Track tasks and feature requests
Join 36 million developers who use GitHub issues to help identify, assign, and keep track of the features and bug fixes your projects need.
Sign up for free See pricing for teams and enterprisesIssue where APOP authentication is incorrectly used #3278
Comments
bagder
added
the
POP3
label
Nov 15, 2018
bagder
added a commit
that referenced
this issue
Nov 15, 2018
This comment has been minimized.
This comment has been minimized.
|
Thanks! You can see my slightly tweaked version of your patch in #3279. |
bagder
closed this
in
6d0e487
Nov 16, 2018
lock
bot
locked as resolved and limited conversation to collaborators
Feb 14, 2019
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
bobmitchell1956 commentedNov 15, 2018
Attempting to connect to a POP3 server with < and > characters in its greeting line fails because the logic in pop3_state_servergreet_resp in pop3.c assumes that text between the < and > characters is always a timestamp to be used for APOP authentication.
In this case the greeting was:
+OK E.Novation POP3 server ready <a.b.c>
where a.b.c is the domain name of the server.
APOP requires that the text within < > corresponds to the msg-id syntax of RFC-822. This means that at the very least it must contain the @ character.
As a result of the assumption that the characters between < > is a timestamp, a connection to this server cannot be established.
libcurl version 7.62
Windows 10 and macOS High Sierra
I have fixed the issue in my CURL source, and attached an updated pop3.c (uploaded as pop3.txt). The text marked rmm9831 is my fix.
pop3.txt