Package: roundcube
Version: 1.6.5+dfsg-1+deb12u4
Severity: normal

Dear Maintainer,

this bug report describes several related bugs, related to a) whitespace (space, tab) in imported vCard files, and b) vCard object separators (`BEGIN:VCARD`, `END:VCARD`).

------------------------------------------------------------------------

Bug 1: Leading whitespace in line continuation silently dropped

Example (note that vCard mandates CRLF as newline sequence):

---
BEGIN:VCARD
VERSION:3.0
N:Doe;Jane;;;
FN:Jane Doe
NOTE:an
  example
END:VCARD
---

The NOTE value is parsed as `anexample` instead of `an example` (only the first whitespace character should be dropped - see RFC 2426).

In particular, this means that a Roundcube export followed by a Roundcube import may silently fail to recreate the original data.

------------------------------------------------------------------------

Note 2: Leading and trailing whitespace in a logical line is silently dropped

Any number of space/tab characters at the start or end of a logical line (or a component value, such as in `N`) is dropped.

This is not a bug, IMHO, given that Roundcube also strips surrounding whitespace when entering data via its web UI. I think it might be related, however.

------------------------------------------------------------------------

Note 3: Repeated `BEGIN:VCARD`: All ignored until last

If there are multiple `BEGIN:VCARD` lines before any `END:VCARD` line, all lines (not only `BEGIN:VCARD` lines) until the last of those `BEGIN:VCARD` lines are ignored.

I would say this is also not a bug, because such input is invalid. A warning or error message would certainly be nice, though.

------------------------------------------------------------------------

Note 4: Repeated `END:VCARD` cause duplication

If a vCard object is terminated by more than one `END:VCARD` line, the entry is imported as often as there are `END:VCARD` lines.

If on import, one does *not* choose to "[r]eplace the entire address book", only one instance is imported, but with the note "Skipped (n-1) existing entries: [...]".

Any physical lines after the first `END:VCARD` that are neither `BEGIN:VCARD` nor `END:VCARD` are apparently ignored.

Again, not necessarily a bug, because any such input is of invalid syntax (but a warning or error message would be nice).

------------------------------------------------------------------------

Bug 5: vCard object separators wrongly recognized in line continuations

If a physical line is of the form `[ \t]+(BEGIN|END):VCARD`, it is used as line continuation, but also recognized as vCard object start/end marker.

Example:

---
NOTE:example
 END:VCARD
---

This is treated the same as:

---
NOTE:exampleEND:VCARD
END:VCARD
---

Note: For `BEGIN:VCARD`, the use as line continuation can only be assumed, given that preceding lines are ignored (see Note 3).

While this bug may seem unlikely in practice, I actually witnessed it with real data, likely due to past import/export errors.

------------------------------------------------------------------------

Bug 6: vCard object separators not parsed as logical lines

(6.1) Any logical line `BEGIN:VCARD` or `END:VCARD` that is broken into multiple physical lines using `\r\n[ \t]\r\n` is not recognized as such.

(6.2) On the other hand, if a physical line `BEGIN:VCARD` or `END:VCARD` is followed by a line continuation (i.e., a line starting with `[ \t]`), this is (incorrectly) recognized as the corresponding vCard object separator, and the line continuation is silently ignored.

Example for (6.1):

---
BEGIN:VCARD
VERSION:3.0
N:Doe;Jane;;;
FN:Jane Doe
EMAIL:jane....@example.net
END:
 VCARD
---

The above example fails to import (and is instead attempted to be parsed as CSV--without success).

I acknowledge that this bug hardly occurs in practice. I found it while investigating the other bugs.

- Einhard Leichtfuß

-- System Information:
Debian Release: 12.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-23-cloud-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages roundcube-core depends on:
ii  dbconfig-common                  2.0.24
ii  debconf [debconf-2.0]            1.5.82
ii  dpkg                             1.21.22
ii  libjs-bootstrap4                 4.6.1+dfsg1-4
ii  libjs-codemirror                 5.65.0+~cs5.83.9-2
ii  libjs-jquery                     3.6.1+dfsg+~3.5.14-1
ii  libjs-jquery-minicolors          2.3.5+dfsg-4
ii  libjs-jquery-ui                  1.13.2+dfsg-1
ii  libjs-jstimezonedetect           1.0.7+~1.0.3-1
ii  libmagic1                        1:5.44-3
ii  php                              2:8.2+93
ii  php-auth-sasl                    1.1.0-1
pn  php-cli                          <none>
ii  php-common                       2:93
ii  php-guzzlehttp-guzzle            7.4.5-1
ii  php-intl                         2:8.2+93
ii  php-mail-mime                    1.10.11-1
ii  php-masterminds-html5            2.7.6+dfsg-1
ii  php-mbstring                     2:8.2+93
ii  php-net-sieve                    1.4.6-1
ii  php-net-smtp                     1.10.1-1
ii  php-pear                         1:1.10.13+submodules+notgz+2022032202-2
ii  php8.2 [php]                     8.2.20-1~deb12u1
ii  php8.2-cli [php-json]            8.2.20-1~deb12u1
ii  php8.2-fpm [php-json]            8.2.20-1~deb12u1
ii  php8.2-intl [php-intl]           8.2.20-1~deb12u1
ii  php8.2-mbstring [php-mbstring]   8.2.20-1~deb12u1
ii  roundcube-pgsql                  1.6.5+dfsg-1+deb12u4
ii  ucf                              3.0043+nmu1

Versions of packages roundcube-core recommends:
ii  nginx [httpd-cgi]                1.22.1-9
ii  php-enchant                      2:8.2+93
ii  php-fpm                          2:8.2+93
pn  php-gd                           <none>
ii  php8.2-enchant [php-enchant]     8.2.20-1~deb12u1
ii  php8.2-fpm [php-fpm]             8.2.20-1~deb12u1
pn  roundcube-skin-classic           <none>
ii  roundcube-skin-larry             1.6.0+ds-2

Versions of packages roundcube-core suggests:
pn  php-bacon-qr-code                <none>
pn  php-bjeavons-zxcvbn-php          <none>
pn  php-crypt-gpg                    <none>
pn  php-net-ldap3                    <none>
pn  php-roundcube-rtf-html-php       <none>
pn  roundcube-plugins                <none>

Versions of packages roundcube depends on:
ii  dpkg                             1.21.22

-- Configuration Files:
/etc/cron.d/roundcube-core changed:
MAILTO=root
0 5 * * * www-data test -d /run/systemd/system || /usr/share/roundcube/bin/cleandb.sh >/dev/null
5,35 * * * * www-data test -d /run/systemd/system || /usr/share/roundcube/bin/gc.sh

-- debconf information:
  roundcube/upgrade-backup: true
  roundcube/pgsql/method: TCP/IP
  roundcube/db/dbname: roundcube
  roundcube/db/app-user: roundcube@localhost
  roundcube/remote/port:
  roundcube/pgsql/no-empty-passwords:
  roundcube/hosts: localhost:143
  roundcube/dbconfig-reinstall: false
  roundcube/language: en_US
  roundcube/passwords-do-not-match:
  roundcube/dbconfig-remove: true
  roundcube/remote/newhost: localhost
  roundcube/pgsql/authmethod-admin: ident
  roundcube/pgsql/changeconf: false
  roundcube/pgsql/authmethod-user: password
  roundcube/internal/skip-preseed: false
  roundcube/pgsql/manualconf:
  roundcube/remote/host: localhost
  roundcube/purge: false
* roundcube/dbconfig-install: false
  roundcube/dbconfig-upgrade: true
  roundcube/pgsql/admin-user: postgres
  roundcube/reconfigure-webserver: apache2, lighttpd
  roundcube/internal/reconfiguring: false
  roundcube/remove-error: abort
  roundcube/database-type: pgsql
  roundcube/install-error: abort
  roundcube/missing-db-package-error: abort
  roundcube/restart-webserver: true
  roundcube/upgrade-error: abort
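
The behaviour the report asks for in Bugs 1, 5 and 6 and Note 4, as an added reference sketch (not part of the original report and not Roundcube's code): unfold physical lines into logical lines first, removing exactly one whitespace character per continuation, and only then match `BEGIN:VCARD` / `END:VCARD`. The names `unfold`, `split_cards` and `crlf`, the tolerance for bare LF, and the sample inputs are assumptions constructed for this example.

```python
import re

def unfold(text):
    """Physical -> logical lines: drop each line break plus exactly ONE following SP/HTAB."""
    joined = re.sub(r"\r?\n[ \t]", "", text)  # bare LF tolerated (assumption; vCard mandates CRLF)
    return [line for line in re.split(r"\r?\n", joined) if line]

def split_cards(text):
    """Return (cards, warnings); object markers are matched on logical lines only."""
    cards, warnings, current = [], [], None
    for n, line in enumerate(unfold(text), 1):
        marker = line.strip().upper()
        if marker == "BEGIN:VCARD":
            if current is not None:
                warnings.append(f"logical line {n}: BEGIN:VCARD inside an open object")
            current = []
        elif marker == "END:VCARD":
            if current is None:
                warnings.append(f"logical line {n}: END:VCARD without matching BEGIN:VCARD")
            else:
                cards.append(current)
                current = None
        elif current is None:
            warnings.append(f"logical line {n}: content outside a vCard object")
        else:
            current.append(line)
    if current is not None:
        warnings.append("end of input: unterminated vCard object")
    return cards, warnings

def crlf(*lines):
    # Join physical lines with the CRLF sequence that vCard mandates.
    return "".join(line + "\r\n" for line in lines)

# Constructed inputs modelled on the examples in the report.
BUG1 = crlf("BEGIN:VCARD", "VERSION:3.0", "N:Doe;Jane;;;", "FN:Jane Doe", "NOTE:an", "  example", "END:VCARD")
BUG5 = crlf("BEGIN:VCARD", "VERSION:3.0", "FN:Jane Doe", "NOTE:example", " END:VCARD", "END:VCARD")
BUG6 = crlf("BEGIN:VCARD", "VERSION:3.0", "FN:Jane Doe", "END:", " VCARD")
NOTE4 = crlf("BEGIN:VCARD", "VERSION:3.0", "FN:Jane Doe", "END:VCARD", "END:VCARD")

if __name__ == "__main__":
    for name, data in [("BUG1", BUG1), ("BUG5", BUG5), ("BUG6", BUG6), ("NOTE4", NOTE4)]:
        print(name, split_cards(data))
```

Running a check like this on an exported file before re-import shows whether an export/import round trip preserves the data, and the warnings flag the invalid inputs from Notes 3 and 4 instead of silently dropping or duplicating entries.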