Merge branch 'master' of https://github.com/roundcube/roundcubemail

* 'master' of https://github.com/roundcube/roundcubemail: (46 commits)
  Plugin API: Call message_part_structure hook for sub-parts of multipart/alternative message (roundcube#5678)
  Enigma: Set micalg parameter to real hash algorithm used for signing
  Skip iconv for problematic ISO-2022-JP strings  (roundcube#5668)
  Lock phpunit to version 5.7.x
  Fix/rephrase "unsaved changes" warning when cancelling a draft (roundcube#5610)
  Use stable release of Crypt_GPG 1.6
  small fix for current group detection and add similar rules for group-delete
  Managesieve: Fix parser issue with empty lines between comments (roundcube#5657)
  Minimize unwanted message loading in preview frame on drag (roundcube#5616)
  Small code simplification
  Fix bug where it was too easy accidentally move a folder when using the subscription checkbox (roundcube#5655)
  also fix source in group create function
  check group id matches current one before changing the title
  Add rewrite rule to disable access to /vendor/bin folder in .htaccess (roundcube#5630)
  Fix update of group name in the contacts list header on group rename (roundcube#5648)
  don't use env for group-rename action
  Add note about PinEntry issues with SELinux (roundcube#5620)
  Enigma: Fix handling of messages with nested PGP encrypted parts (roundcube#5634)
  Bring back lists buttons in TinyMCE toolbar
  Fix double http request regression (roundcube#5633)
  ...

.htaccess

@@ -30,8 +30,10 @@ RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
 RewriteRule ^(?!installer|\.well-known\/|[a-zA-Z0-9]{16})(\.?[^\.]+)$ - [F]
 # - deny access to some locations
 RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+# - deny access to composer binaries
+RewriteRule ^/vendor\/bin\/.* - [F]
 # - deny access to some documentation files
-RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$ - [F]
+RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml|jsdeps.json|Dockerfile)$ - [F]
 </IfModule>
 
 <IfModule mod_deflate.c>

CHANGELOG

@@ -1,8 +1,25 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Plugin API: Call message_part_structure hook for sub-parts of multipart/alternative message (#5678)
+- Enigma: Always use detached signatures (#5624)
+- Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
+- Minimize unwanted message loading in preview frame on drag (#5616)
+- Fix autocomplete popup closing with click outside the input, don't handle Tab key as Enter (#5606)
+- Fix jsdeps.json synchronization on update, warn about missing requirements of install-jsdeps.sh (#5598)
+- Fix missing thread expand icon on search result in widescreen mode (#5613)
 - Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
 - Fix bug where external content in src attribute of input/video tags was not secured (#5583)
+- Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
+- Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
+- Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
+- Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
+- Fix regression where groups with email address were resolved to its members' addresses
+- Fix update of group name in the contacts list header on group rename (#5648)
+- Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
+- Fix bug where it was too easy accidentally move a folder when using the subscription checkbox (#5655)
+- Managesieve: Fix parser issue with empty lines between comments (#5657)
+- Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610)
 
 RELEASE 1.3-beta
 ----------------

UPGRADING

@@ -41,15 +41,18 @@ it on a unix system, you need to do the following operations by hand:
    ./skins/
    ./plugins/
    ./vendor/
+4. Update dependencies:
 4a. If you previously installed plugins through composer, update dependencies
-   by running `php composer.phar update --no-dev`
+   by running `php composer.phar update --no-dev`.
 4b. Install/update dependencies using composer:
    - get composer from https://getcomposer.org/download/
    - rename the composer.json-dist file into composer.json
    - if you want to use LDAP address books, enable the LDAP libraries in your
      composer.json file by moving the items from "suggest" to the "require"
      section (remove the explanation texts after the version!).
-   - run `php composer.phar install --no-dev`
+   - run `php composer.phar install --no-dev`.
+4c. If you use git sources or the release package without dependencies
+   update javascript dependencies by executing `bin/install-jsdeps.sh` script.
 5. Run `./bin/update.sh` from the commandline OR
    open http://url-to-roundcube/installer/ in a browser and choose "3 Test config".
    To enable the latter one, you have to temporary set 'enable_installer'

bin/install-jsdeps.sh

@@ -34,6 +34,16 @@ $WGET = trim(`which wget`);
 $UNZIP = trim(`which unzip`);
 $FILEINFO = trim(`which file`);
 
