Fix a potentially lax hash comparison

Summary: Via HackerOne. See D14025. I missed this comparison when making the original change. Test Plan: - Used `cat mail.txt | scripts/mail/mail_handler.php --process-duplicates` to pipe mail in a whole lot of times. - Tried bad hashes, saw rejections. - Tried good hash, saw mail accepted. Reviewers: chad Reviewed By: chad Differential Revision: https://secure.phabricator.com/D14455
2024-11-10 08:52:39 +01:00 · 2015-11-10 09:51:57 -08:00 · 2015-11-10 09:51:57 -08:00 · b3d3130b71
commit b3d3130b71
parent 64ad44cffb
1 changed files with 1 additions and 1 deletions
--- a/src/applications/metamta/receiver/PhabricatorObjectMailReceiver.php
+++ b/src/applications/metamta/receiver/PhabricatorObjectMailReceiver.php
@ -126,7 +126,7 @@ abstract class PhabricatorObjectMailReceiver extends PhabricatorMailReceiver {

    $expect_hash = self::computeMailHash($object->getMailKey(), $check_phid);

-    if ($expect_hash != $parts['hash']) {
+    if (!phutil_hashes_are_identical($expect_hash, $parts['hash'])) {
      throw new PhabricatorMetaMTAReceivedMailProcessingException(
        MetaMTAReceivedMailStatus::STATUS_HASH_MISMATCH,
        pht(