From 801f3758d20111bc7ec1c03272dd70de8411cf60 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Mon, 16 Sep 2024 14:53:19 +0200
Subject: [PATCH 01/15] Send a configurable CSP in every HTML response

The CSP gets adapted to remote objects being allowed or not.
It can be configured or disabled via the config option
`content_security_policy` (and
`content_security_policy_add_allow_remote`).
---
 config/defaults.inc.php                | 11 +++++++++++
 program/include/rcmail_output_html.php | 18 ++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index 35901ab698e..bb61f16cc8b 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -1563,3 +1563,14 @@
 // 0 - Reply-All always
 // 1 - Reply-List if mailing list is detected
 $config['reply_all_mode'] = 0;
+
+// The Content-Security-Policy to use if no remote objects are allowed to
+// be loaded. If you use plugins you might need to extend this.
+// Only change this if you know what you're doing! You can break the whole
+// application with changes to this setting!
+// To disable completely set the value to `false`;
+$config['content_security_policy'] = "default-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
+
+// Additions to the Content-Security-Policy to use if remote objects *are*
+// allowed to be loaded.
+$config['content_security_policy_add_allow_remote'] = 'img-src *; media-src *; font-src: *; frame-src: *;';
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 75e9fbf0e17..07a8cb5e38b 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -728,6 +728,8 @@ public function page_headers()
                 $this->header('X-Frame-Options: sameorigin', true);
             }
         }
+
+        $this->add_csp_header();
     }
 
     /**
@@ -2717,4 +2719,20 @@ protected function get_template_logo($type = null, $match = null)
 
         return $template_logo;
     }
+
+    /**
+     * Add the Content-Security-Policy to the HTTP response headers (unless it
+     * is disabled).
+     */
+    protected function add_csp_header(): void
+    {
+        $csp = $this->app->config->get('content_security_policy');
+        if (!in_array($csp, ['', false, 'false'])) {
+            $csp_header = "Content-Security-Policy: {$csp}";
+            if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
+                $csp_header .= $this->app->config->get('content_security_policy_add_allow_remote');
+            }
+            $this->header($csp_header);
+        }
+    }
 }

From 0d1b036f7aabdc64a9cbc73ac3bb1052bcd0108c Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Mon, 28 Oct 2024 16:19:37 +0100
Subject: [PATCH 02/15] Ensure proper semicolons between CSP-parts.

---
 program/include/rcmail_output_html.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 07a8cb5e38b..7d7522e03a2 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2726,13 +2726,26 @@ protected function get_template_logo($type = null, $match = null)
      */
     protected function add_csp_header(): void
     {
-        $csp = $this->app->config->get('content_security_policy');
+        $csp = $this->get_csp_value('content_security_policy');
         if (!in_array($csp, ['', false, 'false'])) {
             $csp_header = "Content-Security-Policy: {$csp}";
             if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
-                $csp_header .= $this->app->config->get('content_security_policy_add_allow_remote');
+                $csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');
+                $csp_header .= "; {$csp_allow_remote}";
             }
             $this->header($csp_header);
         }
     }
+
+    /**
+     * Get a CSP-related value from the config, stripped by surrounding
+     * whitespace and semicolons (and NUL byte, because it's included in the
+     * default second argument to trim(), too).
+     *
+     * @param $name string The key of the wanted config value
+     */
+    protected function get_csp_value($name): string
+    {
+        return trim($this->app->config->get($name), "; \n\r\t\v\x00");
+    }
 }

From 3882b73408551b0aa95f9f287203b7a9c99be16a Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Mon, 28 Oct 2024 17:47:21 +0100
Subject: [PATCH 03/15] Also use default value in case of `null`

---
 program/include/rcmail_output_html.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 7d7522e03a2..6dc08225931 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2727,7 +2727,7 @@ protected function get_template_logo($type = null, $match = null)
     protected function add_csp_header(): void
     {
         $csp = $this->get_csp_value('content_security_policy');
-        if (!in_array($csp, ['', false, 'false'])) {
+        if (!in_array($csp, ['', false, 'false', null])) {
             $csp_header = "Content-Security-Policy: {$csp}";
             if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
                 $csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');

