Merge pull request #52 from YetiForceCompany/developer

Developer

.htaccess

@@ -1,23 +1,4 @@
-# WARNING: For PHP 7 the module name in the line below need to be modified!
-<IfModule mod_php5.c>
-php_flag    display_errors  Off
-php_flag    log_errors      On
-# php_value    error_log    logs/errors
-
-php_value   upload_max_filesize   5M
-php_value   post_max_size         6M
-php_value   memory_limit          64M
-
-php_flag    zlib.output_compression     Off
-php_flag    suhosin.session.encrypt     Off
-
-#php_value   session.cookie_path     /
-#php_value   session.hash_function   sha256
-php_flag    session.auto_start       Off
-php_value   session.gc_maxlifetime   21600
-php_value   session.gc_divisor       500
-php_value   session.gc_probability   1
-</IfModule>
+# This is a sample with suggested security and performance options
 
 <IfModule mod_rewrite.c>
 Options +SymLinksIfOwnerMatch
@@ -29,11 +10,9 @@ RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
 #   in all locations except installer directory
 RewriteRule ^(?!installer|\.well-known\/|[a-zA-Z0-9]{16})(\.?[^\.]+)$ - [F]
 # - deny access to some locations
-RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
-# - deny access to composer binaries
-RewriteRule ^/vendor\/bin\/.* - [F]
+RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|vendor|program\/(include|lib|localization|steps)) - [F]
 # - deny access to some documentation files
-RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml|jsdeps.json|Dockerfile)$ - [F]
+RewriteRule /?(README.*|meta\.json|composer\..*|jsdeps.json)$ - [F]
 </IfModule>
 
 <IfModule mod_deflate.c>
@@ -49,7 +28,7 @@ FileETag MTime Size
 
 <IfModule mod_autoindex.c>
 Options -Indexes
-</ifModule>
+</IfModule>
 
 <IfModule mod_headers.c>
 # Disable page indexing
@@ -58,9 +37,9 @@ Header set X-Robots-Tag "noindex, nofollow"
 # replace 'append' with 'merge' for Apache version 2.2.9 and later
 #Header append Cache-Control public env=!NO_CACHE
 
-# Optional security header
-# Only increased security if the browser support those features
-# Be careful! Testing is required! They should be adusted to your intallation / user environment
+# Optional security headers
+# Only provides increased security if the browser supports those features
+# Be careful! Testing is required! They should be adjusted to your installation / user environment
 
 # HSTS - HTTP Strict Transport Security
 #Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
@@ -85,5 +64,6 @@ Header set X-Robots-Tag "noindex, nofollow"
 # CSP - Content Security Policy
 # for better privacy/security ask browsers to not set the Referer
 # more flags for script, stylesheets and images available, read RFC for more information
+# Note: "Referrer-Policy: same-origin" is already set by php code.
 #Header set Content-Security-Policy "referrer no-referrer"
 </IfModule>

