Hello

I'm using SpamAssassin 3.0.1 (and have checked Bugzilla and latest snapshot in case this was fixed already).

I was attempting to verify that the Hashcash plugin was working. I created a 'stamp' using the Java applet on http://www.hashcash.org/, and inserted it into a test email, which I then piped into SpamAssassin (after setting hashcash_accept appropriately). The Hashcash stamp wasn't detected, so I investigated and believe I found _two_ problems in the code in Hashcash.pm:

Firstly, the above Java applet by default adds some pointless-looking example extended data to the stamp (foo=e,r,t,w;bar=certain,key;), which you can see contains semicolons. I'm no Perl expert, but I believe that the following code in Hashcash.pm:

    # untaint the string for paranoia, making sure not to allow \n \0 \' \"
    $hc =~ /^([-A-Za-z0-9\xA0-\xFF:_\/[EMAIL PROTECTED],\= \*\+]+)$/;
    $hc = $1;

isn't allowing the semicolon ';' character to be present in the stamp (which means that the stamp then doesn't work). Assuming that semicolon is supposed to be allowed, then this code needs to avoid removing it from the string. If I generated a stamp without semicolons, then it worked fine. I wonder if there are any other likely characters which this could apply to also?

And secondly, the code which attempts to check that the Hashcash version is either 0 or 1:

    my ($ver, $bits, $date, $rsrc, $exts, $rand, $trial);
    if ($hc =~ /^0:/) {
      ($ver, $date, $rsrc, $trial) = split (/:/, $hc, 4);
    }
    elsif ($hc =~ /^1:/) {
      ($ver, $bits, $date, $rsrc, $exts, $rand, $trial) =
          split (/:/, $hc, 7);
      # extensions are, as yet, unused by SpamAssassin
    }
    else {
      dbg("hashcash: version $ver stamps not yet supported");
      return 0;
    }

encounters undefined variable $ver in the dbg statement if the version _isn't_ 0 or 1 (which is probably unlikely, but was something I tried while trying to work out what was going on).

Hope that the users list was a good place to post this - I didn't (yet) feel qualified either to post to 'dev' or to subscribe to Bugzilla.

Regards,
Clarke Brunt
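The two checks discussed in the post above, as an added example that is not SpamAssassin's code and not part of the original message: an allow-list untaint that tests whether the match succeeded, and a version check that captures the version before reporting it. The character class, the names untaint_stamp and parse_stamp, and the sample stamps are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list for this example only (an assumption, not the plugin's class):
# common stamp characters plus ';', still excluding \n \0 ' and ".
my $ALLOWED = qr/^([-A-Za-z0-9:_\/\@.,;= *+]+)\z/;

# Returns the untainted stamp, or undef when any character is off the list.
# Testing the match matters: a failed match does not reset $1, so an
# unconditional "$hc = $1" picks up a stale capture or undef.
sub untaint_stamp {
    my ($hc) = @_;
    return unless defined $hc && $hc =~ $ALLOWED;
    return $1;
}

# Splits a stamp into named fields. The version is captured before any
# diagnostic, so the message never interpolates an undefined value.
sub parse_stamp {
    my ($hc) = @_;
    my ($ver) = $hc =~ /^([^:]*):/;
    $ver = '(none)' unless defined $ver && length $ver;
    my %f;
    if ($ver eq '0') {
        @f{qw(ver date rsrc trial)} = split /:/, $hc, 4;
    } elsif ($ver eq '1') {
        @f{qw(ver bits date rsrc exts rand trial)} = split /:/, $hc, 7;
    } else {
        warn "hashcash: version $ver stamps not yet supported\n";
        return;
    }
    return \%f;
}

# Constructed sample stamps (the hash values are not verified here).
my @samples = (
    '1:20:040806:foo@example.com:foo=e,r,t,w;bar=certain,key;:65f460d0726f420d:13a6b8',
    '1:20:040806:foo@example.com::65f460d0726f420d:13a6b8',
    '2:20:040806:foo@example.com::65f460d0726f420d:13a6b8',  # unsupported version
    "1:20:040806:foo\@example.com::abc\n:1",                 # embedded newline
);
for my $raw (@samples) {
    my $hc = untaint_stamp($raw);
    unless (defined $hc) { print "rejected by allow-list\n"; next; }
    my $f = parse_stamp($hc) or next;
    my $exts = $f->{exts} // '';
    print "v$f->{ver} rsrc=$f->{rsrc} exts=[$exts]\n";
}
```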