Aggregated bug-fixes for 7.10.2

Last Update: 2019-05-21

Release 7.10.2 (2019-05-16)

Shipped Components and Versions

Fixed Vulnerabilities

64703 CVE-2019-11522

CVSS: 5.4

64682 CVE-2019-11522

CVSS: 5.4

64680 CVE-2019-11521

CVSS: 6.5

63411 CVE-2019-9739

62465 CVE-2019-11806

CVSS: 3.3

61771 CVE-2019-7159

CVSS: 4.1

47790 CVE-2016-6849

CVSS: 7.1

Fixed Bugs

64811 Stopping synchronization due to an db error

Different checks for folder name equality may cause the INSERT statement to fail during folder creation under certain circumstances.This has been fixed by using lowercased binary collation when comparing names during folder creation.

64722 With categories, Drag and Drop from one tab to another doesn’t update unread count

This has been solved by fixing broken collection invalidation.

64674 Error while trying to copy users to different context

The copy task for events failed in case there is an event without an organizer.Adjusted the behavior to make copy possible for this scenario.

64670 Timestamp of file in drive does not get set via webDAV

The last-modified / timestamp handling for WebDAV documents in the middleware could not be used reliably by some clients to detect if a file contents was changed.This has been solved by considering sequence number during ETag generation / Map {DAV:}getlastmodified to the sequence number property / Write out “Last-Modified” HTTP header in GET/HEAD responses by default / Actively set “last-modified” during updates unless overridden by client / Added support for commonly used {DAV:}lastmodified to read/write an infostore document’s last modified property.

64482 Creation of subfolders throws “NO Public namespaces have no owner”

IMAP server advertises multiple public namespaces, but Open-Xchange Middleware only checks for one.This has been solved by paying respect to possibly multiple public namespaces when determining proper ACL identifier.

64467 Delete appointment in Portal doesn’t work

If model was not in pool, it was not requested by the API.Fixed boolean expression for filter.

64421 When creating a new task with reminder-time < local-time + (local-time - gmt-time) then immediately the notification is shown

Local timestamp was used in one check.This has been solved by using correct utc timestamp.

64407 Unable to retrieve updates for timezone, unexpected EOF at

Ensure to follow redirects when retrieving updated timezone definitions to solve this.

64337 Broken address book layout

Race condition during app start. The app was initialized and resumed at the same time.Do not resume apps that are currently starting anyway to solve this issue.

64217 Customer unable to accept meeting invite sent from outlook with IMAP to OX mailbox

When an iMIP request is received whose organizer can be resolved to an internal user within the current context, he was treated as internal entity. As creating events such events is forbidden, an error was raised when reypling to such an event.This has been solved by not resolving organizer when importing event from iTIP message.

64146 Forwarded message cannot be opened

Duplicate re-parsing of the corrupt message avoid further processing.Re-parse a message only one time to prvent this error.

64119 Appointment can not be accepted on appointment change from external (insufficient permissions)

If an attendee removes himself from one occurrence of an externally organized event series, and a consecutive organizer update to the series is applied later on, a check preventing from reinstantiating previously deleted occurrences kicks in and a permission denied error is raised.This has been fixed by taking over delete exception dates from externally organized events as-is.

64086 Calendar-query request is returning several etags for the same uri

In certain CalDAV reports, calendar object resources consisting of multiple events were listed multiple times in responses.Only include a calendar object resource once in responses.

63965 SQLException: Duplicate entry for key ‘PRIMARY’ after upgrade to the latest version

Ensure no duplicate entries are left in “filestore2user” table when trying to change its PRIMARY KEY to prevent this issue.

63951 Save signature fails with ‘An error occurred: No known registration name for: …’

External images are erroneously considered during content id extraction.Now ignore external images to solve this..

63876 Moving appointment to another calendar sends an email to the event creator

Move only updates are not ignored within itip handling.This has been fixed by ignoring move only updates within itip handling.

63867 Import of .ics file wrong with daylight setting

Java’s date format parsing routine does not work when a partial timezone defintion is used.Retry parsing using a built-in timezone definition in case of parsing errors as a workaround.

