2011-05-10 01:31:26 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
/*
|
2012-02-27 21:57:57 +01:00
|
|
|
* Copyright 2012 Facebook, Inc.
|
2011-05-10 01:31:26 +02:00
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
abstract class PhabricatorMailReplyHandler {
|
|
|
|
|
|
|
|
private $mailReceiver;
|
|
|
|
private $actor;
|
|
|
|
|
|
|
|
final public function setMailReceiver($mail_receiver) {
|
|
|
|
$this->validateMailReceiver($mail_receiver);
|
|
|
|
$this->mailReceiver = $mail_receiver;
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
final public function getMailReceiver() {
|
|
|
|
return $this->mailReceiver;
|
|
|
|
}
|
|
|
|
|
|
|
|
final public function setActor(PhabricatorUser $actor) {
|
|
|
|
$this->actor = $actor;
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
final public function getActor() {
|
|
|
|
return $this->actor;
|
|
|
|
}
|
|
|
|
|
|
|
|
abstract public function validateMailReceiver($mail_receiver);
|
|
|
|
abstract public function getPrivateReplyHandlerEmailAddress(
|
|
|
|
PhabricatorObjectHandle $handle);
|
|
|
|
abstract public function getReplyHandlerDomain();
|
|
|
|
abstract public function getReplyHandlerInstructions();
|
2011-05-16 21:31:18 +02:00
|
|
|
abstract public function receiveEmail(PhabricatorMetaMTAReceivedMail $mail);
|
2011-05-10 01:31:26 +02:00
|
|
|
|
|
|
|
public function supportsPrivateReplies() {
|
Allow Phabricator to be configured to use a public Reply-To address
Summary:
We already support this (and Facebook uses it) but it is difficult to configure
and you have to write a bunch of code. Instead, provide a simple flag.
See the documentation changes for details, but when this flag is enabled we send
one email with a reply-to like "D2+public+23hf91fh19fh@phabricator.example.com".
Anyone can reply to this, and we figure out who they are based on their "From"
address instead of a unique hash. This is less secure, but a reasonable tradeoff
in many cases.
This also has the advantage over a naive implementation of at least doing object
hash validation.
@jungejason: I don't think this affects Facebook's implementation but this is an
area where we've had problems in the past, so watch out for it when you deploy.
Also note that you must set "metamta.public-replies" to true since Maniphest now
looks for that key specifically before going into public reply mode; it no
longer just tests for a public reply address being generateable (since it can
always generate one now).
Test Plan:
Swapped my local install in and out of public reply mode and commented on
objects. Got expected email behavior. Replied to public and private email
addresses.
Attacked public addresses by using them when the install was configured to
disallow them and by altering the hash and the from address. All this stuff was
rejected.
Reviewed By: jungejason
Reviewers: moskov, jungejason, tuomaspelkonen, aran
CC: aran, epriestley, moskov, jungejason
Differential Revision: 563
2011-06-30 22:01:35 +02:00
|
|
|
return (bool)$this->getReplyHandlerDomain() &&
|
|
|
|
!$this->supportsPublicReplies();
|
|
|
|
}
|
|
|
|
|
|
|
|
public function supportsPublicReplies() {
|
|
|
|
if (!PhabricatorEnv::getEnvConfig('metamta.public-replies')) {
|
|
|
|
return false;
|
|
|
|
}
|
2012-02-27 21:57:57 +01:00
|
|
|
if (!$this->getReplyHandlerDomain()) {
|
|
|
|
return false;
|
|
|
|
}
|
Allow Phabricator to be configured to use a public Reply-To address
Summary:
We already support this (and Facebook uses it) but it is difficult to configure
and you have to write a bunch of code. Instead, provide a simple flag.
See the documentation changes for details, but when this flag is enabled we send
one email with a reply-to like "D2+public+23hf91fh19fh@phabricator.example.com".
Anyone can reply to this, and we figure out who they are based on their "From"
address instead of a unique hash. This is less secure, but a reasonable tradeoff
in many cases.
This also has the advantage over a naive implementation of at least doing object
hash validation.
@jungejason: I don't think this affects Facebook's implementation but this is an
area where we've had problems in the past, so watch out for it when you deploy.
