On my Red Hat Enterprise Linux box all hosted email accounts have home directories that contain a "%" 
character and look like this (this example is for the email address, "john@example.com"):

/home/john%example.com

This causes Spam Assassin to complain like this in various circumstances (for example, when running 
sa-learn):

security: cannot untaint path: "/home/john%example.com/.spamassassin"

This is because the "%" character in the path causes the regex in the untaint_file_path() function (in 
"Util.pm") to fail to match:

  my $chars = '-_A-Za-z\xA0-\xFF0-9\.\@\=\+\,\/\\\:';
  my $re = qr/^\s*([$chars][${chars}~ ]*)$/o;

Now, this may be a bug in Spam Assassin, or an unfortunate consequence of the server policy to 
substitute "%" for "@" in email account home directories. I am not aware of any adverse consequences of 
adding "%" to the regex; am I missing something here? Should Spam Assassin be changed to allow the 
"%" character when untainting file paths?

  my $chars = '-_A-Za-z\xA0-\xFF0-9\.\@\%\=\+\,\/\\\:';
  my $re = qr/^\s*([$chars][${chars}~ ]*)$/o;