'net/pop' bug: username/pass containing %-sign

‘net/pop’ library (POP3/APOP client) has a bug: Authentication fails
if username or password contains a %-sign. The library uses:

    …get_response('USER ' + account)
    … sprintf(fmt, *fargs)

Percent signs ‘%’ in a username/password are interpreted by sprintf()
as format specifiers.

The fix is in POP3Command.auth() line#793. Instead of

    check_response_auth(get_response('USER ' + account))
    get_response('PASS ' + password)

use

    check_response_auth(get_response('USER %s', account))
    get_response('PASS %s', password)

Regards,

-Laza
http://lazax.com/blog/

Hi,

In mail “‘net/pop’ bug: username/pass containing %-sign”

zoranlazarevic@yahoo.com (Zoran Lazarevic) wrote:

‘net/pop’ library (POP3/APOP client) has a bug: Authentication fails
if username or password contains a %-sign. The library uses:

    …get_response('USER ' + account)
    … sprintf(fmt, *fargs)

Percent signs ‘%’ in a username/password are interpreted by sprintf()
as format specifiers.

The fix is in POP3Command.auth() line#793. Instead of

Thank you for your report. Fixed now.

Best Regards,
Minero Aoki
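
The difference between the two call styles in the report, as an added Ruby example that is not net/pop's own code: `format_command`, `pass_line_concat`, `pass_line_arg` and `compare` are hypothetical names modelling the `sprintf(fmt, *fargs)` step, and the sample passwords are constructed. Besides the failures the report describes, it shows that a password containing `%%` is silently altered before it is sent.

```ruby
# Model of the command formatting described in the report (hypothetical
# helper, not net/pop's code): the first argument is a sprintf format.
def format_command(fmt, *fargs)
  sprintf(fmt, *fargs)
end

# Reported pattern: the credential is concatenated into the format string,
# so any '%' in it is parsed as a format directive.
def pass_line_concat(password)
  format_command('PASS ' + password)
end

# Fixed pattern from the report: the credential is passed as a sprintf
# argument and is copied into the command unchanged.
def pass_line_arg(password)
  format_command('PASS %s', password)
end

# Returns the command line each pattern produces for one password,
# or the exception class when formatting fails.
def compare(password)
  concat = begin
    pass_line_concat(password)
  rescue ArgumentError => e
    e.class
  end
  { concat: concat, arg: pass_line_arg(password) }
end

# Constructed sample passwords.
SAMPLES = ['secret', 'p%ss', '100%', '50%%off'].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |pw| puts "#{pw.inspect} => #{compare(pw).inspect}" }
end
```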