Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/01/02 13:43:31 UTC

[Bug 4060] New: Hashcash fails if stamp contains ';', also fails to report correctly if version not 0 or 1

http://bugzilla.spamassassin.org/show_bug.cgi?id=4060

           Summary: Hashcash fails if stamp contains ';', also fails to
                    report correctly if version not 0 or 1
           Product: Spamassassin
           Version: 3.0.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Plugins
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: clarke.brunt@viridis.net


I posted this a while ago to the users' mailing list, and someone responded
suggesting I file a bug. So here goes:

I was attempting to verify that the Hashcash plugin was working. I created a
'stamp' using the Java applet on http://www.hashcash.org/, and inserted it
into a test email, which I then piped into SpamAssassin (after setting
hashcash_accept appropriately).

The Hashcash stamp wasn't detected, so I investigated and believe I found
_two_ problems in the code in Hashcash.pm:

Firstly, the above Java applet by default adds some pointless-looking
example extended data to the stamp (foo=e,r,t,w;bar=certain,key;), which you
can see contains semicolons. I'm no Perl expert, but I believe that the
following code in Hashcash.pm:

# untaint the string for paranoia, making sure not to allow \n \0 \' \"
  $hc =~ /^([-A-Za-z0-9\xA0-\xFF:_\/\%\@\.\,\= \*\+]+)$/; $hc = $1;

isn't allowing the semicolon ';' character to be present in the stamp (which
means that the stamp then doesn't work). Assuming that semicolon is supposed
to be allowed, then this code needs to avoid removing it from the string. If
I generated a stamp without semicolons, then it worked fine. I wonder if
there are any other likely characters which this could apply to also?

And secondly, the code which attempts to check that the Hashcash version is
either 0 or 1:

  my ($ver, $bits, $date, $rsrc, $exts, $rand, $trial);
  if ($hc =~ /^0:/) {
    ($ver, $date, $rsrc, $trial) = split (/:/, $hc, 4);
  }
  elsif ($hc =~ /^1:/) {
    ($ver, $bits, $date, $rsrc, $exts, $rand, $trial) =
                                    split (/:/, $hc, 7);
    # extensions are, as yet, unused by SpamAssassin
  }
  else {
    dbg("hashcash: version $ver stamps not yet supported");
    return 0;
  }

encounters undefined variable $ver in the dbg statement if the version
_isn't_ 0 or 1 (which is probably unlikely, but was something I tried while
trying to work out what was going on).



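The two problems described in the report, reproduced in Python as an added example rather than SpamAssassin's own Perl code: the untaint character class from Hashcash.pm with and without ';', and a version dispatch that names the version it actually saw instead of reading an unset variable. The stamps, the resource address, the random field and the counter are constructed for the example (they are laid out like hashcash v1 stamps but the proof-of-work is not checked); `untaint` and `check_stamp` are names chosen here, not functions in Hashcash.pm.

```python
import re

# Constructed sample stamps in hashcash v1 layout
# (ver:bits:date:resource:extensions:rand:counter). The proof-of-work
# (leading zero bits of the SHA-1) is NOT verified here; the example covers
# only the untaint and version-dispatch steps discussed in the report.
STAMP_WITH_EXT = "1:20:050102:test@example.com:foo=e,r,t,w;bar=certain,key;:McMybZIhxKXu57jd:ckvi"
STAMP_NO_EXT = "1:20:050102:test@example.com::McMybZIhxKXu57jd:ckvi"

# Character class as quoted from Hashcash.pm: ';' is absent, so any stamp
# carrying an extension field is dropped by the untaint step.
ORIGINAL_UNTAINT = re.compile(r"^([-A-Za-z0-9\xA0-\xFF:_/%@.,= *+]+)$")
# Same class with ';' admitted. Newline, NUL and both quote characters are
# still excluded, which is what the comment in Hashcash.pm asks for.
FIXED_UNTAINT = re.compile(r"^([-A-Za-z0-9\xA0-\xFF:_/%@.,= *+;]+)$")


def untaint(stamp, pattern=FIXED_UNTAINT):
    """Mirror of '$hc =~ /^(...)$/; $hc = $1;'.

    Returns the captured stamp, or None when the class rejects it (in Perl
    $1 would then be undef or a stale earlier capture). Note that '$' in
    both Perl and Python still matches before one trailing newline, so a
    single '\\n' at the very end is stripped rather than rejected.
    """
    m = pattern.match(stamp)
    return m.group(1) if m else None


def check_stamp(stamp, pattern=FIXED_UNTAINT):
    """Untaint, then split by version. Returns (fields, None) or (None, reason)."""
    clean = untaint(stamp, pattern)
    if clean is None:
        return None, "stamp rejected by untaint"

    if clean.startswith("0:"):
        # v0: ver:date:resource:trial (split limit 4 as in Hashcash.pm)
        parts = clean.split(":", 3)
        if len(parts) != 4:
            return None, "malformed version 0 stamp"
        ver, date, rsrc, trial = parts
        return {"ver": ver, "date": date, "rsrc": rsrc, "trial": trial}, None

    if clean.startswith("1:"):
        # v1: ver:bits:date:resource:exts:rand:trial (split limit 7)
        parts = clean.split(":", 6)
        if len(parts) != 7:
            return None, "malformed version 1 stamp"
        ver, bits, date, rsrc, exts, rand, trial = parts
        if not bits.isdigit():
            return None, "malformed version 1 stamp"
        return {
            "ver": ver, "bits": int(bits), "date": date, "rsrc": rsrc,
            "exts": exts, "rand": rand, "trial": trial,
        }, None

    # Read the version off the stamp before reporting it, instead of
    # interpolating a variable that was never assigned (the second bug).
    ver = clean.split(":", 1)[0]
    return None, f"version {ver} stamps not yet supported"


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL_UNTAINT), ("fixed", FIXED_UNTAINT)):
        print(label, "class, stamp with extensions:", check_stamp(STAMP_WITH_EXT, pat))
    print("unsupported version:", check_stamp("2:20:050102:test@example.com::abc:def"))
```

Running the block shows the stamp with `foo=e,r,t,w;bar=certain,key;` rejected under the original class and parsed under the fixed one, with the extension field preserved verbatim for later use; a stamp with a leading `2:` is reported with its real version number.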