Last Update: 2024-04-23
Bug impact and solution description for Bug #2
Bug impact and solution description
This was caused by missing max-width.This has been solved by adding max-width without an auto width.
This was caused by missing cache invalidation.This has been fixed by adding missing cache invalidation.
No check for an invalid day/month.Now, if an invalid date will be detected during input, an error message is displayed.
Uploading multipart/* parts messed up mail’s MIME structure during compose.Now don’t mess-up MIME structure by adding multipart/* parts through attachment API.
Unreliable S3 endpoint and no possibility to compile ZIP archives locally on the hard disk first.Mitigate with possible “java.io.IOException: Resetting to invalid mark” when writing ZIP entries to file storage location. Added possibility to have ZIP archive compiled for a certain module being spooled to a local disk.
Not able to parse addresses with multiple opening angles ‘<’ e.g. “<jane@nowhere.com>”.This has been solved by improving parsing routine to cope with multiple opening angles ‘<’.
Event w/o set TRANSP value not found when searching overlapping events.This has been solved by including events with unset TRANSP when loading overlapping events from storage.
CVSS:5.4
CVSS:5.4
CVSS:5.4
CVSS:6.1
CVSS:10
Exceeded the specified limit for the number of items returned breaks exact comparison to identify incomplete results.This has been fixed by using “equal or greater than”.
Check for HTTPS logout location.Solution: Allow HTTP logout location. Note: It is not recommended. Https should be preferred.
Was caused by misleading labels.This has been solved by better UI error handling and improved labels (public link).
Unexpected error when handing down search query with wildcards into LDAP mapping for distribution lists.Solution: Transfer search query as display name to distribution list entries.
Possible endless attempts to delete the same items when a calendar folder is cleared.This has been solved by not retrying to delete the same events repeatedly when clearing a folder.
Empty address string advertised on corrupt address.Don’t advertise an empty address string on a corrupt address to solve this issue.
Lowercase “content-length” header re-inserted for S3 CopyObjectRequest under certain circumstances.This has been solved by using default object metadata when initializing CopyObjectRequest.
Was caused by an incomplete translation.This has been solved by correcting the missing header entries.
Missing check for selection length.This has been solved by adding check for selection length.
Message move operation did not consider possibly “UTF8=ACCEPT” capability when passing mailbox names.This has been fixed by writing mailbox name as UTF-8 if IMAP server advertises “UTF8=ACCEPT” capability.
IMAP entity’s display name used when listing shared folders.This has been fixed by adding config option “com.openexchange.imap.useIMAPEntityDisplayNameIfPossible” to control whether to use IMAP entity’s display name when listing shared folders. Customer is supposed to set that property to false.
Personal folder re-assigned to context admin if last changed by deleted user.Solutionn: Ensure to only re-assign “changed_from” column upon user deletion.
Was caused by NPE at AbstractCompositingIDBasedAccess.java:334.This has been solved by avoiding NPE by explicitly setting an initial value.
Possible null-reference when checking mail’s content disposition parameters.Solution: Guarded access to mail structure’s content-type and -disposition.
CVSS: 5.4
CVSS: 7.1
CVSS: 6.5
CVSS: 6.5
CVSS: 6.5
CVSS: 6.1
Shared folders from different owners with the same display name lead to conflict.This has been solved by orderly dealing with shared folders from different owners with the same display name.
The login source wasn’t correctly identified in case session-full-login was used.This has been fixed by properly identifying session-full-login as the login source.
Handling for “move” was missing.Just added missing move-handling to solve this issue.
Middleware is unable to parse inline, base64 encoded images in ‘img’ tags.This has been solved by removing inline SVGs from mails before issuing the first save action on a new composition space/draft.
Wrong part number indicated in multipart upload to S3.This has been solved by indicating the correct part number in multipart upload to S3.
MySQL denies modifying a column belonging to PRIMARY KEY.This has been solved by dropping PRIMARY KEY before modifying column belonging to PK, then re-create PRIMARY KEY.
Provisioning related log properties not dropped after log message has been issued.Ensure provisioning-related log properties are dropped once the message has been logged.
Optimized moving folder (and its subtree) to trash to solve this.
Unsupported image format prevents from replying to a mail.This has been solved by handling unsupported image format as illegal image upload.
EAS uses UTC datetime, but HTTP API call mail filter uses local time zone.This has been fixed by adding 12 hours to datetime to retain the correct day during data exchange.
Fixed reading of properties for external ical files to solve this issue.
Unified Mail message confuses user look-up by E-Mail adress.Solution: Orderly handle Unified Mail messages when examining a message for scheduling information.
assuming a UIDL is at most 15 characters.This has been solved by not limiting POP3 server response when querying UIDLs of available messages.
S3 API does not allow to delete more than 1,000 objects at once.This has been solved by not batch-deleting more than 1,000 objects from S3 storage using DeleteObjects request, see https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObjects.html
Newly introduced reserved words were not escaped properly in statements.This has been solved by adding proper escaping.
CVSS:5.4
CVSS:5.4
CVSS:8.1
Converters were broken due to an added bundle to the backend which is required for the correct start-up.This has been fixed by adding the bundle to the launcher for Imageconverter and Documentconverter.
This was caused by wrong usage of line height.This has been solved by removing line height using flex instead.
Annoying ERROR log message if “User” cache key is not an integer.This has been solved by avoiding unnecessary ERROR log message.
“INBOX” folder was not translated for secondary accounts.This has been fixed by adding the translation for “INBOX” folder for secondary accounts.
Missing SOAP interface to manage user sessions, but available via closesessions command-line tool.This has been solved by adding the possibility to clear user sessions through the new OXSessionService SOAP interface.
CVSS:5.4
CVSS:7.6
CVSS:8.8
Consistency check not working due to missing reference to user filestore, utility output incomplete when per-user filestores are used.This has been solved by taking over selected filestore ID properly during user creation, introducing update task to re-insert missing filestore references, and collecting and outputting records properly during “list_unassigned”.
Different max. sizes for user name, mail login, primary mail address, and further user aliases.Solution: Have a max. common size of 191 characters for user name, mail login, primary mail address, and further user aliases.
CVSS:5.4
CVSS:7.6
CVSS:8.8
Consistency check not working due to missing reference to user filestore, utility output incomplete when per-user filestores are used.This has been solved by taking over selected filestore ID properly during user creation, introducing update task to re-insert missing filestore references, and collecting and outputting records properly during “list_unassigned”.
Different max. sizes for user name, mail login, primary mail address, and further user aliases.Solution: Have a max. common size of 191 characters for user name, mail login, primary mail address, and further user aliases.
io.ox/mail//viewOptions/virtual/all-unseen/thread set to true was not supported.This has been solved by making code more robust and use unthreaded option for all-unseen folder in any case.
If the Drive Mail dialogue is cancelled, the original settings will not be restored correctly.This is solved by ensuring that the original data is not deleted.
Option for a “hard delete” was not available until the latest update of the compose API.Now empty/unchanged compositions space will use the new param “harddelete”, to solve this issue.
Broken mail. CSS commented out using HTML style () while style tags need to use CSS style (/* */)This has been solved by fixing comments in style tags. Mail still doesn’t look good but that is just the mail styling itself.
Context was disabled but it was directly enabled again even though the task was executed asynchronously.This has been solved by only enabling the context after the task has finished and also properly invalidating the context cache.
Wrong range passed to contained sub-accounts when checking for available mails.Now pass proper range to contained sub-accounts when checking for available mails to solve this.
Property “com.openexchange.imap.maxNumConnections” not strictly obeyed.This has been solved by improving implementation for “com.openexchange.imap.maxNumConnections” property.
NO FIX!Added logging for IMAP protocol error.
CVSS:5.6
CVSS:4.3
CVSS:6.1
CVSS:5.4
CVSS:5.4
CVSS:9.6
CVSS:9.6
CVSS:9.6
CVSS:7.4
Outdated help Version which accidentally contains the Chat topic.This has been fixed by installing the fixed Help version.
Standard folders of secondary accounts were not translated.Now translate standard folders of secondary accounts as well.
Invalid check against blocked hosts/allowed ports when obtaining status for subscribed mail accounts.This has been fixed by not checking against blocked hosts/allowed ports when obtaining status for subscribed mail accounts.
Database statements were not closed on user deletion.Orderly closing database statements have fixed this on user deletion.
Solved by fixing the typo in log message.
Modified Chrome behavior. After opening the software keyboard, a change in Chrome triggers immediate close of the software keyboard.This has been solved by adding a timeout, so that event for immediate closing of the software keyboard is not handled.
