Skip to content

/curl

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue where APOP authentication is incorrectly used #3278

Closed
bobmitchell1956 opened this issue Nov 15, 2018 · 1 comment
Labels
POP3

Comments

@bobmitchell1956
Copy link

@bobmitchell1956 bobmitchell1956 commented Nov 15, 2018

Attempting to connect to a POP3 server with < and > characters in its greeting line fails because the logic in pop3_state_servergreet_resp in pop3.c assumes that text between the < and > characters is always a timestamp to be used for APOP authentication.

In this case the greeting was:
+OK E.Novation POP3 server ready <a.b.c>

where a.b.c is the domain name of the server.

APOP requires that the text within < > corresponds to the msg-id syntax of RFC-822. This means that at the very least it must contain the @ character.

As a result of the assumption that the characters between < > is a timestamp, a connection to this server cannot be established.

libcurl version 7.62
Windows 10 and macOS High Sierra

I have fixed the issue in my CURL source, and attached an updated pop3.c (uploaded as pop3.txt). The text marked rmm9831 is my fix.

pop3.txt
@bagder bagder added the POP3 label Nov 15, 2018
bagder added a commit that referenced this issue Nov 15, 2018
@bagder
pop3: only do APOP with a valid timestamp
Verified
This commit was signed with a verified signature.
bagder Daniel Stenberg
GPG key ID: 5CC908FDB71E12C2 Learn about signing commits
Loading status checks…
b4d4428 
Brought-by: bobmitchell1956 on github
Fixes #3278
@bagder bagder mentioned this issue Nov 15, 2018
Closed
@bagder

This comment has been minimized.

Sign in to view
Copy link
Member

@bagder bagder commented Nov 15, 2018

Thanks! You can see my slightly tweaked version of your patch in #3279.
@bagder bagder closed this in 6d0e487 Nov 16, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Feb 14, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
POP3
Projects
None yet
Milestone
No milestone
2 participants
@bobmitchell1956 @bagder
You can’t perform that action at this time.