We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Changes of Revision 51
roundcubemail-1.1-collated.patch
Added
@@ -0,0 +1,1091 @@
+diff -ur roundcubemail-1.1.orig/config/defaults.inc.php roundcubemail-1.1/config/defaults.inc.php
+--- roundcubemail-1.1.orig/config/defaults.inc.php 2014-11-04 15:28:27.000000000 +0100
++++ roundcubemail-1.1/config/defaults.inc.php 2014-11-05 12:46:36.186520550 +0100
+@@ -430,7 +430,7 @@
+ // Password charset.
+ // Use it if your authentication backend doesn't support UTF-8.
+ // Defaults to ISO-8859-1 for backward compatibility
+-$config['password_charset'] = 'ISO-8859-1';
++$config['password_charset'] = 'UTF-8';
+
+ // How many seconds must pass between emails sent by a user
+ $config['sendmail_delay'] = 0;
+@@ -532,6 +532,23 @@
+ // Note: useful when SMTP server stores sent mail in user mailbox
+ $config['no_save_sent_messages'] = false;
+
++// Improve system security by using special URL with security token.
++// This can be set to a number defining token length. Default: 16.
++// Warning: This requires http server configuration. Sample:
++// RewriteRule ^/roundcubemail/[a-f0-9]{16}/(.*) /roundcubemail/$1 [PT]
++// Alias /roundcubemail /var/www/roundcubemail/
++// Note: Use assets_path to not prevent the browser from caching assets
++$config['use_secure_urls'] = true;
++
++// Allows to define separate server/path for image/js/css files
++// Warning: If the domain is different cross-domain access to some
++// resources need to be allowed
++// Sample:
++// <FilesMatch ".(eot|ttf|woff)">
++// Header set Access-Control-Allow-Origin "*"
++// </FilesMatch>
++$config['assets_path'] = '/roundcubemail/assets/';
++
+ // ----------------------------------
+ // PLUGINS
+ // ----------------------------------
+@@ -625,7 +642,7 @@
+ // Since Google shut down their public spell checking service, the default settings
+ // connect to http://spell.roundcube.net which is a hosted service provided by Roundcube.
+ // You can connect to any other googie-compliant service by setting 'spellcheck_uri' accordingly.
+-$config['spellcheck_engine'] = 'googie';
++$config['spellcheck_engine'] = 'pspell';
+
+ // For locally installed Nox Spell Server or After the Deadline services,
+ // please specify the URI to call it.
+@@ -1008,7 +1025,7 @@
+ $config['display_next'] = true;
+
+ // Default messages listing mode. One of 'threads' or 'list'.
+-$config['default_list_mode'] = 'list';
++$config['default_list_mode'] = 'threads';
+
+ // 0 - Do not expand threads
+ // 1 - Expand all threads automatically
+Only in roundcubemail-1.1/config: defaults.inc.php.orig
+diff -ur roundcubemail-1.1.orig/.htaccess roundcubemail-1.1/.htaccess
+--- roundcubemail-1.1.orig/.htaccess 2014-11-04 15:28:27.000000000 +0100
++++ roundcubemail-1.1/.htaccess 2014-11-05 12:46:36.166520529 +0100
+@@ -30,7 +30,7 @@
+ # security rules:
+ # - deny access to files not containing a dot or starting with a dot
+ # in all locations except installer directory
+-RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
++RewriteRule ^(?!installer|[a-f0-9]{16})(\.?[^\.]+)$ - [F]
+ # - deny access to some locations
+ RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+ # - deny access to some documentation files
+diff -ur roundcubemail-1.1.orig/index.php roundcubemail-1.1/index.php
+--- roundcubemail-1.1.orig/index.php 2014-11-04 15:28:27.000000000 +0100
++++ roundcubemail-1.1/index.php 2014-11-05 12:46:36.167520530 +0100
+@@ -90,9 +90,9 @@
+
+ // try to log in
+ if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
+- $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(rcube_utils::INPUT_POST, 'login');
++ $request_valid = $_SESSION['temp'] && $RCMAIL->check_request();
+
+- // purge the session in case of new login when a session already exists
++ // purge the session in case of new login when a session already exists
+ $RCMAIL->kill_session();
+
+ $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
+@@ -140,7 +140,7 @@
+ unset($redir['abort'], $redir['_err']);
+
+ // send redirect
+- $OUTPUT->redirect($redir);
++ $OUTPUT->redirect($redir, 0, true);
+ }
+ else {
+ if (!$auth['valid']) {
+@@ -171,10 +171,10 @@
+ }
+ }
+
+-// end session (after optional referer check)
+-else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])
+- && (!$RCMAIL->config->get('referer_check') || rcube_utils::check_referer())