63677 A lot of FETCHes from middleware kills dovecot backend

The contents of all message-mapped file attachments were queried that matches a client-given search expression.Solution: Try to map given sort criteria to an IMAP sort term to perform a filtered sort command. Extract the requested chunk (…&limit=10) from that sorted result set to only fetch the content of relevant messages.

63611 ics import fails from attachment

This was caused by a combination of invalid data and unnecessary email address parsing.Invalid data cannot be fixed by OX, but we disabled the check for mail addresses.

63482 Address picker displays incorrect items for “All folders”

During the closing process the Address Picker was not properly reseted.Now the folder selection is reseted during the closing of the address picker.

63477 About model shows old copyright date

The default copyright is now displayed correctly.

63470 Encoding wrong in plain text mails

All html entities below 255 do not require a semicolon. Therefore &quot &times &pound etc. are encoded.This has been fixed by encoding ampersand to prevent encoding of html entities.

63452 Sharing Links / What’s New Tour Errors

The menu entry for “What’s new” and “Guided Tour” wasn’t disabled for guest.

63443 Feedback Module: Text message is not aligned properly when the mouse is hovered on the rating/selecting rating icon in IE browser

Some misinterpretation of CSS from IE 11 caused this issue.This has been solved by adding a CSS fix only for IE11 to handle this issue.

63435 Vacation notice cannot be changed after migration to 7.10

This was caused by a vacation notice which makes use of the date range (current date test) and the zone option in this test is missing. This happens if the vacation notice was created with a older appsuite version. A missing zone option will now be compensated based on the current values.

63392 Recurring appointment can’t changed to “Never ends”

For initial values or changes of recurrence type, the other field does not need to be explicitedly set to null. In fact, the middleware throws an error if it is set.Solution: Only set these values to null if the recurrence type is set to never.

63387 Additional empty line on signature

This is just an improvement for signatures: Signature with empty content (only whitespace) will not be added anymore.

63386 Google calendar 410 gone

The root cause seems to be a bad token used for list query against the google api. Now a full sync as fallback is done in case of bad sync tokens.

63360 Joplin app not working with appsuite

Conditional headers have only been matched on resources with an entity tag present (i.e. not for collections that have no body).Solution: Also match conditional headers against resources without entity.

63357 Customer sees errors after restarting - attempting autologin or destroying session

Remote parameter names were not correctly initialized when fetching a session representation from Hazelcast IMDG.This has been solved by orderly initializing remote parameter names when fetching a session representation from Hazelcast IMDG.

63333 Periodic Cleaners triggers update tasks

Update process is triggered automatically when loading a context and context-associated DB schema has pending update tasks.Solution: Do not trigger update if context is disabled.

63331 Redirection if schemata is disabled

In case context-associated server does not match the server associated with target node a CTX-0012 error is thrown, which initiates automatic redirection to another node (as configured through “com.openexchange.server.migrationRedirectURL” property).Solution: Do not throw CTX-0012 error in case context is disabled to avoid automatic redirection to another node. Instead, outer logic recognizes tat context is disabled through authorization service.

63298 HTML mail throws console error

Broken encoding in style tag caused js error.This has been fixed by making sanitizer more robust so no error occurs.

63240 Cannot open newsletters with new google chrome 72

Links opened by blankshield are blocked due to security reasons.Solution: Open links with rel=“noopener” directly in chrome 72 and above. Note that this is just an intermediate fix and will be replaced as soon as the issue is fixed in blankshield.

63222 Not possible to switch appointment visibility from private to secret

Fixed wrong comparing on server side.

63216 Update task fails: UPD-0014 Duplicate key name action

UpdateTask was missing an index exists check.Solution: Added an index exists check.

63211 Expired Vacation notice shows up “active” within the popup of the settings area

In contrast to the main activation button the little toggle is considering the date range.The little toggle now only depends on the active state of the rule.

63184 Recipient disappears if double-clicked then click away

Bundling orginal tokenfield file (static) lead to loading it’s content twice and custom ‘prototype’ fixes in our tokenfiled.js was overwritten by the second load.Solution: Clean up bundle.