From 6f00ac27eea7233db9c878f6233c2b8bf70fd8c4 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Tue, 29 Oct 2024 17:38:37 +0100
Subject: [PATCH 04/15] Add unit-tests for adding CSP header

---
 tests/Rcmail/OutputHtmlTest.php | 68 +++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/tests/Rcmail/OutputHtmlTest.php b/tests/Rcmail/OutputHtmlTest.php
index 45c359b288b..159f045b89f 100644
--- a/tests/Rcmail/OutputHtmlTest.php
+++ b/tests/Rcmail/OutputHtmlTest.php
@@ -429,4 +429,72 @@ public function test_charset_selector()
         $this->assertTrue(strpos($result, '<select name="_charset">') === 0);
         $this->assertTrue(strpos($result, '<option value="UTF-8" selected="selected">UTF-8 (Unicode)</option>') !== false);
     }
+
+    /**
+     * Test adding the Content-Security-Policy with "safemode" off.
+     */
+    public function test_add_csp_header_default_without_safemode()
+    {
+        $headers = $this->run_add_csp_header_and_get_headers(false);
+
+        $this->assertCount(1, $headers);
+        $this->assertSame("Content-Security-Policy: default-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'", $headers[0]);
+    }
+
+    /**
+     * Test adding the Content-Security-Policy with "safemode" on.
+     */
+    public function test_add_csp_header_default_with_safemode()
+    {
+        $headers = $this->run_add_csp_header_and_get_headers(true);
+
+        $this->assertCount(1, $headers);
+        $this->assertSame("Content-Security-Policy: default-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src *; media-src *; font-src: *; frame-src: *", $headers[0]);
+    }
+
+    /**
+     * Test adding a custom configured Content-Security-Policy.
+     */
+    public function test_add_csp_header_custom()
+    {
+        $rcmail = \rcube::get_instance();
+        // Some a little strange strings.
+        $rcmail->config->set('content_security_policy', 'default-src * ; ');
+        $rcmail->config->set('content_security_policy_add_allow_remote', "; script-src 'unsafe-inline'");
+
+        $headers = $this->run_add_csp_header_and_get_headers(true);
+
+        $this->assertCount(1, $headers);
+        $this->assertSame("Content-Security-Policy: default-src *; script-src 'unsafe-inline'", $headers[0]);
+    }
+
+    protected function run_add_csp_header_and_get_headers(bool $safemode): array
+    {
+        // Use a subclass to get hands on the headers to be sent. There's not
+        // other way to do this, unfortunately, since the PHP CLI SAPI silently
+        // swallows all calls to `header()` (as done in
+        // `rcube_output::header()`).
+        // The class `OutputHtmlMock` is mocking a lot more than we need, so we
+        // rather roll our own.
+        $output = new class extends \rcmail_output_html {
+            public $http_headers = [];
+
+            #[\Override]
+            public function header($header, $replace = true)
+            {
+                $this->http_headers[] = $header;
+            }
+
+            #[\Override]
+            public function add_csp_header(): void
+            {
+                parent::add_csp_header();
+            }
+        };
+
+        $output->set_env('safemode', $safemode);
+        $output->add_csp_header();
+
+        return $output->http_headers;
+    }
 }

From feb8e9f0ae519321123ed78434b1c5394ccce86a Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Tue, 29 Oct 2024 17:39:59 +0100
Subject: [PATCH 05/15] Add additional CSP header values only if present

If people write a lax default CSP they might set the additional config
option to the blank string, or false. Then the CSP header should not
contain that value.
---
 program/include/rcmail_output_html.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 6dc08225931..2bf661912fc 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2731,7 +2731,9 @@ protected function add_csp_header(): void
             $csp_header = "Content-Security-Policy: {$csp}";
             if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
                 $csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');
-                $csp_header .= "; {$csp_allow_remote}";
+                if (!in_array($csp_allow_remote, ['', false, 'false', null])) {
+                    $csp_header .= "; {$csp_allow_remote}";
+                }
             }
             $this->header($csp_header);
         }

From bc6b241df7c33a0de9a504f72b11fcc3c1111c8b Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Wed, 30 Oct 2024 10:31:27 +0100
Subject: [PATCH 06/15] Use invokeMethod instead of overriding it in a mock

