2011-05-04 23:09:42 -07:00
|
|
|
<?php
|
|
|
|
|
|
|
|
/*
|
2012-02-27 12:57:57 -08:00
|
|
|
* Copyright 2012 Facebook, Inc.
|
2011-05-04 23:09:42 -07:00
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2012-03-13 16:21:04 -07:00
|
|
|
final class PhabricatorMetaMTAReceivedMail extends PhabricatorMetaMTADAO {
|
2011-05-04 23:09:42 -07:00
|
|
|
|
|
|
|
protected $headers = array();
|
|
|
|
protected $bodies = array();
|
|
|
|
protected $attachments = array();
|
|
|
|
|
|
|
|
protected $relatedPHID;
|
|
|
|
protected $authorPHID;
|
|
|
|
protected $message;
|
|
|
|
|
|
|
|
public function getConfiguration() {
|
|
|
|
return array(
|
|
|
|
self::CONFIG_SERIALIZATION => array(
|
|
|
|
'headers' => self::SERIALIZATION_JSON,
|
|
|
|
'bodies' => self::SERIALIZATION_JSON,
|
|
|
|
'attachments' => self::SERIALIZATION_JSON,
|
|
|
|
),
|
|
|
|
) + parent::getConfiguration();
|
|
|
|
}
|
|
|
|
|
2011-05-30 11:07:05 -07:00
|
|
|
public function setHeaders(array $headers) {
|
|
|
|
// Normalize headers to lowercase.
|
|
|
|
$normalized = array();
|
|
|
|
foreach ($headers as $name => $value) {
|
|
|
|
$normalized[strtolower($name)] = $value;
|
|
|
|
}
|
|
|
|
$this->headers = $normalized;
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
2011-06-22 12:41:19 -07:00
|
|
|
public function getMessageID() {
|
|
|
|
return idx($this->headers, 'message-id');
|
|
|
|
}
|
|
|
|
|
2011-07-04 09:45:42 -07:00
|
|
|
public function getSubject() {
|
|
|
|
return idx($this->headers, 'subject');
|
|
|
|
}
|
|
|
|
|
2011-05-04 23:09:42 -07:00
|
|
|
public function processReceivedMail() {
|
2012-05-22 06:02:05 -07:00
|
|
|
|
|
|
|
// If Phabricator sent the mail, always drop it immediately. This prevents
|
|
|
|
// loops where, e.g., the public bug address is also a user email address
|
|
|
|
// and creating a bug sends them an email, which loops.
|
|
|
|
$is_phabricator_mail = idx(
|
|
|
|
$this->headers,
|
|
|
|
'x-phabricator-sent-this-message');
|
|
|
|
if ($is_phabricator_mail) {
|
|
|
|
$message = "Ignoring email with 'X-Phabricator-Sent-This-Message' ".
|
|
|
|
"header to avoid loops.";
|
|
|
|
return $this->setMessage($message)->save();
|
|
|
|
}
|
|
|
|
|
2011-05-04 23:09:42 -07:00
|
|
|
$to = idx($this->headers, 'to');
|
2011-07-04 09:45:42 -07:00
|
|
|
$to = $this->getRawEmailAddress($to);
|
|
|
|
|
|
|
|
$from = idx($this->headers, 'from');
|
|
|
|
|
|
|
|
$create_task = PhabricatorEnv::getEnvConfig(
|
|
|
|
'metamta.maniphest.public-create-email');
|
|
|
|
|
|
|
|
if ($create_task && $to == $create_task) {
|
2011-10-14 13:11:58 -07:00
|
|
|
$receiver = new ManiphestTask();
|
|
|
|
|
2011-07-04 09:45:42 -07:00
|
|
|
$user = $this->lookupPublicUser();
|
2011-10-14 13:11:58 -07:00
|
|
|
if ($user) {
|
|
|
|
$this->setAuthorPHID($user->getPHID());
|
|
|
|
} else {
|
|
|
|
$default_author = PhabricatorEnv::getEnvConfig(
|
2011-10-28 08:04:13 -07:00
|
|
|
'metamta.maniphest.default-public-author');
|
2011-10-14 13:11:58 -07:00
|
|
|
|
|
|
|
if ($default_author) {
|
|
|
|
$user = id(new PhabricatorUser())->loadOneWhere(
|
|
|
|
'username = %s',
|
|
|
|
$default_author);
|
|
|
|
if ($user) {
|
|
|
|
$receiver->setOriginalEmailSource($from);
|
|
|
|
} else {
|
|
|
|
throw new Exception(
|
|
|
|
"Phabricator is misconfigured, the configuration key ".
