@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
Fix a potentially lax hash comparison
Summary: Via HackerOne. See D14025. I missed this comparison when making the original change.
Test Plan:
- Used `cat mail.txt | scripts/mail/mail_handler.php --process-duplicates` to pipe mail in a whole lot of times.
- Tried bad hashes, saw rejections.
- Tried good hash, saw mail accepted.
Reviewers: chad
Reviewed By: chad
Differential Revision: https://secure.phabricator.com/D14455
+1
-1
+1
-1
src/applications/metamta/receiver/PhabricatorObjectMailReceiver.php
+1
-1
src/applications/metamta/receiver/PhabricatorObjectMailReceiver.php
···
126
126
127
127
$expect_hash = self::computeMailHash($object->getMailKey(), $check_phid);
128
128
129
-
if ($expect_hash != $parts['hash']) {
129
+
if (!phutil_hashes_are_identical($expect_hash, $parts['hash'])) {
130
130
throw new PhabricatorMetaMTAReceivedMailProcessingException(
131
131
MetaMTAReceivedMailStatus::STATUS_HASH_MISMATCH,
132
132
pht(