Merge pull request #75 from YetiForceCompany/developer

upgrade Roundcube Webmail 1.5.0
YetiForceCompany · Nov 15, 2021 · 47f92fd · 47f92fd
2 parents a58818d + 05af2b2
commit 47f92fd
Show file tree

Hide file tree

Showing 1,702 changed files with 129,129 additions and 41,367 deletions.
diff --git a/.htaccess b/.htaccess
@@ -12,13 +12,20 @@ RewriteRule ^(?!installer|\.well-known\/|[a-zA-Z0-9]{16})(\.?[^\.]+)$ - [F]
 # - deny access to some locations
 RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|vendor|program\/(include|lib|localization|steps)) - [F]
 # - deny access to some documentation files
-RewriteRule /?(README.*|meta\.json|composer\..*|jsdeps.json)$ - [F]
+RewriteRule /?(README.*|CHANGELOG.*|SECURITY.*|meta\.json|composer\..*|jsdeps.json)$ - [F]
 </IfModule>
 
 <IfModule mod_deflate.c>
 SetOutputFilter DEFLATE
 </IfModule>
 
+# prefer to brotli over gzip if brotli is available
+<IfModule mod_brotli.c>
+SetOutputFilter BROTLI_COMPRESS
+# some assets have been compressed, so no need to do it again
+SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|web[pm]|woff2?)$ no-brotli
+</IfModule>
+
 <IfModule mod_expires.c>
 ExpiresActive On
 ExpiresDefault "access plus 1 month"
@@ -34,8 +41,8 @@ Options -Indexes
 # Disable page indexing
 Header set X-Robots-Tag "noindex, nofollow"
 
-# replace 'append' with 'merge' for Apache version 2.2.9 and later
-#Header append Cache-Control public env=!NO_CACHE
+# replace 'merge' with 'append' for Apache < 2.2.9
+#Header merge Cache-Control public env=!NO_CACHE
 
 # Optional security headers
 # Only provides increased security if the browser supports those features
@@ -61,9 +68,4 @@ Header set X-Robots-Tag "noindex, nofollow"
 # It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.
 #Header set X-Content-Type-Options: "nosniff"
 
-# CSP - Content Security Policy
-# for better privacy/security ask browsers to not set the Referer
-# more flags for script, stylesheets and images available, read RFC for more information
-# Note: "Referrer-Policy: same-origin" is already set by php code.
-#Header set Content-Security-Policy "referrer no-referrer"
 </IfModule>
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/INSTALL b/INSTALL
@@ -11,23 +11,14 @@ REQUIREMENTS
 
 * An IMAP, HTTP and SMTP server
 * .htaccess support allowing overrides for DirectoryIndex
-* PHP Version 5.4 or greater including:
-   - PCRE, DOM, JSON, Session, Sockets, OpenSSL, Mbstring, Filter, Ctype (required)
+* PHP Version 5.5 or greater including:
+   - PCRE, DOM, JSON, Session, Sockets, OpenSSL, Mbstring, Filter, Ctype, Intl (required)
    - PHP PDO with driver for either MySQL, PostgreSQL, SQL Server, Oracle or SQLite (required)
-   - Iconv, Zip, Fileinfo, Intl, Exif (recommended)
+   - Iconv, Zip, Fileinfo, Exif (recommended)
    - LDAP for LDAP addressbook support (optional)
    - GD, Imagick (optional thumbnails generation, QR-code)
-* PEAR and PEAR packages distributed with Roundcube or external:
-   - Mail_Mime 1.10.0 or newer
-   - Net_SMTP 1.8.1 or newer
-   - Net_Socket 1.0.12 or newer
-   - Net_IDNA2 0.1.1 or newer
-   - Auth_SASL 1.0.6 or newer
-   - Net_Sieve 1.4.3 or newer (for managesieve plugin)
-   - Crypt_GPG 1.6.3 or newer (for enigma plugin)
-   - Endroid/QrCode 1.6.0 or newer (https://github.com/endroid/QrCode)
-   - Kolab/Net_LDAP3 1.0.6 or newer (for LDAP addressbook)
-   - Masterminds/HTML5 2.5.x (optional HTML parser)
+* PEAR and PEAR packages distributed with Roundcube or external.
+  See composer.json-dist for the list of required packages.
 * php.ini options:
    - error_reporting E_ALL & ~E_NOTICE & ~E_STRICT
    - memory_limit > 16MB
@@ -37,7 +28,7 @@ REQUIREMENTS
    - mbstring.func_overload disabled
    - pcre.backtrack_limit >= 100000
 * A MySQL, PostgreSQL, MS SQL Server (2005 or newer), Oracle database
-  or SQLite support in PHP - with permission to create tables
+  or SQLite v3 support in PHP - with permission to create tables
 * Composer installed either locally or globally (https://getcomposer.org)
 