+if (empty($UNZIP)) {
+  die("ERROR: Required program 'unzip' not found\n");
+}
+if (empty($FILEINFO)) {
+  die("ERROR: Required program 'file' not found\n");
+}
+if (empty($CURL) && empty($WGET)) {
+  die("ERROR: Required program 'wget' or 'curl' not found\n");
+}
+
 $CACHEDIR = sys_get_temp_dir();
 
 if (is_writeable(INSTALL_PATH . 'temp/js_cache') || mkdir(INSTALL_PATH . 'temp/js_cache', 0774, true)) {

bin/installto.sh

@@ -61,7 +61,7 @@ if (strtolower($input) == 'y') {
       rcube::raise_error("Failed to execute command: $command", false, true);
     }
   }
-  foreach (array('index.php','.htaccess','config/defaults.inc.php','composer.json-dist','CHANGELOG','README.md','UPGRADING','LICENSE','INSTALL') as $file) {
+  foreach (array('index.php','.htaccess','config/defaults.inc.php','composer.json-dist','jsdeps.json','CHANGELOG','README.md','UPGRADING','LICENSE','INSTALL') as $file) {
     $command = "rsync -a --out-format \"%n\" " . INSTALL_PATH . "$file $target_dir/$file";
     if (file_exists(INSTALL_PATH . $file) && (!system($command, $ret) || $ret > 0)) {
       rcube::raise_error("Failed to execute command: $command", false, true);

composer.json-dist

@@ -29,12 +29,12 @@
         "pear-pear.php.net/net_idna2": "~0.1.1",
         "pear-pear.php.net/mail_mime": "~1.10.0",
         "pear-pear.php.net/net_smtp": "~1.7.1",
-        "pear-pear.php.net/crypt_gpg": "~1.6.0@beta",
+        "pear-pear.php.net/crypt_gpg": "~1.6.0",
         "roundcube/net_sieve": "~1.5.0",
         "endroid/qrcode": "~1.6.5"
     },
     "require-dev": {
-        "phpunit/phpunit": "*"
+        "phpunit/phpunit": "~5.7.15"
     },
     "suggest": {
         "pear-pear.php.net/net_ldap2": "~2.2.0 required for connecting to LDAP address books",

config/config.inc.php.sample

@@ -27,7 +27,7 @@ $config = array();
 //       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
 $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
 
-// The mail host chosen to perform the log-in.
+// The IMAP host chosen to perform the log-in.
 // Leave blank to show a textbox at login, give a list of hosts
 // to display a pulldown menu or set one host as string.
 // To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
@@ -40,7 +40,8 @@ $config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';
 $config['default_host'] = 'localhost';
 
 // SMTP server host (for sending mails).
-// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
+// Enter hostname with prefix tls:// to use STARTTLS, or use
+// prefix ssl:// to use the deprecated SSL over SMTP (aka SMTPS)
 // Supported replacement variables:
 // %h - user's IMAP hostname
 // %n - hostname ($_SERVER['SERVER_NAME'])

config/defaults.inc.php

@@ -120,7 +120,7 @@
 // IMAP
 // ----------------------------------
 
-// The mail host chosen to perform the log-in.
+// The IMAP host chosen to perform the log-in.
 // Leave blank to show a textbox at login, give a list of hosts
 // to display a pulldown menu or set one host as string.
 // To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
@@ -239,7 +239,8 @@
 // ----------------------------------
 
 // SMTP server host (for sending mails).
-// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
+// Enter hostname with prefix tls:// to use STARTTLS, or use
+// prefix ssl:// to use the deprecated SSL over SMTP (aka SMTPS)
 // Supported replacement variables:
 // %h - user's IMAP hostname
 // %n - hostname ($_SERVER['SERVER_NAME'])

installer/config.php

@@ -673,8 +673,7 @@
 
 <?php
 $plugins = $RCI->list_plugins();
-foreach($plugins as $p) 
-{
+foreach ($plugins as $p) {
     $p_check = new html_checkbox(array('name' => '_plugins_'.$p['name'], 'id' => 'cfgplugin_'.$p['name'], 'value' => $p['name']));
     echo '<dt class="propname"><label>';
     echo $p_check->show($p['enabled'] ? $p['name'] : 0);

plugins/debug_logger/debug_logger.php

@@ -74,7 +74,7 @@ function init()
 
         $log_config = rcmail::get_instance()->config->get('debug_logger',array());
 
