The SquirrelMail Project Team is proud to announce the release of SquirrelMail 1.4.7. This version is a maintenance release, addressing the following problems since 1.4.6:
- Minor security fixes
- A lot of bugfixes
- Added support for Ukrainian
This release addresses two different security issues found since the release of 1.4.6. We consider both to be of minor severity, but they have of course been fixed:
- It was possible to include a local file through functions/plugin.php when register_globals was enabled and magic_quotes was disabled. However, running with register_globals enabled is completely unnecessary and a well-known security hazard. We've now changed the code such that when register_globals is enabled, all request-derived globals are deregistered. Reported by Denix Solutions, thanks!
- It was possible for another site running on the same base domain to steal a user's cookie. Since such a setup is already inherently insecure we don't think the impact is big, but the code was of course fixed to also scope the cookie to the SquirrelMail path.
- Fixed the options page always displaying a preference's initial_value instead of the user's saved value.
- Enabled Ukrainian translation after updates by Serhij Dubyk.
- Fixed from address in case of MDN receipts (patch from Dimitar Pashev).
- Corrected a variable typo that caused "Bogus sequence in FETCH" errors (#1460338).
- Trim the References header in a smart way to avoid "header too long" errors from SMTP servers in really long threads (#1167754, #1465342).
- Undo extra sanitizing in decodeHeader() function (#1460638).
- Added workaround for broken OpenBSD 3.8+ setlocale() function (#1427512).
- Fixed session lockups on large attachment downloads.
- Fixed bug_report plugin connections to mapped and secured IMAP servers.
- Fixed possibility to use single quote in provider name (#1475744).
- Improved error handling for the help pages.
- Added new color themes by Jeremy Landes, Tammi Maggard and Lucas Austin-Howe (#1378332), (#1377567), (#1377529), (#1377528), (#1377527), (#1377526), (#1377525), (#1393188).
- Removed invalid $sendmail_path check in configuration utility.
- Backported calendar plugin updates from devel branch.
- Fixed display of multiline events (#1291081) and sanitizing of quotes (#705796).
- Fixed possible calendar corruption when events contain special formatting characters.
- Moved html sanitizing from backend functions to display code.
- Removed direct access to $_GET and $_POST variables and simplified form variable processing.
- Fixed some mailbox caching issues when messages are deleted or moved from a page other than the first mailbox page. Fixed use of the mailbox cache in right_main.php (#1304408).
- Stop URL parsing if 8-bit characters or HTML entities are detected (#1356798).
- Improve recovery when EHLO not supported on legacy SMTP servers (#1031455).
- Don't move messages when target mailbox matches source mailbox (#1409453).
- Sanitized IMAP folder names in error_message() function and filters plugin.
- Take the X-Forwarded-Host HTTP header into consideration when constructing base_uri for redirects; reduces problems with transparent proxies (#1488590).
- Don't use a trailing delimiter when sqimap_mailbox_create() subscribes to a newly created mailbox.
- Fixed an undefined variable in src/right_main.php.
- Added a note to conf.pl / config_default.php warning users who store sensitive passwords in that file to secure it properly.
- Prevent modification of advanced identities when identity editing is disabled.
- Fix incorrect parsing of From with nested parentheses (#1241506).
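The two security fixes described at the top of this announcement, shown as an added PHP example that is not SquirrelMail's own code: a function that removes request-derived globals when register_globals is on, and a function that scopes a cookie to the application's path. The function names, the `$base_uri` argument and the sample cookie values are assumptions.

```php
<?php
// Added example, not SquirrelMail's code. Function names are assumed.

// Fix 1: neutralise register_globals. With that setting on, every request
// parameter becomes a PHP global, so a script variable such as an include
// path can be pre-set by the client. Dropping request-derived globals
// before any other code runs removes that influence.
function deregister_globals()
{
    if (!ini_get('register_globals')) {
        return; // setting is off, or this PHP version no longer has it
    }
    // Request-derived sources that PHP would have turned into globals.
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV);
    // Never unset the superglobal containers themselves.
    $keep = array('GLOBALS' => 1, '_GET' => 1, '_POST' => 1, '_COOKIE' => 1,
                  '_FILES' => 1, '_SERVER' => 1, '_ENV' => 1, '_REQUEST' => 1,
                  '_SESSION' => 1);
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (!isset($keep[$name]) && array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
            }
        }
    }
}

// Fix 2: scope the cookie to the application's path instead of the whole
// host, so another site on the same base domain is not sent it.
// $base_uri is assumed to be the path the application is served from,
// e.g. "/squirrelmail/".
function set_scoped_cookie($name, $value, $base_uri)
{
    // Normalise to a single leading slash and a trailing slash.
    $path = '/' . trim($base_uri, '/');
    if ($path !== '/') {
        $path .= '/';
    }
    // expire = 0 keeps it a session cookie; path limits which requests carry it.
    return setcookie($name, $value, 0, $path);
}

// Usage with constructed values; must run before any output is sent.
deregister_globals();
set_scoped_cookie('app_session', 'constructed-session-id',
                  dirname($_SERVER['SCRIPT_NAME']));
```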
The SquirrelMail Project Team