|
2011-10-28 08:05:49 -07:00
|
|
|
"'metamta.maniphest.default-public-author' is set to user ".
|
2011-10-14 13:11:58 -07:00
|
|
|
"'{$default_author}' but that user does not exist.");
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// TODO: We should probably bounce these since from the user's
|
|
|
|
// perspective their email vanishes into a black hole.
|
|
|
|
return $this->setMessage("Invalid public user '{$from}'.")->save();
|
|
|
|
}
|
2011-07-04 09:45:42 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
$receiver->setAuthorPHID($user->getPHID());
|
|
|
|
$receiver->setPriority(ManiphestTaskPriority::PRIORITY_TRIAGE);
|
|
|
|
|
|
|
|
$editor = new ManiphestTransactionEditor();
|
|
|
|
$handler = $editor->buildReplyHandler($receiver);
|
|
|
|
|
|
|
|
$handler->setActor($user);
|
|
|
|
$handler->receiveEmail($this);
|
|
|
|
|
|
|
|
$this->setRelatedPHID($receiver->getPHID());
|
|
|
|
$this->setMessage('OK');
|
2011-05-04 23:09:42 -07:00
|
|
|
|
2011-07-04 09:45:42 -07:00
|
|
|
return $this->save();
|
|
|
|
}
|
|
|
|
|
|
|
|
// We've already stripped this, so look for an object address which has
|
|
|
|
// a format like: D291+291+b0a41ca848d66dcc@example.com
|
2011-05-04 23:09:42 -07:00
|
|
|
$matches = null;
|
2011-08-16 11:31:51 +02:00
|
|
|
$single_handle_prefix = PhabricatorEnv::getEnvConfig(
|
|
|
|
'metamta.single-reply-handler-prefix');
|
|
|
|
|
|
|
|
$prefixPattern = ($single_handle_prefix)
|
|
|
|
? preg_quote($single_handle_prefix, '/') . '\+'
|
|
|
|
: '';
|
2012-02-27 12:57:57 -08:00
|
|
|
$pattern = "/^{$prefixPattern}((?:D|T|C)\d+)\+([\w]+)\+([a-f0-9]{16})@/U";
|
2011-08-16 11:31:51 +02:00
|
|
|
|
2011-05-04 23:09:42 -07:00
|
|
|
$ok = preg_match(
|
2011-08-16 11:31:51 +02:00
|
|
|
$pattern,
|
2011-05-04 23:09:42 -07:00
|
|
|
$to,
|
|
|
|
$matches);
|
|
|
|
|
|
|
|
if (!$ok) {
|
|
|
|
return $this->setMessage("Unrecognized 'to' format: {$to}")->save();
|
|
|
|
}
|
|
|
|
|
|
|
|
$receiver_name = $matches[1];
|
|
|
|
$user_id = $matches[2];
|
|
|
|
$hash = $matches[3];
|
|
|
|
|
Allow Phabricator to be configured to use a public Reply-To address
Summary:
We already support this (and Facebook uses it) but it is difficult to configure
and you have to write a bunch of code. Instead, provide a simple flag.
See the documentation changes for details, but when this flag is enabled we send
one email with a reply-to like "D2+public+23hf91fh19fh@phabricator.example.com".
Anyone can reply to this, and we figure out who they are based on their "From"
address instead of a unique hash. This is less secure, but a reasonable tradeoff
in many cases.
This also has the advantage over a naive implementation of at least doing object
hash validation.
@jungejason: I don't think this affects Facebook's implementation but this is an
area where we've had problems in the past, so watch out for it when you deploy.
