Last Update: 2019-05-21
CVSS: 5.4
CVSS: 5.4
CVSS: 6.5
CVSS: 3.3
CVSS: 4.1
CVSS: 7.1
Different checks for folder name equality may cause the INSERT statement to fail during folder creation under certain circumstances.This has been fixed by using lowercased binary collation when comparing names during folder creation.
This has been solved by fixing broken collection invalidation.
The copy task for events failed in case there is an event without an organizer.Adjusted the behavior to make copy possible for this scenario.
The last-modified / timestamp handling for WebDAV documents in the middleware could not be used reliably by some clients to detect if a file contents was changed.This has been solved by considering sequence number during ETag generation / Map {DAV:}getlastmodified to the sequence number property / Write out “Last-Modified” HTTP header in GET/HEAD responses by default / Actively set “last-modified” during updates unless overridden by client / Added support for commonly used {DAV:}lastmodified to read/write an infostore document’s last modified property.
IMAP server advertises multiple public namespaces, but Open-Xchange Middleware only checks for one.This has been solved by paying respect to possibly multiple public namespaces when determining proper ACL identifier.
If model was not in pool, it was not requested by the API.Fixed boolean expression for filter.
Local timestamp was used in one check.This has been solved by using correct utc timestamp.
Ensure to follow redirects when retrieving updated timezone definitions to solve this.
Race condition during app start. The app was initialized and resumed at the same time.Do not resume apps that are currently starting anyway to solve this issue.
When an iMIP request is received whose organizer can be resolved to an internal user within the current context, he was treated as internal entity. As creating events such events is forbidden, an error was raised when reypling to such an event.This has been solved by not resolving organizer when importing event from iTIP message.
Duplicate re-parsing of the corrupt message avoid further processing.Re-parse a message only one time to prvent this error.
If an attendee removes himself from one occurrence of an externally organized event series, and a consecutive organizer update to the series is applied later on, a check preventing from reinstantiating previously deleted occurrences kicks in and a permission denied error is raised.This has been fixed by taking over delete exception dates from externally organized events as-is.
In certain CalDAV reports, calendar object resources consisting of multiple events were listed multiple times in responses.Only include a calendar object resource once in responses.
Ensure no duplicate entries are left in “filestore2user” table when trying to change its PRIMARY KEY to prevent this issue.
External images are erroneously considered during content id extraction.Now ignore external images to solve this..
Move only updates are not ignored within itip handling.This has been fixed by ignoring move only updates within itip handling.
Java’s date format parsing routine does not work when a partial timezone defintion is used.Retry parsing using a built-in timezone definition in case of parsing errors as a workaround.
The contents of all message-mapped file attachments were queried that matches a client-given search expression.Solution: Try to map given sort criteria to an IMAP sort term to perform a filtered sort command. Extract the requested chunk (…&limit=10) from that sorted result set to only fetch the content of relevant messages.
This was caused by a combination of invalid data and unnecessary email address parsing.Invalid data cannot be fixed by OX, but we disabled the check for mail addresses.
During the closing process the Address Picker was not properly reseted.Now the folder selection is reseted during the closing of the address picker.
The default copyright is now displayed correctly.
All html entities below 255 do not require a semicolon. Therefore " × £ etc. are encoded.This has been fixed by encoding ampersand to prevent encoding of html entities.
The menu entry for “What’s new” and “Guided Tour” wasn’t disabled for guest.
Some misinterpretation of CSS from IE 11 caused this issue.This has been solved by adding a CSS fix only for IE11 to handle this issue.
This was caused by a vacation notice which makes use of the date range (current date test) and the zone option in this test is missing. This happens if the vacation notice was created with a older appsuite version. A missing zone option will now be compensated based on the current values.
For initial values or changes of recurrence type, the other field does not need to be explicitedly set to null. In fact, the middleware throws an error if it is set.Solution: Only set these values to null if the recurrence type is set to never.
This is just an improvement for signatures: Signature with empty content (only whitespace) will not be added anymore.
The root cause seems to be a bad token used for list query against the google api. Now a full sync as fallback is done in case of bad sync tokens.
Conditional headers have only been matched on resources with an entity tag present (i.e. not for collections that have no body).Solution: Also match conditional headers against resources without entity.
Remote parameter names were not correctly initialized when fetching a session representation from Hazelcast IMDG.This has been solved by orderly initializing remote parameter names when fetching a session representation from Hazelcast IMDG.