 
@@ -69,11 +60,11 @@ INSTALLATION
    IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
    ------------------------------------------
 8. If you use git sources compile css files for the Elastic skin (required
-   lessc >= 1.5.0):
+   lessc >= 2.5.2):
    $ cd skins/elastic
-   $ lessc -x styles/styles.less > styles/styles.css
-   $ lessc -x styles/print.less > styles/print.css
-   $ lessc -x styles/embed.less > styles/embed.css
+   $ lessc --clean-css="--s1 --advanced" styles/styles.less > styles/styles.min.css
+   $ lessc --clean-css="--s1 --advanced" styles/print.less > styles/print.min.css
+   $ lessc --clean-css="--s1 --advanced" styles/embed.less > styles/embed.min.css
 9. Check Known Issues section of this file
 
 
@@ -120,10 +111,15 @@ Note 1: 'password' is the master password for the roundcube user. It is strongly
 recommended you replace this with a more secure password. Please keep in
 mind: You need to specify this password later in 'config/db.inc.php'.
 
+Note 2: When using MySQL < 5.7.7 or MariaDB < 10.2.2 it is required to configure
+the database engine with:
+    innodb_large_prefix=true
+    innodb_file_format=Barracuda
+
 
 * SQLite
 --------
-Versions of sqlite database engine older than 3 aren't supported.
+Versions of sqlite database engine older than 3.0 aren't supported.
 Database file and structure is created automatically by Roundcube.
 Make sure your configuration points to some file location and that the
 webserver can write to the file and the directory containing the file.
@@ -212,7 +208,7 @@ please refer to the instructions in UPGRADING guide.
 OPTIMISING
 ==========
 
-There are two forms of optimisation here, compression and caching, both aimed
+There are two forms of optimization here, compression and caching, both aimed
 at increasing an end user's experience using Roundcube Webmail. Compression
 allows the static web pages to be delivered with less bandwidth. The index.php
 of Roundcube Webmail already enables compression on its output. The settings
@@ -247,17 +243,12 @@ To enable these features in apache the following modules need to be enabled:
  * mod_expires
  * mod_headers
 
-The optimisation is already included in the .htaccess file in the top 
+The optimization is already included in the .htaccess file in the top 
 directory of your installation.
 
-If you are using Apache version 2.2.9 and later, in the .htaccess file
-change the 'append' word to 'merge' for a more correct response. Keeping
-as 'append' shouldn't cause any problems though changing to merge will 
-eliminate the possibility of duplicate 'public' headers in Cache-control.
-
 Lighttpd:
 ---------
-With Lightty the addition of Expire: tags by mod_expire is incompatible with
+With Lighttpd the addition of Expire: tags by mod_expire is incompatible with
 the addition of "Cache-control: public". Using Cache-control 'public' is 
 used below as it is assumed to give a better caching result.
 

diff --git a/README.md b/README.md
@@ -2,8 +2,7 @@ Roundcube Webmail
 =================
 [roundcube.net](https://roundcube.net)
 
-[![Build Status](https://api.travis-ci.org/roundcube/roundcubemail.svg?branch=master)](https://travis-ci.org/roundcube/roundcubemail)
-
+[![Tests Status](https://github.com/roundcube/roundcubemail/actions/workflows/tests.yml/badge.svg?branch=master)](https://github.com/roundcube/roundcubemail/actions/workflows/tests.yml)
 
 INTRODUCTION
 ------------
@@ -30,13 +29,13 @@ described in the UPGRADING file.
 