Also note that you must set "metamta.public-replies" to true since Maniphest now
looks for that key specifically before going into public reply mode; it no
longer just tests for a public reply address being generateable (since it can
always generate one now).
Test Plan:
Swapped my local install in and out of public reply mode and commented on
objects. Got expected email behavior. Replied to public and private email
addresses.
Attacked public addresses by using them when the install was configured to
disallow them and by altering the hash and the from address. All this stuff was
rejected.
Reviewed By: jungejason
Reviewers: moskov, jungejason, tuomaspelkonen, aran
CC: aran, epriestley, moskov, jungejason
Differential Revision: 563
2011-06-30 13:01:35 -07:00
|
|
|
if ($user_id == 'public') {
|
|
|
|
if (!PhabricatorEnv::getEnvConfig('metamta.public-replies')) {
|
|
|
|
return $this->setMessage("Public replies not enabled.")->save();
|
|
|
|
}
|
|
|
|
|
2011-07-04 09:45:42 -07:00
|
|
|
$user = $this->lookupPublicUser();
|
Allow Phabricator to be configured to use a public Reply-To address
Summary:
We already support this (and Facebook uses it) but it is difficult to configure
and you have to write a bunch of code. Instead, provide a simple flag.
See the documentation changes for details, but when this flag is enabled we send
one email with a reply-to like "D2+public+23hf91fh19fh@phabricator.example.com".
Anyone can reply to this, and we figure out who they are based on their "From"
address instead of a unique hash. This is less secure, but a reasonable tradeoff
in many cases.
This also has the advantage over a naive implementation of at least doing object
hash validation.
@jungejason: I don't think this affects Facebook's implementation but this is an
area where we've had problems in the past, so watch out for it when you deploy.
Also note that you must set "metamta.public-replies" to true since Maniphest now
looks for that key specifically before going into public reply mode; it no
longer just tests for a public reply address being generateable (since it can
always generate one now).
Test Plan:
Swapped my local install in and out of public reply mode and commented on
objects. Got expected email behavior. Replied to public and private email
addresses.
Attacked public addresses by using them when the install was configured to
disallow them and by altering the hash and the from address. All this stuff was
rejected.
Reviewed By: jungejason
Reviewers: moskov, jungejason, tuomaspelkonen, aran
CC: aran, epriestley, moskov, jungejason
Differential Revision: 563
2011-06-30 13:01:35 -07:00
|
|
|
|
|
|
|
if (!$user) {
|
|
|
|
return $this->setMessage("Invalid public user '{$from}'.")->save();
|
|
|
|
}
|
|
|
|
|
|
|
|
$use_user_hash = false;
|
|
|
|
} else {
|
|
|
|
$user = id(new PhabricatorUser())->load($user_id);
|
|
|
|
if (!$user) {
|
|
|
|
return $this->setMessage("Invalid private user '{$user_id}'.")->save();
|
|
|
|
}
|
|
|
|
|
|
|
|
$use_user_hash = true;
|
2011-05-04 23:09:42 -07:00
|
|
|
}
|
|
|
|
|
2011-05-12 10:06:54 -07:00
|
|
|
if ($user->getIsDisabled()) {
|
|
|
|
return $this->setMessage("User '{$user_id}' is disabled")->save();
|
|
|
|
}
|
|
|
|
|
2011-05-04 23:09:42 -07:00
|
|
|
$this->setAuthorPHID($user->getPHID());
|
|
|
|
|
|
|
|
$receiver = self::loadReceiverObject($receiver_name);
|
|
|
|
if (!$receiver) {
|
|
|
|
return $this->setMessage("Invalid object '{$receiver_name}'")->save();
|
|
|
|
}
|
|
|
|
|
|
|
|
$this->setRelatedPHID($receiver->getPHID());
|
|
|
|
|
Allow Phabricator to be configured to use a public Reply-To address
Summary:
We already support this (and Facebook uses it) but it is difficult to configure
and you have to write a bunch of code. Instead, provide a simple flag.
See the documentation changes for details, but when this flag is enabled we send
one email with a reply-to like "D2+public+23hf91fh19fh@phabricator.example.com".
Anyone can reply to this, and we figure out who they are based on their "From"
address instead of a unique hash. This is less secure, but a reasonable tradeoff
in many cases.