Update process is triggered automatically when loading a context and context-associated DB schema has pending update tasks.Solution: Do not trigger update if context is disabled.
In case context-associated server does not match the server associated with target node a CTX-0012 error is thrown, which initiates automatic redirection to another node (as configured through “com.openexchange.server.migrationRedirectURL” property).Solution: Do not throw CTX-0012 error in case context is disabled to avoid automatic redirection to another node. Instead, outer logic recognizes tat context is disabled through authorization service.
Broken encoding in style tag caused js error.This has been fixed by making sanitizer more robust so no error occurs.
Links opened by blankshield are blocked due to security reasons.Solution: Open links with rel=“noopener” directly in chrome 72 and above. Note that this is just an intermediate fix and will be replaced as soon as the issue is fixed in blankshield.
Fixed wrong comparing on server side.
UpdateTask was missing an index exists check.Solution: Added an index exists check.
In contrast to the main activation button the little toggle is considering the date range.The little toggle now only depends on the active state of the rule.
Bundling orginal tokenfield file (static) lead to loading it’s content twice and custom ‘prototype’ fixes in our tokenfiled.js was overwritten by the second load.Solution: Clean up bundle.
The reminder was not parsed properly since a recent change.
Savepoints were created in old versions (7.8.3), that were not supposed to be created.Solution: Cleanup savepoints once in any higher version than 7.8.3
User input was translated to SQL wildcard.This has been solved by avoiding wildcard in special contact search.
By adding poppler-data content to the open-xchange-pdftool package and using the correct data path, approprioate unicode code points can be displayed when rendering PDF pages. The package license has been changed to GPL in order to be compliant.
The security attribute is always reapplied even if there is no previous object.This has been solved by making sure that at least an empty object as previous object exists.
The unified mail storage returned normal mail ids instead of unified ones for copy/move commands.Solution: Return proper unified mail ids.
Updated the User Docu to have all needed informations.
Dropping images to an iframe caused the browser to reload the whole view which might lead to data loss. Since no easy fix was found, we disabled drag and drop.Reenable drag and drop by attaching listeners inside the iframe which will prevent reload of the page with the dropped content on the one hand and on the other hand correctly uploads image based on the previous mechanisms.
There was no check to determine whether the ‘contexts_per_dbschema’ table contained any schemata of a database object, before beginning with the insertion of the schemata tied to that database object.This has been fixed by performing a check to determine whether the ‘contexts_per_dbschema’ table contains any schemata of a database object before blindly beginning with the insertion.
Web accessibility steals the focus on clicking into the subject field on Internet Explorer.Do not apply refocus on click because this should only happen with keyboard navigation to solve this issue.
Some *DAV-clients were not detected and used wrong fallback.This has been fixed by improving detection of *DAV-clients and set correct fallback by checking session’s origin.
UI was too restrictive regarding move action.This has been solved by enabling move action but grey out unsupported folders.
Backend writes configuration for recently opened documents while the tour is running. This (wrongly) deletes the “shown” flag of the tour. After the tour has been finished, the “shown” flag will be saved again to the configuration.
Added a workaround for IE11 in the appcontrol.
Only checked weekdays and not if it’s the same week.This has been solved by adding check if it overlapps into next week.
Pasting a value into an input field triggered no validation and may result in a disabled save button.
The causing exception was hidden, which has been changed to find the root cause of this bug.
Always used UTC as the timezone to calculate the recurrence position of an task.This has been solved by using server default timezone instead.
Print used own format of address where it was not possible to internationalize the address.This has been fixed by using internationalization approach which is already used to display the address in the contacts detail pane.
does not use CertificateRetrieval within ResolveRecipients, but EAS expected it (is allowed in 12.1).This has been solved by improving parsing of ResolveRecipients (according to 12.1) and GetItemEstimate (according to 14.0).
Caused by trying to access IMAP via an unconnected socket due to a previous I/O error (socket closed unexpectedly by remote host/IMAP).Now a re-connect to IMAP server on unexpected socket closure is done.
In case the account details for the internal is hidden default values (null) were send to validate call.This is fixed by extending the list of properties that do not have to be verified by all folder-fullname properties
Invoke a “post deletion” call-back to reseller plug-in to let reseller information being cleared when context has been successfully removed, to solve this issue.
Two wrong translations were adjusted to fix this.
When the arguments of the action commands ‘enotify’, ‘vacation’ and ‘pgp_encrypt’ are extending over multiple lines and those action commands have more than one arguments, then only the first argument was considered while counting.Solution: Iterate over all arguments of the previous mentioned action commands.