---
 tests/Rcmail/OutputHtmlTest.php | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/tests/Rcmail/OutputHtmlTest.php b/tests/Rcmail/OutputHtmlTest.php
index 159f045b89f..8fc9b524789 100644
--- a/tests/Rcmail/OutputHtmlTest.php
+++ b/tests/Rcmail/OutputHtmlTest.php
@@ -5,6 +5,8 @@
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\TestCase;
 
+use function Roundcube\Tests\invokeMethod;
+
 /**
  * Test class to test rcmail_output_html class
  */
@@ -484,16 +486,10 @@ public function header($header, $replace = true)
             {
                 $this->http_headers[] = $header;
             }
-
-            #[\Override]
-            public function add_csp_header(): void
-            {
-                parent::add_csp_header();
-            }
         };
 
         $output->set_env('safemode', $safemode);
-        $output->add_csp_header();
+        invokeMethod($output, 'add_csp_header');
 
         return $output->http_headers;
     }

From 5db41a1fa9d96ea469c254c6aca53448933a7d42 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Wed, 30 Oct 2024 12:07:56 +0100
Subject: [PATCH 07/15] Use hardcoded defaults for CSP options

This way the code always has values it can work with, no matter how good
or broken the
configuration is.
---
 config/defaults.inc.php                |  4 ++--
 program/lib/Roundcube/rcube_config.php | 11 ++++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/config/defaults.inc.php b/config/defaults.inc.php
index bb61f16cc8b..760765c5522 100644
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -1569,8 +1569,8 @@
 // Only change this if you know what you're doing! You can break the whole
 // application with changes to this setting!
 // To disable completely set the value to `false`;
-$config['content_security_policy'] = "default-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
+$config['content_security_policy'] = "default-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
 
 // Additions to the Content-Security-Policy to use if remote objects *are*
 // allowed to be loaded.
-$config['content_security_policy_add_allow_remote'] = 'img-src *; media-src *; font-src: *; frame-src: *;';
+$config['content_security_policy_add_allow_remote'] = 'img-src *; media-src *; font-src: *; frame-src: *';
diff --git a/program/lib/Roundcube/rcube_config.php b/program/lib/Roundcube/rcube_config.php
index 60833754254..2b635212187 100644
--- a/program/lib/Roundcube/rcube_config.php
+++ b/program/lib/Roundcube/rcube_config.php
@@ -24,6 +24,11 @@ class rcube_config
 {
     public const DEFAULT_SKIN = 'elastic';
 
+    public const DEFAULTS = [
+        'content_security_policy' => "default-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+        'content_security_policy_add_allow_remote' => 'img-src *; media-src *; font-src: *; frame-src: *',
+    ];
+
     /** @var string A skin configured in the config file (before being replaced by a user preference) */
     public $system_skin = 'elastic';
 
@@ -376,8 +381,12 @@ public function get($name, $def = null)
     {
         if (isset($this->prop[$name])) {
             $result = $this->prop[$name];
-        } else {
+        } elseif (isset($def)) {
             $result = $def;
+        } elseif (isset(self::DEFAULTS[$name])) {
+            $result = self::DEFAULTS[$name];
+        } else {
+            $result = null;
         }
 
         $result = $this->getenv_default('ROUNDCUBE_' . strtoupper($name), $result);

From 383e8b5b1ba7fdf62af8dc26b601fa0efc22a4ca Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Wed, 30 Oct 2024 12:09:34 +0100
Subject: [PATCH 08/15] Test to check if hardcoded option values match defaults

---
 tests/Framework/ConfigTest.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tests/Framework/ConfigTest.php b/tests/Framework/ConfigTest.php
index d3da1e8b8fa..b6bfbb2f631 100644
--- a/tests/Framework/ConfigTest.php
+++ b/tests/Framework/ConfigTest.php
@@ -96,4 +96,20 @@ public function test_parse_env()
         $this->assertSame([1], invokeMethod($object, 'parse_env', ['[1]', 'array']));
         $this->assertSame(['test' => 1], (array) invokeMethod($object, 'parse_env', ['{"test":1}', 'object']));
     }
+
+    // Test if values in defaults.inc.php and values in rcube_config::DEFAULTS match
+    public function test_defaults_values(): void
+    {
+        // Load the values from defaults.inc.php manually (we don't want to
+        // test the whole loading mechanics of `rcube_config` here).
+        ob_start();
+        require realpath(RCUBE_INSTALL_PATH . 'config/defaults.inc.php');
+        ob_end_clean();
+
+        $this->assertIsArray($config);
+
+        foreach (\rcube_config::DEFAULTS as $name => $hardcoded_value) {
+            $this->assertSame($hardcoded_value, $config[$name], "The value for '{$name}' in defaults.inc.php does not match the hardcoded default in rcube_config!");
+        }
+    }
 }