Also note that you must set "metamta.public-replies" to true since Maniphest now
looks for that key specifically before going into public reply mode; it no
longer just tests for a public reply address being generateable (since it can
always generate one now).
Test Plan:
Swapped my local install in and out of public reply mode and commented on
objects. Got expected email behavior. Replied to public and private email
addresses.
Attacked public addresses by using them when the install was configured to
disallow them and by altering the hash and the from address. All this stuff was
rejected.
Reviewed By: jungejason
Reviewers: moskov, jungejason, tuomaspelkonen, aran
CC: aran, epriestley, moskov, jungejason
Differential Revision: 563
2011-06-30 22:01:35 +02:00
|
|
|
return (bool)$this->getPublicReplyHandlerEmailAddress();
|
2011-05-10 01:31:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
final public function supportsReplies() {
|
|
|
|
return $this->supportsPrivateReplies() ||
|
Allow Phabricator to be configured to use a public Reply-To address
Summary:
We already support this (and Facebook uses it) but it is difficult to configure
and you have to write a bunch of code. Instead, provide a simple flag.
See the documentation changes for details, but when this flag is enabled we send
one email with a reply-to like "D2+public+23hf91fh19fh@phabricator.example.com".
Anyone can reply to this, and we figure out who they are based on their "From"
address instead of a unique hash. This is less secure, but a reasonable tradeoff
in many cases.
This also has the advantage over a naive implementation of at least doing object
hash validation.
@jungejason: I don't think this affects Facebook's implementation but this is an
area where we've had problems in the past, so watch out for it when you deploy.
Also note that you must set "metamta.public-replies" to true since Maniphest now
looks for that key specifically before going into public reply mode; it no
longer just tests for a public reply address being generateable (since it can
always generate one now).
Test Plan:
Swapped my local install in and out of public reply mode and commented on
objects. Got expected email behavior. Replied to public and private email
addresses.
Attacked public addresses by using them when the install was configured to
disallow them and by altering the hash and the from address. All this stuff was
rejected.
Reviewed By: jungejason
Reviewers: moskov, jungejason, tuomaspelkonen, aran
CC: aran, epriestley, moskov, jungejason
Differential Revision: 563
2011-06-30 22:01:35 +02:00
|
|
|
$this->supportsPublicReplies();
|
2011-05-10 01:31:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
public function getPublicReplyHandlerEmailAddress() {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
final public function multiplexMail(
|
|
|
|
PhabricatorMetaMTAMail $mail_template,
|
|
|
|
array $to_handles,
|
|
|
|
array $cc_handles) {
|
2012-04-03 21:10:45 +02:00
|
|
|
assert_instances_of($to_handles, 'PhabricatorObjectHandle');
|
|
|
|
assert_instances_of($cc_handles, 'PhabricatorObjectHandle');
|
2011-05-10 01:31:26 +02:00
|
|
|
|
|
|
|
$result = array();
|
|
|
|
|
|
|
|
// If private replies are not supported, simply send one email to all
|
|
|
|
// recipients and CCs. This covers cases where we have no reply handler,
|
|
|
|
// or we have a public reply handler.
|
|
|
|
if (!$this->supportsPrivateReplies()) {
|
|
|
|
$mail = clone $mail_template;
|
|
|
|
$mail->addTos(mpull($to_handles, 'getPHID'));
|
|
|
|
$mail->addCCs(mpull($cc_handles, 'getPHID'));
|
|
|
|
|
2011-07-09 08:16:58 +02:00
|
|
|
if ($this->supportsPublicReplies()) {
|
|
|
|
$reply_to = $this->getPublicReplyHandlerEmailAddress();
|
2011-05-10 01:31:26 +02:00
|
|
|
$mail->setReplyTo($reply_to);
|
|
|
|
}
|
|
|
|
|
|
|
|
$result[] = $mail;
|
|
|
|
|
|
|
|
return $result;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Merge all the recipients together. TODO: We could keep the CCs as real
|
|
|
|
// CCs and send to a "noreply@domain.com" type address, but keep it simple
|
|
|
|
// for now.
