Checks case of inbound commitments before comparison.

Before this change, a malicious taker could send the same
commitment with different case/formatting, and it would not
be rejected as reuse, which is the intended behaviour. The
commitment is defined by the H(P2) value, not the string.
Reported by @m0wer

Author: AdamISZ

src/jmdaemon/daemon_protocol.py

@@ -81,16 +81,25 @@ def check_utxo_blacklist(commitment, persist=False):
     else return True.
     If flagged, persist the usage of this commitment to the above file.
     """
-    #TODO format error checking?
+    # Fix DOS potential: should check what is given as a value, not as a string;
+    # but since it's passed as a string, the format must be canonical:
+    try:
+        bytes.fromhex(commitment)
+    except ValueError:
+        return False
+    # note: bytes.fromhex allows whitespace, so remove it
+    commitment = commitment.strip().lower()
+
     fname = blacklist_location
     if os.path.isfile(fname):
         with open(fname, "rb") as f:
-            blacklisted_commitments = [x.decode('ascii').strip() for x in f.readlines()]
+            blacklisted_commitments = [x.decode('ascii').strip().lower() for x in f.readlines()]
     else:
         blacklisted_commitments = []
     if commitment in blacklisted_commitments:
         return False
     elif persist:
+        # persisted commitments guaranteed to be canonical format
         blacklisted_commitments += [commitment]
         with open(fname, "wb") as f:
             f.write('\n'.join(blacklisted_commitments).encode('ascii'))
@@ -843,8 +852,10 @@ def on_commitment_transferred(self, nick, commitment):
         with a commitment to announce in public (obfuscation of source).
         We simply post it in public (not affected by whether we ourselves
         are *accepting* commitment broadcasts.
+        Note that we canonicalize the format here; should not logically
+        be necessary because it's done in check_utxo_blacklist, but just in case.
         """
-        self.mcc.pubmsg("!hp2 " + commitment)
+        self.mcc.pubmsg("!hp2 " + commitment.strip().lower())
 
     @maker_only
     def on_push_tx(self, nick, tx):

test/jmdaemon/test_daemon_protocol.py

@@ -326,3 +326,56 @@ def test_waiter(self):
     def _called_by_deffered(self):
         global end_early
         end_early = False
+
+def test_check_utxo_blacklist_case_and_whitespace(tmp_path):
+      """Regression test: a commitment that has already been used must not
+      be accepted again, regardless of hex-digit case or surrounding
+      whitespace. Before the fix, check_utxo_blacklist did a case-sensitive
+      string comparison, so a taker could reuse a commitment by sending it
+      in a different case.
+      """
+      from jmdaemon.daemon_protocol import (check_utxo_blacklist,
+                                            set_blacklist_location)
+
+      # Fresh, isolated commitmentlist file per test run, courtesy of the
+      # pytest tmp_path fixture.
+      commitmentlist = tmp_path / "commitmentlist"
+      set_blacklist_location(str(commitmentlist))
+
+      # A plausible 32-byte (64 hex char) commitment.
+      lc = "deadbeef" * 8
+      uc = lc.upper()
+      mixed = "DeAdBeEf" * 8
+      padded = "  " + lc + "\n"
+
+      # First use: accepted, and persisted to disk.
+      assert check_utxo_blacklist(lc, persist=True) is True
+      assert commitmentlist.is_file()
+
+      # Exact reuse: rejected.
+      assert check_utxo_blacklist(lc) is False
+
+      # Case-variant reuse: must also be rejected. This is the regression
+      # the fix targets — before the fix these returned True.
+      assert check_utxo_blacklist(uc) is False
+      assert check_utxo_blacklist(mixed) is False
+
+      # Whitespace-variant reuse: also rejected.
+      assert check_utxo_blacklist(padded) is False
+
+      # A genuinely new commitment is still accepted.
+      other = "cafebabe" * 8
+      assert check_utxo_blacklist(other) is True
+
+      # Malformed input is rejected outright (defensive validation).
+      assert check_utxo_blacklist("not-a-hex-string!") is False
+      assert check_utxo_blacklist("abc") is False  # odd length
+
+      # Legacy-on-disk path: simulate a pre-fix commitmentlist that was
+      # written in uppercase (e.g. from an !hp2 broadcast that arrived in
+      # uppercase under the old code). A canonical lowercase query must
+      # still detect the reuse after the fix normalizes entries on read.
+      legacy = tmp_path / "legacy_commitmentlist"
+      legacy.write_bytes(("F00DF00D" * 8 + "\n").encode("ascii"))
+      set_blacklist_location(str(legacy))
+      assert check_utxo_blacklist("f00df00d" * 8) is False