e.g. mail body) was passed to templates parsing code (#6640) - Fix bug where attachment preview didn't work with x_frame_options=deny (#6688) - Fix so bin/install-jsdeps.sh returns error code on error (#6704) - Fix bug where bmp images couldn't be displayed on some systems (#6728) - Fix bug in parsing vCard data using PHP 7.3 due to an invalid regexp (#6744) - Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (6758) - Fix bug in rcube_utils::parse_hosts() where %t, %d, %z could return only tld (#6746) - Fix bug where Next/Prev button in mail view didn't work with multi-folder search result (#6793) - Fix bug where selection of columns on messages list wasn't working - Fix bug in converting multi-page Tiff images to Jpeg (#6824) - Fix bug where handling multiple messages from multi-folder search result could not work (#6845) - Fix bug where unread count wasn't updated after moving multi-folder result (#6846) - Fix wrong messages order after returning to a multi-folder search result (#6836) - Fix some PHP 7.4 compat. issues (#6884, #6866) - Fix bug where it was possible to bypass the position:fixed CSS check in received messages (#6898) - Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899) - Fix bug where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897) - Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896) RELEASE 1.4-rc1 --------------- - Changed 'password_charset' default to 'UTF-8' (#6522) - Add skins_allowed option (#6483) - SMTP GSSAPI support via krb_authentication plugin (#6417) - Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385) - Removed 'referer_check' option (#6440) - Use constant prefix for temp file names, don't remove temp files from other apps (#6511) - Ignore 'Sender' header on Reply-All action (#6506) - deluser.sh: Add option to delete users who have not logged in for more than X days (#6340) - HTML5 Upload Progress - as a replacement for the old server-side solution (#6177) - Update to TinyMCE 4.8.2 - Update to jQuery-MiniColors 2.3.4 - Prevent from using deprecated timezone names from jsTimezoneDetect - Force session.gc_probability=1 when using custom session handlers (#6560) - Support simple field labels (e.g. LetterHub examples) in csv imports (#6541) - Add cache busters also to images used by templates (#6610) - Plugin API: Added 'raise_error' hook (#6199) - Plugin API: Added 'common_headers' hook (#6385) - Plugin API: Added 'ldap_connected' hook - Enigma: Update to OpenPGPjs 4.2.1 - fixes user name encoding issues in key generation (#6524) - Enigma: Fixed multi-host synchronization of private and deleted keys and pubring.kbx file - Managesieve: Added support for 'editheader' extension - RFC5293 (#5954) - Managesieve: Fix bug where custom header or variable could be lost on form submission (#6594) - Markasjunk: Integrate markasjunk2 features into markasjunk - marking as non-junk + learning engine (#6504) - Password: Added 'modoboa' driver (#6361) - Password: Fix bug where password_dovecotpw_with_method setting could be ignored (#6436) - Password: Fix bug where new users could skip forced password change (#6434) - Password: Allow drivers to override default password comparisons (eg new is not same as current) (#6473) - Password: Allow drivers to override default strength checks (eg allow for 'not the same as last x passwords') (#246) - Passowrd: Allow drivers to define password strength rules displayed to the user - Password: Allow separate password saving and strength drivers for use of strength checking services (#5040) - Password: Add zxcvbn driver for checking password strength (#6479) - Password: Disallow control characters in passwords - Password: Add support for Plesk >= 17.8 (#6526) - Elastic: Improved datepicker displayed always in parent window - Elastic: On touch devices display attachment icons on messages list (#6296) - Elastic: Make menu button inactive if all subactions are inactive (#6444) - Elastic: On mobile/tablet jump to the list on folder selection (#6415) - Elastic: Various improvements on mail compose screen (#6413) - Elastic: Support new-line char as a separator for pasted recipients (#6460) - Elastic: Improved UX of search dialogs (#6416) - Elastic: Fix unwanted thread expanding when selecting a collapsed thread in non-mobile mode (#6445) - Elastic: Fix too small height of mailvelope mail preview frame (#6600) - Elastic: Add "status bar" for mobile in mail composer - Elastic: Add selection options on contacts list (#6595) - Elastic: Fix unintentional layout preference overwrite (#6613) - Elastic: Fix bug where Enigma options in mail compose could sometimes be ignored (#6515) - Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433) - Fix regression where drafts were not deleted after sending the message (#6756) - Fix so max_message_size limit is checked also when forwarding messages as attachments (#6580) - Fix so performance stats are logged to the main console log also when per_user_logging=true - Fix malformed message saved into Sent folder when using big attachments and low memory