Hashcash plugin bugs

[Clarke Brunt <cl...@yeomannavigation.co.uk>]

Hello

I'm using SpamAssassin 3.0.1 (and have checked Bugzilla and latest snapshot
in case this was fixed already).

I was attempting to verify that the Hashcash plugin was working. I created a
'stamp' using the Java applet on http://www.hashcash.org/, and inserted it
into a test email, which I then piped into SpamAssassin (after setting
hashcash_accept appropriately).

The Hashcash stamp wasn't detected, so I investigated and believe I found
_two_ problems in the code in Hashcash.pm:

Firstly, the above Java applet by default adds some pointless-looking
example extended data to the stamp (foo=e,r,t,w;bar=certain,key;), which you
can see contains semicolons. I'm no Perl expert, but I believe that the
following code in Hashcash.pm:

# untaint the string for paranoia, making sure not to allow \n \0 \' \"
  $hc =~ /^([-A-Za-z0-9\xA0-\xFF:_\/\%\@\.\,\= \*\+]+)$/; $hc = $1;

isn't allowing the semicolon ';' character to be present in the stamp (which
means that the stamp then doesn't work). Assuming that semicolon is supposed
to be allowed, then this code needs to avoid removing it from the string. If
I generated a stamp without semicolons, then it worked fine. I wonder if
there are any other likely characters which this could apply to also?

And secondly, the code which attempts to check that the Hashcash version is
either 0 or 1:

  my ($ver, $bits, $date, $rsrc, $exts, $rand, $trial);
  if ($hc =~ /^0:/) {
    ($ver, $date, $rsrc, $trial) = split (/:/, $hc, 4);
  }
  elsif ($hc =~ /^1:/) {
    ($ver, $bits, $date, $rsrc, $exts, $rand, $trial) =
                                    split (/:/, $hc, 7);
    # extensions are, as yet, unused by SpamAssassin
  }
  else {
    dbg("hashcash: version $ver stamps not yet supported");
    return 0;
  }

encounters undefined variable $ver in the dbg statement if the version
_isn't_ 0 or 1 (which is probably unlikely, but was something I tried while
trying to work out what was going on).

Hope that the users list was a good place to post this - I didn't (yet) feel
qualified either to post to 'dev' or to subscribe to Bugzilla.

Regards,
 Clarke Brunt

Re: Hashcash plugin bugs

[Loren Wilton <lw...@earthlink.net>]

This sounds like it is probably worth a bugzilla report.

        Loren

----- Original Message ----- 
From: "Clarke Brunt" <cl...@yeomannavigation.co.uk>
To: <us...@spamassassin.apache.org>
Sent: Thursday, December 09, 2004 5:29 AM
Subject: Hashcash plugin bugs


> Hello
>
> I'm using SpamAssassin 3.0.1 (and have checked Bugzilla and latest
snapshot
> in case this was fixed already).
>
> I was attempting to verify that the Hashcash plugin was working. I created
a
> 'stamp' using the Java applet on http://www.hashcash.org/, and inserted it
> into a test email, which I then piped into SpamAssassin (after setting
> hashcash_accept appropriately).
>
> The Hashcash stamp wasn't detected, so I investigated and believe I found
> _two_ problems in the code in Hashcash.pm:
>
> Firstly, the above Java applet by default adds some pointless-looking
> example extended data to the stamp (foo=e,r,t,w;bar=certain,key;), which
you
> can see contains semicolons. I'm no Perl expert, but I believe that the
> following code in Hashcash.pm:
>
> # untaint the string for paranoia, making sure not to allow \n \0 \' \"
>   $hc =~ /^([-A-Za-z0-9\xA0-\xFF:_\/\%\@\.\,\= \*\+]+)$/; $hc = $1;
>
> isn't allowing the semicolon ';' character to be present in the stamp
(which
> means that the stamp then doesn't work). Assuming that semicolon is
supposed
> to be allowed, then this code needs to avoid removing it from the string.
If
> I generated a stamp without semicolons, then it worked fine. I wonder if
> there are any other likely characters which this could apply to also?
>
> And secondly, the code which attempts to check that the Hashcash version
is
> either 0 or 1:
>
>   my ($ver, $bits, $date, $rsrc, $exts, $rand, $trial);
>   if ($hc =~ /^0:/) {
>     ($ver, $date, $rsrc, $trial) = split (/:/, $hc, 4);
>   }
>   elsif ($hc =~ /^1:/) {
>     ($ver, $bits, $date, $rsrc, $exts, $rand, $trial) =
>                                     split (/:/, $hc, 7);
>     # extensions are, as yet, unused by SpamAssassin
>   }
>   else {
>     dbg("hashcash: version $ver stamps not yet supported");
>     return 0;
>   }
>
> encounters undefined variable $ver in the dbg statement if the version
> _isn't_ 0 or 1 (which is probably unlikely, but was something I tried
while
> trying to work out what was going on).
>
> Hope that the users list was a good place to post this - I didn't (yet)
feel
> qualified either to post to 'dev' or to subscribe to Bugzilla.
>
> Regards,
>  Clarke Brunt
>