|
|
|
|
$recipients = mpull($to_handles, null, 'getPHID') +
|
|
|
|
mpull($cc_handles, null, 'getPHID');
|
|
|
|
|
|
|
|
// This grouping is just so we can use the public reply-to for any
|
|
|
|
// recipients without a private reply-to, e.g. mailing lists.
|
|
|
|
$groups = array();
|
|
|
|
foreach ($recipients as $recipient) {
|
|
|
|
$private = $this->getPrivateReplyHandlerEmailAddress($recipient);
|
|
|
|
$groups[$private][] = $recipient;
|
|
|
|
}
|
|
|
|
|
2011-05-12 05:32:30 +02:00
|
|
|
// When multiplexing mail, explicitly include To/Cc information in the
|
|
|
|
// message body and headers.
|
|
|
|
$add_headers = array();
|
|
|
|
|
|
|
|
$body = $mail_template->getBody();
|
|
|
|
$body .= "\n";
|
|
|
|
if ($to_handles) {
|
|
|
|
$body .= "To: ".implode(', ', mpull($to_handles, 'getName'))."\n";
|
|
|
|
$add_headers['X-Phabricator-To'] = $this->formatPHIDList($to_handles);
|
|
|
|
}
|
|
|
|
if ($cc_handles) {
|
|
|
|
$body .= "Cc: ".implode(', ', mpull($cc_handles, 'getName'))."\n";
|
|
|
|
$add_headers['X-Phabricator-Cc'] = $this->formatPHIDList($cc_handles);
|
|
|
|
}
|
|
|
|
|
2011-05-10 01:31:26 +02:00
|
|
|
foreach ($groups as $reply_to => $group) {
|
|
|
|
$mail = clone $mail_template;
|
|
|
|
$mail->addTos(mpull($group, 'getPHID'));
|
|
|
|
|
2011-05-12 05:32:30 +02:00
|
|
|
$mail->setBody($body);
|
|
|
|
foreach ($add_headers as $header => $value) {
|
|
|
|
$mail->addHeader($header, $value);
|
|
|
|
}
|
|
|
|
|
2011-07-09 08:16:58 +02:00
|
|
|
if (!$reply_to && $this->supportsPublicReplies()) {
|
2011-05-10 01:31:26 +02:00
|
|
|
$reply_to = $this->getPublicReplyHandlerEmailAddress();
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($reply_to) {
|
|
|
|
$mail->setReplyTo($reply_to);
|
|
|
|
}
|
|
|
|
|
|
|
|
$result[] = $mail;
|
|
|
|
}
|
|
|
|
|
|
|
|
return $result;
|
|
|
|
}
|
|
|
|
|
2011-05-12 05:32:30 +02:00
|
|
|
protected function formatPHIDList(array $handles) {
|
2012-04-03 21:10:45 +02:00
|
|
|
assert_instances_of($handles, 'PhabricatorObjectHandle');
|
2011-05-12 05:32:30 +02:00
|
|
|
$list = array();
|
|
|
|
foreach ($handles as $handle) {
|
|
|
|
$list[] = '<'.$handle->getPHID().'>';
|
|
|
|
}
|
|
|
|
return implode(', ', $list);
|
|
|
|
}
|
|
|
|
|
Allow Phabricator to be configured to use a public Reply-To address
Summary:
We already support this (and Facebook uses it) but it is difficult to configure
and you have to write a bunch of code. Instead, provide a simple flag.
See the documentation changes for details, but when this flag is enabled we send
one email with a reply-to like "D2+public+23hf91fh19fh@phabricator.example.com".
Anyone can reply to this, and we figure out who they are based on their "From"
address instead of a unique hash. This is less secure, but a reasonable tradeoff
in many cases.
This also has the advantage over a naive implementation of at least doing object
hash validation.
@jungejason: I don't think this affects Facebook's implementation but this is an
area where we've had problems in the past, so watch out for it when you deploy.
Also note that you must set "metamta.public-replies" to true since Maniphest now
looks for that key specifically before going into public reply mode; it no
longer just tests for a public reply address being generateable (since it can
always generate one now).
Test Plan:
Swapped my local install in and out of public reply mode and commented on
objects. Got expected email behavior. Replied to public and private email
addresses.
Attacked public addresses by using them when the install was configured to
disallow them and by altering the hash and the from address. All this stuff was
rejected.
