Re: [Fetchmail-devel] XOAUTH2 bug in pop3.c, "next" branch

[Matthias A. <mat...@gm...>]

Am 11.11.20 um 03:22 schrieb Geoff Bailey:
> G'day all,
>
> I'm trying to use fetchmail with Office 365 and XOAUTH2 enabled.  So far
> unsuccessfully, alas.  Anyway, this section in lines 650 to 662 of pop3.c
> is not helping:
>
>         if (ctl->server.authenticate == A_OAUTHBEARER)
>         {
>             if (has_oauthbearer || !has_xoauth2)
>             {
>                 ok = do_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
>             }
>             if (ok != PS_SUCCESS && has_xoauth2)
>             {
>                 ok = do_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
>             }
>                 break;
>         }
>
> As you can see, if has_xoauth2 is true and has_oauthbearer is false, as it
> is in this case, then a very old value of ok is incorrectly used and the
> XOAUTH2 branch is skipped.
>
> The simplest adjustment would be to insert
>
>             ok = PS_AUTHFAIL;   /* anything other than PS_SUCCESS */
>
> or similar before the has_oauthbearer check.
>
Hi Geoff,

thanks for the report. Does it help to rewrite the code as:

        if (ctl->server.authenticate == A_OAUTHBEARER)
        {
            if (has_oauthbearer || !has_xoauth2)
            {
                ok = do_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
            }
            else
            {
                ok = do_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
            }
            if (ok == PS_SUCCESS)
             break;

        }

This will change behaviour however, in that there is no fall-through
from OAUTHBEARER if it fails to XOAUTH2.

Cheers,
Matthias