IMAP: fix: backslash in password quoted string #378
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change introduces a method StringUtil::parseQuotedImapString that will return the string value of a quoted-string according to the RFC 3501 (imap v4rev1) ABNF. While the method might not be concise, it hopefully is correct. This added method is then used in ImapConnection to correctly unquote a quoted string token, which was previously done with some deviations from RFC3501. Specifically, when the quoted string token was a password transporting a string value that (also) contained one backslash (encoded as a double-backslash), it would not be unquoted correctly to a single backslash. As a side-effect, ImapConnection::parseCredentials() needs not unquote the first backslash in a username anymore, as all backslashes in all quoted strings are unquoted correctly. In order to limit the change in size, the previously existing processing in ImapConnection::ImapTokenizer::nextToken() is left in-tact by still calling removeQuotes() in all other cases. Patch By: Max-Julian Pogner <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello Mickaël,
i recently noticed, that a backslash special character as part of my password was not accepted when accessing the exchange server through davmail's imap interface.
according to tshark, the password was transported from the imap client to davmail as a quoted string, approximately like so:
LOGIN "username" "foo\\bar".My reading of RFC3501 (IMAP version 4 rev 1) is, that after tokenizing and unquoting this would give a password value of
foo\barwith a single backslash character (which is the correct password in this example). However, davmail did not correctly unquote the password string token and used thusfoo\\bar(with two backslash characters) as password when communicating with the exchange server resulting in failed login.I used RFC3501 as reference (and not RFC 9051), because davmail announces
IMAP4REV1(and not IMAP4rev2) in ImapConnection.java capability response code.My analysis of the davmail source code resulted in the following changes:
For a detailed description, see the commit message and code-comments.
Best regards,
Max