Only with these symbols (){ %] can add double quotes at password both, if passworld includes symbol " or \ but exclude (){ %] , it doesn't.

Are you saying that the password you sent contained one of those symbols but curl didn't send it quoted? I just tested with -u user*:secret{ and it seemed to send them quoted just fine.

Can you show us a protocol trace of what curl did and what you expected curl to send instead?

you can use password following:
admin"123
The password sent by curl is admin"123, but the correct one should be "admin\"123"
if the password includs one of those symbols (){ %], for example following:
admin"{123, the curl will sent the password that is "admin\"{123".

@bagder What he's referring to is imap_atom the string is only wrapped in double quotes when escape_only param is true false and some atom-special was found which sets others_exists is true , and then that only happens for the atom_specials characters (){ %*].

According to the IMAP RFC:

atom-specials   = "(" / ")" / "{" / SP / CTL / list-wildcards /
                  quoted-specials / resp-specials
list-wildcards  = "%" / "*"
quoted-specials = DQUOTE / "\"
resp-specials   = "]"

(CTL is %x00-1F / %x7F and DQUOTE is double quote).

I can only find one reference to atom-specials in the entire RFC:

   1)    Any character which is one of the atom-specials (see the Formal
         Syntax) will require that the mailbox name be represented as a
         quoted string or literal.

It would seem, at least in that case, that escape_only when atom-specials are present may not be appropriate unless the calling function is going to quote the string.

I think we could expand our character set of atom-specials at least. Whether the password should be sent as admin"123 admin\"123 or "admin\"123" I'm not seeing it.

you can use password following:
admin"123
The password sent by curl is admin"123, but the correct one should be "admin"123"

This doesn't match my test. I've modified test 800 to use this command line:

curl 'imap://%HOSTIP:%IMAPPORT/800/;UID=1' -u '"user*:sec"ret{'

It makes curl send this line:

A002 LOGIN "\"user*" "sec\"ret{" (followed by CRLF)

Surely the double quote used in the atom needs to be backslash-escaped ?

@jay wrote:

It would seem, at least in that case, that escape_only when atom-specials are present may not be appropriate unless the calling function is going to quote the string.

The only current user of imap_atom() that sets the escape_only parameter to TRUE is within imap_perform_list, and it does quote the string itself...

Aha!

When using a string like "user it creates an atom like \"user that isn't quoted!

To sum up, if the username or password is included " or \, not included one of (){ %*] , curl will sends password without double quotes.
if like this, It will not be compatible with some mail system.e.g coremail mail server.
i tested some mail client ,e.g foxmail, if send password like 111111, the password "111111" will be sent.

i tested some mail client ,e.g foxmail, if send password like 111111, the password "111111" will be sent.

Sure, I'm sure some clients default to always quoting but that's a different thing. The IMAP protocol doesn't mandate quoting for a string like 111111.

Maybe this?

--- a/lib/imap.c
+++ b/lib/imap.c
@@ -1795,20 +1795,20 @@ static char *imap_atom(const char *str, bool escape_only)
   /* Does the input contain any "atom-special" characters? */
   if(!backsp_count && !quote_count && !others_exists)
     return strdup(str);
 
   /* Calculate the new string length */
-  newlen = strlen(str) + backsp_count + quote_count + (others_exists ? 2 : 0);
+  newlen = strlen(str) + backsp_count + quote_count + (escape_only ? 0 : 2);
 
   /* Allocate the new string */
   newstr = (char *) malloc((newlen + 1) * sizeof(char));
   if(!newstr)
     return NULL;
 
   /* Surround the string in quotes if necessary */
   p2 = newstr;
-  if(others_exists) {
+  if(!escape_only) {
     newstr[0] = '"';
     newstr[newlen - 1] = '"';
     p2++;
   }