authorDaniel Stenberg <daniel@haxx.se>2018-11-15 17:00:16 +0100
committerDaniel Stenberg <daniel@haxx.se>2018-11-16 23:36:53 +0100
commit6d0e487f9f546560593f2aeed7f9e90c7f8f9684 (patch)
tree8be7c6d1c2a86d5220c7661413914446dd10fc55
parent27e4ac24cd1f8fcfac4d0673482b382f14613016 (diff)
pop3: only do APOP with a valid timestamp
Brought-by: bobmitchell1956 on github Fixes #3278 Closes #3279
-rw-r--r--lib/pop3.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/lib/pop3.c b/lib/pop3.c
index 5e0fd2299..c1f974d40 100644
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -629,6 +629,7 @@ static CURLcode pop3_state_servergreet_resp(struct connectdata *conn,
if(line[i] == '<') {
/* Calculate the length of the timestamp */
size_t timestamplen = len - 1 - i;
+ char *at;
if(!timestamplen)
break;
@@ -642,8 +643,15 @@ static CURLcode pop3_state_servergreet_resp(struct connectdata *conn,
memcpy(pop3c->apoptimestamp, line + i, timestamplen);
pop3c->apoptimestamp[timestamplen] = '\0';
- /* Store the APOP capability */
- pop3c->authtypes |= POP3_TYPE_APOP;
+ /* If the timestamp does not contain '@' it is not (as required by
+ RFC-1939) conformant to the RFC-822 message id syntax, and we
+ therefore do not use APOP authentication. */
+ at = strchr(pop3c->apoptimestamp, '@');
+ if(!at)
+ Curl_safefree(pop3c->apoptimestamp);
+ else
+ /* Store the APOP capability */
+ pop3c->authtypes |= POP3_TYPE_APOP;
break;
}
}
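Review bot: The new `strchr(pop3c->apoptimestamp, '@')` test only proves that an '@' occurs somewhere in the stored greeting fragment, so a challenge such as `<@>` or one with an empty local part or domain still enables APOP. The server chooses this string and it is fed into the APOP digest, so it is worth rejecting everything that is not a plausible RFC-822 msg-id; a cheap tightening is `if(!at || at == pop3c->apoptimestamp + 1 || at[1] == '>' || at[1] == '\0')`. The function begins and ends outside this hunk, so whether the closing '>' and the character set are validated elsewhere cannot be confirmed from here. The `if`/`else` would also read more safely with braces, since the `else` arm is a comment followed by a single statement. The diffstat shows only lib/pop3.c changed, so a regression test with a greeting that lacks '@' appears to be missing.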