63135 Tasks not working correctly

The reminder was not parsed properly since a recent change.

63126 Draft mail opened after migration

Savepoints were created in old versions (7.8.3), that were not supposed to be created.Solution: Cleanup savepoints once in any higher version than 7.8.3

63027 Set given name to ‘*’ for user in same context returns an error

User input was translated to SQL wildcard.This has been solved by avoiding wildcard in special contact search.

62883 compatibility changes to make DC server available for DC clients, using prior API versions

By adding poppler-data content to the open-xchange-pdftool package and using the correct data path, approprioate unicode code points can be displayed when rendering PDF pages. The package license has been changed to GPL in order to be compliant.

62862 Guided tour compose window doesn’t display

The security attribute is always reapplied even if there is no previous object.This has been solved by making sure that at least an empty object as previous object exists.

62835 Edit Copy Button in Draft folder does not work as expected for externally linked accounts

The unified mail storage returned normal mail ids instead of unified ones for copy/move commands.Solution: Return proper unified mail ids.

62800 Documentation for Mail Authentication Configuration Incomplete

Updated the User Docu to have all needed informations.

62794 No drag and drop of pictures while composing a new mail

Dropping images to an iframe caused the browser to reload the whole view which might lead to data loss. Since no easy fix was found, we disabled drag and drop.Reenable drag and drop by attaching listeners inside the iframe which will prevent reload of the page with the dropped content on the one hand and on the other hand correctly uploads image based on the previous mechanisms.

62773 NullPointerException with checkcountconsistency

There was no check to determine whether the ‘contexts_per_dbschema’ table contained any schemata of a database object, before beginning with the insertion of the schemata tied to that database object.This has been fixed by performing a check to determine whether the ‘contexts_per_dbschema’ table contains any schemata of a database object before blindly beginning with the insertion.

62770 In IE11 opening multiple compose windows can make subject field uneditable

Web accessibility steals the focus on clicking into the subject field on Internet Explorer.Do not apply refocus on click because this should only happen with keyboard navigation to solve this issue.

62764 Settings - security - active clients shows “unknown application / unknown device” for Android Device using *DAV

Some *DAV-clients were not detected and used wrong fallback.This has been fixed by improving detection of *DAV-clients and set correct fallback by checking session’s origin.

62761 Moving an appointment from an invitation to a private calendar is not possible

UI was too restrictive regarding move action.This has been solved by enabling move action but grey out unsupported folders.

62755 Guided Tours for document apps called two times without any user interaction

Backend writes configuration for recently opened documents while the tour is running. This (wrongly) deletes the “shown” flag of the tour. After the tour has been finished, the “shown” flag will be saved again to the configuration.

62746 Changes in custom theme #2

Added a workaround for IE11 in the appcontrol.

62730 Wrong weekly view with appointments over several days

Only checked weekdays and not if it’s the same week.This has been solved by adding check if it overlapps into next week.

62704 Unable to click on Save button in Create new rule window with right click pasting

Pasting a value into an input field triggered no validation and may result in a disabled save button.

62666 Error message “Unable to save draft, due to exceeded quota.” even quota is not reached

The causing exception was hidden, which has been changed to find the root cause of this bug.

62608 Tasks changing start and due time for a tasks changes date

Always used UTC as the timezone to calculate the recurrence position of an task.This has been solved by using server default timezone instead.

62605 Contact Print Action ‘details’ option is displaying City and Postal code in the same line

Print used own format of address where it was not possible to internationalize the address.This has been fixed by using internationalization approach which is already used to display the address in the contacts detail pane.

62572 Outlook for android causes runaway mysqlbinlogs;Outlook-App uses EAS-protocol version 14.0: FilterType inside Option

does not use CertificateRetrieval within ResolveRecipients, but EAS expected it (is allowed in 12.1).This has been solved by improving parsing of ResolveRecipients (according to 12.1) and GetItemEstimate (according to 14.0).

62525 No Connection Available to Access Mailbox

Caused by trying to access IMAP via an unconnected socket due to a previous I/O error (socket closed unexpectedly by remote host/IMAP).Now a re-connect to IMAP server on unexpected socket closure is done.