INSTALL

@@ -12,27 +12,30 @@ REQUIREMENTS
 * An IMAP, HTTP and SMTP server
 * .htaccess support allowing overrides for DirectoryIndex
 * PHP Version 5.4 or greater including:
-   - PCRE, DOM, JSON, Session, Sockets, OpenSSL, Mbstring (required)
+   - PCRE, DOM, JSON, Session, Sockets, OpenSSL, Mbstring, Filter, Ctype (required)
    - PHP PDO with driver for either MySQL, PostgreSQL, SQL Server, Oracle or SQLite (required)
    - Iconv, Zip, Fileinfo, Intl, Exif (recommended)
    - LDAP for LDAP addressbook support (optional)
    - GD, Imagick (optional thumbnails generation, QR-code)
 * PEAR and PEAR packages distributed with Roundcube or external:
    - Mail_Mime 1.10.0 or newer
-   - Net_SMTP 1.7.1 or newer
+   - Net_SMTP 1.8.1 or newer
    - Net_Socket 1.0.12 or newer
    - Net_IDNA2 0.1.1 or newer
    - Auth_SASL 1.0.6 or newer
-   - Net_Sieve 1.3.2 or newer (for managesieve plugin)
+   - Net_Sieve 1.4.3 or newer (for managesieve plugin)
    - Crypt_GPG 1.6.3 or newer (for enigma plugin)
    - Endroid/QrCode 1.6.0 or newer (https://github.com/endroid/QrCode)
-* php.ini options (see .htaccess file):
+   - Kolab/Net_LDAP3 1.0.6 or newer (for LDAP addressbook)
+   - Masterminds/HTML5 2.5.x (optional HTML parser)
+* php.ini options:
    - error_reporting E_ALL & ~E_NOTICE & ~E_STRICT
-   - memory_limit > 16MB (increase as suitable to support large attachments)
-   - file_uploads enabled (for attachment upload features)
+   - memory_limit > 16MB
+   - file_uploads enabled (for uploading attachments and import files)
    - session.auto_start disabled
    - suhosin.session.encrypt disabled
    - mbstring.func_overload disabled
+   - pcre.backtrack_limit >= 100000
 * A MySQL, PostgreSQL, MS SQL Server (2005 or newer), Oracle database
   or SQLite support in PHP - with permission to create tables
 * Composer installed either locally or globally (https://getcomposer.org)
@@ -41,7 +44,9 @@ REQUIREMENTS
 INSTALLATION
 ============
 
-1. Decompress and put this folder somewhere inside your document root
+1. Decompress and put this folder somewhere inside your document root.
+  Note: Make sure files have proper owner/group for your setup. If you use
+  tar command `--no-same-owner` option might be helpful.
 2. In case you don't use the so-called "complete" release package,
   you have to install PHP and javascript dependencies.
   2.1. Install PHP dependencies using composer:
@@ -60,7 +65,16 @@ INSTALLATION
 5. Point your browser to http://url-to-roundcube/installer/
 6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
 7. After creating and testing the configuration, remove the installer directory
-8. Check Known Issues section of this file
+   ------------------------------------------
+   IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
+   ------------------------------------------
+8. If you use git sources compile css files for the Elastic skin (required
+   lessc >= 1.5.0):
+   $ cd skins/elastic
+   $ lessc -x styles/styles.less > styles/styles.css
+   $ lessc -x styles/print.less > styles/print.css
+   $ lessc -x styles/embed.less > styles/embed.css
+9. Check Known Issues section of this file
 
 
 CONFIGURATION HINTS
@@ -69,15 +83,17 @@ CONFIGURATION HINTS
 IMPORTANT! Read all comments in defaults.inc.php, understand them
 and configure your installation to be not surprised by default behaviour.
 
-Roundcube writes internal errors to the 'errors' log file located in the logs
+Roundcube writes internal errors to the 'errors.log' log file located in the logs
 directory which can be configured in config/config.inc.php. If you want ordinary
-PHP errors to be logged there as well, enable the 'php_value error_log' line
-in the .htaccess file and set the path to the log file accordingly.
+PHP errors to be logged there as well, set error_log in php.ini or .htaccess file.
 
-By default the session_path settings of PHP are not modified by Roundcube.
+Roundcube forces display_errors=Off and log_errors=On.
+
+By default the session cookie settings of PHP are not modified by Roundcube.
 However if you want to limit the session cookies to the directory where
-Roundcube resides you can uncomment and configure the according line
-in the .htaccess file.
+Roundcube resides you can set session.cookie_path in the php.ini or .htaccess file.
+
+More about PHP settings: https://github.com/roundcube/roundcubemail/wiki/Installation#php-configuration
 
 
 DATABASE SETUP
@@ -93,9 +109,9 @@ importing the table layout and granting the proper permissions to the
 roundcube user. Here is an example of that procedure:
 
 # mysql
-> CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
-> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost
-    IDENTIFIED BY 'password';
+> CREATE DATABASE roundcubemail CHARACTER SET utf8 COLLATE utf8_general_ci;
+> CREATE USER roundcube@localhost IDENTIFIED BY 'password';
+> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost;
 > quit
 
 # mysql roundcubemail < SQL/mysql.initial.sql
@@ -151,11 +167,9 @@ Read the comments above the individual configuration options to find out what
 they do or read https://github.com/roundcube/roundcubemail/wiki/Installation
 for even more guidance.
 