Blocked hosts (see “com.openexchange.mail.account.blacklist”) applied to configured IMAP host used for IMAP authentication.Now assume configured IMAP host for IMAP authentication does not need to be checked against blocked hosts (see “com.openexchange.mail.account.blacklist”).
Wrong URI defaults for IMAP when parsing SMTP server on changeuser invocation was used.This has been fixed by using SMTP default settings when changing a user’s assigned SMTP server.
Orphaned event instances can’t be imported.This has been solved by removing references to series event for orphaned event instances. Thus, the orphaned event instances will be transformed to “normal” single events.
Instead of an authorization header a query string was used.This has been fixed by using an authorization header instead of a query string.
iCAL feed couldn’t be added because the name of the feed matched a reserved folder name (Calendar).This has been solved by allowing reserved folder names for iCAL feed based calendar (folder).
macOS calendar uses a new User Agent.macOS/13.4 (22F66) dataaccessd/1.0 This identifier is unknown to the server and thus special handling can’t be applied. Therefore, X-CALENDARSERVER-ACCESS parameter is ignored, and therefore private flag isn’t translated correctly.This has been solved by adding the new user agent to the set of known macOS calendar clients. Also, see SCR-1220.
On mobile, appointments were only added to the starting date.Appointments now get added to every date in their duration.
e.g. “bob@example.com (Bob Smith)“.This has been solved by avoiding excessive parsing of E-Mail addresses possibly containing CFWS personal names.
Accidental expunge of POP3 messages that could not be synced due to over-quota error.Don’t expunge messages from POP3 storage that could not be added to backing primary mail storage to solve this issue.
Moment-timezone library was not upgraded.This has been solved by bumping moment-timezone release to latest.
Under some circumstances, the MW sends the vacation domains as part of the rule, in some cases, it does not. UI does not expect the tests to be part of the API response and fails with a runtime error.This has been solved by correctly handling the test in the vacation filter rule.
Unguarded access to user’s (potentially unset) given name under certain circumstances.This has been fixed by checking the user’s given-/surname prior serialization.
This was caused by unoptimized cleanup job configuration and SQL statements.This has been solved by optimizing the cleanup job and SQL query, now only delete when there were use counts to decrement.
This has been solved by adding the missing word.
Now start report generation in parallel to identifying the schema contexts.
Parser rules don’t support illegal escaped characters.This has been solved by adding an additional rule which accepts illegal escaped characters.
There was another possible occurrence when serving the OPTIONS method that still used INFO logging.
CVSS:5.4
CVSS:5.4
CVSS:5.4
CVSS:5.4
CVSS:5.4
CVSS:5.4
CVSS:7.5
CVSS:5.5
CVSS:3.5
CVSS:4.3
Filepath was undefined instead of empty string.This has been solved by making the check less specific. Sidenote: Firefox mobile is not officially supported but it should work now.
Caused by some CSS issues.This has been fixed by adding some CSS.
No option to prevent the creation of guest users with specific email addresses.Introduced new property “com.openexchange.share.guestEmailCheckRegex” to allow additional checks (SCR-1203).
IOException when using POP3 account. Some methods weren’t implemented, thus the Java internal object reference was used instead of the value stored in the object (the commands used for communication to the POP3 server).This has been solved by implementing toString() method of newly introduced appenders in LineLimitedBufferedReader along MWB-2048.
Unnecessary Data Retrieved from Filestore when Serving WebDAV Requests with Range(s).This has been solved by forwarding requested range(s) to underlying filestore if possible.
Each message of a multiple mail forward is NOT marked as forwarded.This has been fixed by marking each message of a multiple mails forward as forwarded.
Connect parameters not orderly parsed on mail account update.This has been solved by orderly accepting connect parameters when updating a mail account’s attributes.
Missing Set-Cookie directive when resolving share link under certain circumstances.Orderly set session- and share-cookie when resolving share link to solve this issue.
Public task folders were not properly deleted in case no-reassign was set.This has been solved by properly handling task folders in case no-reassign is set.
Log level was too high.This has been solved by changing log level regarding forbidden devices from info to debug.
The “guest” capability can also include guests with administrator rights and authors.Now only if a user is “anonymous” the function “move” is not offered.
Deletion of user prevented by guest users with references to user’s filestore.This has been solved by auto-deleting guests when owner of per-user filestore is deleted (SCR-1193).
Baseline library version for commons-text has been incremented to 1.10.0.Rebuilding the affected branches for backend based services fixes the problem.
Last patch broke documents on RHEL due to updated unzip with zip bomb detection.This has been solved by disabling jar repacking of open-xchange-documents-backend on RHEL.
CVSS:4.3
CVSS:4.3
CVSS:4.3
CVSS:5
CVSS:3.5
CVSS:6.5
CVSS:3.2
CVSS:8.3
CVSS:5
Height calculation was too early and missed margin/padding etc.This has been fixed by triggering height calculation a second time, slightly later so that the css is applied correctly.
Missing sorting by folder name.This has been solved by adding sorting on client side.
Missing option to exclude specific log files.This has bbeen solved by adding a new optional parameter for excluding specific log files. /opt/open-xchange/sbin/oxsysreport –exclude-logs-filter ‘/oxnotifyd.log|/auth.log’
Unexpected hard coded log location for osci and console log.This has been fixed by always including default log location /var/log/open-xchange.
Missing Set-Cookie directive when resolving share link under certain circumstances.This has been solved by orderly setting session- and share-cookie when resolving share link.
i18n name set for multiple public IMAP namespace.Don’t set i18n name for public IMAP namespace if there are multiple ones configured to solve this issue.
File Picker displayed available space instead of total space.This has been fixed by upgrading to File Picker 1.0.3, where the bug is fixed.
File Picker returns errors only after closing.This has been fixed by upgrading to a new version of File Picker with the new option closeOnError.
Folders in ‘Public files’ folder tree were sorted by date of creation.Now sort alphabetically by folder name.
Chrome behaves differently when using ‘display: flex’.This has been solved by removing ‘pull-left’ from element since this eliminates the issue.
Too narrow for default focus style.This has been solved by adding some padding.
TNEF attachments cannot be downloaded/viewed.Fixed look-up of attachments in case IMAP message has TNEF content.
Missing error message argument on SQL error.This has been solved by specifying missing error message argument on SQL error.
Connection loss errors during mail export operation.This has been solved by trying to recover from possible connection loss errors during mail export operation.
Error while loading nonexistent user for DEBUG logging.Fixed avoidable exception on DEBUG logging.
ArchiveUtility seems to have problems with certain compression levels.This has been solved by using the default compression level for generating GDPR exports.
Folder meta information not correctly set.This has been solved by only changing meta information for a folder if set.
Malformed organizer value in change exception leads to problems when deleting appointment series along with overridden instances.Solution: Don’t let delete operation fail upon malformed change exception data while tracking changes.
used_for_sync was not evaluated properly.Properly set and evaluate “used for sync” for task folders to solve this issue.
The document provided does not follow the specification of the OOXML file format.The docx filter is now more fault tolerant with the w:cryptAlgorithmSid attribute of the settings.xml.
New multi-factor checks were to restrictive for API endpoints delivering multi-factor UI/Frontend code.This has been solved by adding “apps/load” to the multi-factor whitelist.
Only the subject was returned for search requests.This has been solved by inserting all mail details into search result (similar to syncing mails).
Missing properties for secondary accounts as they are available for primary account.This has been solved by adding dedicated properties for secondary accounts according to the ones already in place for primary account.
CVSS: 4.2
CVSS: 4.6
CVSS: 4.6
CVSS: 4.3
CVSS: 5.9
CVSS: 6.5
CVSS: 4.3
CVSS: 4.3
CVSS: 7.1
Domain parameter of a Cookie is set to localhost when dropping the cookie.This has been fixed by only setting “domain” parameter when dropping a cookie if domain value is considered as valid: Not “localhost”. Not an IPv4 identifier. Not an IPv6 identifier.
Updates were applied in wrong order.This has been fixed by first deleting all appointments, then adding new created appointments (since master appointment with same id gets re-created as well).
Sorting by folder name was missing.This has been solved by adding sorting on client side.
In some cases, the calendar would use a start date in the future when selecting in the mini calendar.This has been solved by making sure the calendar start date is on or before the chosen date, never after it.
Selecting multiple rows of text always used the top point of the selection as anchor to jump to.Now depending on the direction in which the selection is shrinking or expanding a different point to scroll to is chosen.
Public task folders were not properly deleted in case no-reassign was set.Now properly handle task folders in case no-reassign is set to solve this.
The entry is not actually deleted but one of the entry’s mail address is overridden by the mail address of the other. Because they are now basically the same the UI only shows one of those elements.This has been solved by improving matching of distribution list members by including the mail field for equality checks. Now only two entries are the same if their mail field is the same. This should prevent unwanted updates.
