mirror of https://we.phorge.it/source/phorge.git synced 2024-11-10 08:52:39 +01:00

Fix a potentially lax hash comparison

Summary: Via HackerOne. See D14025. I missed this comparison when making the original change.

Test Plan:
  - Used `cat mail.txt | scripts/mail/mail_handler.php --process-duplicates` to pipe mail in a whole lot of times.
  - Tried bad hashes, saw rejections.
  - Tried good hash, saw mail accepted.

Reviewers: chad

Reviewed By: chad

Differential Revision: https://secure.phabricator.com/D14455
epriestley 2015-11-10 09:51:57 -08:00
parent 64ad44cffb
commit b3d3130b71

@ -126,7 +126,7 @@ abstract class PhabricatorObjectMailReceiver extends PhabricatorMailReceiver {
$expect_hash = self::computeMailHash($object->getMailKey(), $check_phid);
if ($expect_hash != $parts['hash']) {
if (!phutil_hashes_are_identical($expect_hash, $parts['hash'])) {
throw new PhabricatorMetaMTAReceivedMailProcessingException(
MetaMTAReceivedMailStatus::STATUS_HASH_MISMATCH,
pht(
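Review bot: The replaced `if` on `$expect_hash` versus `$parts['hash']` is covered only by the manual test plan, so nothing stops a later edit from putting `!=` back on this line. A unit test for the receiver that supplies a wrong `hash` part and expects `STATUS_HASH_MISMATCH`, plus one with the correct hash, would pin the behaviour. Since the summary says this comparison was missed in D14025, it is also worth searching for any remaining `==` or `!=` applied to the result of `computeMailHash()` and noting in the revision that none are left.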