Issues

ZF-7674: APOP Handling buggy

Description

With the latest ZF trunk, you cannot set whether APOP should be used or not when logging in to a POP3 server.

The following fix adds a "tryApop" parameter to the constructor, which is passed on to the login() function.

Corrected source Zend/Mail/Storage/Pop3.php [1 line added, 1 line modified]


    public function __construct($params)
    {
        if (is_array($params)) {
            $params = (object)$params;
        }

        $this->_has['fetchPart'] = false;
        $this->_has['top']       = null;
        $this->_has['uniqueid']  = null;

        if ($params instanceof Zend_Mail_Protocol_Pop3) {
            $this->_protocol = $params;
            return;
        }

        if (!isset($params->user)) {
            /**
             * @see Zend_Mail_Storage_Exception
             */
            require_once 'Zend/Mail/Storage/Exception.php';
            throw new Zend_Mail_Storage_Exception('need at least user in params');
        }

        $host     = isset($params->host)     ? $params->host     : 'localhost';
        $password = isset($params->password) ? $params->password : '';
        $port     = isset($params->port)     ? $params->port     : null;
        $ssl      = isset($params->ssl)      ? $params->ssl      : false;
        $tryApop  = (isset($params->tryApop) && $params->tryApop) ? true : false;

        $this->_protocol = new Zend_Mail_Protocol_Pop3();
        $this->_protocol->connect($host, $port, $ssl);
        $this->_protocol->login($params->user, $password, $tryApop);
    }

Second fix: Maybe changing default value of $apop in Zend/Mail/Protocol/Pop3.php: login($user, $password, $tryApop) [to be discussed for backward compatibility]

Comments

Could you first explain the bug in the APOP handling?

Sending the password in clear text should be avoided if possible, and therefore APOP should be used if the server signals its support. We still fall back to USER/PASS if the server sends a timestamp in the greeting but has problems with the APOP command.

I fail to see the use of an option to make it more insecure, especially as you already have that option: you can extend the POP3 class.

no response

Today I had the same problem.

The problem is that (certain) servers not supporting APOP will terminate the connection after receiving an APOP command. So there needs to be a way to set the tryApop parameter.

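A stand-alone illustration of the login behaviour discussed in this thread (APOP first when the greeting carries a timestamp, USER/PASS fallback on -ERR, and the tryApop switch the reporter asks for, needed when a server drops the connection on APOP). This is added example code, not Zend Framework code; the server closure, greeting and credentials are constructed.

```php
<?php
// Added example, not code from Zend Framework: APOP-first login with
// USER/PASS fallback, plus the tryApop switch requested in the issue.
// The server is a constructed closure so the example runs offline.
function apopDigest(string $greeting, string $password): ?string
{
    // RFC 1939: the timestamp is the <...> token in the greeting; the digest is
    // the hex MD5 of that token (angle brackets included) followed by the secret.
    return preg_match('/<[^>]+>/', $greeting, $m) ? md5($m[0] . $password) : null;
}

// $send('COMMAND args') returns the server's response line, or null if the
// server dropped the connection (the behaviour the reporter ran into).
function pop3Login(callable $send, string $greeting, string $user,
                   string $password, bool $tryApop = true): string
{
    $digest = apopDigest($greeting, $password);
    if ($tryApop && $digest !== null) {
        $resp = $send("APOP $user $digest");          // secret never leaves the client
        if ($resp === null) {
            throw new RuntimeException('server closed the connection on APOP');
        }
        if (strncmp($resp, '+OK', 3) === 0) {
            return 'APOP';
        }
        // -ERR: server advertised a timestamp but rejects APOP; fall back.
    }
    $resp = $send("USER $user");
    if ($resp === null || strncmp($resp, '+OK', 3) !== 0) {
        throw new RuntimeException('USER rejected');
    }
    $resp = $send("PASS $password");                  // password crosses the wire in clear
    if ($resp === null || strncmp($resp, '+OK', 3) !== 0) {
        throw new RuntimeException('PASS rejected');
    }
    return 'USER/PASS';
}

// Constructed server: advertises a timestamp but drops the connection on APOP.
$greeting = '+OK POP3 ready <1896.697170952@mail.example.invalid>';
$dropsOnApop = function (string $line): ?string {
    return strncmp($line, 'APOP', 4) === 0 ? null : '+OK';
};
try {
    pop3Login($dropsOnApop, $greeting, 'alice', 's3cret');        // default: APOP first
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                                   // connection dropped
}
echo pop3Login($dropsOnApop, $greeting, 'alice', 's3cret', false), "\n"; // USER/PASS
```

With tryApop left at its default the connection is lost before any fallback can happen, which is why the fallback in the existing code alone does not cover such servers; disabling APOP is the trade-off the maintainer objects to, since the password then travels in clear text.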