Adobe external CMaps were not copied to the build folder and pdf.js was not configure to use them.This has been fixed by adding CMaps folder to the thirdparty copy script and configured pdf.js to use them.
Disablecontext throws exception if context was already disabled.Solution: Idempotent handling of disablecontext which means each call results in a db statement like “UPDATE context SET enabled = 0, reason_id = 42 WHERE cid = 1”.
UI accidentally used ‘noimg’ or ‘trusted’ as value for api parameter ‘view’. In case ‘Allow html formatted emails’ is disabled the only valid value is ‘text’, this was adjusted to fix this issue.
The “select all” button has no effect on the vacation notice model due to a wrong naming.This has been fixed by changing the attribute name accordingly so the model can be handled correctly.
This has been solved by changing the href property to ‘mailto:’ in the from widget (mail compose) an the participants widget (calendar, tasks) so only the mail address get’s pasted.
Root cause: Long overflow during calculation of the rate limit window.Solution: Don’t always double the window on each consecutive login attempt.
Config option “com.openexchange.servlet.maxInactiveInterval” is not orderly applied to spawned HTTP sessions and therefore they don’t get removed.This has been fixed by orderly setting timeout for HTTP sessions.
The Moment and moment-interval framework used inconsistent time formats in japanese. Update locales in moment-interval plugin to be consistent.
Removes button ‘manual’ cause is it used as fallback in case autodiscover fails and should not be handled as a separate option for ux reasons.
Added support for importing encrypted ical files.
Missing sortname for list members.Address picker issue has been fixed, Distributionlist issue is still there, because backendpart cannot be backported, this will be available with 7.10.2.
Too generic approach in the recurrence view. All timezones with negative offset are affected. In detail, the timezone of a task (utc) wasn’t considered when creating the recurrence rule.This has been solved by considering different timezones when using calendar or task. StartDate of calendar knows its timezone whereas tasks are always in utc.
Size calculation was not correctly taking external files into account.This has been fixed by changing the calculation to respect all sizes of the attached files including external files.
UI waits for timeout of the middleware which might take a lot of time.This has been solved by introducing a timeout for snippets which aborts the request after 15 seconds. Nevertheless, this is still a workaround since the actual issue is the slow/non-responding S3.
Settings considered all apps which where rendered in the launcher and did no dedicated capability check.Filter for apps, which are disabled by capabilities but might be visible due to upsell to solve this issue.
CSS background-size’s implicit height value ‘auto’.Solution: Use 100% as value for height.
Not considered the special case for all-day events which were then printed the day before they started and the day after.This has been solved by filtering correctly for all-day appointments.
Running the PDFTool, the internally used poppler library had no access to externally provided poppler-data character classes. By adding poppler-data content to the open-xchange-pdftool package and using the correct data path, approprioate unicode code points can be displayed when rendering PDF pages. The package license has been changed to GPL in order to be compliant.
The defined dependency of the update task (com.openexchange.groupware.update.tasks.ContextAttributeConvertUtf8ToUtf8mb4Task) might be excluded and could not be solved.This has been fixed by setting dependency to com.openexchange.groupware.update.tasks.CreateIndexOnContextAttributesTask.
The rule title was missing the translation capability.This has been solved by adding the translation capability.
Adjusted translation for place.
#beginConvertThere persistent and runtime memory leaks in some kind of user environment, related to stateful requests, for which the final endConvert call is not performed. A new mechanism has been added to the DC server code base in order to be able to automatically finalize stateful beginConvert/getPage/../endConvert call sequences in cases, the final endConvert is not called at all (e.g. routed to the wrong DC server node. a broken HTTP connection, …
Out Of Memory when importing large iCal files.This has been solved by reducing the used heap space. Detailed informations about the import limit “com.openexchange.imort.ical.limit” are available here:See https://documentation.open-xchange.com/components/middleware/config/7.10.1/index.html#mode=features&feature=Import/Export.
When replying to an encrypted email, the compose dialog shows the ENCRYPTED mail rather than the proper decrypted content. This also breaks the Guest replies. This is limited to Customer that have the feature setting io.ox/mail//features/fixContentType=true.Now it is possible to reply to Guard emails also io.ox/mail//features/fixContentType is “true”.
UNTIL in the recurrence rule has been interpreted as a date value by the UI, whereas it should be a datetime value.The UNTIL part of the recurrence rule now contain as a datetime value. Therefore, the zulu timestamp in UNTIL is now after the startdate of the last occurrence.
