pop3: fix CAPA response termination detection The code was checking if a line starts with '.', which would incorrectly match capability names starting with dots. Per RFC 2449, the terminator must be a line containing only a single dot. RFC 2449 also explicitly excludes '.' from valid capability name starting characters, so this is purely theoretical, but the code should match the spec. Changed to check for exact match: line length of 3 with '.\r' or length 2 with '.\n' to handle both CRLF and LF-only servers. (Mistake detected with ZeroPath) Fixes #19228 Reported-by: Joshua Rogers Closes #19245

commit: a49e4e3d16991465144558f405b2d7972824abb0 [log] [tgz]
author: TheBitBrine <blacknomex08@gmail.com> Sun Oct 26 03:15:07 2025 +0000
committer: Daniel Stenberg <daniel@haxx.se> Sun Oct 26 10:59:20 2025 +0100
tree: d3243e86dee39fa0efa43be42b295a2572f90929
parent: b602de775ed59f6f40c76c5b928ba677613c3923 [diff]
diff --git a/lib/pop3.c b/lib/pop3.c
index 2fd496c..c6b6ed6 100644
--- a/lib/pop3.c
+++ b/lib/pop3.c

@@ -323,8 +323,10 @@
 
   /* Are we processing CAPA command responses? */
   if(pop3c->state == POP3_CAPA) {
-    /* Do we have the terminating line? */
-    if(len >= 1 && line[0] == '.')
+    /* Do we have the terminating line? Per RFC 2449 this is a line
+       containing only a single dot */
+    if((len == 3 && line[0] == '.' && line[1] == '\r') ||
+       (len == 2 && line[0] == '.' && line[1] == '\n'))
       /* Treat the response as a success */
       *resp = '+';
     else
commit	a49e4e3d16991465144558f405b2d7972824abb0	[log] [tgz]
author	TheBitBrine <blacknomex08@gmail.com>	Sun Oct 26 03:15:07 2025 +0000
committer	Daniel Stenberg <daniel@haxx.se>	Sun Oct 26 10:59:20 2025 +0100
tree	d3243e86dee39fa0efa43be42b295a2572f90929
parent	b602de775ed59f6f40c76c5b928ba677613c3923 [diff]