Software-update: Squirrelmail 1.4.17

Squirrelmail is een in php geschreven programma om webbased e-mail mogelijk te maken. Het wordt door verschillende isp's gebruikt om webmail functionaliteiten aan te bieden. Het programma heeft ondersteuning voor de imap- en smtp-protocollen en alle schermen worden in html 4.0 opgebouwd, zonder dat hiervoor javascript nodig is. De ontwikkelaars hebben versie 1.4.17 de deur uit gedaan met de volgende aankondiging en lijst met veranderingen sinds de vorige vermelding in de Meuktracker:

SquirrelMail 1.4.17 Released

The SquirrelMail team is happy to announce the release of version 1.4.17. The most notable change is a security fix that prevents certain specially-crafted hyperlinks within messages from executing cross-site scripting attacks. For other details, see the ReleaseNotes file included in this release. We advise all users of SquirrelMail software to upgrade.

Version 1.4.17:

• Allow control over white space wrapping of auto-generated SquirrelMail option widgets.
• Fix matching of alternate identities when replying.
• Fix HTTPS detection under Windows IIS that was incorrectly setting cookies to be transmitted only over a secure connections when none existed (#2318118).

Version 1.4.16:

• Added support for Latvian.
• Add submit button type option widget
• Allow address book lookups by fields other than nickname/alias
• Include hooks in databased-based preference backend that have long been in the file-based preference backend
• Removed the Address Take (abook_take) plugin; please see the Add Address (third party) plugin.
• Allow a different server address for the POP server to be configured when using POP before SMTP.
• Update the left_main_after_each_folder hook to work on the trash folder as well as all other folders.
• Fix HTML validity issue with IE conditional construct (#1985916).
• Backported sqsetcookie() from 1.5.2, so cookies won't be transmitted under non-SSL connections if the session is started under an SSL (https) connection (CVE-2008-3663). Also limits cookies to HTTPOnly, a feature of IE and Firefox to counter cross site scripting attacks.

Version 1.4.15:

• Fix saving of Read Receipts to Sent folder.
• Converted Romanian (ro_RO) to UTF-8.
• Converted Slovak (sk_SK) to UTF-8.
• Converted Swedish (sv_SE) to UTF-8.
• Added support for Macedonian.
• Don't allow invalid plugin names in conf.pl --install-plugin.
• Fix warning in Printer Friendly due to missing include (#1849101).
• Let configtest.php use optional PEAR dynamic extension loading, patch by Walter Huijbers (#1833123).
• Fix for IMAP servers that were having problems saving sent messages.
• Fix broken <style> tag parsing for some HTML messages, thanks Roalt Zijlstra.
• Re-added support for Vietnamese.
• Fixed broken MDN functionality (send read confirmation).
• Converted Norwegian (nb_NO) to UTF-8.
• Converted traditional Chinese (zh_TW) to UTF-8.
• Avoid deprecation notices on get_magic_quotes_* functions.
• Improved Message-ID generation code.
• Added edit list, checkbox, radio group, multiple-select folderlist and multiple-select string list option widget types, as well as support for the "trailing_text" widget attribute.
• Boolean option widgets are henceforth presented as checkboxes.
• Tidied up fortune plugin to be inline with specifications for plugins.
• Enhanced address book page: added 'Compose to' button, put labels around address entries tied to checkboxes, improved column spacing, added hook for plugins that can filter address book listings. Complements RisuMail team (risumail.jp).

Version 1.4.14 - Skipped; version number abused by spammers.

Version 1.4.13:

• Include compatibility plugin files if available.
• Some IMAP servers send nil for an empty email body (See RFC2180, section 4.1.3 on empty strings).
• New release to clear up any confusion with respect to compromised 1.4.11 and 1.4.12 packages [CVE-2007-6348].

Version 1.4.12:

• Enabled user selection of address format when adding from address book during message composition.
• Fixed issue with adding attachments in PHP 4.x environments (#1805471).
• Backport size setting on "newmail" popup window.
• Added a "short_open_tag" configuration test.
• Undefined notice in error message box when no default folder prefix is set.
• Undefined index error when downloading. Possibly caused by using tabs and opening multiple mailboxes.
• PAGE_NAME might not be defined in all plugins, which might cause a "not defined" error on session timeouts.
• Fixed outgoing messages to allow addresses such as "0@..." or "000@...", etc. (#1818398).
• Fixed issue with in-reply-to and reference headers not being retained on reply (#1810659).
• Revived logout_error hook (#1800015).
• Allow custom session handlers to work correctly (and be defined at the application level with SquirrelMail).
• Fix off-by-one in bodystructure parsing triggered by servers sending a body location part (e.g. Sun Java System Messaging Server). Thanks John Callahan (#1808382).
• Invalid initialization of To: header (#1772893).
• Includes cleanup in include/validate.php.
• Cleanup in multiple files to remove unneeded includes.
• Added sort by size (#812233 and #159997, plus multiple list requests). Patch provided by Christopher E. Brown.
• Fix bug in sitewide SMTP settings still using authenticated user, rather than configured settings (#1835942).
• Fixed mailto: functionality.
• Added mailto: link handling when viewing messages.
• Handle PHP's insistence on setting the value to 'deleted' for destroyed sessions (#1829098).

Version 1.4.11:

• Minimum PHP requirement raised from 4.0.6 to 4.1.0. SquirrelMail has been broken for a while with 4.0.x without anyone noticing, this move merely reflects reality.
• Fix broken set_url_var function in functions/html.php (#1729814).
• Fix config.pl not detecting auth support correctly (#1727033).
• Fix display of X-Priority in message view.
• Work around mailers sending broken Date headers with no space after the first comma.
• Let POP3 class properly cope with lines starting with a '.'.
• Some HTML validation cleanups.
• Invalid year in sent_subfolders plugin (#1607380).
• Always treat Content-Type case-insensitively (#1732092).
• Fix typo: html/plain should be text/html.
• Fix en/decode header swith in MDN (#1694687).
• Fix compatibility with Windows path in administrator plugin (#1740469).
• Fix disabling password encryption in mail_fetch (#1738001).
• Fix busy loop and notice when two literals in IMAP fetch (#1739433).
• Backported code for site wide SMTP authentication (#1531889).
• Fixed issue with compose session not being cleaned after message is saved or sent.
• Added ability to detect HTTP_X_FORWARDED_PROTO in get_location(), thanks to Daniel Watts
• Fix test for signout.php in the logged in check in is_logged_in() so it cannot be circumvented by manipulating the URL. External plugins might rely on this function guaranteeing that the user is logged in.
• Use attachment_dir only at the point where we're actually reading from / writing to the files, do not carry it around in the object. This makes us safer in the event the object is somehow exposed to the outside world.
• Better support mailboxes named 'None' (#1598890).
• Sort readdir() output in conf.pl (#1755886).
• Fix message cache in printer friendly, thanks Tomas Kuliavas.
• Made the webmail_top hook work again for plugins that want to change the URI of the "right" frame; plugins have to change the value of the global variable $right_frame_url
• Fix issue in darkness theme with extra closing bracket.
• No longer store all message composition sessions in the PHP session, since it was not made use of and in rare cases, made sessions too big.
• Composition restoration functionality now correctly restores attachments.
• Added smtp_auth hook.
• Change default Selection List Style to Indented.
• Added "preselected" query argument to mailbox list.
• Added mailbox_display_buttons hook.
• Removed "Include CCs when Forwarding Messages", which had no functionality whatsoever.
• Make the Message Details plugin actually show the correct entity when viewing details of attached messages.
• Add PAGE_NAME constant to all src/ pages for use in detecting what page has been requested by the client.