This also has the advantage over a naive implementation of at least doing object
hash validation.
@jungejason: I don't think this affects Facebook's implementation but this is an
area where we've had problems in the past, so watch out for it when you deploy.
Also note that you must set "metamta.public-replies" to true since Maniphest now
looks for that key specifically before going into public reply mode; it no
longer just tests for a public reply address being generateable (since it can
always generate one now).
Test Plan:
Swapped my local install in and out of public reply mode and commented on
objects. Got expected email behavior. Replied to public and private email
addresses.
Attacked public addresses by using them when the install was configured to
disallow them and by altering the hash and the from address. All this stuff was
rejected.
Reviewed By: jungejason
Reviewers: moskov, jungejason, tuomaspelkonen, aran
CC: aran, epriestley, moskov, jungejason
Differential Revision: 563
2011-06-30 13:01:35 -07:00
|
|
|
if ($use_user_hash) {
|
|
|
|
// This is a private reply-to address, check that the user hash is
|
|
|
|
// correct.
|
|
|
|
$check_phid = $user->getPHID();
|
|
|
|
} else {
|
|
|
|
// This is a public reply-to address, check that the object hash is
|
|
|
|
// correct.
|
|
|
|
$check_phid = $receiver->getPHID();
|
|
|
|
}
|
|
|
|
|
|
|
|
$expect_hash = self::computeMailHash($receiver->getMailKey(), $check_phid);
|
2011-12-18 11:00:39 -08:00
|
|
|
|
|
|
|
// See note at computeOldMailHash().
|
|
|
|
$old_hash = self::computeOldMailHash($receiver->getMailKey(), $check_phid);
|
|
|
|
|
|
|
|
if ($expect_hash != $hash && $old_hash != $hash) {
|
2011-05-04 23:09:42 -07:00
|
|
|
return $this->setMessage("Invalid mail hash!")->save();
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($receiver instanceof ManiphestTask) {
|
2011-05-16 12:31:18 -07:00
|
|
|
$editor = new ManiphestTransactionEditor();
|
|
|
|
$handler = $editor->buildReplyHandler($receiver);
|
2011-05-04 23:09:42 -07:00
|
|
|
} else if ($receiver instanceof DifferentialRevision) {
|
2011-05-16 12:31:18 -07:00
|
|
|
$handler = DifferentialMail::newReplyHandlerForRevision($receiver);
|
2012-02-27 12:57:57 -08:00
|
|
|
} else if ($receiver instanceof PhabricatorRepositoryCommit) {
|
|
|
|
$handler = PhabricatorAuditCommentEditor::newReplyHandlerForCommit(
|
|
|
|
$receiver);
|
2011-05-04 23:09:42 -07:00
|
|
|
}
|
|
|
|
|
2011-05-16 12:31:18 -07:00
|
|
|
$handler->setActor($user);
|
|
|
|
$handler->receiveEmail($this);
|
|
|
|
|
2011-05-04 23:09:42 -07:00
|
|
|
$this->setMessage('OK');
|
|
|
|
|
|
|
|
return $this->save();
|
|
|
|
}
|
|
|
|
|
2011-05-16 12:31:18 -07:00
|
|
|
public function getCleanTextBody() {
|
2011-05-04 23:09:42 -07:00
|
|
|
$body = idx($this->bodies, 'text');
|
|
|
|
|
2012-04-08 15:04:12 -07:00
|
|
|
$parser = new PhabricatorMetaMTAEmailBodyParser();
|
|
|
|
return $parser->stripTextBody($body);
|
2011-05-04 23:09:42 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
public static function loadReceiverObject($receiver_name) {
|
|
|
|
if (!$receiver_name) {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
$receiver_type = $receiver_name[0];
|
|
|
|
$receiver_id = substr($receiver_name, 1);
|
|
|
|
