From b7cf1c88ead858f8441796949abceb20833b4001 Mon Sep 17 00:00:00 2001
From: Helmuth Breitenfellner
Date: Tue, 1 Aug 2023 20:02:43 +0200
Subject: [PATCH 1/3] bugfix for gpg execution with roundcube
---
 webmails/snuffleupagus.rules | 1 +
 1 file changed, 1 insertion(+)
diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules
index ca657719..b1d8b353 100644
--- a/webmails/snuffleupagus.rules
+++ b/webmails/snuffleupagus.rules
@@ -74,6 +74,7 @@ sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\
 sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 # This is **very** broad but doing better is non-straightforward
 sp.disable_function.function("proc_open").param("command").value_r("^gpg ").allow();
+sp.disable_function.function("proc_open").param("command").value_r("^/usr/bin/gpg ").allow();
 sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 # Prevent runtime modification of interesting things
From ca83152ad95b41c9a3ba1c3cfc95ec3e32452d64 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 5 Aug 2023 18:27:26 +0200
Subject: [PATCH 2/3] Update snuffleupagus.rules
---
 webmails/snuffleupagus.rules | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules
index b1d8b353..5e619a8a 100644
--- a/webmails/snuffleupagus.rules
+++ b/webmails/snuffleupagus.rules
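Review bot: The `.allow()` added in the PATCH 1/3 hunk sits ahead of the `proc_open` metacharacter `.drop()`, so a command line that starts with `/usr/bin/gpg ` is accepted without that check ever being applied (assuming, as the existing ordering implies, that a matching allow ends rule evaluation); the merged `^(/usr/bin/)?gpg ` rule in PATCH 2/3 behaves the same way. The comment above only says the rule is broad, so I would state the consequence next to it: `# NOTE: matched before the drop below, so gpg command lines are never checked for shell metacharacters`. If every gpg call comes from one PHP file, the exemption could be narrowed with Snuffleupagus' `filename_r` filter, e.g. `.filename_r("<PLACEHOLDER: path of the PHP file that runs gpg>")` added to the allow rule. The rule list continues outside the hunk on both sides.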
@@ -73,8 +73,7 @@ sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)
 sp.disable_function.function("shell_exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 # This is **very** broad but doing better is non-straightforward
-sp.disable_function.function("proc_open").param("command").value_r("^gpg ").allow();
-sp.disable_function.function("proc_open").param("command").value_r("^/usr/bin/gpg ").allow();
+sp.disable_function.function("proc_open").param("command").value_r("^(/usr/bin/)?gpg ").allow();
 sp.disable_function.function("proc_open").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
 # Prevent runtime modification of interesting things
From 5d8b1940e178fac22a096004e82c0ccb3debf1fd Mon Sep 17 00:00:00 2001
From: Helmuth Breitenfellner
Date: Tue, 8 Aug 2023 21:45:11 +0200
Subject: [PATCH 3/3] Add a newsfragment for CHANGELOG
---
 towncrier/newsfragments/2892.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/2892.bugfix
diff --git a/towncrier/newsfragments/2892.bugfix b/towncrier/newsfragments/2892.bugfix
new file mode 100644
index 00000000..ccae6e43
--- /dev/null
+++ b/towncrier/newsfragments/2892.bugfix
@@ -0,0 +1 @@
+Fix GPG operations from Roundcube - calling gpg with full path was blocked
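Review bot: The merged rule in the PATCH 2/3 hunk hard-codes `/usr/bin/` as the only accepted directory, and nothing in the rules file records why an absolute path is accepted at all. A one-line comment above the rule would help the next maintainer, e.g. `# Roundcube invokes gpg by its full path; accept "gpg " and "/usr/bin/gpg " only`. If the image ever ships gpg somewhere else, the call would presumably fall through to the drop rule again whenever its command line contains one of the listed characters, so the comment should name the path as an assumption about the image.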