 BROWSER SUPPORT
 ---------------
-Roundcube uses jQuery 3.x for its client and therefore inherits the browser
-support from there. This currently includes:
+Roundcube uses jQuery 3.x (and other libs) for its client and therefore
+inherits the browser support from there. This currently includes:
 
 - Chrome: (Current - 1) and Current
 - Edge: (Current - 1) and Current
 - Firefox: (Current - 1) and Current, ESR
-- Internet Explorer: 9+ (11+ for the Elastic skin)
+- Internet Explorer: 11+
 - Safari: (Current - 1) and Current
 - Opera: Current
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+Check our website's [download page](https://roundcube.net/download/) to see which versions are still supported and will receive security updates.
+
+## Reporting a Vulnerability
+
+If you found a security issue or vulnerability of the software, please report with direct and encrypted email to *thomas[at]roundcube.net*
+and *alec[at]alec.pl*. You can find the according PGP public keys on the major public keyservers like [pgp.key-server.io](https://pgp.key-server.io).
+
+Your report should include clear steps for reproduction and a classification of the found vulnerability.
+
+## Publishing and Credits
+
+We're dedicated to analyze and fix the reported issues as fast a possible. Usually within days we'll have an update ready.
+Together with the reporter we plan the releasing and the disclosure of the found and fixed vulnerability.
+Credits to the reporter are granted and can be included in all public communication if desired.
diff --git a/UPGRADING b/UPGRADING
@@ -23,6 +23,9 @@ removed again.
 WARNING: Make sure files have proper owner/group for your setup. If you use
          tar to extract the package, `--no-same-owner` option might be helpful.
 WARNING: See Post-Upgrade Activities section below.
+WARNING: If you use MySQL < 5.7.7 or MariaDB < 10.2.2 make sure to configure it with:
+            innodb_large_prefix=true
+            innodb_file_format=Barracuda
 
 
 Updating manually
@@ -56,11 +59,11 @@ it on a unix system, you need to do the following operations by hand:
 4c. If you use git sources or the release package without dependencies
    update javascript dependencies by executing `bin/install-jsdeps.sh` script.
 4d. If you use git sources compile css files for the Elastic skin (required
-   lessc >= 1.5.0):
+   lessc >= 2.5.2):
    $ cd skins/elastic
-   $ lessc -x styles/styles.less > styles/styles.css
-   $ lessc -x styles/print.less > styles/print.css
-   $ lessc -x styles/embed.less > styles/embed.css
+   $ lessc --clean-css="--s1 --advanced" styles/styles.less > styles/styles.min.css
+   $ lessc --clean-css="--s1 --advanced" styles/print.less > styles/print.min.css
+   $ lessc --clean-css="--s1 --advanced" styles/embed.less > styles/embed.min.css
 5. Run `./bin/update.sh` from the commandline OR
    open http://url-to-roundcube/installer/ in a browser and choose "3 Test config".
    To enable the latter one, you have to temporary set 'enable_installer'
@@ -83,10 +86,20 @@ Post-Upgrade Activities
    in configured temp_dir are removed. Since this version we use constant filename
    prefix and do not remove files not starting with "RCMTEMP".
 