-        foreach($log_config as $type=>$file){
+        foreach ($log_config as $type => $file){
             $this->runlog->set_file(rcmail::get_instance()->config->get('log_dir').'/'.$file, $type);
         }
 

plugins/debug_logger/runlog/runlog.php

@@ -68,7 +68,7 @@ public function end()
         $this->indent--;
         if ($this->run_log[$lastk]['duration'] >= $this->threshold) {
             $tag_report = "";
-            foreach($this->tag_count as $tag => $count){
+            foreach ($this->tag_count as $tag => $count){
                 $tag_report .= "$tag: $count, ";
             }
             if (!empty($tag_report)) {

plugins/enigma/README

@@ -59,6 +59,7 @@ Possible reasons:
 - non-working loader in shebang (#! /usr/bin/env php)
   Make sure it works for the user the php scripts are executed upon
   (i.e. apache, www-date, etc.)
+- SELinux setting, try command: setsebool -P httpd_unified 0
 
 Note: pinentry is used with gpg >= 2.0 and <= 2.1.12.
 Note: for server use GnuPG developers still recommend version 1.4.

plugins/enigma/enigma.js

@@ -292,10 +292,10 @@ rcube_webmail.prototype.enigma_keylist_keypress = function(list)
 // load key frame
 rcube_webmail.prototype.enigma_loadframe = function(url)
 {
-    var frm, win;
+    var win;
 
-    if (this.env.contentframe && window.frames && (frm = window.frames[this.env.contentframe])) {
-        if (!url && (win = window.frames[this.env.contentframe])) {
+    if (win = this.get_frame_window(this.env.contentframe)) {
+        if (!url) {
             if (win.location && win.location.href.indexOf(this.env.blankpage) < 0)
                 win.location.href = this.env.blankpage;
             if (this.env.frame_lock)
@@ -304,7 +304,7 @@ rcube_webmail.prototype.enigma_loadframe = function(url)
         }
 
         this.env.frame_lock = this.set_busy(true, 'loading');
-        frm.location.href = this.env.comm_path + '&_framed=1&' + url;
+        win.location.href = this.env.comm_path + '&_framed=1' + url;
     }
 };
 

plugins/enigma/lib/enigma_driver.php

@@ -131,4 +131,12 @@ abstract function gen_key($data);
      * @return mixed True on success or enigma_error
      */
     abstract function delete_key($keyid);
+
+    /**
+     * Returns a name of the hash algorithm used for the last
+     * signing operation.
+     *
+     * @return string Hash algorithm name e.g. sha1
+     */
+    abstract function signature_algorithm();
 }

plugins/enigma/lib/enigma_driver_gnupg.php

@@ -23,6 +23,7 @@ class enigma_driver_gnupg extends enigma_driver
     protected $gpg;
     protected $homedir;
     protected $user;
+    protected $last_sig_algorithm;
 
 
     function __construct($user)
@@ -120,7 +121,13 @@ function encrypt($text, $keys, $sign_key = null)
 
             if ($sign_key) {
                 $this->gpg->addSignKey($sign_key->reference, $sign_key->password);
-                return $this->gpg->encryptAndSign($text, true);
+
+                $res     = $this->gpg->encryptAndSign($text, true);
+                $sigInfo = $this->gpg->getLastSignatureInfo();
+
+                $this->last_sig_algorithm = $sigInfo->getHashAlgorithmName();
+
+                return $res;
             }
 
             return $this->gpg->encrypt($text, true);
@@ -172,7 +179,13 @@ function sign($text, $key, $mode = null)
     {
         try {
             $this->gpg->addSignKey($key->reference, $key->password);
-            return $this->gpg->sign($text, $mode, CRYPT_GPG::ARMOR_ASCII, true);
+
+            $res     = $this->gpg->sign($text, $mode, CRYPT_GPG::ARMOR_ASCII, true);
+            $sigInfo = $this->gpg->getLastSignatureInfo();
+
+            $this->last_sig_algorithm = $sigInfo->getHashAlgorithmName();
+
+            return $res;
         }
         catch (Exception $e) {
             return $this->get_error_from_exception($e);
@@ -365,6 +378,17 @@ public function delete_key($keyid)
         return $result;
     }
 