Guest users accounted to context filestore quota by default.Solution: Let guest inherit sharing user’s filestore if applicable.
Temporary IMAP authentication error after backchannel logout on other node under certain circumstancesRemove sessions from remote nodes during backchannel logout synchronously
UI only knows settings of provisioned state.This has been solved by hiding ‘Connection security’ settings if primary or secondary account or if set to false.
Sender collection was not properly updated.This has been fixed by triggering update to get the current display name.
There is a request limit set by middleware while fetching all mails that leads to an error.This has been solved by considering the limit and only fetch mails within the range of the setting ‘mailFetchLimit’.
This was caused by a scroll handler that loads additional entries.This has been fixed by supporting scrolling on the dialog as well to trigger paging.
This was caused by broken css for compact mode.Fixed this broken css to solve the issue.
Customers tend to change the default OX log directory and as a result, the logs are missing inside the support tarball.Providing a new optional parameter which defaults to the old behavior: oxsysreport –ox-log-dir ‘/my/changed/log/path’
Problems in Connector/J when storing timestamps on DST shifts.This has been solved by configuring useLegacyDatetimeCode: false by default in dbconnector.yaml
There was a problem when parsing negative durations as defined in https://www.w3.org/TR/xmlschema11-2/#durationNow using java time implementation to parse duration values to solve this.
Tab API is used to open a new window for print as pdf. With single tab, the API is not available, hence not opening a new window, but notifying that a new window can’t be opened.This has been fixed by moving the secure window open function to a util class that can also be imported without the enabled tab API.
CVSS: 5.0
Resize function used underscore to determine browser version. Importing underscore was not supported by firefox.Because the browser version was only necessary when using chrome, it is now checked if underscore is defined. If not, the browser is Firefox and the use of underscore is unnecessary.
Added missing translation.
Fixed the Dutch guided tour typos.
Temporary IMAP authentication error after backchannel logout on other node under certain circumstances.This has been solved by removing sessions from remote nodes during backchannel logout synchronously.
Checks were inconsistent throughout the middleware.Aligned the checks with the documentation.
HTTP 400 in case client attempts to change resource in read-only collection under certain circumstances.Solution: Properly indicate ‘DAV:need-privilege’ precondition with HTTP 403 for PUT requests w/o sufficient privileges.
Group names in API responses not subject to translation.This has been solved by using localized display name for groups towards clients.
Possibly excessively big database transaction when clearing Drive trash folder.This has been solved by deleting folders chunk-wise to avoid excessively big database transaction & fire events with a separate thread avoiding unnecessary occupation of deletion-performing main thread.
This was caused by an empty Disposition-Notification-To header.This has been solved by adding a handle for empty Disposition-Notification-To header.
Images of nested messages were not parsed.This has been fixed by adding possibility to parse nested messages. This can be controlled via the new com.openexchange.mail.handler.image.parseNested property which defaults to true. This way it can easily be disabled in case it causes problems.
This has been solved by adding missing translations.
Quite outdated list of https status codes that cause the message to appear.Now the message shown for special cases and http status code 408, 503 and 504.
Column 664 was part of all and list requests. This column is potentially slow on DC side.This has been fixed by removing the column from all and list requests.
Deputy service considered as mandatory in case user replies to a message residing in a shared mail folder.Solution: Do not require deputy service in case user replies to a message residing in a shared mail folder.
Malformed organizer value in change exception leads to problems when deleting “this and future” appointments.This has been solved by not letting delete operation fail upon malformed change exception data while tracking changes.
Removed email addresses in contact referenced by distribution list member handled incorrectly.This has been fixed by removing references to contact in distribution list member when contact’s email is cleared.
CVSS: 4.3
CVSS: 4.3
CVSS: 9.8
CVSS: 5.0
CVSS: 5.0
CVSS: 4.3
CVSS: 9.8
Before http code 301 was used that caused the browser to cache the redirection to unsupported.html (301 represents “Moved permanently”).Now http code 302 is used that should not cache the redirection at all (302 represents “Moved temporarily”).
This was caused by conflicting lists of (default-)folders: io.ox/mail//defaultFolders and list of types in folders/extensions.jsThis has been solved by removing hardcoded entry in folders/extensions.js
This was caused by missing check for organizer rights.Now checking for organizer rights and render as disabled if applicable. Info: We decided that the organizer shall not affect the participant’s calendars folder color. The appointment will always appear in the participant’s folder color. In the edit mode, the color setting for non-organizers will be disabled.
Mail included an element with height of 100%.This has been solved by setting height of root/html tag within iframe to 0 to lever out the 100% height - but only for mails with sender Paypal.
When a new account is created, it is classified as “new” until a refresh is executed. Therefore, “Account added successfully” is displayed until the refresh.Solution: A newly created account is now only recognized as new when it is created. Afterwards, “Account updated” is used.
When using the “send by email” function from drive, the quota is not checked.When using the “send by email” function from drive, the quota will now be checked accordingly and DriveMail will be used if necessary.
USM/EAS client is requesting too many emails with too much information, which is too dangerous for the middleware in terms of memory consumption and unfortunately must be prevented so that the middleware process remains responsive.Don’t put restrictions on such requests in case associated client is USM/EAS to solve this issue.
Guest users who were invited with “author” permissions can adjust permissions of newly created folders, hence remove the sharing user later on.This has been fixed by ensuring internal entity is admin, prevent permission changes by guests.
An individual thread is used to perform asynchronous session storage tasks. In case Hazelcast gets unresponsive, those threads pile up rendering the system unresponsive as too many threads need to be handled by JVM.This has been solved by introducing separate worker(s) for issuing operations against Hazelcast-backed session storage.
Check was only done in contact picker.This has been solved by making a proper check when members are added to the list.
Was caused by incomplete (but still valid) freebusy data.This has been solved by making the planning view more robust, using the data that is there and using defaults for the rest.
Added DEBUG logging.
Failed parsing of RFC 822 E-Mail addresses having “mailto:” prefix in address part.Solution: Orderly parse RFC 822 E-Mail addresses having “mailto:” prefix in address part.
Reminders which are not accessible anymore are usually deleted. This didn’t work in this case because a sligtly different exceeption was thrown.This has been fixed by extending the check to encompass more error codes.
Files/items that require Zip64 support abort creation of resulting data export ZIP archive.This has been solved by introducing new config option “com.openexchange.gdpr.dataexport.useZip64” whether ZIP64 format should be used which supports files larger than 4GB (default is true).
This only includes the partial fix for the potential null pointer that occurred for a user.
False-positive detection of a JavaScript event handler.Fixed false-positive detection of a JavaScript event handler to solve this issue.
Using “SELECT … FOR UPDATE” statements are likely to timeout in distributed/bigger setups.This has been solved by using another (simpler) lock mechanism than using “SELECT … FOR UPDATE” statements that are likely to timeout in distributed/bigger setups.
Event order of TinyMCE is inconsistent which can lead to undefined values.Solution: Be robust when event order is wrong. The scroll position must only be fixed when the order is messed up. That indicates, that the paste-plugin of TinyMCE suffers from the same issue in the 4.x stream and has only been fixed in the 5.x stream.
Improper checks for rendering (1) condition of context sharing options and (2) sharing dialog content.Solution: (1) Improve checks to show correct context options: Files can always be shared to internal users. Distinguish to name context entry “Permissions” or “Share / Permissions” depending on the dialogs content (only permissions information or sharing options)(2) Improve sharing dialog to only permit internal invites when capabilities invite_guests and share_links are set to true.
Mail included an element with height of 100%.This has been solved by setting height of root/html tag within iframe to 0 to lever out the 100% height - but only for mails with sender Paypal.
Js error because of missing event.This has been solved by checking for missing event to prevent error.
Autostart was used every time instead only if logoaction=autoStart.This has been solved by only using autostart if it is configured like that.
Js error because of missing event.This has been solved by checking for missing event to prevent error.
This has been solved by changing the wrong wording.
Inefficient SQL statement to delete Drive items/documents leading to timeout.This has been solved by improving SQL statement to delete Drive items/documents to better utilize existent indexes/primary key.
Failed/timed-out look-up of possible references to shared folders abort clearing a mail folder.Solution: Don’t let failed/timed-out look-up of possible references to shared folders abort clearing a mail folder.
Security settings were not properly applied with next composition space update.Fixed issue with security settings not being properly updated when signing enabled.
Wrong composing of auto-config URL.Fixed auto-config URL string and correctly specify the protocol.
