Incorrect CAPA termination detection #19228

@MegaManSec

I did this

The CAPA response termination check treats any line that begins with '.' as the terminating line rather than requiring a single '.' line. According to POP3 multi-line response rules, the terminator is a line consisting of only a single dot ("."), so a line like ".capability" would be misinterpreted as the end of the CAPA response. This can cause premature termination of capability parsing and missing or incorrect capability handling.

The affected code is here:

curl/lib/pop3.c

Lines 324 to 334 in f4293cd

    /* Are we processing CAPA command responses? */
    if(pop3c->state == POP3_CAPA) {
      /* Do we have the terminating line? */
      if(len >= 1 && line[0] == '.')
        /* Treat the response as a success */
        *resp = '+';
      else
        /* Treat the response as an untagged continuation */
        *resp = '*';

      return TRUE;

From https://www.rfc-editor.org/rfc/rfc1939: "When all lines of the response have been sent, a final line is sent, consisting of a termination octet '.' and a CRLF pair"
From https://datatracker.ietf.org/doc/html/rfc2449: "The capability list is terminated by a line containing a termination octet '.' and a CRLF pair"

This bug was found with ZeroPath.

I expected the following

No response

curl/libcurl version

newest

operating system

all
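
The difference between the prefix check quoted in the report and an exact-match check, as an added example that is not part of the original report or of curl's code. `capa_end_exact`, `lines_before_end` and the sample response are hypothetical names and constructed data, and tolerating a bare LF line ending is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef bool (*end_check)(const char *line, size_t len);

/* Check as quoted in the issue: any line starting with '.' ends the list. */
static bool capa_end_prefix(const char *line, size_t len)
{
  return len >= 1 && line[0] == '.';
}

/* Hypothetical stricter check: the line is a lone '.' once its line ending
   is removed. Tolerating a bare LF is an assumption of this example. */
static bool capa_end_exact(const char *line, size_t len)
{
  if(len && line[len - 1] == '\n')
    len--;
  if(len && line[len - 1] == '\r')
    len--;
  return len == 1 && line[0] == '.';
}

/* Constructed CAPA response body; ".capability" is the issue's example. */
static const char *const sample[] = {
  "TOP\r\n", "USER\r\n", ".capability\r\n", "SASL PLAIN\r\n", "STLS\r\n",
  ".\r\n"
};
#define SAMPLE_LINES (sizeof(sample) / sizeof(sample[0]))

/* Number of lines handled as capabilities before the check reports the end. */
static size_t lines_before_end(end_check is_end)
{
  size_t i;
  for(i = 0; i < SAMPLE_LINES; i++)
    if(is_end(sample[i], strlen(sample[i])))
      break;
  return i;
}

int main(void)
{
  printf("prefix check: %zu lines, exact check: %zu lines\n",
         lines_before_end(capa_end_prefix), lines_before_end(capa_end_exact));
  return 0;
}
```

With the prefix check the constructed response ends at ".capability", so the SASL and STLS lines that follow it are never examined.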