62463 NPE on changing mapping default folders

In case the account details for the internal is hidden default values (null) were send to validate call.This is fixed by extending the list of properties that do not have to be verified by all folder-fullname properties

62453 Failed deletecontext leaves context in an inconsistent state

Invoke a “post deletion” call-back to reseller plug-in to let reseller information being cleared when context has been successfully removed, to solve this issue.

62452 Spelling issue for Dutch language

Two wrong translations were adjusted to fix this.

62393 Sieve validation with 2 pgp keys not possible

When the arguments of the action commands ‘enotify’, ‘vacation’ and ‘pgp_encrypt’ are extending over multiple lines and those action commands have more than one arguments, then only the first argument was considered while counting.Solution: Iterate over all arguments of the previous mentioned action commands.

62378 Document with japanese / korean / chinese characters is not displayed in Viewer due to missing font resources for PDF.js

Adobe external CMaps were not copied to the build folder and pdf.js was not configure to use them.This has been fixed by adding CMaps folder to the thirdparty copy script and configured pdf.js to use them.

62360 Disabling/enabling contexts in environments with hazelcast shards

Disablecontext throws exception if context was already disabled.Solution: Idempotent handling of disablecontext which means each call results in a db statement like “UPDATE context SET enabled = 0, reason_id = 42 WHERE cid = 1”.

62345 Html part of mail always shown

UI accidentally used ‘noimg’ or ‘trusted’ as value for api parameter ‘view’. In case ‘Allow html formatted emails’ is disabled the only valid value is ‘text’, this was adjusted to fix this issue.

62305 Vacation alias settings are broken and no autoresponder for all mail addresses

The “select all” button has no effect on the vacation notice model due to a wrong naming.This has been fixed by changing the attribute name accordingly so the model can be handled correctly.

62300 C&P from a mailaddress includes OX AppSuiteURL

This has been solved by changing the href property to ‘mailto:’ in the from widget (mail compose) an the participants widget (calendar, tasks) so only the mail address get’s pasted.

62294 Login rate limiter does not work com.openexchange.ajax.login.maxRate

Root cause: Long overflow during calculation of the rate limit window.Solution: Don’t always double the window on each consecutive login attempt.

62282 Max sessions exceeded while real usage is much lower

Config option “com.openexchange.servlet.maxInactiveInterval” is not orderly applied to spawned HTTP sessions and therefore they don’t get removed.This has been fixed by orderly setting timeout for HTTP sessions.

62281 Appointment time incorrectly displayed in Japanese

The Moment and moment-interval framework used inconsistent time formats in japanese. Update locales in moment-interval plugin to be consistent.

62263 Add mail account on mobile: buttons hide text field for input

Removes button ‘manual’ cause is it used as fallback in case autodiscover fails and should not be handled as a separate option for ux reasons.

62258 ics file can’t be impoted from attachment if mail was encrypted

Added support for importing encrypted ical files.

62243 Inconsistent sort order between address book and distribution list

Missing sortname for list members.Address picker issue has been fixed, Distributionlist issue is still there, because backendpart cannot be backported, this will be available with 7.10.2.

62240 Creating tasks while on a different time zone with a yearly or monthly repeat leads to wrong dates

Too generic approach in the recurrence view. All timezones with negative offset are affected. In detail, the timezone of a task (utc) wasn’t considered when creating the recurrence rule.This has been solved by considering different timezones when using calendar or task. StartDate of calendar knows its timezone whereas tasks are always in utc.

62237 Maileditor shows ‘0’ as size for drive attachments

Size calculation was not correctly taking external files into account.This has been fixed by changing the calculation to respect all sizes of the attached files including external files.

62222 Send / reply not possible for some users, blank page, loads forever

UI waits for timeout of the middleware which might take a lot of time.This has been solved by introducing a timeout for snippets which aborts the request after 15 seconds. Nevertheless, this is still a workaround since the actual issue is the slow/non-responding S3.

62218 Basic Accounts can still use Drive as a Standard App although it is disabled

Settings considered all apps which where rendered in the launcher and did no dedicated capability check.Filter for apps, which are disabled by capabilities but might be visible due to upsell to solve this issue.