+
 SQLite database upgrade
 -----------------------
+
 Versions older than 0.9 were supporting SQLite v2 only. Newer versions require
 database in v3 format. The best what you can do is to convert database file
 to the new format using command line tools:
 
 sqlite OLD.DB .dump | sqlite3 NEW.DB
+
+
+Other tools
+-----------
+In case you need to only update the database schema you can use updatedb.sh script.
+For example, to update the Roundcube core database run:
+
+  ./bin/updatedb.sh --package=roundcube --dir=SQL
diff --git a/composer.json b/composer.json
@@ -1,31 +1,32 @@
 {
     "name": "roundcube/roundcubemail",
     "description": "The Roundcube Webmail suite",
-    "license": "GPL-3.0+",
+    "license": "GPL-3.0-or-later",
     "repositories": [
         {
             "type": "composer",
             "url": "https://plugins.roundcube.net"
         }
     ],
     "require": {
-        "php": ">=5.4.0",
+        "php": ">=5.5.0",
         "pear/pear-core-minimal": "~1.10.1",
         "pear/auth_sasl": "~1.1.0",
-        "pear/net_idna2": "~0.2.0",
         "pear/mail_mime": "~1.10.0",
-        "pear/net_smtp": "~1.8.1",
+        "pear/net_smtp": "~1.10.0",
         "pear/crypt_gpg": "~1.6.3",
-        "pear/net_sieve": "~1.4.3",
-        "roundcube/plugin-installer": "~0.2.0",
-        "masterminds/html5": "~2.5.0",
+        "pear/net_sieve": "~1.4.5",
+        "roundcube/plugin-installer": "~0.3.0",
+        "roundcube/rtf-html-php": "~2.1",
+        "masterminds/html5": "~2.7.0",
         "endroid/qr-code": "~1.6.5",
+        "guzzlehttp/guzzle": "^6.5.5",
         "kolab/net_ldap3": "~1.1.1"
     },
     "require-dev": {
-        "phpunit/phpunit": "^4.8.36 || ^5.7.21"
+        "phpunit/phpunit": "^4.8.36 || ^5.7.21 || ^6 || ^7"
     },
     "suggest": {
-        "mkopinsky/zxcvbn-php": "^4.4.2 required for Zxcvbn password strength driver"
+        "bjeavons/zxcvbn-php": "^1.0 required for Zxcvbn password strength driver"
     }
 }
diff --git a/composer.json-dist b/composer.json-dist
@@ -1,31 +1,32 @@
 {
     "name": "roundcube/roundcubemail",
     "description": "The Roundcube Webmail suite",
-    "license": "GPL-3.0+",
+    "license": "GPL-3.0-or-later",
     "repositories": [
         {
             "type": "composer",
             "url": "https://plugins.roundcube.net"
         }
     ],
     "require": {
-        "php": ">=5.4.0",
+        "php": ">=5.5.0",
         "pear/pear-core-minimal": "~1.10.1",
         "pear/auth_sasl": "~1.1.0",
-        "pear/net_idna2": "~0.2.0",
         "pear/mail_mime": "~1.10.0",
-        "pear/net_smtp": "~1.8.1",
+        "pear/net_smtp": "~1.10.0",
         "pear/crypt_gpg": "~1.6.3",
-        "pear/net_sieve": "~1.4.3",
-        "roundcube/plugin-installer": "~0.2.0",
-        "masterminds/html5": "~2.5.0",
-        "endroid/qr-code": "~1.6.5"
+        "pear/net_sieve": "~1.4.5",
+        "roundcube/plugin-installer": "~0.3.0",
+        "roundcube/rtf-html-php": "~2.1",
+        "masterminds/html5": "~2.7.0",
+        "endroid/qr-code": "~1.6.5",
+        "guzzlehttp/guzzle": "^6.5.5"
     },
     "require-dev": {
-        "phpunit/phpunit": "^4.8.36 || ^5.7.21"
+        "phpunit/phpunit": "^4.8.36 || ^5.7.21 || ^6 || ^7"
     },
     "suggest": {
         "kolab/net_ldap3": "~1.1.1 required for connecting to LDAP",
-        "mkopinsky/zxcvbn-php": "^4.4.2 required for Zxcvbn password strength driver"
+        "bjeavons/zxcvbn-php": "^1.0 required for Zxcvbn password strength driver"
     }
 }