pop3: fix CAPA response termination detection

The code was checking if a line starts with '.', which would
incorrectly match capability names starting with dots. Per RFC 2449,
the terminator must be a line containing only a single dot.

RFC 2449 also explicitly excludes '.' from valid capability name
starting characters, so this is purely theoretical, but the code
should match the spec.

Changed to check for exact match: line length of 3 with '.\r' or
length 2 with '.\n' to handle both CRLF and LF-only servers.

(Mistake detected with ZeroPath)

Fixes #19228
Reported-by: Joshua Rogers
Closes #19245

diff --git a/lib/pop3.c b/lib/pop3.c
index 2fd496cb314280298a4136f35aeae77c7eb994bb..c6b6ed659c9d2ddeb748ee8ed6959c3fe6359c1a 100644 (file)
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -323,8 +323,10 @@ static bool pop3_endofresp(struct Curl_easy *data, struct connectdata *conn,
 
   /* Are we processing CAPA command responses? */
   if(pop3c->state == POP3_CAPA) {
-    /* Do we have the terminating line? */
-    if(len >= 1 && line[0] == '.')
+    /* Do we have the terminating line? Per RFC 2449 this is a line
+       containing only a single dot */
+    if((len == 3 && line[0] == '.' && line[1] == '\r') ||
+       (len == 2 && line[0] == '.' && line[1] == '\n'))
       /* Treat the response as a success */
       *resp = '+';
     else