[Dovecot] 2.1.3: Overly lax FETCH parsing
Michael M Slusarz
slusarz at curecanti.org
Thu Apr 5 21:59:20 EEST 2012
These commands both work in Dovecot (as of 2.1.3):
1 UID FETCH 1:* () (CHANGEDSINCE 1)
* 1 FETCH (UID 30097 MODSEQ (19554))
[...]
1 OK Fetch completed.
2 FETCH 1:* () (CHANGEDSINCE 1)
* 2 FETCH (MODSEQ (19554))
[...]
2 OK Fetch completed.
However, RFC 3501 indicates that an empty FETCH attribute list is incorrect:
fetch = "FETCH" SP sequence-set SP ("ALL" / "FULL" / "FAST" /
fetch-att / "(" fetch-att *(SP fetch-att) ")")
fetch-att = "ENVELOPE" / "FLAGS" / "INTERNALDATE" /
"RFC822" [".HEADER" / ".SIZE" / ".TEXT"] /
"BODY" ["STRUCTURE"] / "UID" /
"BODY" section ["<" number "." nz-number ">"] /
"BODY.PEEK" section ["<" number "." nz-number ">"]
In other words, fetch-att is not allowed to be empty. (RFC 4466 does
not alter this requirement when using FETCH modifiers).
While useful that Dovecot is more liberal about what it receives, 3501
seems pretty clear that incorrect FETCH parameters must return a BAD.
I can verify that the above commands fail on Cyrus.
I don't disagree that the way Dovecot handles this is correct - or at
least is the way that I wish the RFCs were written. Since this seems
a bit redundant, but is necessary under the ABNF:
1 UID FETCH 1:* UID (CHANGEDSINCE 1)
-or-
1 UID FETCH 1:* (UID) (CHANGEDSINCE 1)
michael
More information about the dovecot
mailing list