Description
Summary
The IMAP parser in libcurl seems to scan for literals ({size}) naively, without checking if it's currently inside a quoted string.
For example, if a server sends a header like:
* 1 FETCH (BODY[HEADER] "Subject: {50} Test")
Curl ignores the double quotes, sees the {50}, and immediately switches to binary read mode expecting 50 bytes. This causes it to swallow the next part of the protocol stream (like the subsequent OK response) and desynchronize.
According to RFC 3501, content inside double quotes should be treated as an opaque string. The parser likely needs to track an in_quote state so it ignores { characters when they are part of a header value.
curl/libcurl version
curl 8.18.0-rc3
operating system
Linux pc-363 6.17.10+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.17.10-1kali1 (2025-12-08) x86_64 GNU/Linux
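The quote tracking proposed in the report, sketched next to the naive scan it describes. This is an added example, not libcurl's code and not part of the original report. The function names `marker_at`, `naive_literal_size` and `quote_aware_literal_size` are hypothetical, and the backslash handling assumes the RFC 3501 quoted-string grammar, where `"` and `\` are escaped with a backslash.

```c
#include <stdio.h>

/* Parse "{digits}" at p; return the number, or -1 if p is not such a marker. */
static long marker_at(const char *p)
{
  long n = 0;
  const char *d = p + 1;
  if(*p != '{' || *d < '0' || *d > '9')
    return -1;
  for(; *d >= '0' && *d <= '9' && n < 100000000L; d++)
    n = n * 10 + (*d - '0');   /* bounded, so an oversized number fails below */
  return (*d == '}') ? n : -1;
}

/* Behaviour described in the report: the first "{size}" wins, quotes ignored. */
long naive_literal_size(const char *line)
{
  for(; *line; line++)
    if(marker_at(line) >= 0)
      return marker_at(line);
  return -1;
}

/* Same scan with an in_quote state: "{" inside a quoted string is opaque. */
long quote_aware_literal_size(const char *line)
{
  int in_quote = 0;
  for(; *line; line++) {
    if(in_quote) {
      if(*line == '\\' && line[1])
        line++;                /* skip the backslash-escaped character */
      else if(*line == '"')
        in_quote = 0;
    }
    else if(*line == '"')
      in_quote = 1;
    else if(marker_at(line) >= 0)
      return marker_at(line);
  }
  return -1;
}

int main(void)
{
  const char *line = "* 1 FETCH (BODY[HEADER] \"Subject: {50} Test\")"; /* from the report */
  printf("naive=%ld quote-aware=%ld\n",
         naive_literal_size(line), quote_aware_literal_size(line));
  return 0;
}
```

A return value of -1 means no literal was announced on the line, so the reader stays in line mode and the following `OK` response is parsed normally.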