Roundcube Webmail is a browser-based multilingual IMAP client with an application-like user interface.

Overview

Roundcube Webmail

roundcube.net

ATTENTION

This is just a snapshot from the GIT repository and is NOT A STABLE version of Roundcube. It's not recommended to replace an existing installation of Roundcube with this version. Also using a separate database for this installation is highly recommended.

INTRODUCTION

Roundcube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an email client, including MIME support, address book, folder management, message searching and spell checking. Roundcube Webmail is written in PHP and requires the MySQL, PostgreSQL or SQLite database. With its plugin API it is easily extendable and the user interface is fully customizable using skins.

The code designed to run on a webserver is mainly written in PHP and Javascript. It includes a custom framework with an IMAP library derived from IlohaMail and requires a set of external libraries (see composer.json and jsdeps.json files).

INSTALLATION

For detailed instructions on how to install Roundcube webmail on your server, please refer to the INSTALL document in the same directory as this document.

If you're updating an older version of Roundcube please follow the steps described in the UPGRADING file.

BROWSER SUPPORT

Roundcube uses jQuery 3.x (and other libs) for its client and therefore inherits the browser support from there. This currently includes:

  • Chrome: (Current - 1) and Current
  • Edge: (Current - 1) and Current
  • Firefox: (Current - 1) and Current, ESR
  • Internet Explorer: 11+
  • Safari: (Current - 1) and Current
  • Opera: Current

LICENSE

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License (with exceptions for skins & plugins) as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see www.gnu.org/licenses/.

This file forms part of the Roundcube Webmail Software for which the following exception is added: Plugins and Skins which merely make function calls to the Roundcube Webmail Software, and for that purpose include it by reference shall not be considered modifications of the software.

If you wish to use this file in another project or create a modified version that will not be part of the Roundcube Webmail Software, you may remove the exception above and use this source code under the original version of the license.

For more details about licensing and the exceptions for skins and plugins see roundcube.net/license

CONTRIBUTION

Want to help make Roundcube the best webmail solution ever? Roundcube is open source software. Our developers and contributors all are volunteers and we're always looking for new additions and resources. For more information visit roundcube.net/contribute

CONTACT

For bug reports or feature requests please refer to the tracking system at Github or subscribe to our mailing list. See roundcube.net/support for details.

You're always welcome to send a message to the project admin: hello(at)roundcube(dot)net

Comments
  • Scrolling message list obscures column headers

    Reported by willm23 on 19 Sep 2005 13:32 UTC as Trac ticket #1295420

    On the message list page, the scrollbar for the message list scrolls the entire table, including the column headers.

    Suggest that the correct behaviour would be to leave the column headers and scroll the message rows themselves?

    Keywords: jquery plugin Migrated-From: http://trac.roundcube.net/ticket/1295420

    bug C: User Interface 
    opened by rcubetrac 71
  • Attachment Excessive Memory Use Error

    Reported by JohnDoh on 12 Nov 2007 10:49 UTC as Trac ticket #1484660

    Hi,

    I know tickets have been created about this before but I can't find the exact one and many of them seem to be lost in some kind of "duplicate of" hell. I thought it was probably easier to just start a new one. I apologise if I am repeating others' information but I can't find the previous tickets.

    The amount of memory required to send an email with attachments seems to massively outweigh the size of the attachments, giving an error like:

    "Fatal error: Allowed memory size of blah bytes exhausted (tried to allocate blah bytes)"

    in the error log.

    (thrown by the quotedata() function in program/lib/Net/SMTP.php)

    Examples: required more than 64mb to send 7mb attachment or 25mb to send 5.5

    More people are now reporting this on the forum (http://roundcubeforum.net/forum/index.php?topic=1811.0)

    I know that the attachment size limits (which I think only apply to individual files, not the combined size) and the PHP memory limits can be altered but I don't think this counts as a solution when the difference in requirements is so great.

    This still occurs in SVN890

    Thanks and sorry again if I am repeating stuff but I can't track down the previous tickets which I know exist about this exact issue.

    Keywords: pear mail mime encode memory optimize Migrated-From: http://trac.roundcube.net/ticket/1484660

    enhancement C: PHP backend 
    opened by rcubetrac 61
  • OAuth/XOauth support

    Hi All, I just got this Message from Office 365:

    `Beginning October 13, 2020, we will retire Basic Authentication for EWS, EAS, IMAP, POP and RPS to access Exchange Online. Note: this change does not impact SMTP AUTH.

    There are several actions that you and/or your users can take to avoid service disruptions on client applications, and we describe them below. If no action is taken, client applications using Basic Authentication for EWS will be retired on October 13, 2020.`

    Is it possible to support Office 365 Oauth 2.0 By Default?

    enhancement C: IMAP C: SMTP 
    opened by rayflexcom 51
  • Add support for shared folders - patch

    Reported by geeojr on 12 Jan 2006 01:53 UTC as Trac ticket #1403507

    I can't see shared folders with Courier. Courier-imap makes shared folders available at the root level. Root level contains: INBOX. & shared. -- need to check for both.

    Migrated-From: http://trac.roundcube.net/ticket/1403507

    enhancement C: Core functionality 
    opened by rcubetrac 49
  • Signature above original message on reply

    Reported by HYS on 7 Mar 2007 12:01 UTC as Trac ticket #1484272

    Now the signature is placed completely below the body of the message. I'd like to have my signature under my answer and above the original message.

    Keywords: signature Migrated-From: http://trac.roundcube.net/ticket/1484272

    enhancement C: User Interface worksforme 
    opened by rcubetrac 46
  • GnuPG/PGP Support

    Reported by nobody on 28 Feb 2006 15:29 UTC as Trac ticket #1440396

    This would be a nice feature, although it could probably only be implemented on Unix/Linux boxes.
    

    Keywords: glu Migrated-From: http://trac.roundcube.net/ticket/1440396

    enhancement C: Plugins 
    opened by rcubetrac 45
  • HTML mails have wrong Content-Type

    The attached mail was written with the built-in message composer in mode HTML and stored as draft. Being a multipart mail the Content-Type "text/plain" is wrong. Also the boundary delimiter is not defined in the header.

    Roundcube-HTML-mail.txt

    bug C: Mail composing 
    opened by ghmail 43
  • Unvoluntary session hijacking

    Reported by bartd on 5 Nov 2009 11:30 UTC as Trac ticket #1486281

    Roundcube will sometimes display messages from other users' mailboxes given the fact that both users are accessing rcm from the same IP address but independent of the time in between their sessions.

    The messagelist always shows the real user's messages but the preview pane or opening the e-mail will show headers & body from another mailbox that was accessed from the same client IP address.

    I've seen cases where user B logs in 3 days after user A and somehow gets hold of his old session which is reused to retrieve the messages. It only happens with users who share the same IP address, i.e. large corporate networks using NAT.

    Using double_auth did not fix the issue. Neither did upgrading to 0.3.1. Is REMOTE_ADDR somehow used to reuse sessions?

    • PHP version: 5.3.1
    • RCM: 0.3.1
    • imapd: dovecot 1.2.5 through perdition
    • browser: problem is independent of browser, has occurred in IE7 and FF3
    • reproducible: yes and no, I haven't been able to reproduce but it happens on a daily basis with a large userbase.

    I do have a screenshot demonstrating the problem, but I shouldn't upload it where it's publicly viewable.

    Migrated-From: http://trac.roundcube.net/ticket/1486281

    bug C: Security 
    opened by rcubetrac 43
  • Referrer-Policy: "strict-origin" breaks some functionality

    Hi,

    I've recently started using the 1.5RC version of Roundcube due to Mailcow's move to PHP8. So far Roundcube has been fine, but when I click the Allow button on "To protect your privacy remote resources have been blocked.", the request URL it takes is incorrect; it's missing the base path, from the looks of it.

    URL browser requests

    https://mail.domain.com/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=5812&_mbox=INBOX&_safe=1&_action=show
    

    What I expect it to request

    https://mail.domain.com/rc/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1%2Cpgpmime%3D0&_uid=5812&_mbox=INBOX&_safe=1&_action=show
    

    Roundcube installed to https://mail.domain.com/rc/

    bug C: User Interface 
    opened by FingerlessGlov3s 42
  • Session Timeout on Compose Screen

    Reported by afladmark on 11 Aug 2006 16:09 UTC as Trac ticket #1483951

    When I sit on the compose screen for a while (on my system it's less than 15 minutes), I eventually get thrown out of RoundCube (I think during an auto-save) with an error that my session has expired or is invalid. Shouldn't the Draft auto-save be keeping my session alive?

    Migrated-From: http://trac.roundcube.net/ticket/1483951

    bug C: Client Scripts 
    opened by rcubetrac 40
  • internal error on sending mail with special chars

    Reported by fsu on 14 Jan 2009 14:19 UTC as Trac ticket #1485687

    I got an "internal error occured" error on sending mail with Scandinavian chars.

    I also made a patch to fix it. It's not an optimal solution but I got my webmail working again.

    Keywords: attachment Migrated-From: http://trac.roundcube.net/ticket/1485687

    bug C: PHP backend worksforme 
    opened by rcubetrac 39
  • Release new roundcube version to bump net_stmp version

    The problem below is fixed, but not yet released. Roundcube fixes its dependencies. So all versions built from the release tarball don't include the fix in the updated dependency net_smtp.

    Please release a new version that bump at least this dependency.

    Thank you!

    Reading RFC 4954 section 4 (https://www.rfc-editor.org/rfc/rfc4954#section-4):

    Note that the AUTH command is still subject to the line length limitations defined in [SMTP]. If use of the initial response argument would cause the AUTH command to exceed this length, the client MUST NOT use the initial response parameter (and instead proceed as defined in Section 5.1 of [SASL]).

    I assume that the command that roundcube is sending is not standard compliant. In fact in my installation the length of the auth command is 2149 characters.

    Microsoft has a sample exchange.

    This leads to problems with dovecot's submissiond, which enforces a limit (of 500 characters, maybe: I did not read the source closely).

    opened by ibotty 0
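
The length rule quoted in the issue above, as an added example that is not part of the issue and is not Net_SMTP or Roundcube code. It assumes the XOAUTH2 mechanism and the 512-octet command line limit from RFC 5321 section 4.5.3.1.4; the function names, user and tokens are constructed for illustration.

```php
<?php
// Added example, not Net_SMTP or Roundcube code.
// RFC 5321 section 4.5.3.1.4: a command line, including CRLF, is at most 512 octets.
const SMTP_MAX_COMMAND_LINE = 512;

/**
 * Base64 SASL response for XOAUTH2 (mechanism assumed for this example):
 * "user=" <user> ^A "auth=Bearer " <token> ^A ^A
 */
function xoauth2_response(string $user, string $token): string
{
    return base64_encode("user={$user}\x01auth=Bearer {$token}\x01\x01");
}

/**
 * Return the lines the client sends for AUTH.
 *  - one element:  AUTH with the initial response on the command line
 *  - two elements: bare AUTH first; the response goes out on its own line
 *                  only after the server has answered with a 334 continuation
 */
function smtp_auth_lines(string $mechanism, string $response): array
{
    $withInitial = "AUTH {$mechanism} {$response}\r\n";
    if (strlen($withInitial) <= SMTP_MAX_COMMAND_LINE) {
        return [$withInitial];
    }
    // RFC 4954 section 4: the initial response MUST NOT be used when it
    // would push the AUTH command over the command line limit.
    return ["AUTH {$mechanism}\r\n", "{$response}\r\n"];
}

// Constructed inputs: a short token and one long enough to overflow the limit.
$samples = [
    'short token' => xoauth2_response('alice@example.org', str_repeat('t', 64)),
    'long token'  => xoauth2_response('alice@example.org', str_repeat('t', 1600)),
];

foreach ($samples as $label => $response) {
    $lines = smtp_auth_lines('XOAUTH2', $response);
    printf(
        "%s: %d line(s), first line is %d octets\n",
        $label,
        count($lines),
        strlen($lines[0])
    );
}
```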
  • Prevent adding redirect to yourself in sieve

    Prevent user from adding redirect to itself. This is causing a loop in postfix if user does.

    status=bounced (mail forwarding loop for [email protected])

    need feedback 
    opened by Borgso 2
  • Managesieve: base64 encoded vacation :from field

    Hello,

    I have faced the following problem:

    When I create a vacation in roundcube and set the from field (Reply sender address) to Ratting Gábor [email protected] , the vacation e-mail that gets delivered has the from field: From: "=?UTF-8?B?UmF0dGluZyBHw6Fib3I=?=" [email protected]

    If I remove the =?UTF-8?B? part and base64 decode the remaining UmF0dGluZyBHw6Fib3I=?= I get Ratting Gábor. The problem occurs in thunderbird, webmail and gmail, in chrome and in firefox too.

    When I use only ascii characters, there is no problem. Ratting Gabor [email protected] works well, only names with accents and other special characters are encoded to base64.

    This was the commit that made able to add name part before the email address: https://github.com/roundcube/roundcubemail/pull/6763/commits/fca01abb6a0b476434aea7bc707fbdc69d47268e

    As far as I could debug the issue, the following block causes the problem, here gets the plain text base64 encoded, but only if it has special characters (like űáéúő): https://github.com/roundcube/roundcubemail/blob/a7f25ffb25a9199644761e49d21be92d7a23e3a8/plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php#L243

    Thank you for looking into it, Best regards!

    opened by rgergo67 1
  • Email content is not rendered with "oops error"

    Hi, some e-mails can't be displayed. Server shows error:

    [03-Jan-2023 09:37:01 Europe/Tallinn] PHP Fatal error:  Uncaught IntlException: filemtime(): stat failed for /usr/local/www/roundcube/plugins/jqueryui/js/i18n/datepicker-et.min.js in /usr/local/www/roundcube/program/include/rcmail_output_html.php:1068
    Stack trace:
    #0 /usr/local/www/roundcube/program/include/rcmail_output_html.php(1068): filemtime('/usr/local/www/...')
    #1 /usr/local/www/roundcube/program/include/rcmail_output_html.php(1029): rcmail_output_html->file_mod('plugins/jqueryu...')
    #2 [internal function]: rcmail_output_html->file_callback(Array)
    #3 /usr/local/www/roundcube/program/include/rcmail_output_html.php(1008): preg_replace_callback('!(src|href|back...', Array, '<!DOCTYPE html>...')
    #4 /usr/local/www/roundcube/program/include/rcmail_output_html.php(2148): rcmail_output_html->fix_paths('<!DOCTYPE html>...')
    #5 /usr/local/www/roundcube/program/include/rcmail_output_html.php(706): rcmail_output_html->_write('<!DOCTYPE html>...')
    #6 /usr/local/www/roundcube/program/include/rcmail_output_html.php(845): rcmail_output_html->write('<!DOCTYPE html>...')
    #7 /usr/local/www/roundcube/program/include/rcmail_output_html.php(654): rcmail_output_html->parse('message', false)
    #8 /usr/local/www/roundcube/program/actions/mail/show.php(164): rcmail_output_html->send('message', false)
    #9 /usr/local/www/roundcube/program/include/rcmail.php(275): rcmail_action_mail_show->run(Array)
    #10 /usr/local/www/roundcube/index.php(278): rcmail->action_handler()
    #11 {main}
    
    

    What can be wrong? Thanks.

    need feedback 
    opened by vadimkim 2
  • strip TYPE=OTHER from QR contact export

    When I view the raw data of QR codes exported by Roundcube 1.6.0, they contain lines like

    EMAIL;TYPE=INTERNET;TYPE=OTHER:[email protected]
    EMAIL;TYPE=INTERNET;TYPE=WORK:[email protected]
    TEL:TYPE=other:+123 456
    EMAIL:TYPE=INTERNET;TYPE=HOME:[email protected]
    
    • Please remove TYPE=OTHER from the QR code, this is not defined and only adds extra data.
    • Consider removing TYPE=INTERNET. vCard data exchange works perfectly well without spelling explicitly TYPE=INTERNET
    • In case TYPE=INTERNET will be kept, please combine TYPE=INTERNET;TYPE=HOME: into TYPE=INTERNET,HOME:

    As removing TYPE=OTHER reduces the transferred data over the QR image, please consider exporting to QR something else in addition, e.g. birthday of the contact

    bug C: Addressbook C: Framework 
    opened by dilyanpalauzov 3
Releases(1.6.0)
  • 1.6.0(Jul 28, 2022)

    This is the stable release of the next major version 1.6 of Roundcube webmail.

    With this milestone we cleaned up the codebase and bring full support for PHP 8.1. The most noteworthy changes, as already announced with the beta release, are:

    • PHP 8.1 support
    • Dropped support for PHP < 7.3
    • Support responses (snippets) in HTML format
    • Option to purge deleted mails older than 30, 60 or 90 days
    • Unified and simplified services connection config options
    • Removed the Classic and Larry skins from the release packages
    • SQLite: Use foreign keys, require SQLite >= 3.6.19

    See the full changelog below.

    Breaking Changes to 1.5 and prior versions

    The following config options have either been removed or renamed:

    1. IMAP:
      • renamed default_host to imap_host
      • removed default_port option (non-standard port can be set via imap_host)
      • set "localhost:143" as a default for imap_host
    2. SMTP:
      • renamed smtp_server to smtp_host
      • removed smtp_port option (non-standard port can be set via smtp_host)
      • set "localhost:587" as a default for smtp_host
    3. LDAP:
      • removed port option from ldap_public array (non-standard port can be set via host)
      • removed use_tls option from ldap_public array (use tls:// prefix in host)
    4. Managesieve:
      • removed managesieve_port option (non-standard port can be set via managesieve_host)
      • removed managesieve_usetls option (set tls:// prefix to managesieve_host)

    The skins Larry and Classic are no longer part of the release packages. If you used them in your deployment, you need to install them manually. That can easily be done via Composer:

    $ composer require roundcube/larry
    

    This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario. Download it from roundcube.net.

    With the release of Roundcube 1.6.0, the previous stable release branches 1.5.x and 1.5.x will change into LTS low maintenance mode which means they will only receive important security updates. The 1.3.x series is no longer supported and maintained.

    CHANGELOG (since 1.6-rc)

    • Fix SMTP XCLIENT extension when not using STARTTLS (#8581)
    • Fix call to undefined method rcube_ldap_generic::option_set() (#8564)
    • Fix PHP Fatal error on incompatible method declaration of rcmail_output_json::command() and rcmail_output::command() (#8579)
    • Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)
    • Fix TinyMCE configuration for handling styles of pasted content in webkit browsers (#8555)
    • Fix bug where some checkboxes could be selected unintentionally (#8565)
    • Fix css styles of the email recipient element while dragging (#8580)
    • Fix PHP 8.1 warnings in the LDAP backend code (#8572)
    • Fix various PHP 8.1 warnings (#8584)
    • Fix bug where a recipient address containing UTF-8 characters was ignored when sending an email (#8493, #8546)
    • Fix so rcmail::contact_exists() works with IDNA addresses (#8545)
    • Fix password option in storage_init hook after refreshing oauth access token (#8436)
    • Fix attachment Options popover menu after attachment delete (#8602)
    • Fix so "Found unconstructed Spoofchecker" error is not fatal (#8537)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.6.0.tar.gz(1.78 MB)
    roundcube-framework-1.6.0.tar.gz.asc(862 bytes)
    roundcubemail-1.6.0-complete.tar.gz(5.69 MB)
    roundcubemail-1.6.0-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.6.0.tar.gz(3.70 MB)
    roundcubemail-1.6.0.tar.gz.asc(862 bytes)
  • 1.5.3(Jun 26, 2022)

    This is the second service release to update the new stable version 1.5. It provides a bunch of small fixes and improvements for the PHP8 compatibility.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Enigma: Fix initial synchronization of private keys
    • Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
    • Fix various PHP8 warnings (#8392)
    • Fix mail headers injection via the subject field on mail compose (#8404)
    • Fix bug where small message/rfc822 parts could not be decoded (#8408)
    • Fix setting HTML mode on reply/forward of a signed message (#8405)
    • Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
    • Fix bug where some mail parts (images) could not be listed as attachments (#8425)
    • Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)
    • Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
    • Fix bug where session could time out if DB and PHP timezone were different (#8303)
    • Fix bug where DSN flag state wasn't stored with a draft (#8371)
    • Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
    • Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
    • Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
    • Fix support for DSN specification without host e.g. pgsql:///dbname (#8558)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.5.3.tar.gz(1.78 MB)
    roundcube-framework-1.5.3.tar.gz.asc(862 bytes)
    roundcubemail-1.5.3-complete.tar.gz(7.49 MB)
    roundcubemail-1.5.3-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.5.3.tar.gz(4.37 MB)
    roundcubemail-1.5.3.tar.gz.asc(862 bytes)
  • 1.6-rc(Jun 12, 2022)

    This is the release candidate for the next major version 1.6 of Roundcube webmail.

    It includes a small number of improvements and fixes in comparison to 1.6-beta release.

    We believe it is production ready, but we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

    CHANGELOG

    • Update to jQuery-UI 1.13.1 (#8455)
    • Added possibility to make the logo image a link via the 'skin_logo' option (#8501)
    • Use navigator.pdfViewerEnabled for PDF viewer detection
    • Remove use of unreliable charset detection (#8344)
    • Don't list images attached to multipart/related part as attachments (#7184)
    • Password: Add support for ssha256 algorithm (#8459)
    • Fix so unix:// URI is supported in various host spec. options again (#8468)
    • Fix slow loading of long HTML content into the HTML editor (#8108)
    • Fix bug where SMTP password didn't work if it contained '%p' (#8435)
    • Enigma: Fix initial synchronization of private keys
    • Enigma: Fix double quoted-printable encoding of pgp-signed messages with no attachments (#8413)
    • Fix handling of message/rfc822 parts that are small and are multipart structures with a single part (#8458)
    • Fix bug where session could time out if DB and PHP timezone were different (#8303)
    • Fix bug where DSN flag state wasn't stored with a draft (#8371)
    • Fix broken encoding of HTML content encapsulated in a RTF attachment (#8444)
    • Fix problem with aria-hidden=true on toolbar menus in the Elastic skin (#8517)
    • Fix so links (e.g. www.some.page or http://some.page) are not considered misspellings (#8527)
    • Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.6-rc.tar.gz(1.78 MB)
    roundcube-framework-1.6-rc.tar.gz.asc(862 bytes)
    roundcubemail-1.6-rc-complete.tar.gz(5.68 MB)
    roundcubemail-1.6-rc-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.6-rc.tar.gz(3.68 MB)
    roundcubemail-1.6-rc.tar.gz.asc(862 bytes)
  • 1.6-beta(Mar 6, 2022)

    This is a beta release for the next major version 1.6 of Roundcube webmail. With this milestone we cleaned up the codebase and bring full support for PHP 8.1. The most noteworthy changes are:

    • PHP 8.1 support
    • Dropped support for PHP < 7.3
    • Support responses (snippets) in HTML format
    • Option to purge deleted mails older than 30, 60 or 90 days
    • Unified and simplified services connection config options
    • Removed the Classic and Larry skins from the release packages
    • SQLite: Use foreign keys, require SQLite >= 3.6.19

    Adding support for PHP 8.1 again required some refactoring of the Roundcube codebase and removing/replacing now deprecated PHP code. We also used this cleanup effort to simplify Roundcube's config options a bit.

    Breaking Changes

    The following config options have either been removed or renamed:

    1. IMAP:
      • renamed default_host to imap_host
      • removed default_port option (non-standard port can be set via imap_host)
      • set "localhost:143" as a default for imap_host
    2. SMTP:
      • renamed smtp_server to smtp_host
      • removed smtp_port option (non-standard port can be set via smtp_host)
      • set "localhost:587" as a default for smtp_host
    3. LDAP:
      • removed port option from ldap_public array (non-standard port can be set via host)
      • removed use_tls option from ldap_public array (use tls:// prefix in host)
    4. Managesieve:
      • removed managesieve_port option (non-standard port can be set via managesieve_host)
      • removed managesieve_usetls option (tls:// prefix in managesieve_host has to be used)
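
An added sketch, not Roundcube's own update.sh or installto.sh logic, of the IMAP, SMTP and Managesieve renames listed here and in the 1.6.0 notes: it folds the removed port and TLS options into the new host options and notes any resulting host that carries no TLS prefix. The function names, sample hosts and the `ssl://` prefix check are assumptions of this example; `ldap_public` is left out.

```php
<?php
// Added example, not Roundcube's update script. Option names are the ones in
// the release notes; host names and ports are constructed sample values.

/** Fold a removed port / TLS option into a 1.6-style host spec. */
function rc16_host_spec(string $host, ?int $port, bool $useTls): string
{
    $scheme = '';
    if (preg_match('#^([a-z]+)://(.*)$#i', $host, $m)) {
        $scheme = strtolower($m[1]) . '://';
        $host   = $m[2];
    }
    if ($scheme === 'unix://') {
        return $scheme . $host;           // socket path: a port does not apply
    }
    if ($scheme === '' && $useTls) {
        $scheme = 'tls://';               // old boolean flag becomes a prefix
    }
    if ($port !== null && !preg_match('/:\d+$/', $host)) {
        $host .= ':' . $port;             // keep a port already in the spec
    }
    return $scheme . $host;
}

/** Returns [new config, list of notes for the administrator]. */
function rc16_migrate(array $old): array
{
    $new   = $old;
    $notes = [];
    // old host key, old port key, old TLS flag key (or null), new host key
    $map = [
        ['default_host', 'default_port', null, 'imap_host'],
        ['smtp_server', 'smtp_port', null, 'smtp_host'],
        ['managesieve_host', 'managesieve_port', 'managesieve_usetls', 'managesieve_host'],
    ];

    foreach ($map as [$hostKey, $portKey, $tlsKey, $newKey]) {
        $host   = $old[$hostKey] ?? null;
        $port   = isset($old[$portKey]) ? (int) $old[$portKey] : null;
        $useTls = $tlsKey !== null && !empty($old[$tlsKey]);

        if (!is_string($host) || $host === '') {
            // Empty or array-valued host options are left for manual review.
            if ($port !== null || $useTls) {
                $notes[] = "$hostKey is not a single host; fold $portKey"
                    . ($tlsKey ? "/$tlsKey" : '') . " into $newKey by hand";
            }
            continue;
        }

        unset($new[$hostKey], $new[$portKey]);
        if ($tlsKey !== null) {
            unset($new[$tlsKey]);
        }
        $new[$newKey] = rc16_host_spec($host, $port, $useTls);

        if (!preg_match('#^(ssl|tls|unix)://#', $new[$newKey])) {
            $notes[] = "$newKey has no ssl:// or tls:// prefix";
        }
    }

    return [$new, $notes];
}

// Constructed 1.5-style configuration.
$old = [
    'default_host'       => 'ssl://mail.example.org',
    'default_port'       => 993,
    'smtp_server'        => 'mail.example.org',
    'smtp_port'          => 25,
    'managesieve_host'   => 'mail.example.org',
    'managesieve_port'   => 4190,
    'managesieve_usetls' => true,
];

[$new, $notes] = rc16_migrate($old);
var_export($new);
echo "\n", implode("\n", $notes), "\n";
```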

    If you used the Larry or the Classic skin in your deployment, you need to install them manually as they are no longer part of the release packages. They can easily be installed via Composer:

    $ composer require roundcube/larry
    

    This is a beta release and we recommend to test it on a separate environment. Migrate existing configs with either the installto.sh or the update.sh scripts. And don't forget to backup your data before installing it.

    CHANGELOG

    • Unified and simplified services connection options (#8310)
    • Plugin API: Removed smtp_port parameter in smtp_connect hook
    • Plugin API: Renamed smtp_server parameter to smtp_host in smtp_connect hook
    • Plugin API: Removed port parameter in managesieve_connect hook
    • Plugin API: Removed usetls parameter in managesieve_connect hook
    • Added support for PHP 8.1 (#8151)
    • Dropped support for PHP < 7.3 (#7976)
    • Dropped support for strftime-like format (with % sign) in date and time format configuration
    • Moved the Classic and Larry skins to their own repository (#8271)
    • SQLite: Use foreign keys, require SQLite >= 3.6.19
    • Replace Endroid QrCode with BaconQrCode (#8173)
    • Support responses (snippets) in HTML format (#5315)
    • Purge also subfolders of Trash (and/or messages in them) on logout (#1037)
    • Add support for encryption with AEAD ciphers, e.g. aes-256-gcm (#7097)
    • Add option to purge deleted mails older than 30, 60 or 90 days (#5493)
    • Add ability to mark multiple messages as not deleted at once (#5133)
    • Add possibility to disable line-wrapping of sent mail body (#5101)
    • Improve/Fix wrapping of plain text messages on preview and reply (#6974, #8391, #8378, #8289)
    • Improve searching by sender/recipient headers, support Reply-To and Followup-To (#6582)
    • Add option to control links handling behavior on html to text conversion (#6485)
    • Add 'loginform_content' plugin hook (#8273, #6569)
    • SMTP: If requested use TLS also without authentication (#4590, #8111)
    • Display a generic error page on initial DB/configuration errors (#8222)
    • Display telephone numbers as tel: links (#8240)
    • Elastic: Move scrollbar settings to variables (#8352)
    • Elastic: Use thin scrollbars in both light and dark mode
    • Elastic: Make the scrollbar color lighter in dark mode (#8345)
    • Autologout: A new plugin to auto log out users with a POST request (#8270)
    • Enigma: Upgrade to OpenPGP.js v5.0
    • Identicon: Make background color of the image to match the current skin colors (#8256)
    • Newmail_notifier: Update favicon to match the current favicon style and size (#7826)
    • Password: Remove password_blowfish_cost option, in favor of password_algorithm_options
    • Password: Remove support for password_algorithms crypt, hash and cram-md5
    • Password: Remove support for %c, %d, %n, %q variables in password_query
    • Password: Add support for passwords based on PHP's password_hash() function (#7724)
    • Password: Verify current password with IMAP (#8142)
    • Password: Improve handling errors on executed commands (#8200)
    • Password: Add Mailcow driver (#8291)
    • Fix compatibility with Referrer-Policy: "strict-origin" (#8170)
    • Fix locked SQLite database for the CLI tools (#8035)
    • Fix Makefile on Linux (#8211)
    • Fix so PHP warnings are ignored when resizing a malformed image attachment (#8387)
    • Fix various PHP8 warnings (#8392)
    • Fix mail headers injection via the subject field on mail compose (#8404)
    • Fix bug where small message/rfc822 parts could not be decoded (#8408)
    • Fix setting HTML mode on reply/forward of a signed message (#8405)
    • Fix handling of RFC2231-encoded attachment names inside of a message/rfc822 part (#8418)
    • Fix bug where some mail parts (images) could not be listed as attachments (#8425)
    • Fix bug where attachment icons were stuck at the top of the messages list in Safari (#8433)
    Source code(tar.gz)
    Source code(zip)
    roundcube-framework-1.6-beta.tar.gz(1.78 MB)
    roundcube-framework-1.6-beta.tar.gz.asc(862 bytes)
    roundcubemail-1.6-beta-complete.tar.gz(5.66 MB)
    roundcubemail-1.6-beta-complete.tar.gz.asc(862 bytes)
    roundcubemail-1.6-beta.tar.gz(3.69 MB)
    roundcubemail-1.6-beta.tar.gz.asc(862 bytes)
  • 1.5.2(Dec 30, 2021)

    This is the second service release to update the new stable version 1.5. It provides a bunch of small fixes and improvements to the OAuth feature as well as a security fix to a recently reported XSS vulnerability. See the full changelog below.

    Security fix

    • Cross-site scripting (XSS) via HTML messages with malicious CSS content

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • OAuth: pass 'id_token' to 'oauth_login' plugin hook (#8214)
    • OAuth: fix expiration of short-lived oauth tokens (#8147)
    • OAuth: fix relative path to assets if /index.php/foo/bar url is used (#8144)
    • OAuth: no auto-redirect on imap login failures (#8370)
    • OAuth: refresh access token in 'refresh' plugin hook (#8224)
    • Fix so folder search parameters are honored by subscriptions_option plugin (#8312)
    • Fix password change with Directadmin driver (#8322, #8329)
    • Fix so css files in plugins/jqueryui/themes will be minified too (#8337)
    • Fix handling of unicode/special characters in custom From input (#8357)
    • Fix some PHP8 compatibility issues (#8363)
    • Fix chpass-wrapper.py helper compatibility with Python 3 (#8324)
    • Fix scrolling and missing Close button in the Select image dialog in Elastic/mobile (#8367)
    • Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content
  • 1.4.13(Dec 30, 2021)

    This is a security update to the stable version 1.4 of Roundcube Webmail. It provides a fix to a recently reported XSS vulnerability:

    • Cross-site scripting (XSS) via HTML messages with malicious CSS content

    This version is considered stable and we recommend to update all productive installations of Roundcube 1.4.x with it. Please do backup your data before updating!

    CHANGELOG

    • Security: fix cross-site scripting (XSS) via HTML messages with malicious CSS content
  • 1.5.1(Nov 28, 2021)

    This is the first service release to update the new stable version 1.5. It provides a bunch of small fixes and improvements after getting your feedback from the 1.5.0 release. See the full changelog below.

    Important note for MySQL and MariaDB database backends

    The change to full UTF-8 support in MySQL/MariaDB didn't work for everybody migrating an existing DB. Hence here's an important notice from the UPGRADING instructions:

    If you use MySQL < 5.7.7 or MariaDB < 10.2.2 make sure to configure it with:

      innodb_large_prefix=1
      innodb_file_per_table=1
      innodb_file_format=Barracuda
    

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix importing contacts with no email address (#8227)
    • Fix so session's search scope is not used if search is not active (#8199)
    • Fix some PHP8 warnings (#8239)
    • Fix so dark mode state is retained after closing the browser (#8237)
    • Fix bug where new messages were not added to the list on refresh if skip_deleted=true (#8234)
    • Fix colors on "Show source" page in dark mode (#8246)
    • Fix handling of dark_mode_support:false setting in skins meta.json - also when devel_mode=false (#8249)
    • Fix database initialization if db_prefix is a schema prefix (#8221)
    • Fix undefined constant error in Installer on Windows (#8258)
    • Fix installation/upgrade on MySQL 5.5 - Index column size too large (#8231)
    • Fix regression in setting of contact listing name (#8260)
    • Fix bug in Larry skin where headers toggle state was reset on full page preview (#8203)
    • Fix bug where \u200b characters were added into the recipient input preventing mail delivery (#8269)
    • Fix charset conversion errors on PHP < 8 for charsets not supported by mbstring (#8252)
    • Fix bug where adding a contact to trusted senders via "Always allow from..." button didn't work (#8264, #8268)
    • Fix bug with show_images setting where option 1 and 3 were swapped (#8268)
    • Fix PHP fatal error on an undefined constant in contacts import action (#8277)
    • Fix fetching headers of multiple message parts at once in rcube_imap_generic::fetchMIMEHeaders() (#8282)
    • Fix bug where attachment download could sometimes fail with a CSRF check error (#8283)
    • Fix an infinite loop when parsing environment variables with float/integer values (#8293)
    • Fix so 'small-dark' logo has more priority than the 'small' logo (#8298)
  • 1.4.12(Nov 12, 2021)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It provides fixes for two recently discovered SQL injection and XSS vulnerabilities as well as some general improvements from our issue tracker. See the full changelog below.

    Security fixes

    • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
    • Fix possible SQL injection via some session variables

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
    • Fix bug where contacts search didn't work with addressbook_search_mods set to an empty array (#7974)
    • Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
    • Fix bug where consecutive LDAP searches could return wrong results (#8064)
    • Fix bug where plus characters in attachment filename could have been ignored (#8074)
    • Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
    • Fix handling of custom sender addresses with names (#8106)
    • Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
    • Fix Firefox infinite loading display on mail screen (#8128)
    • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
    • Fix SQL injection via some session variables
  • 1.3.17(Nov 12, 2021)

    This is a security update to the LTS version 1.3. It fixes two recently discovered vulnerabilities:

    • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning
    • Fix possible SQL injection via some session variables

    This version is considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

  • 1.5.0(Oct 18, 2021)

    This is the stable release of the next major version of Roundcube webmail. With this milestone we introduce new features and full PHP 8.0 support. The most noteworthy additions are:

    • Dark mode for Elastic skin
    • OAuth2/XOauth support (with plugin hooks)
    • Collected recipients and trusted senders
    • Moving recipients between inputs with drag & drop
    • Full unicode support with MySQL database
    • Support of IMAP LITERAL- extension [RFC 7888]
    • Support of RFC 2231 encoded names
    • Cache refactoring

    See the full changelog below.

    We also disabled the spell checking feature using spell.roundcube.net by default because some privacy concerns were raised. It now needs to be enabled explicitly by setting the enable_spellcheck config option to true.

    In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. In the 1.5.x series the toolchain required to build a functional package has changed a bit:

    • bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
    • bin/cssshrink.sh: replaced yuicompressor with csso
    • Elastic theme: require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css

    This release is considered stable and we encourage you to update your productive installations after carefully testing the upgrade scenario.

    With the release of Roundcube 1.5.0, the previous stable release branches 1.4.x and 1.3.x will change into LTS low maintenance mode which means they will only receive important security updates but no longer any regular improvement updates. The 1.2.x series is no longer supported and maintained.

    CHANGELOG (since 1.5-rc)

    • Support displaying RTF content (including encapsulated HTML) from a TNEF attachment
    • Disable the default spellchecker option using spell.roundcube.net (#8182)
    • Newmail_notifier: Improved the notification sound (#8155)
    • Fix size of Mailvelope iframe for PGP-inlined mail, again (#8126)
    • Fix handling of group names with @ character in autocomplete and contacts widget (#8098)
    • Fix Firefox infinite loading display on mail screen (#8128)
    • Fix converting >1MB of HTML content into plain text (#8137)
    • Fix bug where expanding a group in the recipient input could corrupt the input content (#7569)
    • Fix fatal error/warning on invalid input to user parameter (#8152)
    • Fix changing password with dovecot_passwdfile driver (#8145)
    • Fix handling of headers that occur multiple times by show_additional_headers plugin (#8157)
    • Fix bug where vertical scrollbar in new HTML message bounced back on scroll (#8046)
    • Fix displaying inline images with incorrectly declared content-type (#8158)
    • Fix so addr-spec with missing closing angle bracket can be parsed (#8164)
    • Fix handling of spellcheck connection errors (#8172)
    • Fix a couple of PHP8 warnings (#8175, #8176)
    • Fix bug where "from my contacts" and "from trusted senders" values were mixed up (#8177)
    • Fix password/token length check on OAuth login (#8178)
    • Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
    • Fix SQL injection via some session variables
    • Fix handling of dark_mode_support:false setting in skins meta.json (#8186)
    • Fix security issues regarding server name and trusted_host_patterns setting
  • 1.5-rc(Jul 3, 2021)

    This is the release candidate for the next major version 1.5 of Roundcube webmail. Based on the feedback we received from the beta release and some new features from the backlog, we have now finalized the development branch to prepare the final version. See the changelog below for details.

    Some noteworthy additions since 1.5-beta are

    • Support of XOAUTH2 in Managesieve plugin
    • Support of IMAP LITERAL- extension [RFC 7888]
    • Support of RFC 2231 encoded names
    • Plugin hooks for OAuth events

    We believe it is production ready, but we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

    CHANGELOG

    • Upgrade to TinyMCE 5.8.2
    • SMTP XCLIENT support (#7893, #6411)
    • Add IDN homograph attack (spoofing) detection [CVE-2019-15237] (#6891)
    • Add configuration options for subject prefixes (#7929, #4981)
    • Support IMAP LITERAL- extension [RFC 7888] (#6878)
    • Warn the user about a potential data leak on mail bounce or forward (#7993)
    • Make the Empty action available for every non-empty folder, not only Trash (#7948)
    • Remove (incorrect) use of Return-Receipt-To header (#8069)
    • Submit various simple dialog forms with the Enter key (#7133)
    • Add RFC2231 support to rcube_mime_decode (#7390)
    • Plugin API: Allow modification of 'error' argument in message_send_error hook (#7914)
    • OAuth: add plugin hooks oauth_login and oauth_refresh_token for oauth events (#8028, #8040)
    • Debug_logger: Fix the main plugin functionality and documentation (#8041)
    • Enigma: Fix bug where signature verification could fail for non-ascii bodies (#7919)
    • Enigma: Fix invalid expiration dates of PGP keys on a 32bit system (#7531)
    • Enigma: Display an information that public and private keys are stored on the server (#7941)
    • Enigma: Optional support for passwordless keys (#7265)
    • Managesieve: Fix removing nested rules in scripts (#8011)
    • Managesieve: Support XOAUTH2, requires Net_Sieve 1.4.5 (#7925)
    • Managesieve: Added ability to remove 'redirect' option from UI (#7922)
    • New_user_dialog: Use the identity_update hook (#8023)
    • Password: Fix broken 'hmail' driver (#7966)
    • Password: Set password_minimum_length to 8 by default (#8003)
    • Vcard_attachments: Improve handling of multiple contacts (#7027)
    • Fix inserting a group from non-default source using the Insert contact(s) dialog (#8095)
    • Fix invalid search fields after search scope change (#6919)
    • Fix so "Always allow from..." button appears also when allow_images=3 (#7961)
    • Fix Elastic's pretty select scroll position in Chrome (#7964)
    • Fix bug where invalid non-unicode characters in JSON output could make the UI unresponsive (#7955)
    • Fix PHP 8 fatal error when allowing images in an email (#7968)
    • Fix so session expiration is more precise and do not depend on the garbage collector (#7576)
    • Fix bug where imap_conn_options settings were ignored (#7912)
    • Fix bug causing some HTML message content to be not centered in Elastic skin (#7911)
    • Fix bug when sending an email and recipient's email address contains a trailing dot (#7899)
    • Fix bug where the list page wasn't reset when changing a folder on mail view page (#7932)
    • Fix so selecting the same folder to reset search resets also the page number (#7125)
    • Fix login page rendering after oauth failure (#7812,#7923)
    • Fix bug where assigning users to groups via menu (not drag'n'drop) could fail in Elastic theme (#7973)
    • Fix HTML5 parser issue with a messy HTML code from Outlook (#7356)
    • Fix handling of multiple link references with the same index in plain text message (#8021)
    • Fix various actions on folders with angle brackets in name (#8037)
    • Fix inconsistent forwarding actions statuses on drafts (#8039)
    • Fix bug where start and reversed attributes of ol tag were ignored (#8059)
    • Fix bug where consecutive LDAP searches could return wrong results (#8064)
    • Fix bug where plus characters in attachment filename could have been ignored (#8074)
    • Fix displaying HTML body with inline images encapsulated using TNEF format (winmail.dat)
    • Fix handling of custom sender addresses with names (#8106)
    • Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
  • 1.5-beta(Feb 25, 2021)

    This is a beta release for the next major version 1.5 of Roundcube webmail. With this milestone we introduce new features and long-awaited improvements. The most noteworthy additions are:

    • PHP 8.0 support
    • OAuth2/XOauth support
    • Dark mode for Elastic skin
    • Collected recipients and trusted senders
    • Moving recipients between inputs with drag & drop
    • Full unicode support with MySQL database
    • Cache refactoring

    Adding support for PHP 8 required some deep refactoring of the Roundcube codebase which started with early PHP 5 versions. However, this refactoring also was a bit of a cleaning procedure and resulted in more testable components.

    In case you're running Roundcube directly from source or if you're not using the complete package, you need to install 3rd party javascript modules using the bin/install-jsdeps.sh script. With this release the toolchain required to build a functional package has changed a bit:

    • bin/jsshrink.sh: replaced google-closure-compiler with UglifyJS
    • bin/cssshrink.sh: replaced yuicompressor with csso
    • Elastic theme: require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css

    This is a beta release and we recommend to test it on a separate environment. And don't forget to backup your data before installing it.

    CHANGELOG

    • Require PHP >= 5.5
    • Support PHP 8.0 (#7625)
    • Require php-intl
    • Remove use of Net_IDNA2 package
    • Require GuzzleHttp\Client
    • Upgrade to TinyMCE 5.5.1
    • Upgrade to jQuery 3.5.1 (#7464)
    • Update build tools (#7800, #7804, #7497):
      • jsshrink.sh: Replace google-closure-compiler with UglifyJS
      • cssshrink.sh: Replace yuicompressor with csso
      • require lessc >= 2.5.2 (and add support for v4) with less-plugin-clean-css for Less files compilation
    • Automatically collected recipients and trusted senders (#6904)
      • Added configurable Collected Recipients addressbook source (#4971)
      • Added configurable Trusted Senders addressbook source (#5046)
      • Added 'contact_exists' hook
      • Added separate "trusted senders" options for show_images and mdn_request preferences (#7614)
    • Contact form mode: private/business (#7630)
    • OAuth/XOauth support (#7425, #6933)
    • Cache refactoring (#6312)
    • Added special value 'email' to login_username_filter, it changes also logon input type (#7179)
    • Allow array in smtp_host config (#7296)
    • Support proxy for server-side HTTP requests (#7658)
    • By default do not set the User-Agent header (#7731)
    • Add possibility to (re-)define field mapping on contacts import from a CSV file (#7045, #6668)
    • Move "On request for return receipt" from "Mailbox View" to "Displaying Messages" (#7614)
    • Support RFC8438: IMAP STATUS=SIZE - for faster folder size calculation (#7269)
    • MySQL: Use utf8mb4 charset and utf8mb4_unicode_ci collation (#6535, #7113)
    • Allow NULL in users.preferences column in postgres and sqlite db, the same as for other engines (#7767)
    • Support for language codes up to 16 chars long (e.g. es-419) in database schema (#6851)
    • Relaxed domain name validation for extended TLDs support (#5588)
    • Allow opening application/octet-stream attachments according to filename extension (#6821)
    • Added support for INSERT OR REPLACE queries (#6771)
    • Allow skins to define which layout options they support (#7235)
    • Extract RFC2231 attachment name from message headers (#6729, #6783)
    • Add support for SameSite cookie attribute via session_samesite option (req PHP >= 7.3.0) (#6772)
    • Change folders sorting so shared/other users namespaces are listed last (#5012)
    • Display a warning and do not try to open empty attachments (#7332)
    • Return 204 rather than 404 on missing contact photo (#7777)
    • Add 'reconnect' plugin to retry IMAP connection (#7844)
    • Plugin API: Added 'message' argument to 'message_compose_body' hook
    • Plugin API: Added 'preferences' parameter to 'user_create' hook (#7692)
    • Elastic: Dark mode (#6709)
    • Elastic: Display email size on the list of messages (#7162)
    • Elastic: Replace properties sidebar with a dialog on the attachment preview page (#7635)
    • Elastic: Minimize forms/colors blink on page load
    • Elastic: Improve mail header "detailed mode" (#7224)
    • Elastic: Moving single recipients between recipient inputs with drag-n-drop (#5069)
    • Elastic: Display a special icon for other users and shared namespace roots (#5012)
    • Elastic: Support space-separated email addresses in recipient input (#6529, #6457)
    • Elastic: Remember list checkbox selection state (#7148)
    • Elastic: Add "Open in new window" in mail compose (#7260)
    • Elastic: Make custom less files optional (#7497)
    • Elastic: Prevent from opening mail preview in a new window on touch devices using double tap (#7732)
    • Templates: Add support for expressions in object attributes (#7237)
    • Templates: Add support for nested if conditions (#6818)
    • Templates: Make [space][slash] ending of condition objects optional (#6954)
    • Mailvelope: Fix size of iframe for PGP-inlined mail (#7348)
    • Mailvelope: Add config option to use Main Keyring (#7348, #7157)
    • Mailvelope: Add config option to set the size for new keys (#7348)
    • Mailvelope: Always ask before discarding email currently being composed (#7348)
    • Mailvelope: Fix unnecessary warning to re-add attachments when restoring a draft (#7348)
    • Archive: Added options to split archive by year or year+month and folder (#7216)
    • Enigma: Support ECC key generation - when using GnuPG >= 2.1.7 (#6853)
    • Managesieve: Add support for 'spamtest' extension - RFC3685 (#6950)
    • Managesieve: Allow display name with email address in vacation :from field (#6760)
    • Managesieve: Improve UX on custom header input (#7207)
    • Managesieve: Fix bug where activation of forward/vacation rule could activate a wrong script (#7423)
    • Managesieve: Fix bug where forward/vacation rule could end up being duplicated (#7349)
    • new_user_identity: Fix missing password for user-specific LDAP operations (#7667)
    • Password: Added 'pwned' password strength driver (#7274)
    • Password: Added Mail-in-a-Box (miab) driver (#7824)
    • Password: Added TinyCP driver (#7510)
    • Password: Added httpapi driver to connect to generic HTTP/HTTPS APIs (#7439)
    • Password: Added dovecot_passwdfile driver (#5786)
    • Password: Removed old 'cpanel' driver, 'cpanel_webmail' driver renamed to 'cpanel' (#7780)
    • Fix handling of address groups in email headers by ignoring their names (#7663)
    • Fix so message flags are updated on refresh also for multifolder search results (#7774)
    • Fix so IMAP ID command is sent only after authentication (#7517)
    • Fix bug where it wasn't possible to save Spanish (Latin America) locale preference (#7784)
    • Fix mail search error on invalid search_mods definition (#7789)
    • Fix error when dealing with message/rfc822 attachments using Gmail IMAP (#6854)
    • Fix ISO-2022-JP-MS encoding issues (#7091)
    • Fix so messages in threads with no root aren't displayed separately (#4999)
    • Fix so anchor tags without href attribute are not modified (#7413)
    • Fix invalid IMAP SEARCH command in some rare case on messages cache synchronization (#7895)
    • Fix so allowing remote resources does not add an entry to browser history (#6620)
  • 1.4.11(Feb 8, 2021)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It provides a fix for a recently reported stored XSS vulnerability as well as some general improvements from our issue tracker. See the full changelog below.

    Security fix

    • Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

    Credits for this finding go to Mateusz Szymaniec (CERT Polska).

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Display a nice error informing about no PHP8 support
    • Elastic: Fix compatibility with Less v3 and v4 (#7813)
    • Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
    • Fix errors in MSSQL database update scripts (#7853)
    • Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
  • 1.4.10(Dec 27, 2020)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains a fix for a recently reported stored XSS vulnerability as well as a small number of general improvements from our issue tracker. See the full changelog below.

    Security fix

    • Stored cross-site scripting (XSS) via HTML or plain text messages with malicious content [CVE-2020-35730]

    Credits for this finding go to Alex Birnberg.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655)
    • Fix folder list issue when special folder is a subfolder (#7647)
    • Fix Elastic's folder subscription toggle in search result (#7653)
    • Fix state of subscription toggle on folders list after changing folder state from the search result (#7653)
    • Security: Fix cross-site scripting (XSS) via HTML or plain text messages with malicious content
  • 1.3.16(Dec 27, 2020)

    This is a security update to the LTS version 1.3. It fixes a recently reported stored cross-site scripting (XSS) vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].

    Credits for this finding go to Alex Birnberg.

    This version is considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

  • 1.2.13(Dec 27, 2020)

    This is a security update to the LTS version 1.2. It fixes a recently reported stored cross-site scripting (XSS) vulnerability via HTML or plain text messages with malicious content [CVE-2020-35730].

    Credits for this finding go to Alex Birnberg.

    We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

  • 1.4.9(Sep 27, 2020)

    This is a service update to the stable version 1.4 of Roundcube Webmail. It contains fixes and general improvements from our issue tracker, mainly related to email composition and UI oddities in Elastic skin and with the TinyMCE richtext editor. See the full changelog below.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11 (#7615)
    • Add missing localization for some label/legend elements in userinfo plugin (#7478)
    • Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
    • Fix restoring Cc/Bcc fields from local storage (#7554)
    • Fix jstz.min.js installation, bump version to 1.0.7
    • Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
    • Fix link to closure compiler in bin/jsshrink.sh script (#7567)
    • Fix bug where some parts of a message could have been missing in a reply/forward body (#7568)
    • Fix empty space on mail printouts in Chrome (#7604)
    • Fix empty output from HTML5 parser when content contains XML tag (#7624)
    • Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
    • Fix so autocompletion list does not hide on scroll inside it (#7592)
  • 1.4.8(Aug 10, 2020)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains fixes for recently reported security vulnerabilities as well as a small number of general improvements from our issue tracker. See the full changelog below.

    Security fixes

    • Fix potential XSS issue in HTML editor of the identity signature input
    • Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
    • Fix cross-site scripting (XSS) via HTML messages with malicious math content

    Credits for the latter two findings go to Łukasz Pilorz from Pentesters.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
    • Fix support for an error as a string in message_before_send hook (#7475)
    • Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
    • Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
    • Managesieve: Allow angle brackets in out-of-office message body (#7518)
    • Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
    • Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
    • Fix incorrect rewriting of internal links in HTML content (#7512)
    • Fix handling links without defined protocol (#7454)
    • Fix paging of search results on IMAP servers with no SORT capability (#7462)
    • Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
    • Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
    • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
    • Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content
  • 1.3.15(Aug 10, 2020)

    This is a security update to the LTS version 1.3. It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

    Credits for these findings go to Łukasz Pilorz from Pentesters.

    This version is considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

  • 1.2.12(Aug 10, 2020)

    This is a security update to the LTS version 1.2. It fixes two recently reported cross-site scripting (XSS) vulnerabilities via HTML messages with malicious svg and math contents.

    Credits for these findings go to Łukasz Pilorz from Pentesters.

    We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

  • 1.4.7(Jul 5, 2020)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains a fix for a recently reported security vulnerability as well as a small number of general improvements from our issue tracker. See the full changelog below.

    Security fix

    Prevent cross-site scripting (XSS) via HTML messages with malicious svg/namespace (CVE-2020-15562)

    Credits for this finding go to SSD Secure Disclosure.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix bug where subfolders of special folders could have been duplicated on folder list
    • Increase maximum size of contact jobtitle and department fields to 128 characters
    • Fix missing newline after the logged line when writing to stdout (#7418)
    • Elastic: Fix context menu (paste) on the recipient input (#7431)
    • Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
    • Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
    • Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
  • 1.3.14(Jul 5, 2020)

    This is a security update to the LTS version 1.3. It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

    Credits for this finding go to SSD Secure Disclosure.

    This version is considered stable and we strongly recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

  • 1.2.11(Jul 5, 2020)

    This is a security update to the LTS version 1.2. It fixes a recently reported cross-site scripting (XSS) vulnerability via HTML messages with malicious svg/namespace (CVE-2020-15562).

    Credits for this finding go to SSD Secure Disclosure.

    We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

  • 1.4.6(Jun 7, 2020)

    This is a follow-up release to the recently published version 1.4.5 of Roundcube Webmail.

    It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

    CHANGELOG

    • Installer: Fix regression in SMTP test section (#7417)
  • 1.3.13(Jun 7, 2020)

    This is a follow-up release to the recently published version 1.3.12 of Roundcube Webmail.

    It contains a single fix for the installer's test step which was broken with the last release. The update is therefore only relevant for new installations which use the installer to set up Roundcube.

    CHANGELOG

    • Installer: Fix regression in SMTP test section (#7417)
  • 1.3.12(Jun 2, 2020)

    This is a service and security update to the LTS version 1.3 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well as a small number of general improvements backported from the latest stable version. See the full changelog below.

    Security fixes

    • Fix XSS issue in template object 'username' (#7406)
    • Fix cross-site scripting (XSS) via malicious XML attachment
    • Fix a couple of XSS issues in Installer (#7406)
    • Better fix for CVE-2020-12641

    The latter two vulnerabilities again are related to public access to the Roundcube installer and are therefore classified minor.

    This version is considered stable and we recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

    CHANGELOG

    • Security: Better fix for CVE-2020-12641
    • Security: Fix XSS issue in template object 'username' (#7406)
    • Security: Fix couple of XSS issues in Installer (#7406)
    • Security: Fix cross-site scripting (XSS) via malicious XML attachment
  • 1.4.5(Jun 2, 2020)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains fixes for recently reported security vulnerabilities as well as a number of general improvements from our issue tracker. See the full changelog below.

    Security fixes

    • Fix XSS issue in template object 'username' (#7406)
    • Fix cross-site scripting (XSS) via malicious XML attachment
    • Fix a couple of XSS issues in Installer (#7406)
    • Better fix for CVE-2020-12641

    The latter two vulnerabilities again are related to public access to the Roundcube installer and are therefore classified minor.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
    • Fix so the database setup description is compatible with MySQL 8 (#7340)
    • Markasjunk: Fix regression in jsevent driver (#7361)
    • Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
    • Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
    • Password: Fix issue with Modoboa driver (#7372)
    • Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
    • Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
    • Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
    • Fix error when user-configured skin does not exist anymore (#7271)
    • Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
    • Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
    • Security: Fix a couple of XSS issues in Installer (#7406)
    • Security: Fix XSS issue in template object 'username' (#7406)
    • Security: Fix cross-site scripting (XSS) via malicious XML attachment
    • Security: Better fix for CVE-2020-12641
  • 1.4.4(Apr 29, 2020)

    This is a service and security update to the stable version 1.4 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well as a number of general improvements from our issue tracker. See the full changelog below.

    Security fixes

    • Cross-Site Scripting (XSS) via malicious HTML content
    • CSRF attack can cause an authenticated user to be logged out
    • Remote code execution via crafted config options
    • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That's generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also protect against future and as yet unknown attack vectors.

    This version is considered stable and we recommend to update all productive installations of Roundcube with it. Please do backup your data before updating!

    CHANGELOG

    • Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
    • Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
    • Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
    • Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
    • Elastic: Fix color of a folder with recent messages (#7281)
    • Elastic: Restrict logo size in print view (#7275)
    • Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
    • Fix missing contact display name in QR Code data (#7257)
    • Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
    • Fix regression in testing database schema on MSSQL (#7227)
    • Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
    • Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
    • Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
    • Fix handling keyservers configured with protocol prefix (#7295)
    • Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
    • Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
    • Fix so imap error message is displayed to the user on folder create/update (#7245)
    • Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
    • Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
    • Fix characters encoding in group rename input after group creation/rename (#7330)
    • Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
    • Make install-jsdeps.sh script working without the file program installed (#7325)
    • Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
    • Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
    • Security: Fix XSS issue in handling of CDATA in HTML messages
    • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
  • 1.3.11(Apr 29, 2020)

    This is a service and security update to the LTS version 1.3 of Roundcube Webmail. It contains four fixes for recently reported security vulnerabilities as well as a small number of general improvements backported from the latest stable version. See the full changelog below.

    Security fixes

    • Cross-Site Scripting (XSS) via malicious HTML content
    • CSRF attack can cause an authenticated user to be logged out
    • Remote code execution via crafted config options
    • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That's generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also protect against future and as yet unknown attack vectors.

    This version is considered stable and we recommend to update all productive installations of Roundcube 1.3.x with it. Please do backup your data before updating!

    CHANGELOG

    • Enigma: Fix compatibility with Mail_Mime >= 1.10.5
    • Fix permissions on some folders created by bin/install-jsdeps.sh script (#6930)
    • Fix bug where inline images could have been ignored if Content-Id header contained redundant spaces (#6980)
    • Fix PHP Warning: Use of undefined constant LOG_EMERGE (#6991)
    • Fix PHP warning: "array_merge(): Expected parameter 2 to be an array, null given" in sendmail.inc (#7003)
    • Security: Fix XSS issue in handling of CDATA in HTML messages
    • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
  • 1.2.10(Apr 29, 2020)

    This is a security update to the LTS version 1.2. It fixes four recently reported security vulnerabilities:

    • Cross-Site Scripting (XSS) via malicious HTML content
    • CSRF attack can cause an authenticated user to be logged out
    • Remote code execution via crafted config options
    • Path traversal vulnerability allowing local file inclusion via crafted 'plugins' option

    The latter two vulnerabilities are classified minor because they only affect Roundcube installations with public access to the Roundcube installer. That's generally a high-risk situation and is expected to be rare or practically non-existent in productive Roundcube deployments. However, the fixes are done in core in order to also protect against future and as yet unknown attack vectors.

    We strongly recommend to update all productive installations of Roundcube 1.2.x if you cannot upgrade to a more recent version. Please do backup your data before updating!

    CHANGELOG

    • Fix missing message-htmlpart1 class breaking inline CSS (#6493)
    • Security: Fix XSS issue in handling of CDATA in HTML messages
    • Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
    • Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
    • Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
Owner
Roundcube Webmail Project