From 8b631abed8c1c728415281fb5961ea601a2debb8 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Wed, 30 Oct 2024 14:39:01 +0100
Subject: [PATCH 09/15] Improve readability of CSP value checks

Previously the code also treated `'false'` (the string) as invalid, but
that's a very specific check against a specific edge case, which
wouldn't even break the code (but will only make the browser complain),
so I'm dropping that check.
---
 program/include/rcmail_output_html.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 2bf661912fc..7d8734d9b34 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2727,11 +2727,11 @@ protected function get_template_logo($type = null, $match = null)
     protected function add_csp_header(): void
     {
         $csp = $this->get_csp_value('content_security_policy');
-        if (!in_array($csp, ['', false, 'false', null])) {
+        if (is_string($csp) && strlen($csp) > 0) {
             $csp_header = "Content-Security-Policy: {$csp}";
             if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
                 $csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');
-                if (!in_array($csp_allow_remote, ['', false, 'false', null])) {
+                if (is_string($csp_allow_remote) && strlen($csp_allow_remote) > 0) {
                     $csp_header .= "; {$csp_allow_remote}";
                 }
             }

From 10f759836e807c4f8ca15d3d9482a31567b02e96 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Wed, 30 Oct 2024 14:44:39 +0100
Subject: [PATCH 10/15] Fix static analysis.

---
 tests/Framework/ConfigTest.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/Framework/ConfigTest.php b/tests/Framework/ConfigTest.php
index b6bfbb2f631..2fcee679182 100644
--- a/tests/Framework/ConfigTest.php
+++ b/tests/Framework/ConfigTest.php
@@ -100,6 +100,8 @@ public function test_parse_env()
     // Test if values in defaults.inc.php and values in rcube_config::DEFAULTS match
     public function test_defaults_values(): void
     {
+        // Initialize the variable to make the static analysis happy.
+        $config = null;
         // Load the values from defaults.inc.php manually (we don't want to
         // test the whole loading mechanics of `rcube_config` here).
         ob_start();

From 1afa897d7abbb40b80c7f7822b4b04ae05e4a436 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Wed, 30 Oct 2024 15:18:33 +0100
Subject: [PATCH 11/15] Fix CSP option type handling

The config value might be something else than a string.
---
 program/include/rcmail_output_html.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 7d8734d9b34..b5d988d66c8 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2727,11 +2727,11 @@ protected function get_template_logo($type = null, $match = null)
     protected function add_csp_header(): void
     {
         $csp = $this->get_csp_value('content_security_policy');
-        if (is_string($csp) && strlen($csp) > 0) {
+        if ($csp !== false) {
             $csp_header = "Content-Security-Policy: {$csp}";
             if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
                 $csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');
-                if (is_string($csp_allow_remote) && strlen($csp_allow_remote) > 0) {
+                if ($csp_allow_remote !== false) {
                     $csp_header .= "; {$csp_allow_remote}";
                 }
             }
@@ -2746,8 +2746,12 @@ protected function add_csp_header(): void
      *
      * @param $name string The key of the wanted config value
      */
-    protected function get_csp_value($name): string
+    protected function get_csp_value($name): string|false
     {
-        return trim($this->app->config->get($name), "; \n\r\t\v\x00");
+        $value = $this->app->config->get($name);
+        if (is_string($value)) {
+            return trim($value, "; \n\r\t\v\x00");
+        }
+        return false;
     }
 }

From 37db3ef3bedd7680eaf1c7750e3d4565b95e4a53 Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Wed, 30 Oct 2024 15:19:19 +0100
Subject: [PATCH 12/15] Make CSP header building more robust.