|
|
|
|
$class_obj = null;
|
|
|
|
switch ($receiver_type) {
|
|
|
|
case 'T':
|
2012-05-30 16:38:53 -07:00
|
|
|
$class_obj = new ManiphestTask();
|
2011-05-04 23:09:42 -07:00
|
|
|
break;
|
|
|
|
case 'D':
|
2012-05-30 16:38:53 -07:00
|
|
|
$class_obj = new DifferentialRevision();
|
2011-05-04 23:09:42 -07:00
|
|
|
break;
|
2012-02-27 12:57:57 -08:00
|
|
|
case 'C':
|
2012-05-30 16:38:53 -07:00
|
|
|
$class_obj = new PhabricatorRepositoryCommit();
|
2012-02-27 12:57:57 -08:00
|
|
|
break;
|
2011-05-04 23:09:42 -07:00
|
|
|
default:
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
return $class_obj->load($receiver_id);
|
|
|
|
}
|
|
|
|
|
2011-05-09 16:31:26 -07:00
|
|
|
public static function computeMailHash($mail_key, $phid) {
|
2011-05-04 23:09:42 -07:00
|
|
|
$global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key');
|
|
|
|
|
2011-12-18 11:00:39 -08:00
|
|
|
$hash = PhabricatorHash::digest($mail_key.$global_mail_key.$phid);
|
|
|
|
return substr($hash, 0, 16);
|
|
|
|
}
|
|
|
|
|
|
|
|
public static function computeOldMailHash($mail_key, $phid) {
|
|
|
|
|
|
|
|
// TODO: Remove this method entirely in a couple of months. We've moved from
|
|
|
|
// plain sha1 to sha1+hmac to make the codebase more auditable for good uses
|
|
|
|
// of hash functions, but still accept the old hashes on email replies to
|
|
|
|
// avoid breaking things. Once we've been sending only hmac hashes for a
|
|
|
|
// while, remove this and start rejecting old hashes. See T547.
|
|
|
|
|
|
|
|
$global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key');
|
|
|
|
|
2011-05-09 16:31:26 -07:00
|
|
|
$hash = sha1($mail_key.$global_mail_key.$phid);
|
2011-05-04 23:09:42 -07:00
|
|
|
return substr($hash, 0, 16);
|
|
|
|
}
|
|
|
|
|
2011-07-04 09:45:42 -07:00
|
|
|
/**
|
|
|
|
* Strip an email address down to the actual user@domain.tld part if
|
|
|
|
* necessary, since sometimes it will have formatting like
|
|
|
|
* '"Abraham Lincoln" <alincoln@logcab.in>'.
|
|
|
|
*/
|
|
|
|
private function getRawEmailAddress($address) {
|
|
|
|
$matches = null;
|
|
|
|
$ok = preg_match('/<(.*)>/', $address, $matches);
|
|
|
|
if ($ok) {
|
|
|
|
$address = $matches[1];
|
|
|
|
}
|
|
|
|
return $address;
|
|
|
|
}
|
|
|
|
|
|
|
|
private function lookupPublicUser() {
|
|
|
|
$from = idx($this->headers, 'from');
|
|
|
|
$from = $this->getRawEmailAddress($from);
|
|
|
|
|
2012-05-07 10:29:33 -07:00
|
|
|
$user = PhabricatorUser::loadOneWithEmailAddress($from);
|
2011-08-21 12:03:57 -07:00
|
|
|
|
|
|
|
// If Phabricator is configured to allow "Reply-To" authentication, try
|
|
|
|
// the "Reply-To" address if we failed to match the "From" address.
|
|
|
|
$config_key = 'metamta.insecure-auth-with-reply-to';
|
|
|
|
$allow_reply_to = PhabricatorEnv::getEnvConfig($config_key);
|
|
|
|
|
|
|
|
if (!$user && $allow_reply_to) {
|
|
|
|
$reply_to = idx($this->headers, 'reply-to');
|
|
|
|
$reply_to = $this->getRawEmailAddress($reply_to);
|
|
|
|
if ($reply_to) {
|
2012-05-07 10:29:33 -07:00
|
|
|
$user = PhabricatorUser::loadOneWithEmailAddress($reply_to);
|
2011-08-21 12:03:57 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return $user;
|
2011-07-04 09:45:42 -07:00
|
|
|
}
|
2011-05-04 23:09:42 -07:00
|
|
|
|
|
|
|
}
|