[Dovecot] 2.1.3: Overly lax FETCH parsing
These commands both work in Dovecot (as of 2.1.3):
1 UID FETCH 1:* () (CHANGEDSINCE 1)
* 1 FETCH (UID 30097 MODSEQ (19554))
[...]
1 OK Fetch completed.

2 FETCH 1:* () (CHANGEDSINCE 1)
* 2 FETCH (MODSEQ (19554))
[...]
2 OK Fetch completed.
However, RFC 3501 indicates that an empty FETCH attribute list is incorrect:
    fetch     = "FETCH" SP sequence-set SP ("ALL" / "FULL" / "FAST" /
                fetch-att / "(" fetch-att *(SP fetch-att) ")")

    fetch-att = "ENVELOPE" / "FLAGS" / "INTERNALDATE" /
                "RFC822" [".HEADER" / ".SIZE" / ".TEXT"] /
                "BODY" ["STRUCTURE"] / "UID" /
                "BODY" section ["<" number "." nz-number ">"] /
                "BODY.PEEK" section ["<" number "." nz-number ">"]
In other words, fetch-att is not allowed to be empty. (RFC 4466 does
not alter this requirement when using FETCH modifiers).
While useful that Dovecot is more liberal about what it receives, 3501
seems pretty clear that incorrect FETCH parameters must return a BAD.
I can verify that the above commands fail on Cyrus.
I don't disagree that the way Dovecot handles this is correct - or at
least is the way that I wish the RFCs were written. Since this seems
a bit redundant, but is necessary under the ABNF:
1 UID FETCH 1:* UID (CHANGEDSINCE 1)
-or-
1 UID FETCH 1:* (UID) (CHANGEDSINCE 1)
michael
On 5.4.2012, at 21.59, Michael M Slusarz wrote:
> While useful that Dovecot is more liberal about what it receives, 3501
> seems pretty clear that incorrect FETCH parameters must return a BAD.
> I can verify that the above commands fail on Cyrus.
It's a SHOULD, not a MUST:
    Servers SHOULD enforce the syntax outlined in this specification
    strictly. Any client command with a protocol syntax error, including
    (but not limited to) missing or extraneous spaces or arguments,
    SHOULD be rejected, and the client given a BAD server completion
    response.
But since it's not much trouble to fix it: http://hg.dovecot.org/dovecot-2.1/rev/19e09ab09383
participants (2): Michael M Slusarz, Timo Sirainen
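
The strict reading discussed in this thread, as an added example (not code from either poster and not Dovecot's implementation): a Python check of a FETCH command line against the RFC 3501 ABNF quoted above, returning BAD for the empty "()" list. The function name check_fetch, the reason strings, and the simplified handling of section, sequence-set and RFC 4466 modifiers are assumptions of this example.

```python
import re

# Grammar fragments transcribed from the RFC 3501 ABNF quoted in the thread.
# Simplifications (assumptions of this example): "section" is any bracketed
# text, sequence-set is a run of digits, "*", ":" and ",", and a FETCH
# modifier list (RFC 4466) is any non-empty parenthesised tail.
SECTION = r"\[[^\]]*\]"
PARTIAL = r"<\d+\.[1-9]\d*>"                  # "<" number "." nz-number ">"
ATT = (r"(?:ENVELOPE|FLAGS|INTERNALDATE|RFC822(?:\.HEADER|\.SIZE|\.TEXT)?"
       rf"|BODY(?:\.PEEK)?{SECTION}(?:{PARTIAL})?|BODYSTRUCTURE|BODY|UID)")
ITEMS = re.compile(rf"(?:ALL|FULL|FAST|{ATT}|\({ATT}(?: {ATT})*\))", re.I)
FRAME = re.compile(r"(?P<tag>\S+) (?:UID )?FETCH [0-9*:,]+ (?P<rest>.+)", re.I)
MODS = re.compile(r" \(.+\)")


def check_fetch(line: str) -> str:
    """Return "OK" or "BAD <reason>" for one client command line."""
    frame = FRAME.fullmatch(line)
    if frame is None:
        return "BAD not a FETCH command"
    rest = frame["rest"]
    # The case from the thread: the list form requires at least one fetch-att.
    if rest.startswith("()"):
        return "BAD empty fetch-att list"
    items = ITEMS.match(rest)
    if items is None:
        return "BAD invalid fetch attribute"
    tail = rest[items.end():]
    if tail and not MODS.fullmatch(tail):
        return "BAD unexpected data after fetch attributes"
    return "OK"


if __name__ == "__main__":
    # The four commands quoted in the thread, plus one constructed sample.
    for cmd in (
        "1 UID FETCH 1:* () (CHANGEDSINCE 1)",
        "2 FETCH 1:* () (CHANGEDSINCE 1)",
        "1 UID FETCH 1:* UID (CHANGEDSINCE 1)",
        "1 UID FETCH 1:* (UID) (CHANGEDSINCE 1)",
        "3 FETCH 1 (FLAGS BODY.PEEK[HEADER.FIELDS (FROM TO)]<0.100>)",
    ):
        print(f"{cmd!r:65} -> {check_fetch(cmd)}")
```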