This sounds like it is probably worth a bugzilla report.

Loren
----- Original Message -----
From: "Clarke Brunt" <[EMAIL PROTECTED]>
To: <users@spamassassin.apache.org>
Sent: Thursday, December 09, 2004 5:29 AM
Subject: Hashcash plugin bugs

> Hello
>
> I'm using SpamAssassin 3.0.1 (and have checked Bugzilla and latest snapshot
> in case this was fixed already).
>
> I was attempting to verify that the Hashcash plugin was working. I created a
> 'stamp' using the Java applet on http://www.hashcash.org/, and inserted it
> into a test email, which I then piped into SpamAssassin (after setting
> hashcash_accept appropriately).
>
> The Hashcash stamp wasn't detected, so I investigated and believe I found
> _two_ problems in the code in Hashcash.pm:
>
> Firstly, the above Java applet by default adds some pointless-looking
> example extended data to the stamp (foo=e,r,t,w;bar=certain,key;), which you
> can see contains semicolons. I'm no Perl expert, but I believe that the
> following code in Hashcash.pm:
>
>   # untaint the string for paranoia, making sure not to allow \n \0 \' \"
>   $hc =~ /^([-A-Za-z0-9\xA0-\xFF:_\/[EMAIL PROTECTED],\= \*\+]+)$/; $hc = $1;
>
> isn't allowing the semicolon ';' character to be present in the stamp (which
> means that the stamp then doesn't work). Assuming that semicolon is supposed
> to be allowed, then this code needs to avoid removing it from the string. If
> I generated a stamp without semicolons, then it worked fine. I wonder if
> there are any other likely characters which this could apply to also?
>
> And secondly, the code which attempts to check that the Hashcash version is
> either 0 or 1:
>
>   my ($ver, $bits, $date, $rsrc, $exts, $rand, $trial);
>   if ($hc =~ /^0:/) {
>     ($ver, $date, $rsrc, $trial) = split (/:/, $hc, 4);
>   }
>   elsif ($hc =~ /^1:/) {
>     ($ver, $bits, $date, $rsrc, $exts, $rand, $trial) =
>       split (/:/, $hc, 7);
>     # extensions are, as yet, unused by SpamAssassin
>   }
>   else {
>     dbg("hashcash: version $ver stamps not yet supported");
>     return 0;
>   }
>
> encounters undefined variable $ver in the dbg statement if the version
> _isn't_ 0 or 1 (which is probably unlikely, but was something I tried while
> trying to work out what was going on).
>
> Hope that the users list was a good place to post this - I didn't (yet) feel
> qualified either to post to 'dev' or to subscribe to Bugzilla.
>
> Regards,
> Clarke Brunt
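As an added illustration, not code from SpamAssassin or from either message, here is a Python re-implementation of the two checks Clarke describes: the untaint character class with and without ';', and a version dispatch that reads the version field before branching so an unsupported version is named in the log line. The exact character set is an assumption (the archived regex is mangled), and the stamp, resource and date are constructed; the stamp is minted at only 8 bits so the example runs instantly.

```python
import hashlib
import re
# Assumed reconstruction of the plugin's allowed-character set; the two differ only by ';'.
UNTAINT_NO_SEMI = re.compile(r"^([-A-Za-z0-9\xA0-\xFF:_/%@.,= *+]+)$")
UNTAINT_SEMI = re.compile(r"^([-A-Za-z0-9\xA0-\xFF:_/%@.,= *+;]+)$")

def untaint(stamp, pattern):
    m = pattern.match(stamp)  # like '$hc =~ /^(...)$/; $hc = $1'
    return m.group(1) if m else None  # None where the Perl leaves $1 undef

def leading_zero_bits(stamp):  # hashcash proof-of-work measure over SHA-1(stamp)
    n = int.from_bytes(hashlib.sha1(stamp.encode("utf-8")).digest(), "big")
    return 160 - n.bit_length()

def mint_v1(bits, resource, ext, date="041209", rand="abcdef"):
    counter = 0  # constructed minting loop for 1:bits:date:resource:ext:rand:counter
    while leading_zero_bits(f"1:{bits}:{date}:{resource}:{ext}:{rand}:{counter}") < bits:
        counter += 1
    return f"1:{bits}:{date}:{resource}:{ext}:{rand}:{counter}"

def parse_stamp(stamp):
    """Read the version before dispatching, so an unsupported one is named, not undef."""
    ver = stamp.split(":", 1)[0]
    if ver == "0":  # 0:date:resource:trial (20 bits by convention)
        f = stamp.split(":", 3)
        if len(f) != 4:
            raise ValueError("hashcash: malformed v0 stamp")
        return {"ver": 0, "bits": 20, "date": f[1], "rsrc": f[2], "exts": "", "trial": f[3]}
    if ver == "1":  # 1:bits:date:resource:ext:rand:counter
        f = stamp.split(":", 6)
        if len(f) != 7 or not f[1].isdigit():
            raise ValueError("hashcash: malformed v1 stamp")
        return {"ver": 1, "bits": int(f[1]), "date": f[2], "rsrc": f[3],
                "exts": f[4], "rand": f[5], "trial": f[6]}
    raise ValueError(f"hashcash: version {ver} stamps not yet supported")

def verify(stamp, accepted_resource, pattern=UNTAINT_SEMI):
    """Untaint, parse, check the resource against hashcash_accept, then check the work."""
    clean = untaint(stamp, pattern)
    if clean is None:
        return False, "stamp rejected by untaint character class"
    try:
        p = parse_stamp(clean)
    except ValueError as e:
        return False, str(e)
    if p["rsrc"] != accepted_resource:
        return False, "resource not listed in hashcash_accept"
    if leading_zero_bits(clean) < p["bits"]:
        return False, "insufficient collision bits"
    return True, f"valid {p['bits']}-bit hashcash stamp"
```

Running `verify(stamp, resource, UNTAINT_NO_SEMI)` on a stamp carrying the applet's default extension string reproduces the first bug, and a stamp beginning `2:` exercises the version message of the second.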