+    /**
+     * Returns a name of the hash algorithm used for the last
+     * signing operation.
+     *
+     * @return string Hash algorithm name e.g. sha1
+     */
+    public function signature_algorithm()
+    {
+        return $this->last_sig_algorithm;
+    }
+
     /**
      * Private key deletion.
      */

plugins/enigma/lib/enigma_driver_phpssl.php

@@ -146,6 +146,16 @@ public function delete_key($keyid)
     {
     }
 
+    /**
+     * Returns a name of the hash algorithm used for the last
+     * signing operation.
+     *
+     * @return string Hash algorithm name e.g. sha1
+     */
+    public function signature_algorithm()
+    {
+    }
+
     /**
      * Converts Crypt_GPG_Key object into Enigma's key object
      *

plugins/enigma/lib/enigma_engine.php

@@ -164,11 +164,7 @@ function sign_message(&$message, $mode = null)
         case self::SIGN_MODE_MIME:
             $pgp_mode = Crypt_GPG::SIGN_MODE_DETACHED;
             break;
-/*
-        case self::SIGN_MODE_SEPARATE:
-            $pgp_mode = Crypt_GPG::SIGN_MODE_NORMAL;
-            break;
-*/
+
         default:
             if ($mime->isMultipart()) {
                 $pgp_mode = Crypt_GPG::SIGN_MODE_DETACHED;
@@ -220,7 +216,7 @@ function sign_message(&$message, $mode = null)
             $message->setParam('text_charset', $text_charset);
         }
         else {
-            $mime->addPGPSignature($body);
+            $mime->addPGPSignature($body, $this->pgp_driver->signature_algorithm());
             $message = $mime;
         }
     }
@@ -430,11 +426,6 @@ function parse_plain(&$p, $body = null)
     {
         $part = $p['structure'];
 
-        // exit, if we're already inside a decrypted message
-        if (in_array($part->mime_id, $this->encrypted_parts)) {
-            return;
-        }
-
         // Get message body from IMAP server
         if ($body === null) {
             $body = $this->get_part_body($p['object'], $part);

plugins/enigma/lib/enigma_mime_message.php

@@ -25,6 +25,7 @@ class enigma_mime_message extends Mail_mime
     protected $body;
     protected $signature;
     protected $encrypted;
+    protected $micalg;
 
 
     /**
@@ -119,10 +120,12 @@ public function getOrigBody()
      * Register signature attachment
      *
      * @param string Signature body
+     * @param string Hash algorithm name
      */
-    public function addPGPSignature($body)
+    public function addPGPSignature($body, $algorithm = null)
     {
         $this->signature = $body;
+        $this->micalg    = $algorithm;
 
         // Reset Content-Type to be overwritten with valid boundary
         unset($this->headers['Content-Type']);
@@ -157,8 +160,8 @@ public function setPGPEncryptedBody($body)
      */
     public function get($params = null, $filename = null, $skip_head = false)
     {
-        if (isset($params)) {
-            while (list($key, $value) = each($params)) {
+        if (!empty($params)) {
+            foreach ($params as $key => $value) {
                 $this->build_params[$key] = $value;
             }
         }
@@ -168,10 +171,14 @@ public function get($params = null, $filename = null, $skip_head = false)
         if ($this->type == self::PGP_SIGNED) {
             $params = array(
                 'preamble'     => "This is an OpenPGP/MIME signed message (RFC 4880 and 3156)",
-                'content_type' => "multipart/signed; micalg=pgp-sha1; protocol=\"application/pgp-signature\"",
+                'content_type' => "multipart/signed; protocol=\"application/pgp-signature\"",
                 'eol'          => $this->build_params['eol'],
             );
 
+            if ($this->micalg) {
+                $params['content_type'] .= "; micalg=pgp-" . $this->micalg;
+            }
+
             $message = new Mail_mimePart('', $params);
 
             if (!empty($this->body)) {
@@ -279,9 +286,13 @@ protected function contentHeaders()
         $this->build_params['boundary'] = $boundary;
 
         if ($this->type == self::PGP_SIGNED) {
-            $headers['Content-Type'] = "multipart/signed; micalg=pgp-sha1;$eol"
+            $headers['Content-Type'] = "multipart/signed;$eol"
                 ." protocol=\"application/pgp-signature\";$eol"
                 ." boundary=\"$boundary\"";
+
+            if ($this->micalg) {
+                $headers['Content-Type'] .= ";{$eol} micalg=pgp-" . $this->micalg;
+            }
         }
         else if ($this->type == self::PGP_ENCRYPTED) {
             $headers['Content-Type'] = "multipart/encrypted;$eol"

plugins/enigma/lib/enigma_ui.php

@@ -1079,7 +1079,7 @@ function message_ready($p)
         }
         else if (!$savedraft && $sign_enable) {
             $engine = $this->enigma->load_engine();
-            $status = $engine->sign_message($p['message']);
+            $status = $engine->sign_message($p['message'], enigma_engine::SIGN_MODE_MIME);
             $mode   = 'sign';
         }