62216 Task section > progress bar doesn’t work on Chrome, Opera and Safari

CSS background-size’s implicit height value ‘auto’.Solution: Use 100% as value for height.

62212 All day event uses multiple days when printed from monthly view

Not considered the special case for all-day events which were then printed the day before they started and the day after.This has been solved by filtering correctly for all-day appointments.

62205 Using poppler-data path when building/using PDFTool package and packaging of poppler-data within PDFTOOL package under GPL liense

Running the PDFTool, the internally used poppler library had no access to externally provided poppler-data character classes. By adding poppler-data content to the open-xchange-pdftool package and using the correct data path, approprioate unicode code points can be displayed when rendering PDF pages. The package license has been changed to GPL in order to be compliant.

62201 Unable to determine next update task

The defined dependency of the update task (com.openexchange.groupware.update.tasks.ContextAttributeConvertUtf8ToUtf8mb4Task) might be excluded and could not be solved.This has been fixed by setting dependency to com.openexchange.groupware.update.tasks.CreateIndexOnContextAttributesTask.

62178 Translation issue for “autoforward” in Filter Rules

The rule title was missing the translation capability.This has been solved by adding the translation capability.

62163 Italian translation issue in Calendar search

Adjusted translation for place.

62160 adding configurable autoCleanup implementation for stateful resources, allocated in #beginConvert

There persistent and runtime memory leaks in some kind of user environment, related to stateful requests, for which the final endConvert call is not performed. A new mechanism has been added to the DC server code base in order to be able to automatically finalize stateful beginConvert/getPage/../endConvert call sequences in cases, the final endConvert is not called at all (e.g. routed to the wrong DC server node. a broken HTTP connection, …

62106 Ical import fails with 503 error

Out Of Memory when importing large iCal files.This has been solved by reducing the used heap space. Detailed informations about the import limit “com.openexchange.imort.ical.limit” are available here:See

62076 Replies to Guard emails broken

When replying to an encrypted email, the compose dialog shows the ENCRYPTED mail rather than the proper decrypted content. This also breaks the Guest replies. This is limited to Customer that have the feature setting io.ox/mail//features/fixContentType=true.Now it is possible to reply to Guard emails also io.ox/mail//features/fixContentType is “true”.

62034 Appointment series ends one day to early

UNTIL in the recurrence rule has been interpreted as a date value by the UI, whereas it should be a datetime value.The UNTIL part of the recurrence rule now contain as a datetime value. Therefore, the zulu timestamp in UNTIL is now after the startdate of the last occurrence.

61998 Not able to change access control in emClient

The OX permission model requires the “DAV:read-acl” and “DAV:read-current-user-privilege-set” privileges to be granted in each ACE. When attempting to set an ACE without those privileges, a “DAV:not-supported-privilege” error is raised.This has been solved by automatically assume “DAV:read-acl” and “DAV:read-current-user-privilege-set” if missing instead of throwing an error.

61989 Imported contacts are not shown in contact picker

Tis was casued by using of cached data.This has been solved by clearing cache on import.

61893 Guard Guest Accounts gives Timeout or Mails are not shown

This was caused by a timeout because guest sessions were not synced between servers.Now guest sessions are synced between hazelcast server.

61887 Relative dates (today, yesterday) in search facet are only evaluated once

Cache generated smart date catalogue only for current day.

61884 Date search results displaying results of a search DAY and DAY+1

Parsed date wrong for IMAP results.Now just one date is used for results. This is just a partial fix. A full solution would be to request a longer timeframe and to do the slicing manually. But this rather requires a larger change to the search module and can not be handled inside a patch.

61859 CardDAV: weird / unexpected behaviour when entering / syncing CardDAV addresses

The EMAIL mapping for vCards ignored a third email address in case there are others explicitly marked as HOME or WORK.This has been fixed by using first non work/home/other address as fallback if no distinguishing e-mail type found.

61823 Drive shows main folder content instead of content from selected folder

Wrong root folder selected after removing a folder.This has been solved by removing superfluous event trigger and fixed regular expression.

