Rocco Rutte <[EMAIL PROTECTED]> writes:

> APOP IMHO should never be considered a secure way of authentication,
> it's just more secure than sending plain passwords over the wire. But
> yes, since the RfC says the "timestamp" must be a syntactically valid
> message-id and mutt doesn't check it, there's some room for improvement.

I've just added rfc822valid.c to fetchmail's SVN[1] (GNU GPL), which is a dangerously dedicated hand-written RD-parser to validate a token (const unsigned char *) against rfc-822's msg-id syntax and return 0 for invalid and 1 for valid.

It doesn't handle NUL characters yet, since fetchmail stomps over them anyways when downloading from the net. If NUL-proofing is desirable, we need to extend the API by a length argument and revise some functions.

Feel free to adapt this stuff to mutt (and feed back improvements and fixes if you don't mind :-)).

[1] http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/rfc822valid.c

Comments solicited.

--
Matthias Andree
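
The kind of check discussed above, as an added example that is not fetchmail's rfc822valid.c and not part of the original message: a small recursive-descent validator for RFC 822 `msg-id = "<" addr-spec ">"` that returns 1 for valid and 0 for invalid. The function names are hypothetical, and it assumes strict matching (no whitespace or comments between tokens) on a NUL-terminated string, so it shares the NUL limitation mentioned in the message.

```c
#include <string.h>

/* Added illustration; NOT fetchmail's rfc822valid.c. Assumption: strict
 * matching, no whitespace/comments between tokens, no embedded NULs. */
typedef const unsigned char *cursor;

/* atom = 1*<any CHAR except specials, SPACE and CTLs> */
static int atom(cursor *p) {
    cursor start = *p;
    while (**p > 32 && **p < 127 && !strchr("()<>@,;:\\\".[]", **p))
        (*p)++;
    return *p > start;
}

/* Body of a quoted-string or domain-literal; *p sits on the opening char. */
static int delimited(cursor *p, int close, const char *banned) {
    for ((*p)++; **p != close; (*p)++) {
        if (**p == '\\')
            (*p)++;                   /* quoted-pair = "\" CHAR */
        else if (strchr(banned, **p))
            return 0;                 /* strchr also matches NUL: end of input */
        if (**p == 0 || **p > 127)
            return 0;                 /* CHAR is 7-bit ASCII, NUL unsupported */
    }
    (*p)++;                           /* consume the closing delimiter */
    return 1;
}

/* word = atom / quoted-string */
static int word(cursor *p) {
    return **p == '"' ? delimited(p, '"', "\r") : atom(p);
}

/* sub-domain = domain-ref (an atom) / domain-literal */
static int sub_domain(cursor *p) {
    return **p == '[' ? delimited(p, ']', "[\r") : atom(p);
}

/* item *("." item): shared by local-part and domain */
static int dotted(cursor *p, int (*item)(cursor *)) {
    if (!item(p)) return 0;
    while (**p == '.') { (*p)++; if (!item(p)) return 0; }
    return 1;
}

/* msg-id = "<" local-part "@" domain ">" with nothing before or after */
int msgid_valid(const unsigned char *s) {
    cursor p = s;
    if (*p++ != '<' || !dotted(&p, word)) return 0;
    if (*p++ != '@' || !dotted(&p, sub_domain)) return 0;
    return p[0] == '>' && p[1] == '\0';
}
```

A client would run such a check on the bracketed token taken from the POP3 greeting before computing the APOP digest, and decline APOP when it returns 0.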