Prevent application email addresses from shadowing user email addresses

Summary: Fixes T13234. Don't let application email addresses be configured with user addresses. This might prevent an unlikely bit of mischief where someone does this intentionally, detailed in T13234. (Possibly, these tables should just be merged some day, similar to how the "Password" table is now a shared resource that's modular enough for multiple applications to use it.) Test Plan: {F6132259} Reviewers: amckinley Reviewed By: amckinley Maniphest Tasks: T13234 Differential Revision: https://secure.phabricator.com/D19974
2024-11-10 00:42:41 +01:00 · 2019-01-15 06:29:34 -08:00 · 2019-01-15 06:29:34 -08:00 · c5f446defb
commit c5f446defb
parent dc4d7f1f3e
3 changed files with 29 additions and 0 deletions
--- a/src/applications/metamta/editor/PhabricatorMetaMTAApplicationEmailEditor.php
+++ b/src/applications/metamta/editor/PhabricatorMetaMTAApplicationEmailEditor.php
@ -103,6 +103,7 @@ final class PhabricatorMetaMTAApplicationEmailEditor
              $type,
              pht('Invalid'),
              pht('Email address is not formatted properly.'));
+            continue;
          }

          $address = new PhutilEmailAddress($email);
@ -113,6 +114,19 @@ final class PhabricatorMetaMTAApplicationEmailEditor
              pht(
                'This email address is reserved. Choose a different '.
                'address.'));
+            continue;
+          }
+
+          // See T13234. Prevent use of user email addresses as application
+          // email addresses.
+          if (PhabricatorMailUtil::isUserAddress($address)) {
+            $errors[] = new PhabricatorApplicationTransactionValidationError(
+              $type,
+              pht('In Use'),
+              pht(
+                'This email address is already in use by a user. Choose '.
+                'a different address.'));
+            continue;
          }
        }

--- a/src/applications/metamta/storage/PhabricatorMetaMTAReceivedMail.php
+++ b/src/applications/metamta/storage/PhabricatorMetaMTAReceivedMail.php
@ -170,6 +170,13 @@ final class PhabricatorMetaMTAReceivedMail extends PhabricatorMetaMTADAO {
          unset($targets[$key]);
          continue;
        }
+
+        // See T13234. Don't process mail if a user has attached this address
+        // to their account.
+        if (PhabricatorMailUtil::isUserAddress($target)) {
+          unset($targets[$key]);
+          continue;
+        }
      }

      $any_accepted = false;
--- a/src/applications/metamta/util/PhabricatorMailUtil.php
+++ b/src/applications/metamta/util/PhabricatorMailUtil.php
@ -108,4 +108,12 @@ final class PhabricatorMailUtil
    return false;
  }

+  public static function isUserAddress(PhutilEmailAddress $address) {
+    $user_email = id(new PhabricatorUserEmail())->loadOneWhere(
+      'address = %s',
+      $address->getAddress());
+
+    return (bool)$user_email;
+  }
+
 }