In the previous way useless semicolons could have happened.
---
 program/include/rcmail_output_html.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index b5d988d66c8..e38c8caf18f 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2728,14 +2728,14 @@ protected function add_csp_header(): void
     {
         $csp = $this->get_csp_value('content_security_policy');
         if ($csp !== false) {
-            $csp_header = "Content-Security-Policy: {$csp}";
+            $csp_parts = [$csp];
             if (isset($this->env['safemode']) && $this->env['safemode'] === true) {
                 $csp_allow_remote = $this->get_csp_value('content_security_policy_add_allow_remote');
                 if ($csp_allow_remote !== false) {
-                    $csp_header .= "; {$csp_allow_remote}";
+                    $csp_parts[] = $csp_allow_remote;
                 }
             }
-            $this->header($csp_header);
+            $this->header("Content-Security-Policy: " . join('; ', $csp_parts));
         }
     }
 

From ef5aae33457181a56d07acaea8a92090db1efdbe Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Wed, 30 Oct 2024 15:23:46 +0100
Subject: [PATCH 13/15] Remove type annotation because PHP v7

We still support PHP v7, which doesn't support union types.
---
 program/include/rcmail_output_html.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index e38c8caf18f..896a9e463a8 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2745,8 +2745,9 @@ protected function add_csp_header(): void
      * default second argument to trim(), too).
      *
      * @param $name string The key of the wanted config value
+     * @return string|false
      */
-    protected function get_csp_value($name): string|false
+    protected function get_csp_value($name)
     {
         $value = $this->app->config->get($name);
         if (is_string($value)) {

From b1ea91320fc5925d606e706fc8ebb8b2b3a0fc9a Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Wed, 30 Oct 2024 15:25:25 +0100
Subject: [PATCH 14/15] Mitigate erronous complaint of phpstan

phpstan complains that `assertIsArray($config)` will always fail because
it doesn't know about the side effects of `require`ing the default
config.
---
 tests/Framework/ConfigTest.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/Framework/ConfigTest.php b/tests/Framework/ConfigTest.php
index 2fcee679182..ca551507709 100644
--- a/tests/Framework/ConfigTest.php
+++ b/tests/Framework/ConfigTest.php
@@ -100,7 +100,7 @@ public function test_parse_env()
     // Test if values in defaults.inc.php and values in rcube_config::DEFAULTS match
     public function test_defaults_values(): void
     {
-        // Initialize the variable to make the static analysis happy.
+        // Initialize the variable to avoid warnings.
         $config = null;
         // Load the values from defaults.inc.php manually (we don't want to
         // test the whole loading mechanics of `rcube_config` here).
@@ -108,7 +108,7 @@ public function test_defaults_values(): void
         require realpath(RCUBE_INSTALL_PATH . 'config/defaults.inc.php');
         ob_end_clean();
 
-        $this->assertIsArray($config);
+        $this->assertIsArray($config); // @phpstan-ignore-line
 
         foreach (\rcube_config::DEFAULTS as $name => $hardcoded_value) {
             $this->assertSame($hardcoded_value, $config[$name], "The value for '{$name}' in defaults.inc.php does not match the hardcoded default in rcube_config!");

From fda480b9e6051a627db3a4f68a74386e1e604a5b Mon Sep 17 00:00:00 2001
From: Pablo Zmdl <pablo@nextcloud.com>
Date: Wed, 30 Oct 2024 15:52:21 +0100
Subject: [PATCH 15/15] Tiny corrections to make the linter happy

---
 program/include/rcmail_output_html.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 896a9e463a8..1de462b33f8 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -2735,7 +2735,7 @@ protected function add_csp_header(): void
                     $csp_parts[] = $csp_allow_remote;
                 }
             }
-            $this->header("Content-Security-Policy: " . join('; ', $csp_parts));
+            $this->header('Content-Security-Policy: ' . implode('; ', $csp_parts));
         }
     }
 
@@ -2745,6 +2745,7 @@ protected function add_csp_header(): void
      * default second argument to trim(), too).
      *
      * @param $name string The key of the wanted config value
+     *
      * @return string|false
      */
     protected function get_csp_value($name)