The OX permission model requires the “DAV:read-acl” and “DAV:read-current-user-privilege-set” privileges to be granted in each ACE. When attempting to set an ACE without those privileges, a “DAV:not-supported-privilege” error is raised.This has been solved by automatically assume “DAV:read-acl” and “DAV:read-current-user-privilege-set” if missing instead of throwing an error.
Tis was casued by using of cached data.This has been solved by clearing cache on import.
This was caused by a timeout because guest sessions were not synced between servers.Now guest sessions are synced between hazelcast server.
Cache generated smart date catalogue only for current day.
Parsed date wrong for IMAP results.Now just one date is used for results. This is just a partial fix. A full solution would be to request a longer timeframe and to do the slicing manually. But this rather requires a larger change to the search module and can not be handled inside a patch.
The EMAIL mapping for vCards ignored a third email address in case there are others explicitly marked as HOME or WORK.This has been fixed by using first non work/home/other address as fallback if no distinguishing e-mail type found.
Wrong root folder selected after removing a folder.This has been solved by removing superfluous event trigger and fixed regular expression.
It was not possible to send an email to an appointment participant if he had only a secondary emails address entered inside the address book.This has been fixed by using provided data instead of fetching everything.
Proper check if mail account can be connected to with respect to possible OAuth authentication type has been added.
The three dots shown at the end of the shortened message were hidden by the close icon.This has been solved by adjusting the padding to prevent the overlapping.
Index overflow (day 8 instead of 1) let to a non-red marked Sunday.Now using correct modulo to display the Sunday in red.
Properties menu was disabled for tasks and extension points where not working with tasks.This has been solved by reenabling properties menu and adjusted extension points to support tasks again.
The reason for this is that the default implementation of the google calendar is a read only provider and therefore requires an activated calendar_ro module. You can find the info here: https://documentation.open-xchange.com/7.10.1/middleware/components/calendar/implementation_details.html#google-calendar. Even though it is stated that the ‘calendar_ro’ module is required, it isn’t clear that the ‘calendar’ module is not applicable here. Therefore improved the documentation on this part.
When a language with a different start of the week than sunday was selected, the loop to generate the days was not generic enough.This has been fixed by creating week-days more generic depending on the start of the week.
Detail view set mail to read although the selection did not change.After manually setting to unread keep unread state until selection changes to solve this issue.
Adjusted reload/relogin hint and added translations.
When a second modal dialog is opened, the focusin-listener of the second dialog is registered before the listener of the previous dialog is removed. Since the keepFocus function is bound to the prototype of the dialog, the unregistration removes the listeners for all instances. Therefore, the keepfocus function is not correctly registered and will not keep the dropdown open when the dialog loses focus. That leads to the problem, that no click events are triggered on the elements of the dropdown and thereforce, no model updates are triggered.This has been solved by adjusting focusin events, so they are also correctly registered for the second (or third or fourth) modal dialog. Therefore, bind keepFocus to the current this value and make it unique.
If in ‘Settings -> Mail -> Signatures’ the option “Add signature above quoted text” is selected, the signature in forwarded mail is not above, it’s placed at the bottom of mail.Solution: Added “com.openexchange.mail.forwardUnquoted” setting to JSlob under path “io.ox/mail//forwardunquoted” and use different ‘selector’ in forwarding context when mail are forwarded unquoted.
Spam/ham information advertised mail account data even though no spam handler was available or concrete spam handler tells to not create such folders.This has been fixed by suppressing spam/ham information in mail account data if spam is disabled or no such folders are supposed to be created according to spam handler specification.
Editing the size condition is not intuitive since there is no hint how to handle different units.This has been solved by adding the possible units next to the comparison dropdown.
The LOCATED_IN_ANOTHER_SERVER exception was not properly handled in the ShareServlet. This has been fixed by handling the exception properly, i.e. redirect the client to the appropriate node. Introduced a new migrationRedirectURL property for the servlet to use in order to send a redirect to the correct node.
Selected mail not scrolled into view.Now scroll selected mail into view to have this mail displayed.
We adjusted this now to properly respond with the CALDAV:no-uid-conflict precondition, see https://tools.ietf.org/html/rfc4791#section-5.3.2.1 for details. With these changes the client at least no longer crashed in our tests. However, creating different calendar object resources with the same UID value is still not allowed.
Response format was strangely encoded HTML.This has been solved by forcing response format to be correct HTML with JSON data.