Reviewed By: jungejason
Reviewers: moskov, jungejason, tuomaspelkonen, aran
CC: aran, epriestley, moskov, jungejason
Differential Revision: 563
2011-06-30 22:01:35 +02:00
|
|
|
protected function getDefaultPublicReplyHandlerEmailAddress($prefix) {
|
|
|
|
|
|
|
|
$receiver = $this->getMailReceiver();
|
|
|
|
$receiver_id = $receiver->getID();
|
|
|
|
$domain = $this->getReplyHandlerDomain();
|
|
|
|
|
|
|
|
// We compute a hash using the object's own PHID to prevent an attacker
|
|
|
|
// from blindly interacting with objects that they haven't ever received
|
|
|
|
// mail about by just sending to D1@, D2@, etc...
|
|
|
|
$hash = PhabricatorMetaMTAReceivedMail::computeMailHash(
|
|
|
|
$receiver->getMailKey(),
|
|
|
|
$receiver->getPHID());
|
|
|
|
|
2011-08-16 11:31:51 +02:00
|
|
|
$address = "{$prefix}{$receiver_id}+public+{$hash}@{$domain}";
|
|
|
|
return $this->getSingleReplyHandlerPrefix($address);
|
|
|
|
}
|
|
|
|
|
|
|
|
protected function getSingleReplyHandlerPrefix($address) {
|
|
|
|
$single_handle_prefix = PhabricatorEnv::getEnvConfig(
|
|
|
|
'metamta.single-reply-handler-prefix');
|
|
|
|
return ($single_handle_prefix)
|
|
|
|
? $single_handle_prefix . '+' . $address
|
|
|
|
: $address;
|
Allow Phabricator to be configured to use a public Reply-To address
Summary:
We already support this (and Facebook uses it) but it is difficult to configure
and you have to write a bunch of code. Instead, provide a simple flag.
See the documentation changes for details, but when this flag is enabled we send
one email with a reply-to like "D2+public+23hf91fh19fh@phabricator.example.com".
Anyone can reply to this, and we figure out who they are based on their "From"
address instead of a unique hash. This is less secure, but a reasonable tradeoff
in many cases.
This also has the advantage over a naive implementation of at least doing object
hash validation.
@jungejason: I don't think this affects Facebook's implementation but this is an
area where we've had problems in the past, so watch out for it when you deploy.
Also note that you must set "metamta.public-replies" to true since Maniphest now
looks for that key specifically before going into public reply mode; it no
longer just tests for a public reply address being generateable (since it can
always generate one now).
Test Plan:
Swapped my local install in and out of public reply mode and commented on
objects. Got expected email behavior. Replied to public and private email
addresses.
Attacked public addresses by using them when the install was configured to
disallow them and by altering the hash and the from address. All this stuff was
rejected.
Reviewed By: jungejason
Reviewers: moskov, jungejason, tuomaspelkonen, aran
CC: aran, epriestley, moskov, jungejason
Differential Revision: 563
2011-06-30 22:01:35 +02:00
|
|
|
}
|
|
|
|
|
2011-05-10 01:31:26 +02:00
|
|
|
protected function getDefaultPrivateReplyHandlerEmailAddress(
|
|
|
|
PhabricatorObjectHandle $handle,
|
|
|
|
$prefix) {
|
|
|
|
|
|
|
|
if ($handle->getType() != PhabricatorPHIDConstants::PHID_TYPE_USER) {
|
|
|
|
// You must be a real user to get a private reply handler address.
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
$receiver = $this->getMailReceiver();
|
|
|
|
$receiver_id = $receiver->getID();
|
|
|
|
$user_id = $handle->getAlternateID();
|
|
|
|
$hash = PhabricatorMetaMTAReceivedMail::computeMailHash(
|
|
|
|
$receiver->getMailKey(),
|
|
|
|
$handle->getPHID());
|
|
|
|
$domain = $this->getReplyHandlerDomain();
|
|
|
|
|
2011-08-16 11:31:51 +02:00
|
|
|
$address = "{$prefix}{$receiver_id}+{$user_id}+{$hash}@{$domain}";
|
|
|
|
return $this->getSingleReplyHandlerPrefix($address);
|
2011-05-10 01:31:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
}
|