Infostore User-Permissions were checked in case of removed permission.This has been fixed by splitting touched permissions into changed/new and removed permissions. Checking the infostore user -permissions only for changed and new permissions, not removed permissions.
Special “References” header might grow infinitely.Ensure that length of “References” header does not exceed 998 characters - aligned to RFC 2822 - Section 2.1.1 - to solve this issue.
Drive Mail attachments not accessible via mail API.This has been fixed by making Drive Mail attachments accessible via mail API.
Wrapper css class got wrongly applied to body tag.This has been solved by adding exception handling for css rules on body tag.
Attribute ‘draggable=“false”’ was missing.This has been solved by adding missing attribute to disable dragging.
Width of colorpicker was wider than screen width.This has been solved by setting max width to 100% to make all colors visible.
Max filesize was reduced to last selected size on redraw.This has been solved by saving the original max filesize.
All mails in a conversation would get archived.Now only not-sent mails will get archived.
When a new account is created, it is classified as “new” until a refresh is executed. Therefore, “Account added successfully” is displayed until the refresh.A newly created account is now only recognized as new when it is created. Afterwards, “Account updated” is used.
Something in tinyMCE’s paste plug-in caused the described behavior.This has been solved by updating tinyMCE.
This was caused by typos in print.html and print-detail.js.This has been solved by fixing typos in print.html and print-detail.js.
Several change requests for Swedish.This has been solved by applying some changes and rejecting others.
Distribution list entries were not correctly identified in case multiple entries had the same email address.This has been fixed by identifying the entries via their entry id.
Client-given maximum width and maximum height of the target image exceed configured max. supported values.This has been fixed by adjusting client-given maximum width and maximum height of the target image to configured max. supported values.
The reply-to header was ignored in case the mail was sent to one’s own mail address.Don’t ignore the reply-to header to solve this issue.
Messed-up file holder reference when checking for possible image transformation.This has been solved by orderly managing file holder reference when checking for possible image transformation.
CVSS: 4.3
CVSS: 5.4
CVSS: 5.4
CVSS: 5.4
CVSS: 4.3
CVSS: 5.3
CVSS: 5.3
CVSS: 5.0
We introduced restrictions on apps that can be launched. This broke some actions with “closable” apps. Namely edit/create distribution list and invite to appointment actions.This has been solved by introducing list of valid edit apps so the actions work again.
Initials used outdated rampup data.Do not use rampupdata once userdata was changed (we still use them initially to speed things up).
An upload aborted in the UI may be saved in the draft if the upload is already complete but the transfer has not yet been completed.Now allow client to pass “attachments” on final send/save action to drop attachments before sending/saving -> Those attachments not referenced in given “attachments” are removed.
Messed-up file holder reference when checking for possible image transformation.Now orderly manage file holder reference when checking for possible image transformation to solve this.
Only 10 most recent messages are considered regardless if sent or received.Now letting Halo’s investigate call return 10 most recently received and 10 most recent sent messages.
This was caused by wrong implementation of comperator.This has been solved by orderly implementing the comperator and test all restrictions.
The tar argument –exclude-from is positional and was not in the correct place, thus rendering that option ineffective.This has been fixed by setting the –exclude-from argument to the correct position in the oxsysreport tool.
Drive settings were defined as disabled for guests in the past.This has been solved by enabling Drive settings for guests (anon & external guest).
The log message was unclear.In case of a complexity too high error we no longer log the stack trace instead we use this log message: “LoadableDocProcessor: Document could not be loaded because it exceeds the maxWordCount / maxCells limit.”
Was caused by static tooltip.This has been solved by using state depending tooltip for closeaction.
String was not recognized as translatable string.This has been fixend by adding gt calls for this.
Was caused by wrong implementation of comperator.This has been solved by orderly implementing the comperator and test all restrictions.
IDN to ACE conversion for domain parts that are too long keeps processing thread busy for a while.This has been solved by avoiding IDN to ACE conversion for domain parts that are too long.
Now don’t generate preview images if content is password-protected to solve this issue.
Generated token might contain characters which got URL-encoded and do confuse token round-trip.This has been fixed by using only url-safe (hex) characters in generated token.
Last-active time stamp not tracked for CalDAV/CardDAV sessions.Now tracking last-active time stamp for CalDAV/CardDAV sessions, too.
Possible I/O error when trying to write export data to file storage.This has been solved by retrying on possible I/O error when trying to write export data to file storage.
Whether the “To” addresses shall be used as recipient on a reply to a certain message was determined by the folder in which the originating message resides.This has been handled by prefering “To” as recipient on reply when originating message’s “From” address belongs to composing user.
Excessive reading of mail parts on inline view of video files or when outputting images.This has been solved by avoiding excessive reading of MIME part content.
Infinite traversing of calendar folder during data export.This has been solved by avoiding infinite traversing of calendar folders.
This was caused by too old build dependency on buildservice.This has been solved by using latest build dependency on buildservice.
Toolbar rendering was broken.Now all actions are rendered correctly.
Wrong label was used.This has been solved by using the right label.
Missing parameter to keep “prefix” on mobile also.This has been fixed by adding missing parameter to prevent a “cleanup”.
Unnecessary removal of event listener leads to images not being loaded correctly.This has been solved by not removing the event listener to fix image loading.
Mobile selection variable was used to early.Now properly initialize the mobile selection variable to solve this issue.
Safari needs a width to render the initials SVG.This has been fixed by adding CSS for this.
It was possible to set the mail filters in the backend to a different status than in the UI with a quick multiple clicks.This has been fixed by only evaluating the last click.
User needs at least read permission to download a folder. System folders cannot be downloaded (even if they have the zippable_folder capability).Solution: Make sure read permission is properly checked. Prevent download of system folders.
Wrong selection when trying to update associated entry in a distribution list.Now orderly select the distribution list member to update.
Unexpected byte sequence which does not map to standard rfc822 charset.This has been fixed by applying proper charset when reading line of bytes from message rfc822 source.
Non-distinct values are collected to a map raising a runtime exception (coding error).This has been solved by ensuring distinct values are collected to a map.
Duplicate entries in distribution list are allowed.Solution: Deduplicate entries in distribution list: - for independent contacts by email -for internal contacts by email field.
Whenever free/busy data for a single attendee was loaded, for some events information was hidden, even though the information is viewable by the user. Main reason for that was, that we loaded too less data from the DB and thus the decision-making to obfuscate event data in free/busy responses went wrong.This has been solved by loading additional data from the DB for correct decision-making.
Root collection path statically set to “com.openexchange.dav.prefixPath”.This has been solved by applying proper internal/external path translation for DAV root collection.
CVSS:5.4
CVSS:4.3
CVSS:5.4
CVSS:8.2
There is no control whether a password has been stored when the option “using password” is activated.Now “Using password” can only be used if a password has also been stored.
Missing folder data because of insufficient permissions.This has been solved by checking if event is in all public appointments folder. This way we can make some assumptions even without full folder data.
User needs at least read permission to download a folder.Solution: Make sure read permission is properly checked.
Failed upload of inline images was no longer propagated to TinyMCE.This has been fixed by propagating and catching failed upload again.
Missing error handling when creating composition spaces.This has been solved by implementing general error handling for creating new composition spaces.
Mismatch in order of displayed contact fields.This has been fixed by moving fields to match edit form.
No possibility to circumvent Dovecot issue failing to server “PREVIEW” capability.This has been solved by introducing property “com.openexchange.imap.preferredPreviewMode” for IMAP connector to specify preferred preview mode. See SCR-1087.
Wrong detection of standard SSL protocols.This has been solved by orderly detecting (and using) standard SSL protocols.
With introduction of clean-up framework tasks get executed per database schema. Thus the start and end information are unnecessarily printed per database schema.This has been fixed by restoring previous behavior to log those info only once at start and termination of that task for all database schemas.
Wrong folder traversal on data export of contacts.This has been solved by orderly considering subfolders on export.
Log level ERROR used for CATEGORY_CONFLICT exceptions.Now using log level DEBUG for CATEGORY_CONFLICT exceptions.
The dependencies must have changed and Jolokia support was not part of the DCS anymore.This has been solved by adding explicit Jolokia support into the DCS build.gradle / pom.xml.
Improvement: Do not complain when client tries to delete a non-existing attachment.
File storage account will be accidentally removed locally once a single (sub) folder of an external account gets removed.This has been solved by adding check to remove file account only when root folder get’s deleted.
Was caused by a missing gt call.This has been fixed by adding the missing gt call.
String was not recognized as translatable string.This has been fixed by adding gt calls to boot/i18n.
In case client-passed token does not match the one currently associated with requested composition space while trying to perform an update ends in an infinite retry loop.This has been solved by using dedicated error code in case client-passed token does not match the one currently associated with requested composition space.
