... and change it to: OP_PUSHDATA <Hi Mom!> OP_PUSHDATA <signature> OP_PUSHDATA <public key>

... and the modified transaction will pass all of the IsStandard(), IsValid(), and OP_CHECKSIG checks.

That is... unexpected, especially since it changes the transaction id. You might transmit a transaction with ID 123 but find out it has been mined as transaction ID 456. Satoshi's code doesn't care (it just looks like an attempted double-spend of the coins), but I wouldn't be surprised if it caused problems for other implementations or other transaction-handling software.

My patch will make transactions with extra stuff in the scriptSig non-standard, so they won't get relayed or mined by new nodes. Alternative implementations will still have to deal with all types of double-spends, of course, and there are other ways of producing two transactions that are identical except for their scriptSigs (you can generate an arbitrary number of valid signatures for a transaction if you have the private keys, for example) so this isn't a panacea for poorly-implemented bitcoin transaction handling software. But it does remove some "wiggle room," which is generally a good idea for improving security.

I'm still thinking about how much further to go with this:

+ I think requiring that the <signature> and <public key> be DER-encoded for the transaction to be IsStandard() is a good idea. DER encoding defines a canonical way of representing data; Satoshi's code relies on OpenSSL to decode signatures and public keys, and OpenSSL accepts any, more general, BER encoding.

+ I'm tempted to require that the "filler item" to workaround the OP_CHECKMULTISIG pops-one-too-many-items-off-the-stack bug be exactly OP_0.

Discussion welcome; I should be making a pull request for my patch this afternoon.

--
Gavin Andresen