mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 05:50:55 +01:00
Upgrade object reply addresses to SHA256 and remove "phabricator.mail-key"
Summary: Ref T12509. - Upgrade an old SHA1 to SHA256. - Replace an old manually configurable HMAC key with an automatically generated one. This is generally both simpler (less configuration) and more secure (you now get a unique value automatically). This causes a one-time compatibility break that invalidates old "Reply-To" addresses. I'll note this in the changelog. If you leaked a bunch of addresses, you could force a change here by mucking around with `phabricator_auth.auth_hmackey`, but AFAIK no one has ever used this value to react to any sort of security issue. (I'll note the possibility that we might want to provide/document this "manually force HMAC keys to regenerate" stuff some day in T6994.) Test Plan: Grepped for removed config. I'll vet this pathway more heavily in upcoming changes. Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T12509 Differential Revision: https://secure.phabricator.com/D19945
This commit is contained in:
parent
a0668df75a
commit
93e6dc1c1d
4 changed files with 6 additions and 20 deletions
|
@ -385,6 +385,9 @@ final class PhabricatorExtraConfigSetupCheck extends PhabricatorSetupCheck {
|
|||
'Mail thread IDs are now generated automatically.'),
|
||||
'metamta.placeholder-to-recipient' => pht(
|
||||
'Placeholder recipients are now generated automatically.'),
|
||||
|
||||
'metamta.mail-key' => pht(
|
||||
'Mail object address hash keys are now generated automatically.'),
|
||||
);
|
||||
|
||||
return $ancient_config;
|
||||
|
|
|
@ -169,20 +169,6 @@ EOTEXT
|
|||
'in a vague, mostly theoretical way. But it will take you like 3 '.
|
||||
'seconds of mashing on your keyboard to set it up so you might '.
|
||||
'as well.')),
|
||||
$this->newOption(
|
||||
'phabricator.mail-key',
|
||||
'string',
|
||||
'5ce3e7e8787f6e40dfae861da315a5cdf1018f12')
|
||||
->setHidden(true)
|
||||
->setSummary(
|
||||
pht('Hashed with other inputs to generate mail tokens.'))
|
||||
->setDescription(
|
||||
pht(
|
||||
"This is hashed with other inputs to generate mail tokens. If ".
|
||||
"you want, you can change it to some other string which is ".
|
||||
"unique to your install. In particular, you will want to do ".
|
||||
"this if you accidentally send a bunch of mail somewhere you ".
|
||||
"shouldn't have, to invalidate all old reply-to addresses.")),
|
||||
$this->newOption(
|
||||
'uri.allowed-protocols',
|
||||
'set',
|
||||
|
|
|
@ -200,9 +200,9 @@ abstract class PhabricatorObjectMailReceiver extends PhabricatorMailReceiver {
|
|||
}
|
||||
|
||||
public static function computeMailHash($mail_key, $phid) {
|
||||
$global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key');
|
||||
|
||||
$hash = PhabricatorHash::weakDigest($mail_key.$global_mail_key.$phid);
|
||||
$hash = PhabricatorHash::digestWithNamedKey(
|
||||
$mail_key.$phid,
|
||||
'mail.object-address-key');
|
||||
return substr($hash, 0, 16);
|
||||
}
|
||||
|
||||
|
|
|
@ -79,9 +79,6 @@ authenticating senders in the general case (e.g., where you are an open source
|
|||
project and need to interact with users whose email accounts you have no control
|
||||
over).
|
||||
|
||||
If you leak a bunch of reply-to addresses by accident, you can change
|
||||
`phabricator.mail-key` in your configuration to invalidate all the old hashes.
|
||||
|
||||
You can also set `metamta.public-replies`, which will change how Phabricator
|
||||
delivers email. Instead of sending each recipient a unique mail with a personal
|
||||
reply-to address, it will send a single email to everyone with a public reply-to
|
||||
|
|
Loading…
Reference in a new issue