Missing recurrence identifier in change exception set of stored recurrence master event.Solution: Orderly incorporate intermediate results when handling calendar resource updates, also consider change exception instances when building recurrence set during update.
USM combines original mail and forward text into a new mail which is sent in base64 format. This seems to be invalid and is rejected by the backend. ICS attachments are filtered by USM if the mime-header content-type contains application/ics or text/calendar.This has been solved by sending combined mail in text format. Create correct mail with hierarchical multipart. ICS attachments will be filtered only if corresponding calendar objects exist.
This functionality was disabled during a restructuring.now it has been adjusted accordingly.
Resizing an email attachment could cause individual attachments to be duplicated.The process has been revised so that resizing an image attachment cannot be interpreted as a new attachment.
User were listed twice.This has been solved by avoiding listing of duplicate users.
There was a typo in bot the documentation as well as in the implementation.Fixed the typo in both places.
Uploaded attachments were spooled to local temporary file while unnecessarily holding lock on affected composition space. This holds that lock for too long.Solution: Spool attachment to local temporary file w/o acquiring lock. However, actually adding the attachment to the draft mail is required to be performed mutually exclusive.
Cached data providing the draft mail identifier might be outdated.Cached data providing the draft mail identifier might be outdated.Perform look-up of draft mail by composition space identifier in case there is no draft mail for cached information.Unfortunately, based on the information provided, it was not possible to understand why all of a sudden the associated draft mail of a composition space cannot be found based on the information managed in memory. Therefore, in such a case, an attempt is now made to find the associated mail by a look-up per composition space identifier. If that also fails, the draft mail must have actually been deleted.
Checked local state for possible too many composition spaces which might not be up to date.This has been solved by always checking content of standard drafts folder on mail server to reliably test for too many composition spaces.
Length of VARCHAR columns in generic_use_count table too big to be used for a PRIMARY KEY or UNIQUE KEY.This has been solved by shrinking VARCHAR columns in generic_use_count table to proper size to be used for a PRIMARY KEY or UNIQUE KEY.
Subfolder flag for Shared files folder was always set.This has been solved by adding proper subfolder detection for ‘Shared Files’ folder.
LibreOffice is having a problem with the default property in styles, regardless of the value LO interprets it as default = “true”. There should only be one default paragraph style in a document. LO thinks that there are twice and lets the latter win. So In this case the correct paragraph style “Normal” is overwritten by the paragraph style “ListParagraph”.Solution: We will no longer write the property “default” in styles when its value is “false”, this is also valid. The bugfix only works for newly created documents and documents that are saved again in our editor.
Was caused by glitches in the manual creation of these templates.This has been solved by fixing the Inconsistency.
Feature toggle was checked to late in code.This has been solved by moving feature check to an earlier point.
Missing max-width and default line/word break behavior.This has been fixed by adding Max width and set proper line break behavior. This makes ellipsis work as intended.
Missing organizer caused js error in UI.This has been solved by making UI more robust so it doesn’t break if an appointment has no organizer.
DELETE statement not matching targeted distribution list entry under certain circumstances.This has been fixed by correctly deleting/updating distribution list members by parent contact identifier.
Wrong slicing of sorted message set.Solution: Fixed slicing of sorted message set.
Slow upload leads to timeouts.Solution: Do not let upload time out since not measurable whether there is slow connection bandwidth or poor performing file storage end-point.
Dav does not call the session hit that the MW does. As a result, the check for multifactor is missed.This has been solved by adding additional check for multifactor in DAV servlet. Should simply reject if found. There is no way to authenticate multifactor in DAV. Application passwords should be used.
Content-Length of last chunk wrong in case requested range is greater than actual file length.Solution: Correctly set content-length header if client-requested range is beyond file length.
Broken folder references in stored distribution list members lead to runtime exception in custom address book plugin.Solution: Unmangle folder id in distribution list members prior passing down to contacts access, skip invalid references when post-processing loaded distribution list members.
Chrome removed U2F support.Utilize webauthn U2F mechanisms to support the logins in Chrome.
Misleading error description for hidden subfolder.This has been solved by returning dedicated errors for the scenario, pointing to the folder causing the error (if visible for the user).
Applied regular expression leading to excessive resource consumption. Too heavyweight logic to convert HTML to plain text.This has been fixed by avoiding using regular expression to split HTML content to lines and fixed possible NPE when querying available composition spaces. Improved html-to-text conversion to be faster and use less memory.
It’s not yet implemented to share all folders except folders without access rights.Now showing “Ignore Warnings” Dialog to share only folders with access right and send ‘ignoreWarnings=true’ to the MW.
Was unsupported.Solution: ‘apps’ can now be hidden via jslob setting “io.ox/onboarding//hidden/apps”, syncapp is hidden by default.
There was no need to URL-encode the URL in the previous OX versions because the token was not base64 encoded.When using the io.ox/core/tk/iframe with the option acquireToken, the token is sent without being URL-encoded. Now it will be URL-encoded.
This wasn´t considered yet.This has been solved by extending the regex.
Wrong check if given sender address is possibly associated with an external account.This has been solved by a proper check if given sender address is possibly associated with an external account.
Max. number of composition spaces not orderly considered when opening a new one.This has been solved by Considering max. number of composition spaces when opening a new one.
Parse errors if a MIME message contains a corrupt Content-Type string.This has been fixed by sanitizing Content-Type string in case a corrupt one is present in MIME message or one of its parts.
Missing help text for dynamic options.This has been fixed by adding a help text for dynamic options.
Update of DAV:displayname property permitted through CalDAV for default Birthdays calendar.Treat DAV:displayname property as protected for Birthdays calendar, and indicate forbidden property updates via DAV:cannot-modify-protected-property precondition.
Errors while trying to resume a previously paused data export.Solution: Handle possible connect failure while exporting mails. Avoid pausing running data export tasks. Let started ones complete and avoid unnecessarily stopping data export tasks in case a continuous timeframe is configured, e.g. “com.openexchange.gdpr.dataexport.schedule=Mon-Sun”.
Plain connection established although SSL connection expected.Solution: Orderly signal whether a direct SSL connection should be established or not.
InputStream.available() might not indicate available content.Solution: Probe for next byte instead of relying on InputStream.available().
This is a bit of a design problem. The settings dialog suggests only one date format, but UI is using 2 formats. A long (with leading zeros) and a short format (without leading zeros). Since there is only one format to choose from we are always wrong one way or the other.Solution: If a user explicitly sets a specific format (customized locale data) we overwrite both, the long and short format with the chosen format. If the user uses the language specific default we use long and short format as before.
Wrong action type leads to creating a copy instead of editing the draft.This has been solved by changing the type from ‘copy’ to ‘edit’.
No sufficient checks for quicklauncher app availability.This has been solved by hiding unavailable apps in quicklauncher and config dialog. Apps that have upsell enabled are considered available. Guests do not have upsell so they will not see upsell enabled apps they lack the capabilities for.
Missing organizer caused js error in UI.Solution: Make UI more robust so it doesn’t break if an appointment has no organizer.
Editing an image with the createImageBitmap function within a worker in Chrome Browser version = 77 leads to incorrect results.Solution: For Chrome Browser version = 77, the editing process with createImageBitmap is no longer performed in the worker.
Client-wise specified expiration date got adjusted by user’s time zone.Now passing client-wise specified expiration date as-is (assume GMT+0) and do not adjust by user’s time zone to solve this issue.
Different mail address in FROM header and mail text.This has been solved by respecting the property com.openexchange.notification.fromSource and use the default sender address in mail text, too.
This has been solved by fixing a typo in Czech .po file.
CVSS:8.2
The first fix was only for form login.Now this has also been fixed for token login.
Retry mechanism circumvented through introduction of client tokens for any reason.This has been solved by re-enabling retry mechanism.
Was caused by too strict permission check when processing CANCEL messages.Solution: Require delete permissions for targeted user attendee when applying CANCEL messages.
Was caused by sporadicaly timeouts when obtaining a connection to the storage.Solution: Retry establishing a connection to file storage in case caught exception indicates a timeout while connecting to an HTTP server or waiting for an available connection from connection pool.
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:5.3
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
CVSS:3.1
Unnecessary double capability check, which broke upsell configuration.This has been solved by just checking for one capability for each entry.
Wrong calculation of end time slot (was not based of endtime, but starttime and length).This has been solved by fixing calculation of endtime slot so the slot that contains the end time is included correctly.
Fixes translation.
Rampup extensions trying to fetch data without session requiring multifactor.This has been fixed by exiting the rampup stage early if multifactor is required after login.
UI does not have a way to display cancelled appointments.Mark cancelled appointments by striked through text, grey color and an info message in the detail view.