limit (#6498) - Fix incorrect IMAP SASL GSSAPI negotiation (#6308) - Fix so unicode in local part of the email address is also supported in recipient inputs (#6490) - Fix bug where autocomplete list could be displayed out of screen (#6469) - Fix style/navigation on error page depending on authentication state (#6362) - Fix so invalid smtp_helo_host is never used, fallback to localhost (#6408) - Fix custom logo size in Elastic (#6424) - Fix listing the same attachment multiple times on forwarded messages - Fix bug where a message/rfc822 part without a filename wasn't listed on the attachments list (#6494) - Fix inconsistent offset for various time zones - always display Standard Time offset (#6531) - Fix dummy Message-Id when resuming a draft without Message-Id header (#6548) - Fix handling of empty entries in vCard import (#6564) - Fix bug in parsing some IMAP command responses that include unsolicited replies (#6577) - Fix PHP 7.2 compatibility in debug_logger plugin (#6586) - Fix so ANY record is not used for email domain validation, use A, MX, CNAME, AAAA instead (#6581) - Fix so mime_content_type check in Installer uses files that should always be available (i.e. from program/resources) (#6599) - Fix missing CSRF token on a link to download too-big message part (#6621) - Fix bug when aborting dragging with ESC key didn't stop the move action (#6623) RELEASE 1.4-beta ---------------- - Added new skin with mobile support - the Elastic - Support Redis cache - Email Resent (Bounce) feature (#4985) - Improved Mailvelope integration - Added private key listing and generating to identity settings - Enable encrypt & sign option if Mailvelope supports it - Allow contacts without an email address (#5079) - Support SMTPUTF8 and relax email address validation to support unicode in local part (#5120) - Support for IMAP folders that cannot contain both folders and messages (#5057) - Update to jQuery-3.3.1 - Update to jQuery-minicolors 2.2.6 - Update to TinyMCE 4.7.13 - Remove sample PHP configuration from .htaccess and .user.ini files (#5850) - Extend skin_logo setting to allow per skin logos (#6272) - Use Masterminds/HTML5 parser for better HTML5 support (#5761) - Add More actions button in Contacts toolbar with Copy/Move actions (#6081) - Display an error when clicking disabled link to register protocol handler (#6079) - Add option trusted_host_patterns (#6009, #5752) - Support additional connect parameters in PostgreSQL database wrapper - Use UI dialogs instead of confirm() and alert() where possible - Display value of the SMTP message size limit in the error message (#6032) - Show message flagged status in message view (#5080) - Skip redundant INSERT query on successful logon when using PHP7 - Replace display_version with display_product_version (#5904) - Extend disabled_actions config so it accepts also button names (#5903) - Handle remote stylesheets the same as remote images, ask the user to allow them (#5994) - Add Message-ID to the sendmail log (#5871) - Add option to hide folders in share/other-user namespace or outside of the personal namespace root (#5073) - Archive: Fix archiving by sender address on cyrus-imap - Archive: Style Archive folder also on folder selector and folder manager lists - Archive: Add Thunderbird compatible Month option (#5623) - Archive: Create archive folder automatically if it's configured, but does not exist (#6076) - Enigma: Add button to send mail unencrypted if no key was found (#5913) - Enigma: Add options to set PGP cipher/digest algorithms (#5645) - Enigma: Multi-host support - Managesieve: Add ability to disable filter sets and other actions (#5496, #5898) - Managesieve: Add option managesieve_forward to enable settings dialog for simple forwarding (#6021) - Managesieve: Support filter action with custom IMAP flags (#6011) - Managesieve: Support 'mime' extension tests - RFC5703 (#5832) - Managesieve: Support GSSAPI authentication with krb_authentication plugin (#5779) - Managesieve: Support enabling the plugin for specified hosts only (#6292) - Password: Support host variables in password_db_dsn option (#5955) - Password: Automatic virtualmin domain setting, removed password_virtualmin_format option (#5759) - Password: Added password_username_format option (#5766) - subscriptions_option: show \\Noselect folders greyed out (#5621) - zipdownload: Added option to define size limit for multiple messages download (#5696) - vcard_attachments: Add possibility to send contact vCard from Contacts toolbar (#6080) - Changed defaults for smtp_user (%u), smtp_pass (%p) and smtp_port (587) - Composer: Fix certificate validation errors by using packagist only (#5148) - Add --get and --extract arguments and CACHEDIR env-variable support to install-jsdeps.sh (#5882) - Support _filter and _scope as GET arguments for opening mail UI (#5825) - Various improvements for templating engine and skin behaviours - Support conditional include - Support for 'link' objects - Support including files with path relative to templates directory - Use