
Allow insecure mail auth with "Reply-To" header

Summary: Quora wants to handle some moderation tasks with Phabricator, but wants
to lower the barrier to entry for the install and let moderators adopt it
gradually. One request is to allow auth rules to be relaxed so we can auth based
on Reply-To to make things easier. This is insecure if configured but not really
a big deal and the patch isn't big or complicated.

Test Plan: Sent a test email with bogus "From" but valid "Reply-To". It was
rejected with this setting off, and allowed with this setting on.

Reviewers: jungejason, tuomaspelkonen, aran

Reviewed By: jungejason

CC: aran, jungejason

Differential Revision: 842
epriestley 2011-08-21 12:03:57 -07:00
parent 04b4f04cb9
commit d1134810d6
2 changed files with 28 additions and 1 deletions


@ -253,6 +253,16 @@ return array(
// Email" in the documentation for more information. // Email" in the documentation for more information.
'metamta.maniphest.public-create-email' => null, 'metamta.maniphest.public-create-email' => null,
// If you enable 'metamta.public-replies', Phabricator uses "From" to
// authenticate users. You can additionally enable this setting to try to
// authenticate with 'Reply-To'. Note that this is completely spoofable and
// insecure (any user can set any 'Reply-To' address) but depending on the
// nature of your install or other deliverability conditions this might be
// okay. Generally, you can't do much more by spoofing Reply-To than be
// annoying (you can write but not read content). But, you know, this is
// still **COMPLETELY INSECURE**.
'metamta.insecure-auth-with-reply-to' => false,
// -- Auth ------------------------------------------------------------------ // // -- Auth ------------------------------------------------------------------ //


@ -232,9 +232,26 @@ class PhabricatorMetaMTAReceivedMail extends PhabricatorMetaMTADAO {
$from = idx($this->headers, 'from'); $from = idx($this->headers, 'from');
$from = $this->getRawEmailAddress($from); $from = $this->getRawEmailAddress($from);
return id(new PhabricatorUser())->loadOneWhere( $user = id(new PhabricatorUser())->loadOneWhere(
'email = %s', 'email = %s',
$from); $from);
// If Phabricator is configured to allow "Reply-To" authentication, try
// the "Reply-To" address if we failed to match the "From" address.
$config_key = 'metamta.insecure-auth-with-reply-to';
$allow_reply_to = PhabricatorEnv::getEnvConfig($config_key);
if (!$user && $allow_reply_to) {
$reply_to = idx($this->headers, 'reply-to');
$reply_to = $this->getRawEmailAddress($reply_to);
if ($reply_to) {
$user = id(new PhabricatorUser())->loadOneWhere(
'email = %s',
$reply_to);
}
}
return $user;
} }
} }
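Review bot: The "Reply-To" fallback (`if (!$user && $allow_reply_to)`) returns the matched user exactly as a "From" match would, so nothing in this hunk records that the actor was identified from a header any sender can set. For an option documented as insecure, I would keep which header matched alongside the received mail, or at least log it, so that writes made under a spoofed address can be traced afterwards. At minimum, add a comment above `return $user;` such as `// NOTE: $user may have been matched via "Reply-To", which is not authenticated; do not treat this as proof of identity.` The `getEnvConfig()` read could also move into the condition, `if (!$user && PhabricatorEnv::getEnvConfig($config_key)) {`, so it runs only when the "From" lookup failed. The enclosing method starts outside the hunk, so any logging it already does is not visible here.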