It was not possible to receive notifications for external mail accounts.This has been solved by implementing check for external inboxes. Note: This is done via periodic requests and not via sockets, since there is no MW support for this. Implemented a feature switch for this so the current behavior does not change for customers that don’t want this.io.ox/mail//notificationsForExternalInboxes default is false.
Was caused by an obsolete ui artefact.This has been fixed by removing whole part on accounts settings pane.
Addressbookpicker parameters were changed to expect an object but UI only sends a boolean.Send full option object so only the global addressbook is shown again.
Moment renamed en-SG to en-sg.This has been solved by updating the locale lookup table to new filename.
This has been solved by adding specific mapping for fr_CA when loading help.
CSS selector for steps was too generic.This has been fixed by using id selectors for wizard steps.
Feature handles SSO case not as good as it could be.Moved all relevant parts into extensions.
This was caused by immediate loading of drafts on mobile.This has been solved by introducing lazyload for mobile devices.
Since the redesign the default was set to author right for folders and viewer rights for files.Solution: Changed it to default to viewer rights in all cases.
Missing max length attribute in text field, missing meaningfull error message.Add max length of 65535 characters. Add better error message.
When redrawing the default configuration was used all the time.This has been fixed by only using default configuration when no download is pending. Show requested modules instead.
UI did not check for error codes and kept requesting long running jobs.This has been fixed by removing jobs from queue for error code JOB-0002 so they are not requested anymore.
Was caused by a missing check for capabilites carddav / caldav.This has been fixed by hiding toggle buttons when carddav or caldav is missing.
This was caused by missing check for ‘permissions’ of folders ‘supported_capabilites’ property.This has been solved by adding missing check.
Class ‘mail-detail-content’ was added to body element while plain text mails still add a wrapping DIV with that class name beneath the body element.This has been fixed by adjusting selector to allow adding ‘Show entire message’ button again.
Was caused by missing differentiation between success and error state.This has been solved by idling dialog only when error was returned.
The launcher drop-down moved to the left edge of the top bar and received its own section name in CSS.This has been solved by adding the new section to the others where topbarHover is applied.
Multiple clicks on close button were possible.This has been solved by disabling buttons in window header when app is closing.
Flex shrink was behaving strangely for small devices.This has been resolved by removing shrink for some components.
Feature checks were not sufficient.Federated sharing text now also checks if filestorage_xox or filestorage_xctx capabilities are present. Onboarding wizard now checks for capability client-onboarding and if the setting for the new wizard is actually enabled (io.ox/core//onboardingWizard).
The error was handled twice although it occurs only once.The double handling of the error is unnecessary. The error is now displayed in the tab only and this can be closed with “close”.
Missing customization for what’s new feature list.This has been solved by adding extension point to customize this list.
Was caused by wrong references.This has been fixed by using right references.
Onboarding-hint-popover is shown automatically and visual anchor is hidden behind “whats new”.This has been solved by using Stage instead of Extension to show popover and ensuring popover does not “collide” with other steps visually.
Missing style for drive download button.This has been solved by adding correct style to drive download button.
Missing differentiation between user and contact.This has been fixed by differentiating between user and contact mapping.
Missing QR code support for eas.This has been solved by adding QR code support and MWB-1179.
Browser have different focus styles.This has been fixed by adding consistent focus style for all browsers.
Was caused by wrong capability check for drive apps.This has been fixed by adding capability check for drive capability to disable drive menu options.
Timeout was introduced with an old Bugfix.Differentiate between compose and settings-pane as caller. Compose still uses default timeout (15s) when calling snippets getAll. Settings pane does not use any timeout when calling snippets getAll.
Wrong parameter within the translation made the warning hard to read.Fixed parameters within Spanish translations.
Wrapping of elements were disabled.This has been fixed by simply wrapping actions in toolbar if not enough space is available.
Appointments were drawn before the ‘injectVirtualCalendarFolder’ was called.Now register change listeners for appointments with incomplete folder data to solve this.
Was caused by wrong calculation of offset.This has been fixed by adjusting offset calculation.
This has been solved by fixing a typo.
Warning was not added to baton and therefore not processed.Warning gets added to baton now.
Wording and button position not clear enough.Moved button “Save and apply rule” to the alternative position. Improved wording.
Missing convert of ‘\n’ to ‘br‘ when HTML is preferred mode for mails.This has been solved by adding missing convert of ‘\n’ to ‘br‘.
The file attachment sizes was not orderly advertised with the first request for forwarded mails. File attachment sizes was always rendered if a size is returned in the response.Solution: Orderly advertise size of attachments with first request for forwarded mails and only render file sizes that are larger than 0 B, otherwise don’t render them at all.
Capabilities were not used correctly, selectors were no longer valid and tour accidentally opened the chat app.This has been solved by adjusting selectors and capabilities and no longer open the chat app.
Wrong dirty check caused request that was not needed.This has been solved by fixing wrong dirty check.
The local time zone was used to render the timestamp in the filter rule.This has been solved by now using UTC for rendering.
Wrong selection of day with certain (work)week settings.This has been fixed by removing basic setting dependent .startOf(‘week’) and replace with startOf(‘isoWeek’) in addition to a small adjustment for choosing the correct day.
Focus was not set to list after action.This has been fixed by setting focus to next list item after action.
Button was drawn but not visible.This has been fixed by triggering ‘complete’ to adjust height again.
Settings were not updated and may contain old account name.This has been solved by updating settings correctly.
Event listerners were still listening on an old collection.This has been fixed by adjusting event listeners after folder rename.
Single and double clicks on the same element were competing and led to inconsistent behavior.This has been fixed by treating double clicks as single clicks on list elements in list layouts.
Timing issue with extension point and DOM events.This has been solved by explicitly updating token field view after all extensions have been executed.
Buttons were not enabled after dialog gets idle.This has been solved by setting dialog to idle also when cropped image can’t be loaded.
ForwardUnquoted was not recognized by plaintext editor.This has been solved by adding forwardUnquoted detection for plaintext editor.
Very old implementation of tokenlogin mech hard wired into autologin code.Refactor tokenlogin to be a dedicated login plugin which is running independend of and before the autologin plugin.
Option button was drawn in any cases (not checking any conditions).Remove option completely if user is not allowed to apply changes and remove option completely if user is not allowed to apply changes.
When loading the Mail Compose dialog in the mobile view it is possible that the mail quota has not been updated yet and therefore the default value is stored. This leads to the assumption that the mail quota has been reached.The method with which the mail quota is evaluated has been adjusted to solve this issue.
Move field telephone_company “up” to match edit form.
In rare cases when adding the start hours for “only working hours” mode can lead to wrong calculations due to different offset values.Mind the offset and add it if necessary to solve this issue.
Input not wide enough.Decrease spaces between inputs to make them wider.
Check doesn’t check for number of apps.
GET/POST generally added a ‘?’ to the requesting URL.This has been solved by removing needless ‘?’ for GET/POST requests when no url params a set.
Configured value for special “all messages” folder (through property “com.openexchange.find.basic.mail.allMessagesFolder”) is not a fully-qualified mail folder identifier. UI had a 300ms delay before disabling the select button in the folder picker. This allowed picking invalid folders.Don’t expect fully-qualified mail folder identifiers when performing a mail search. Remove 300ms delay in UI and implement failsave for invalid folders, so invalid folders should no longer be selectable.
Inconsistencies left over after last refactoring, typo in “Confirm new Password”.This has been solved by cleaning up behavior of labels and placeholders to be consistent with the username field, fixed “Password” -> “password”.
Added missing check for guest folder id (16).
Failed virtual folder “request” caused error and error handler failed as ‘error’ and ‘options’ were undefined.This has been solved by adding fallback for ‘error’ and ‘options’.
Feature were accidentally removed during refactoring.This has been solved by adding feature again.
Rights changed to viewer for guests without notice.Now give a notice to user when rights are changed.
Wrong data from external calendar source taken over as-is.This has been fixed by adjusting bogus all-day dates prior to storing event data from subscriptions.
A broken image link leads to failure of send/transport attempt.Solution: Don’t let failed image URI resolution prevent from sending a mail.
Whitespaces and tel schema in URLs aren’t detected and thus URL checks might be bypassed.Remove whitespaces and handle URLs correctly. Add the tel scheme to com.openexchange.html.sanitizer.allowedUrlSchemes.
Existent data export tasks silently deleted if associated user/context do no more exist.This has been fixed by not deleting such “orphaned” data export tasks when invoking listdataexports command-line tool.
