1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 22:10:55 +01:00

Upgrade object reply addresses to SHA256 and remove "phabricator.mail-key"

Summary:
Ref T12509.

  - Upgrade an old SHA1 to SHA256.
  - Replace an old manually configurable HMAC key with an automatically generated one.

This is generally both simpler (less configuration) and more secure (you now get a unique value automatically).

This causes a one-time compatibility break that invalidates old "Reply-To" addresses. I'll note this in the changelog.

If you leaked a bunch of addresses, you could force a change here by mucking around with `phabricator_auth.auth_hmackey`, but AFAIK no one has ever used this value to react to any sort of security issue.

(I'll note the possibility that we might want to provide/document this "manually force HMAC keys to regenerate" stuff some day in T6994.)

Test Plan: Grepped for removed config. I'll vet this pathway more heavily in upcoming changes.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T12509

Differential Revision: https://secure.phabricator.com/D19945
This commit is contained in:
epriestley 2019-01-03 05:10:55 -08:00
parent a0668df75a
commit 93e6dc1c1d
4 changed files with 6 additions and 20 deletions

View file

@ -385,6 +385,9 @@ final class PhabricatorExtraConfigSetupCheck extends PhabricatorSetupCheck {
'Mail thread IDs are now generated automatically.'), 'Mail thread IDs are now generated automatically.'),
'metamta.placeholder-to-recipient' => pht( 'metamta.placeholder-to-recipient' => pht(
'Placeholder recipients are now generated automatically.'), 'Placeholder recipients are now generated automatically.'),
'metamta.mail-key' => pht(
'Mail object address hash keys are now generated automatically.'),
); );
return $ancient_config; return $ancient_config;

View file

@ -169,20 +169,6 @@ EOTEXT
'in a vague, mostly theoretical way. But it will take you like 3 '. 'in a vague, mostly theoretical way. But it will take you like 3 '.
'seconds of mashing on your keyboard to set it up so you might '. 'seconds of mashing on your keyboard to set it up so you might '.
'as well.')), 'as well.')),
$this->newOption(
'phabricator.mail-key',
'string',
'5ce3e7e8787f6e40dfae861da315a5cdf1018f12')
->setHidden(true)
->setSummary(
pht('Hashed with other inputs to generate mail tokens.'))
->setDescription(
pht(
"This is hashed with other inputs to generate mail tokens. If ".
"you want, you can change it to some other string which is ".
"unique to your install. In particular, you will want to do ".
"this if you accidentally send a bunch of mail somewhere you ".
"shouldn't have, to invalidate all old reply-to addresses.")),
$this->newOption( $this->newOption(
'uri.allowed-protocols', 'uri.allowed-protocols',
'set', 'set',

View file

@ -200,9 +200,9 @@ abstract class PhabricatorObjectMailReceiver extends PhabricatorMailReceiver {
} }
public static function computeMailHash($mail_key, $phid) { public static function computeMailHash($mail_key, $phid) {
$global_mail_key = PhabricatorEnv::getEnvConfig('phabricator.mail-key'); $hash = PhabricatorHash::digestWithNamedKey(
$mail_key.$phid,
$hash = PhabricatorHash::weakDigest($mail_key.$global_mail_key.$phid); 'mail.object-address-key');
return substr($hash, 0, 16); return substr($hash, 0, 16);
} }

View file

@ -79,9 +79,6 @@ authenticating senders in the general case (e.g., where you are an open source
project and need to interact with users whose email accounts you have no control project and need to interact with users whose email accounts you have no control
over). over).
If you leak a bunch of reply-to addresses by accident, you can change
`phabricator.mail-key` in your configuration to invalidate all the old hashes.
You can also set `metamta.public-replies`, which will change how Phabricator You can also set `metamta.public-replies`, which will change how Phabricator
delivers email. Instead of sending each recipient a unique mail with a personal delivers email. Instead of sending each recipient a unique mail with a personal
reply-to address, it will send a single email to everyone with a public reply-to reply-to address, it will send a single email to everyone with a public reply-to