+-) {
++// end session
++else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
++ $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);
++
+ $userdata = array(
+ 'user' => $_SESSION['username'],
+ 'host' => $_SESSION['storage_host'],
+@@ -234,32 +234,9 @@
+
+ $OUTPUT->send($plugin['task']);
+ }
+-// CSRF prevention
+ else {
+- // don't check for valid request tokens in these actions
+- $request_check_whitelist = array('login'=>1, 'spell'=>1, 'spell_html'=>1);
+-
+- if (!$request_check_whitelist[$RCMAIL->action]) {
+- // check client X-header to verify request origin
+- if ($OUTPUT->ajax_call) {
+- if (rcube_utils::request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
+- header('HTTP/1.1 403 Forbidden');
+- die("Invalid Request");
+- }
+- }
+- // check request token in POST form submissions
+- else if (!empty($_POST) && !$RCMAIL->check_request()) {
+- $OUTPUT->show_message('invalidrequest', 'error');
+- $OUTPUT->send($RCMAIL->task);
+- }
+-
+- // check referer if configured
+- if ($RCMAIL->config->get('referer_check') && !rcube_utils::check_referer()) {
+- raise_error(array(
+- 'code' => 403, 'type' => 'php',
+- 'message' => "Referer check failed"), true, true);
+- }
+- }
++ // CSRF prevention
++ $RCMAIL->request_security_check();
+
+ // check access to disabled actions
+ $disabled_actions = (array) $RCMAIL->config->get('disabled_actions');
+diff -ur roundcubemail-1.1.orig/plugins/acl/acl.js roundcubemail-1.1/plugins/acl/acl.js
+--- roundcubemail-1.1.orig/plugins/acl/acl.js 2014-11-04 15:28:27.000000000 +0100
++++ roundcubemail-1.1/plugins/acl/acl.js 2014-11-05 12:46:36.168520531 +0100
+@@ -58,8 +58,11 @@
+ var users = this.acl_get_usernames();
+
+ if (users && users.length && confirm(this.get_label('acl.deleteconfirm'))) {
+- this.http_request('settings/plugin.acl', '_act=delete&_user='+urlencode(users.join(','))
+- + '&_mbox='+urlencode(this.env.mailbox),
++ this.http_post('settings/plugin.acl', {
++ _act: 'delete',
++ _user: users.join(','),
++ _mbox: this.env.mailbox
++ },
+ this.set_busy(true, 'acl.deleting'));
+ }
+ }
+@@ -67,7 +70,7 @@
+ // Save ACL data
+ rcube_webmail.prototype.acl_save = function()
+ {
+- var user = $('#acluser', this.acl_form).val(), rights = '', type;
++ var data, type, rights = '', user = $('#acluser', this.acl_form).val();
+
+ $((this.env.acl_advanced ? '#advancedrights :checkbox' : '#simplerights :checkbox'), this.acl_form).map(function() {
+ if (this.checked)
+@@ -88,12 +91,18 @@
+ return;
+ }
+
+- this.http_request('settings/plugin.acl', '_act=save'
+- + '&_user='+urlencode(user)
+- + '&_acl=' +rights
+- + '&_mbox='+urlencode(this.env.mailbox)
+- + (this.acl_id ? '&_old='+this.acl_id : ''),
+- this.set_busy(true, 'acl.saving'));
++ data = {
++ _act: 'save',
++ _user: user,
++ _acl: rights,
++ _mbox: this.env.mailbox
++ }
++
++ if (this.acl_id) {
++ data._old = this.acl_id;
++ }
++
++ this.http_post('settings/plugin.acl', data, this.set_busy(true, 'acl.saving'));
+ }
+
+ // Cancel/Hide form
+diff -ur roundcubemail-1.1.orig/plugins/acl/acl.php roundcubemail-1.1/plugins/acl/acl.php
+--- roundcubemail-1.1.orig/plugins/acl/acl.php 2014-11-04 15:28:27.000000000 +0100
++++ roundcubemail-1.1/plugins/acl/acl.php 2014-11-05 12:46:36.169520532 +0100
+@@ -454,10 +454,10 @@
+ */
+ private function action_save()
+ {
debian.changelog
Changed
@@ -1,3 +1,9 @@
+roundcubemail (1:1.1~dev20141105-0~kolab1) unstable; urgency=low
+
+ * New GIT snapshot (2883fcba2bf3fcff286a70c3629016a0c53a6803)
+
+ -- Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> Wed, 5 Oct 2014 07:14:39 +0200
+
 roundcubemail (1:1.1~dev20141012-0~kolab1) unstable; urgency=low
 
 * New GIT snapshot
debian.series
Changed
@@ -1,3 +1,1 @@
-ticket-466-changes.patch -p1
-default-configuration.patch -p1
-roundcubemail-1.1-csrf.patch -p1
+roundcubemail-1.1-collated.patch -p1
roundcubemail.dsc
Changed
@@ -2,7 +2,7 @@
 Source: roundcubemail
 Binary: roundcubemail
 Architecture: all
-Version: 1:1.1~dev20141012-0~kolab1
+Version: 1:1.1~dev20141105-0~kolab1
 Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
 Uploaders: Vincent Bernat <bernat@debian.org>, Romain Beauxis <toots@rastageeks.org>, Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>, Paul Klos <kolab@klos2day.nl>
 Homepage: http://www.roundcube.net/