Was caused by possible long-running Matcher.find() invocation.This has been fixed by adding fast plausibility check & introduced a timeout-aware matcher alternative that respects a passed timeout whenever matching the input sequence or finding a certain sub-sequence is requested to avoid possibly long-running matcher invocations.
Context names are checked case-insensitive for equality when attempting to change a context’s name and thus changing to the same context name, but different cases were considered as a no-op.This has been solved by checking case-sensitive for equal context names when attempting to change a context’s name.
No response status distinction for read-only operations in If-None-Match/If-Match checks.This has been solved by using HTTP 304 response during If-Match/If-None-Match checks for GET and HEAD.
Missing special handling for error codes that advertise actual transport succeeded, but append to standard sent folder failed.This has been fixed by adding special handling for error codes that advertise actual transport succeeded, but append to standard sent folder failed.
Wrong value inserted into guestCreatedBy field of guest users under certain circumstances.Ensure to reassign guestCreatedBy field to context admin during user deletion if no destination user specified.
Different generation of fallback attachment filename extension.This has been solved by using the common method to yield fall-back name with a reasonable file extension.
Unexpected trigger of update task for a schema that is currently checked for possible expired composition spaces.Skip clean-up of expired composition spaces for those schemas that are currently updated or need an update to solve this.
Sender’s full name for introduction in drive mail notifications escaped twice.This has been fixed by escaping sender’s full name for introduction in drive mail notifications only once.
Equal exceptions chained multiple times.This has been solved by avoiding chaining equal exceptions multiple times.
Inconsistent translation of ‘notes’.This has been fixed by adjusting translations.
Possible concurrent modification of storage objects is quitted with “HTTP/1.1 423 Locked” status response leading to abortion of request processing.This has been fixed by introducing retry mechanism with exponential back-off in case Sproxyd service quits request with “HTTP/1.1 423 Locked”.
Too many occurrences of low-level HTTP end-point pools for initialized Sproxyd clients.This has been fixed by adding cache for low-level Sproxyd HTTP end-point pools.
Intermediate clean-up task unexpectedly dropped file storage resources.This has been solved by not running clean-up task when there are currently running data export tasks.
One optimization was done: Resume reading an S3 object’s content when HTTP connection gets unexpectedly closed due to premature EOF (actually read bytes do not match advertised content length)
Clean-up task does only work for active users since a session is needed. Those belonging to inactive ones are not considered and might therefore remain.This has been solved by refactoring clean-up task for expired composition spaces to have a global task considering any open composition space.
The copy require was missing from the FILEINTO action command, hence the MailFilterService was generating the wrong require directive for the sieve script. The issue lies within the MailFilterService.getFilterRule when the method reconstructs the Rule object from the sieve script, i.e. the copy require is not added as an optional require.This has been solved by including the copy as an optional require for the FILEINTO action command.
Possible premature end of stream when reading a Scality object’s content.Gracefully deal with possible premature end of stream when reading a Scality object’s content.
RPM post installation script do not have information about the version from or to that is currently upgraded during post installation script execution. Therefore we have not been able in the past to write good post installation scripts that run only once. Today we have that and we can easily fix this issue.Run that part of the post installation script only once for each deployment.
try restarting transaction”.Follow the suggestion from MySQL server and repeat the user-copy execution in case an SQL transaction timeout is encountered.
Used same PayloadIdentifier for different users leading to profiles overwriting each other.Use unique PayloadIdentifier to avoid profiles for different users overwriting each other.
Possible “Missing attachment identifier in mail part” error when parsing draft mail.This has been fixed by avoiding “Missing attachment identifier in mail part” error.
Reset of participant status behaves differently then removing and adding of the same participant.When participant status is reset also remove hidden flag, so event is displayed for the attendee again (internal attendee). Also, send “invitation” notification (internal attendee) or iTIP (external attendee) mail to attendee with reset status.
Domains were applied to the existing rule object instead of the updated one.This has been fixed by applying domain checks to the updated rule.
Extensive logging of error afflicted file-storage accounts when performing a drive search.Adjusted log level of user-specific errors to “debug”.
Accessing a file during storage move signals file-not-found error although file list has been retrieved from storage itself.Pass an appropriate file-not-found handler if file listing was retrieved from storage, but accessing a file fails due to absence. This allows to perform checkconsistency to repair that.
E-Mail addresses without top-level domain part in address’ host-name part are considered as valid.Added new config option “com.openexchange.mail.checkTopLevelDomainOnAddressValidation” to enable top-level domain validation on E-Mail address validity check. By default that option is disabled to not mess-up existent installations.
oxsysreport does not consider Image-Converter configuration files.Let oxsysreport also collect Image-Converter configuration files.
Unclear requirement to run ‘deleteinvisible’ after downgrade, problem in database statement during downgrade.Added hint to ‘deleteinvisible’ in changeuser documentation, corrected SQL statement for folder deletions after downgrade.
Message’s delivery-status was not displayed.Now display message’s delivery-status.
Missing attendee data raised an exception when collecting deletions for userized result.Missing attendee data raised an exception when collecting deletions for userized result.
Password change not forwarded to cross-context database.Align guest reference in cross-context database after setting new password in “reset” dialog to solve this issue.
The alias is still supported but there was an issue with the implementation. For each soap alias a new servlet was created and registered but only the first one was filled with data.Instead of creating new servlets for each alias I registered the same servlet for each alias.
RestrictedAction.Type was missing from the getAttachmentAction.This has been solved by adding missing action type.
Final draft messages are not stored in appropriate account’s standard drafts folder.Final draft messages are now orderly stored in appropriate account’s standard drafts folder. Please note that storing intermediate draft messages associated with an alive/intact composition space are intentionally stored in primary account’s standard folder.See also: https://documentation.open-xchange.com/7.10.5/middleware/mail/mail_compose/01_drafts.html#mail-storage-utilization
com.openexchange.report.appsuite.storage.ContextLoader.getAllContextIdsInSameSchema(int, Connection) returns an empty abstract list if a schema has no results for contexts (see table context_server2db_pool).This has been solved by returning new ArrayList<> instead of Collections.emptyList().
Problems in the network stack of the underlying Hazelcast framework caused increased memory consumption and GC activities, eventually leading to nodes becoming unresponsive.Upgraded Hazelcast library to v5.0 where these kind of problems are mitigated according to Hazelcast.Introduced a new package open-xchange-hazelcast5-community which could be installed instead of open-xchange-hazelcast-community.
Repeatedly loading of resource files for JavaMail providers and address map.Solution: Cache loaded resource files for JavaMail providers and address map (reset cache on reloadconfiguration).
Multi-mime-encoded header value wasn’t properly decoded.Now properly decode a multi-mime-encoded header value.
Behaviour of the ApachePostRequestBuilder changed during lib upgrade.Restore old behaviour.
Broken encoding for standard google account nam ein slovak.This has been solved by using UTF-8 encoding instead if ISO-8859-1 encoding for the display name when creating the callback URL for Google.
Missing option to automatically convert login info to lower-case.This has been fixed by introducing boolean property “com.openexchange.authentication.imap.autoLowerCase” (default is false) to specify that login info is supposed to be automatically converted to lower-case when attempting to authenticate against IMAP server.
Folder of external accounts are not supposed being translated, but external account’s Inbox folder was.Avoid translate name for an external account’s Inbox folder.
In case a calendar user appears multiple times in the attendee lineup, a folder existence check may fail due to selecting the false one.This has been solved by considering further alternatives when checking if event is rendered in folder or not.
Generated SAML id is a simple UUID with possible digits, but SAML ID must not start with a digit.This has been solved by prepending a single character “a” to the ID.
Optimization: Avoid using regular expression to split HTML content to lines and fixed possible NPE when querying available composition spaces.
The exception’s display message was exposing internal Cassandra infrastructure information.Adjusted the exception’s display message to hide that information.
EAS support was missing.This has been solved by adding EAS support.
Userization of delete exception dates not working properly for event series in public folders.Solution: Don’t userize change- and delete exception dates for events in public folders.
Possible failed CREATE commands silently swallowed.Orderly advertise possible failed commands to client while considering possible IMAP response codes (like “[LIMIT]“).
Misleading documentation.Added a note to the documentation that explains that the image is not supported in the core UI.
Used always com.openexchange.x as a payload identifier.Use the reversed domain as the payload identifier.
Found paths in IMAP-IDLE backed push implementation for which notifications are published w/o providing basic message info (like subject).Always provide basic message info when publishing notification to solve this.
“<>” was not detected as empty address header.Better detection for missing or empty address headers.
Wrong package in mail authenticity config documentation.This has been solved by using correct package in mail authenticity config documentation.
Missing safety checks prior folder display name template replacements.Solution: Additional safety checks prior folder display name template replacements, added logging if replacements are unavailable.