61799 Sending email to participants with only second email not possible

It was not possible to send an email to an appointment participant if he had only a secondary emails address entered inside the address book.This has been fixed by using provided data instead of fetching everything.

61784 Using OX with Dovecot XOAUTH / OAUTHBEARER seems to be broken

Proper check if mail account can be connected to with respect to possible OAuth authentication type has been added.

61777 Out of office information in Mail module not wrapped

The three dots shown at the end of the shortened message were hidden by the close icon.This has been solved by adjusting the padding to prevent the overlapping.

61756 Calendar: Sunday day name in year view not in red color

Index overflow (day 8 instead of 1) let to a non-red marked Sunday.Now using correct modulo to display the Sunday in red.

61726 Properties in Tasks-Burger-Menu is missing

Properties menu was disabled for tasks and extension points where not working with tasks.This has been solved by reenabling properties menu and adjusted extension points to support tasks again.

61660 Add a google calendar for not working

The reason for this is that the default implementation of the google calendar is a read only provider and therefore requires an activated calendar_ro module. You can find the info here: Even though it is stated that the ‘calendar_ro’ module is required, it isn’t clear that the ‘calendar’ module is not applicable here. Therefore improved the documentation on this part.

61645 No weekdays name are shown when printing Calendar

When a language with a different start of the week than sunday was selected, the loop to generate the days was not generic enough.This has been fixed by creating week-days more generic depending on the start of the week.

61525 Small glitch in mail counter for unread messages

Detail view set mail to read although the selection did not change.After manually setting to unread keep unread state until selection changes to solve this issue.

61427 Wrong hint in the Settings page for reload or relogin

Adjusted reload/relogin hint and added translations.

61412 Expires on check box is not getting edited when user tries editing for an existing calendar folder

When a second modal dialog is opened, the focusin-listener of the second dialog is registered before the listener of the previous dialog is removed. Since the keepFocus function is bound to the prototype of the dialog, the unregistration removes the listeners for all instances. Therefore, the keepfocus function is not correctly registered and will not keep the dropdown open when the dialog loses focus. That leads to the problem, that no click events are triggered on the elements of the dropdown and thereforce, no model updates are triggered.This has been solved by adjusting focusin events, so they are also correctly registered for the second (or third or fourth) modal dialog. Therefore, bind keepFocus to the current this value and make it unique.

61388 Signatures not above quoted text

If in ‘Settings -> Mail -> Signatures’ the option “Add signature above quoted text” is selected, the signature in forwarded mail is not above, it’s placed at the bottom of mail.Solution: Added “com.openexchange.mail.forwardUnquoted” setting to JSlob under path
“io.ox/mail//forwardunquoted” and use different ‘selector’ in forwarding context when mail are forwarded unquoted.

61167 Mail folder could not be found: confirmed-spam

Spam/ham information advertised mail account data even though no spam handler was available or concrete spam handler tells to not create such folders.This has been fixed by suppressing spam/ham information in mail account data if spam is disabled or no such folders are supposed to be created according to spam handler specification.

61017 Messages in Create new rule window for filter is not intuitive

Editing the size condition is not intuitive since there is no hint how to handle different units.This has been solved by adding the possible units next to the comparison dropdown.

60826 Sharing is not fully capable to deal with “segmented updates”

The LOCATED_IN_ANOTHER_SERVER exception was not properly handled in the ShareServlet. This has been fixed by handling the exception properly, i.e. redirect the client to the appropriate node. Introduced a new migrationRedirectURL property for the servlet to use in order to send a redirect to the correct node.

59957 Mail selected after login, might not be visible to user

Selected mail not scrolled into view.Now scroll selected mail into view to have this mail displayed.

55916 After creating an event in korganizer, the cal-dav agent crash

We adjusted this now to properly respond with the CALDAV:no-uid-conflict precondition, see for details. With these changes the client at least no longer crashed in our tests. However, creating different calendar object resources with the same UID value is still not allowed.

55298 Maximum configured sized needs to be fixed for Japanese Error message

Response format was strangely encoded HTML.This has been solved by forcing response format to be correct HTML with JSON data.