Commit 9f260b5d authored by Steve Holme's avatar Steve Holme
Browse files

pop3: Fixed selection of APOP when server replies with an invalid timestamp 

Although highlighted by a bug in commit 1cfb436a, APOP
authentication could be chosen if the server was to reply with an empty
or missing timestamp in the server greeting and APOP was given in the
capability list by the server.
parent 04529767

lib/pop3.c

+6 −2
Original line number Diff line number Diff line
@@ -561,7 +561,8 @@ static CURLcode pop3_perform_authentication(struct connectdata *conn) 
    }

#ifndef CURL_DISABLE_CRYPTO_AUTH

    else if((pop3c->authtypes & POP3_TYPE_APOP) &&

            (pop3c->preftype & POP3_TYPE_APOP))

            (pop3c->preftype & POP3_TYPE_APOP) &&

            (pop3c->apoptimestamp))

      /* Perform APOP authentication */

      result = pop3_perform_apop(conn);

#endif
@@ -663,6 +664,8 @@ static CURLcode pop3_state_servergreet_resp(struct connectdata *conn, 
        if(line[i] == '<') {

          /* Calculate the length of the timestamp */

          size_t timestamplen = len - 2 - i;

          if(!timestamplen)

            break;



          /* Allocate some memory for the timestamp */

          pop3c->apoptimestamp = (char *)calloc(1, timestamplen + 1);
@@ -1198,7 +1201,8 @@ static CURLcode pop3_state_auth_cancel_resp(struct connectdata *conn, 
    }

#ifndef CURL_DISABLE_CRYPTO_AUTH

    else if((pop3c->authtypes & POP3_TYPE_APOP) &&

            (pop3c->preftype & POP3_TYPE_APOP))

            (pop3c->preftype & POP3_TYPE_APOP) &&

            (pop3c->apoptimestamp))

      /* Perform APOP authentication */

      result = pop3_perform_apop(conn);

#endif