Possible null dereference when dropping a standard mail folder.Fixed possible null dereference when dropping a standard mail folder.
All-day appointments were not considered during recurrence id normalization.This has been solved by considering all-day appointments.
A very old bug still causes problems, so a security mechanism in the code doesn’t work as expected.Re-enable a self-healing mechanism of fix for bug 19128 and adjusted the code to avoid bug 55703.
Moby naming shipped with v4.x introduces human-friendly names for the Hazelcast instances to be shown in e.g. the Hazelcast Management Center and cluster statistics. It is enabled by default.Disable moby naming when programmatically compiling the Hazelcast configuration.
Static build URL used HTTP and not HTTPS.This has been fixed by preferring HTTPS URL and only retry with HTTP if the forceSecure flag is set (over HTTP API). Also, log a warning if HTTP is used.
Was caused by a NPE while sorting display names.This has been fixed by adding null guard and by preventing null values.
Was caused by broken update task dependencies.Has been solved by fixing update task dependencies.
Incompatible timezone identifier gets cached along with overridden instances, which causes problems when re-loading the data from the cache.Normalize recurrence identifiers prior processing events from external iCalendar source to solve this.
Content-dependent identifier for onboarding profile names were accidentally cropped.This has been fixed by re-adding content-dependent part to profile display name.
Priority not kept when restoring a compose window from formerly saved draft message.This has been solved by keeping priority when editing draft messages.
Filenames containing dashes confused the fulltext index tokenizer.Solution: OX Drive searches for files with “exact-match”, ignore fulltext index for those requests.
Remaining whitespace in tokenized query after non-word characters have been replaced.This has been solved by trimming pattern after replacing non-word characters in client-supplied token.
Wrong sequence number chosen while trying to apply attributes to shared Drive mail attachments.Fixed applying attributes to shared Drive mail attachments.
Listener could not be registered on a certain since there is already such a listener available in cluster, but registration at Dovecot side might no more be active.This has been solved by ensuring registration is set at Dovecot side when there is already a Dovecot-Push listener available in cluster.
Insufficient PROPFIND handling when querying files: Detection of whether the returned resource is a collection or not was done by checking for a trailing “/” character.Added “resourcetype” prop to the PROFIND query which will return whether the resource is a collection or not.
Iteration of checked event series begins too late.This has been solved by considering duration when initialize recurrence iterator for conflicting series events in checked period.
Too low settings for HTTP connection pools for both - auto-config server and ISPDB end-point.This has been solved by increasing settings for HTTP connection pool of both - auto-config server and ISPDB end-point - while lowering values for read and connect timeout.
Generic error returned when vCards exceed the maximum size during bulk import.This has been solved by explicitly handling too large vCard during bulk import requests.
SMTP host information advertised as “None” in case SMTP authentication is disabled through configuration.Now do not advertise SMTP host information as “None” in case SMTP authentication is disabled through configuration.
Possible java.lang.StringIndexOutOfBoundsException when trying to decode subject string obtained from ENVELOPE fetch item.Fixed possible java.lang.StringIndexOutOfBoundsException when trying to decode subject string obtained from ENVELOPE fetch item.
No fallback access used when collecting pending alarm triggers from disabled accounts.This has been solved by using fallback access when collecting pending alarm triggers from disabled accounts.
Missing section highlighting that a data export is a background task and should be handled as such.Added a section highlighting that a data export is a background task and should be handled as such.
Missing log message for failed authentication attempts against primary mail/transport server.This has been solved by adding logging failed authentication attempts against primary mail/transport server.
Premature cancellation of HTTP request leading to HTTP connection shutdown.Avoid premature cancellation of HTTP request leading to HTTP connection shutdown.
Lock entry not cleansed from database in case temporary database outage/inaccessibility occurs.This has been solved by enhancing acquired lock by a time stamp that gets periodically touched (every minute). Consider lock as expired if not touch for more than 5 minutes.
From address determined by examining user’s primary mail account data.Solution: Orderly pre-select user’s default send address when composing new mails.
Guest user handling was not perfect.This has been solved by improving guest user handling:1. When a guest user inserts a mention into a comment, the follwing text appears in the bottom of the comment: “You added people to this comment. Attention: Due to missing permissions no email will be sent!”2. When the guest user sends the comment, the dialog with the information, that no mail be sent, does not appear anymore.
Inserting PRIMARY keys more than once during IC server job proccessing gives DB server exceptions in some timing dependent cases. Inserting PRIMARY keys more than once during IC server job proccessing gives DB server exceptions in some timing dependent cases.Solution: Preventing mutliple access to PRIMARY DB keys fixes the problem with IC server DB communication. Replacing the emulated file storage update call (setFileLength(0)/appendToFile) with sequences of createNewFile/updateDB entry in every case within the IC server code base fixes the inconsistent SproxyD adapter behavior.
Missing sizing information on related Ox provided IC documentation pages.This has been solved by adding sizing section to IC documentation.
Creating the missing settings entry “portal//recents” deletes the existing settings entry “portal//fulltour/shown” causing the tour to start again.Now, when starting a portal app, the missing property “portal//recents” will explicitly be created in frontend code and sent to server.
Images with quite unusual width/height aspect rations (3.8 h/w / 0.26 w/h in this case) get too much distorted when scaled into a target rectangle so that e.g. text rendering within the target image gets distorted/unreadable after processing. Checking aspect ratios for source and target images for unusual ratios above 21:9 (2.33) when scale type CONTAIN is requested and w/h aspect ratios of source and target image differ significantly (e.g. source w/h > 1.0, target w/h < 1.0 and vice versa).Prevent scale processing of images completely in those cases so that as much source image information as possible gets transferred to the requester/browser as possible. This significantly improves readability of e.g. text like content in such images delivered to the frontend .
After configuring test system appropriately, exception logging (with appropriate description now) could be reproduced when viewing mail attachment documents. Instead of using a different algorithm to determine document URL, the standard file based approach was used that finally led to the exception logging without causing further harm.Solution: 1.) Removing newline within log output to log root cause of exception. 2.) Using different approach for mail attachments to determine document URL to be used in RE rendering stage for e.g. file fields. Schema used in mail attachment case is now: file:///Mail/filename
Exiting loop for tool bar expansion too early. After unhiding and unshrinking, but before maximizing the groups.This has been solved by not leaving toolbar expansion process always after unshrinking. Only, if this is required.
The filter cannot evaluate type ‘auto’ for text colors in shapes (Presentation and Spreadsheet, ooxml).Instead of sending ‘auto’ when the user selects ‘Auto’ as a text color, the best text color is evaluated corresponding to the shape background. This calculated color is sent to the filter.
When an image is inserted via the buttons in template drawings, the mousedown happens on the content root node, but the mouseup does not. But these events are registered for an optional scrolling. Therefore the scroll position was not correctly adapted, when the user changes the slide using the slide pane and does not click at least once into the document after inserting the image.Now checking the target nodes for mousedown and mouseup events that are required for scrolling.
Document was not flushed before the copy was created in Drive. Flushing causes to save all pending changes which, in Spreadsheet, includes to commit the cell edit mode.Flush document before starting to copy the file in Drive for user actions “Save As” and “Save As Template” tto solve this issue.
Templates contained more than 5 different languages on XML level.Fixed on XML level, replaced all (western) lang attrs to be only en-US for EN templates, de-DE for DE templates.
The files are not visible because it’s not possible to open the attachements in documents. Hide the attachments folder to not confuse the user
Global templates are not helpful with com.openexchange.capability.alone = true.With com.openexchange.capability.alone = true, global templates in office settings are not displayed anymore for users and also not for admin user.
Print as PDF did only work for Office files and PDF files. Enabled that images can be printed via “Print as PDF” too. Plain .txt files are enabled now, too for “Print as PDF”, which was also not possible before.
The whole list is loaded for a Viewer deeplink. For such big folders, the data can get very big (for 60k files it can be about 30mb). Even the transfer via a typical DSL connection can take a big amount of time. The next reason is that the viewer creates boilerplates for each item that is passed to the Viewer carousel. This adds a additional slowdown.When using a Drive Viewer deeplink (url pasted in the tab), now the Drive list for this folder is used. Instead of loading the whole file list for that folder with a new request. One further advantage is that the order in the Drive list and the Viewer carousel is the same (below the pagination limit). When the to be viewed file is outside of the pagination limit of the Drive list, this single file is added to the viewer carousel in addition.
PDFTool does not return at all with some rare, yet unknown PDF documents.Now we introduced a maximum runtime for each call to the PDFTool (similar to watchdog for RE processes), returning an error after the configured jobExecution timeout time and responding to the appropriate request in time.