[Dovecot] CATENATE doesn't support literal+ url
Mike Abbott
michael.abbott at apple.com
Mon Apr 29 21:38:42 EEST 2013
Dovecot-2.2.1 does not appear to support URLs specified via non-synchronizing literals (RFC 2088 LITERAL+), and also does not read and discard the literal+ input after reporting the error. This results in the literal+ input being interpreted as IMAP commands, which could alter the user's mail store in unexpected ways and/or lead to the abrupt disconnection of the client for exceeding the maximum number of bad IMAP commands.
Example using dovecot-2.2.1 (note that the text nonsync literal includes the invisible CRLFs: "foobarCRLFbarbazCRLF"):
a3 append inbox catenate (url {9+}
/some-url text {16+}
foobar
barbaz
)
a4 noop
a3 BAD Error in IMAP command APPEND: Invalid arguments.
foobar BAD Error in IMAP command : Unknown command.
barbaz BAD Error in IMAP command : Unknown command.
) BAD Error in IMAP command : Unknown command.
a4 OK NOOP completed.
Example using Apple's enhanced dovecot in OS X Server:
a3 append inbox catenate (url {9+}
/some-url text {16+}
foobar
barbaz
)
a4 noop
a3 NO [BADURL /some-url] missing or invalid uid
a4 OK NOOP completed.
I believe the RFCs indicate that nonsync literal URLs should be permitted.
RFC 4469 section 5:
append-data =/ "CATENATE" SP "(" cat-part *(SP cat-part) ")"
cat-part = text-literal / url
url = "URL" SP astring
RFC 3501 section 9:
astring = 1*ASTRING-CHAR / string
string = quoted / literal
RFC 2088 section 4:
literal ::= "{" number ["+"] "}" CRLF *CHAR8
More information about the dovecot
mailing list