SquirrelMail 1.4.17 Released
The SquirrelMail team is happy to announce the release of version 1.4.17. The most notable change is a security fix that prevents certain specially-crafted hyperlinks within messages from executing cross-site scripting attacks. For other details, see the ReleaseNotes file included in this release. We advise all users of SquirrelMail software to upgrade.
- Allow control over white space wrapping of auto-generated SquirrelMail option widgets.
- Fix matching of alternate identities when replying.
- Fix HTTPS detection under Windows IIS that was incorrectly setting cookies to be transmitted only over a secure connection when none existed (#2318118).
- Added support for Latvian.
- Add submit button type option widget.
- Allow address book lookups by fields other than nickname/alias.
- Include hooks in database-based preference backend that have long been in the file-based preference backend.
- Removed the Address Take (abook_take) plugin; please see the Add Address (third party) plugin.
- Allow a different server address for the POP server to be configured when using POP before SMTP.
- Update the left_main_after_each_folder hook to work on the trash folder as well as all other folders.
- Fix HTML validity issue with IE conditional construct (#1985916).
- Backported sqsetcookie() from 1.5.2, so cookies won't be transmitted under non-SSL connections if the session is started under an SSL (https) connection (CVE-2008-3663). Also limits cookies to HTTPOnly, a feature of IE and Firefox to counter cross site scripting attacks.
Version 1.4.14 - Skipped; version number abused by spammers.
- Fix saving of Read Receipts to Sent folder.
- Converted Romanian (ro_RO) to UTF-8.
- Converted Slovak (sk_SK) to UTF-8.
- Converted Swedish (sv_SE) to UTF-8.
- Added support for Macedonian.
- Don't allow invalid plugin names in conf.pl --install-plugin.
- Fix warning in Printer Friendly due to missing include (#1849101).
- Let configtest.php use optional PEAR dynamic extension loading, patch by Walter Huijbers (#1833123).
- Fix for IMAP servers that were having problems saving sent messages.
- Fix broken <style> tag parsing for some HTML messages, thanks Roalt Zijlstra.
- Re-added support for Vietnamese.
- Fixed broken MDN functionality (send read confirmation).
- Converted Norwegian (nb_NO) to UTF-8.
- Converted traditional Chinese (zh_TW) to UTF-8.
- Avoid deprecation notices on get_magic_quotes_* functions.
- Improved Message-ID generation code.
- Added edit list, checkbox, radio group, multiple-select folderlist and multiple-select string list option widget types, as well as support for the "trailing_text" widget attribute.
- Boolean option widgets are henceforth presented as checkboxes.
- Tidied up fortune plugin to be in line with specifications for plugins.
- Enhanced address book page: added 'Compose to' button, put labels around address entries tied to checkboxes, improved column spacing, added hook for plugins that can filter address book listings. Compliments of the RisuMail team (risumail.jp).
- Include compatibility plugin files if available.
- Some IMAP servers send nil for an empty email body (See RFC2180, section 4.1.3 on empty strings).
- New release to clear up any confusion with respect to compromised 1.4.11 and 1.4.12 packages [CVE-2007-6348].
- Enabled user selection of address format when adding from address book during message composition.
- Fixed issue with adding attachments in PHP 4.x environments (#1805471).
- Backport size setting on "newmail" popup window.
- Added a "short_open_tag" configuration test.
- Undefined notice in error message box when no default folder prefix is set.
- Undefined index error when downloading. Possibly caused by using tabs and opening multiple mailboxes.
- PAGE_NAME might not be defined in all plugins, which might cause a "not defined" error on session timeouts.
- Fixed outgoing messages to allow addresses such as "0@..." or "000@...", etc. (#1818398).
- Fixed issue with in-reply-to and reference headers not being retained on reply (#1810659).
- Revived logout_error hook (#1800015).
- Allow custom session handlers to work correctly (and be defined at the application level with SquirrelMail).
- Fix off-by-one in bodystructure parsing triggered by servers sending a body location part (e.g. Sun Java System Messaging Server). Thanks John Callahan (#1808382).
- Invalid initialization of To: header (#1772893).
- Includes cleanup in include/validate.php.
- Cleanup in multiple files to remove unneeded includes.
- Added sort by size (#812233 and #159997, plus multiple list requests). Patch provided by Christopher E. Brown.
- Fix bug in sitewide SMTP settings still using authenticated user, rather than configured settings (#1835942).
- Fixed mailto: functionality.
- Added mailto: link handling when viewing messages.
- Handle PHP's insistence on setting the value to 'deleted' for destroyed sessions (#1829098).
- Minimum PHP requirement raised from 4.0.6 to 4.1.0. SquirrelMail has been broken for a while with 4.0.x without anyone noticing; this move merely reflects reality.
- Fix broken set_url_var function in functions/html.php (#1729814).
- Fix config.pl not detecting auth support correctly (#1727033).
- Fix display of X-Priority in message view.
- Work around mailers sending broken Date headers with no space after the first comma.
- Let POP3 class properly cope with lines starting with a '.'.
- Some HTML validation cleanups.
- Invalid year in sent_subfolders plugin (#1607380).
- Always treat Content-Type case-insensitively (#1732092).
- Fix typo: html/plain should be text/html.
- Fix en/decode header switch in MDN (#1694687).
- Fix compatibility with Windows path in administrator plugin (#1740469).
- Fix disabling password encryption in mail_fetch (#1738001).
- Fix busy loop and notice when two literals in IMAP fetch (#1739433).
- Backported code for site wide SMTP authentication (#1531889).
- Fixed issue with compose session not being cleaned after message is saved or sent.
- Added ability to detect HTTP_X_FORWARDED_PROTO in get_location(), thanks to Daniel Watts.
- Fix test for signout.php in the logged in check in is_logged_in() so it cannot be circumvented by manipulating the URL. External plugins might rely on this function guaranteeing that the user is logged in.
- Use attachment_dir only at the point where we're actually reading from / writing to the files, do not carry it around in the object. This makes us safer in the event the object is somehow exposed to the outside world.
- Better support mailboxes named 'None' (#1598890).
- Sort readdir() output in conf.pl (#1755886).
- Fix message cache in printer friendly, thanks Tomas Kuliavas.
- Made the webmail_top hook work again for plugins that want to change the URI of the "right" frame; plugins have to change the value of the global variable $right_frame_url.
- Fix issue in darkness theme with extra closing bracket.
- No longer store all message composition sessions in the PHP session, since this was not used and, in rare cases, made sessions too big.
- Composition restoration functionality now correctly restores attachments.
- Added smtp_auth hook.
- Change default Selection List Style to Indented.
- Added "preselected" query argument to mailbox list.
- Added mailbox_display_buttons hook.
- Removed "Include CCs when Forwarding Messages", which had no functionality whatsoever.
- Make the Message Details plugin actually show the correct entity when viewing details of attached messages.
- Add PAGE_NAME constant to all src/ pages for use in detecting what page has been requested by the client.