Major Upgrade: Roundcube 1.7 Compatibility, Security Hardening, and More

    We've just released the largest upgrade to the Roundcube Plus plugins and skins in a long time. Every plugin and skin has been touched, and the work covers compatibility, security, functionality, user interface, and a significant modernization of the code base. Here's an overview of what's included.

    Roundcube 1.7 Compatibility

    All our plugins and skins are now officially compatible with Roundcube 1.7. If you're planning to move to the new Roundcube release, or already have, this upgrade is what you'll need to keep everything working as expected.

    Starting with this upgrade we no longer support Roundcube 1.5. The skins and plugins may still work on 1.5, but we no longer test against it or provide technical support for it. If you're still on 1.5, we recommend upgrading your Roundcube installation to a newer version.

    Security Audit and Fixes

    Most of our plugins underwent an extensive security audit, and this release addresses all the discovered issues. The fixes cover several vulnerability classes, including server-side request forgery (SSRF), cross-site scripting (XSS), URL injection, and path traversal. The highlights include:

    The Framework plugin, which all our other plugins are built on, received particular attention, with fixes to how it sanitizes HTML and handles data from the cloud integration plugins, as well as a crucial security update to the svg-sanitize library.

    The 2FA plugin had its one-time-password handling strengthened.

    The Email Scheduler plugin had an issue fixed that could potentially allow access to other users' scheduled messages.

    The Dropbox plugin had a potential vulnerability closed when attaching files.

    The WebDAV plugin had its connection handling hardened against SSRF and related issues.

    The News Feed plugin had a potential SSRF vulnerability fixed in how it handles RSS feed URLs.

    The Last Login plugin had potential XSS, URL injection, and path traversal issues resolved.

    The Skin plugin had potential XSS vulnerabilities fixed in its preferences and mobile popups.

    The Signature plugin gained data validation to prevent injection and tampering.

    The Weather plugin had potential HTML injection and connection security issues fixed.
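    Two of the items above (WebDAV connection handling, News Feed URL handling) name SSRF, the class of bug where a server can be made to fetch an attacker-chosen URL, typically one pointing at loopback, an internal network or a cloud metadata endpoint. As an added illustration of what a fix in that class has to check, here is a PHP validation-and-fetch routine. It is this editor's example, not Roundcube Plus code and not a description of what either plugin did or does; the function names, the curl options and the pinned-address approach are assumptions about good practice.

```php
<?php
// Added example (not Roundcube Plus code): validate a user-supplied URL before a
// server-side fetch, then fetch it with the checked address pinned. Function
// names are hypothetical.

function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::/128,
    // ::ffff:0:0/96 (IPv4-mapped) and fe80::/10.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns an address to pin the connection to, or null if the URL is refused.
function validate_fetch_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    // Only http(s): blocks file://, gopher://, dict://, ftp:// and friends.
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    // user:pass@ in a URL is a classic way to confuse naive host parsing.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $host = trim($parts['host'], '[]');   // an IPv6 literal arrives bracketed
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_public_ip($host) ? $host : null;
    }
    // Hostname: resolve now and check every answer, so a name that points at
    // 127.0.0.1 or a cloud metadata address is refused before any connection.
    $answers = @dns_get_record($host, DNS_A | DNS_AAAA);
    $pin = null;
    foreach ($answers ?: [] as $rr) {
        $ip = $rr['ip'] ?? $rr['ipv6'] ?? null;
        if ($ip === null) {
            continue;
        }
        if (!is_public_ip($ip)) {
            return null;          // one internal answer refuses the whole name
        }
        if ($pin === null) {
            $pin = $ip;
        }
    }
    return $pin;
}

// Fetches with the checked address pinned (closes the re-resolution race) and
// re-validates every redirect hop instead of letting libcurl follow them.
function fetch_validated(string $url, int $maxRedirects = 3): ?string
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $ip = validate_fetch_url($url);
        if ($ip === null) {
            return null;
        }
        $parts  = parse_url($url);
        $scheme = strtolower($parts['scheme']);
        $host   = trim($parts['host'], '[]');
        $port   = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

        $opts = [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => 15,
            CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,
        ];
        // Pin only real hostnames; an IP-literal host needs no DNS at all.
        if (filter_var($host, FILTER_VALIDATE_IP) === false) {
            $pinned = strpos($ip, ':') !== false ? "[$ip]" : $ip;   // IPv6 in brackets
            $opts[CURLOPT_RESOLVE] = ["$host:$port:$pinned"];
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, $opts);
        $body     = curl_exec($ch);
        $status   = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $location = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);

        if ($status >= 300 && $status < 400 && is_string($location) && $location !== '') {
            $url = $location;     // next iteration re-validates the new target
            continue;
        }
        return $body === false ? null : $body;
    }
    return null;                  // too many redirects
}

// Constructed sample inputs; all three are refused without any network access.
var_dump(validate_fetch_url('http://127.0.0.1:8080/admin'));
var_dump(validate_fetch_url('file:///etc/passwd'));
var_dump(validate_fetch_url('http://169.254.169.254/latest/meta-data/'));
```

    Two design points worth noting. Pinning through CURLOPT_RESOLVE rather than rewriting the host in the URL keeps SNI and TLS hostname verification intact, and it closes the window in which a hostname that resolved to a public address at check time is re-resolved to an internal one at connect time. Disabling FOLLOWLOCATION and re-running the check on every hop matters because a redirect from a harmless public URL to an internal address is the most common way a scheme and host allowlist gets bypassed.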

    Running current, audited software is one of the most effective ways to keep a Roundcube installation secure. Because every other plugin is built on the Framework plugin, its sanitization and svg-sanitize fixes protect the other plugins only once it has been updated as well, so upgrade the full set of plugins and skins together rather than one at a time. Even if no other change mattered to you, the security fixes in this release alone are a good reason to upgrade.

    A Modernized Front End

    Several plugins relied on AngularJS for their interface. AngularJS reached end of life at the end of 2021 and no longer receives security updates, so we've replaced it. The 2FA, AI Assistant, Signature, and WebDAV plugins have all been migrated to Alpine.js, a modern, actively maintained JavaScript framework. The result is a more secure and more maintainable code base. Calendar is the last plugin still using AngularJS, and it's scheduled to follow in an upcoming upgrade; until then, installations that include Calendar still ship that unmaintained framework, so keep that plugin current.

    Updated Libraries and Dependencies

    Beyond AngularJS, a number of underlying APIs and libraries were updated.

    The Google Drive plugin was migrated away from two end-of-life Google components. The old authentication libraries were replaced with Google Identity Services, and the integration moved from Drive API v2 to v3.

    The Calendar plugin's Sabre libraries were upgraded, and the Framework plugin received updates to its geolocation and device detection libraries.

    These updates keep the software current and reduce reliance on components that are no longer supported.

    New Functionality and Improvements

    While this upgrade is primarily about compatibility and security, several plugins also gained new features.

    The Google Drive plugin saw the most additions. It now supports shared drives, lets you export Google Docs, Sheets, and Slides as attachments, and includes a folder picker dialog when saving attachments.

    The Calendar plugin added an option to duplicate events, along with visual indicators when deleting events and a database fix for slow alarm queries. The Calendar also had a number of bugs corrected, including a long-standing issue where January birthdays were not displayed and compatibility problems with iCloud CalDAV servers.

    The Signature plugin's design editor was improved, and the 2FA plugin's email and SMS verification were made more reliable.

    Skins

    All our skins are now compatible with Roundcube 1.7 and received upgraded color management. The Skin plugin itself had extensive cleanup, with a range of UI fixes for both modern and Larry-based skins, and the removal of obsolete compatibility code for several legacy systems.

    Available Now

    The upgraded plugins and skins are available for download in the customer area of our website. The full list of changes for each plugin and skin is available in the change log files on their respective pages.

    Given the scope of the security work and the move to Roundcube 1.7, we recommend upgrading as soon as possible.