-You can also modify the default .htaccess file. This is necessary to
-increase the allowed size of file attachments, for example:
-
-  php_value   upload_max_filesize     5M
-  php_value   post_max_size           6M
+The maximum size of email attachments and other file uploads is controlled by
+PHP settings: upload_max_filesize and post_max_size. Read more about PHP
+settings at https://github.com/roundcube/roundcubemail/wiki/Installation#php-configuration.
 
 
 SECURE YOUR INSTALLATION
@@ -277,3 +291,25 @@ KNOWN ISSUES
 
 Installations with uw-imap server should set imap_disabled_caps = array('ESEARCH')
 in main configuration file. ESEARCH implementation in this server is broken (#1489184).
+
+PHP >= 5.6 validates the ssl certificates by default. It means that
+if IMAP/SMTP certificates are self-signed or use wrong host name you'll get
+connection errors. A solution in such cases is to set imap_conn_options,
+smtp_conn_options and managesieve_conn_options in a way described in config/defaults.inc.php.
+
+If you have problems with temp files or non-working logs make sure temp and logs folders
+are writeable to the user used by http server. Access to them may also be blocked by
+SELINUX. Here's some sample commands for SELINUX:
+
+    $ semanage fcontext -a -t httpd_sys_rw_content_t "/path_to_roundcube/logs(/.*)?"
+    $ semanage fcontext -a -t httpd_sys_rw_content_t "/path_to_roundcube/temp(/.*)?"
+    $ restorecon -Rv /path_to_roundcube/
+
+Microsoft IIS Server by default does not support WOFF fonts used in Elastic skin. It might be
+needed to add following MIME Types definitions (via web.config or IIS Manager):
+
+    .woff   application/font-woff
+    .woff2  application/font-woff2
+
+When installing on Windows be aware we're using symbolic links which may need an additional
+attention. See https://github.com/roundcube/roundcubemail/issues/7151.

README.md

@@ -1,8 +1,8 @@
 Roundcube Webmail 
 =================
-[roundcube.net](http://roundcube.net)
+[roundcube.net](https://roundcube.net)
 
-[![Build Status](https://api.travis-ci.org/roundcube/roundcubemail.svg?branch=release-1.3)](https://travis-ci.org/roundcube/roundcubemail)
+[![Build Status](https://api.travis-ci.org/roundcube/roundcubemail.svg?branch=master)](https://travis-ci.org/roundcube/roundcubemail)
 
 
 INTRODUCTION
@@ -12,17 +12,11 @@ application-like user interface. It provides full functionality you expect
 from an email client, including MIME support, address book, folder management,
 message searching and spell checking. Roundcube Webmail is written in PHP and
 requires the MySQL, PostgreSQL or SQLite database. With its plugin API it is
-easily extendable and the user interface is fully customizable using skins
-which are pure XHTML and CSS 2.
+easily extendable and the user interface is fully customizable using skins.
 
-The code is mainly written in PHP and is designed to run on a webserver.
-It includes other open-source classes/libraries from [PEAR][pear],
-an IMAP library derived from [IlohaMail][iloha] the [TinyMCE][tinymce] rich
-text editor, [Googiespell][googiespell] library for spell checking or
-the [WASHTML][washtml] sanitizer by Frederic Motte.
-
-The current default skin 'Larry' was kindly created by FLINT / Büro für
-Gestaltung, Berne, Switzerland.
+The code designed to run on a webserver is mainly written in PHP and Javascript.
+It includes a custom framework with an IMAP library derived from [IlohaMail][iloha]
+and requires a set of external libraries (see composer.json and jsdeps.json files).
 
 
 INSTALLATION
@@ -34,6 +28,19 @@ If you're updating an older version of Roundcube please follow the steps
 described in the UPGRADING file.
 
