[Dovecot] CATENATE doesn't support literal+ url

Mike Abbott michael.abbott at apple.com
Mon Apr 29 21:38:42 EEST 2013


Dovecot-2.2.1 does not appear to support URLs specified via non-synchronizing literals (RFC 2088 LITERAL+), and also does not read and discard the literal+ input after reporting the error.  This results in the literal+ input being interpreted as IMAP commands, which could alter the user's mail store in unexpected ways and/or lead to the abrupt disconnection of the client for exceeding the maximum number of bad IMAP commands.

Example using dovecot-2.2.1 (note that the text nonsync literal includes the invisible CRLFs:  "foobarCRLFbarbazCRLF"):
a3 append inbox catenate (url {9+}
/some-url text {16+}
foobar
barbaz
)
a4 noop
a3 BAD Error in IMAP command APPEND: Invalid arguments.
foobar BAD Error in IMAP command : Unknown command.
barbaz BAD Error in IMAP command : Unknown command.
) BAD Error in IMAP command : Unknown command.
a4 OK NOOP completed.

Example using Apple's enhanced dovecot in OS X Server:
a3 append inbox catenate (url {9+}
/some-url text {16+}
foobar
barbaz
)
a4 noop
a3 NO [BADURL /some-url] missing or invalid uid
a4 OK NOOP completed.

I believe the RFCs indicate that nonsync literal URLs should be permitted.
RFC 4469 section 5:
   append-data =/ "CATENATE" SP "(" cat-part *(SP cat-part) ")"
   cat-part = text-literal / url
   url = "URL" SP astring
RFC 3501 section 9:
   astring         = 1*ASTRING-CHAR / string
   string          = quoted / literal
RFC 2088 section 4:
   literal         ::= "{" number ["+"] "}" CRLF *CHAR8



More information about the dovecot mailing list