 
+BROWSER SUPPORT
+---------------
+Roundcube uses jQuery 3.x for its client and therefore inherits the browser
+support from there. This currently includes:
+
+- Chrome: (Current - 1) and Current
+- Edge: (Current - 1) and Current
+- Firefox: (Current - 1) and Current, ESR
+- Internet Explorer: 9+ (11+ for the Elastic skin)
+- Safari: (Current - 1) and Current
+- Opera: Current
+
+
 LICENSE
 -------
 This program is free software: you can redistribute it and/or modify
@@ -82,14 +89,9 @@ You're always welcome to send a message to the project admin:
 hello(at)roundcube(dot)net
 
 
-[pear]:         http://pear.php.net
-[iloha]:        http://sourceforge.net/projects/ilohamail/
-[tinymce]:      http://www.tinymce.com/
-[googiespell]:  http://orangoo.com/labs/GoogieSpell/
-[washtml]:      http://www.ubixis.com/washtml/
-[kmgerich]:     http://kmgerich.com/
-[gpl]:          http://www.gnu.org/licenses/
-[license]:      http://roundcube.net/license
-[contrib]:      http://roundcube.net/contribute
-[support]:      http://roundcube.net/support
-[githubissues]: https://github.com/roundcube/roundcubemail/issues
+[iloha]:        https://sourceforge.net/projects/ilohamail/
+[gpl]:          https://www.gnu.org/licenses/
+[license]:      https://roundcube.net/license
+[contrib]:      https://roundcube.net/contribute
+[support]:      https://roundcube.net/support
+[githubissues]: https://github.com/roundcube/roundcubemail/issues

UPGRADING

@@ -14,18 +14,20 @@ and cd into that directory. From there, run the following command in a shell:
 
   ./bin/installto.sh <TARGET-FOLDER>
 
-For <TARGET-FOLDER> you specify the path to the Roundcube installation 
-which should be updated. The update script will then copy all new files to the 
+For <TARGET-FOLDER> you specify the path to the Roundcube installation
+which should be updated. The update script will then copy all new files to the
 target location and check and update the configuration and database schema.
-After all is done, the temporary folder with the new Roundcube files can be 
+After all is done, the temporary folder with the new Roundcube files can be
 removed again.
 
+WARNING: Make sure files have proper owner/group for your setup. If you use
+         tar to extract the package, `--no-same-owner` option might be helpful.
 WARNING: See Post-Upgrade Activities section below.
 
 
 Updating manually
 -----------------
-If you don't have shell access to the Roundcube installation or if not running 
+If you don't have shell access to the Roundcube installation or if not running
 it on a unix system, you need to do the following operations by hand:
 
 1. Replace index.php and all files in
@@ -53,6 +55,12 @@ it on a unix system, you need to do the following operations by hand:
    - run `php composer.phar install --no-dev`.
 4c. If you use git sources or the release package without dependencies
    update javascript dependencies by executing `bin/install-jsdeps.sh` script.
+4d. If you use git sources compile css files for the Elastic skin (required
+   lessc >= 1.5.0):
+   $ cd skins/elastic
+   $ lessc -x styles/styles.less > styles/styles.css
+   $ lessc -x styles/print.less > styles/print.css
+   $ lessc -x styles/embed.less > styles/embed.css
 5. Run `./bin/update.sh` from the commandline OR
    open http://url-to-roundcube/installer/ in a browser and choose "3 Test config".
    To enable the latter one, you have to temporary set 'enable_installer'
@@ -66,12 +74,14 @@ it on a unix system, you need to do the following operations by hand:
 
 Post-Upgrade Activities
 -----------------------
-1. Check .htaccess settings (some php settings could become required)
+1. Check system requirements in INSTALL file.
 2. If you're using build-in addressbook, run indexing script /bin/indexcontacts.sh.
 3. When upgrading from version older than 0.6-beta you should make sure
    your folder settings contain namespace prefix. For example Courier users
    should add INBOX. prefix to folder names in main configuration file.
-4. Check system requirements in INSTALL file.
+4. When upgrading from version older than 1.4.0 make sure old files
+   in configured temp_dir are removed. Since this version we use constant filename
+   prefix and do not remove files not starting with "RCMTEMP".
 
 SQLite database upgrade
 -----------------------