Merge pull request #658 from stripe/ob-fix-657

Use absolute value when checking timestamp tolerance
stripe · May 20, 2019 · 6cec639 · 6cec639
2 parents a5f6d81 + 322f697
commit 6cec639
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 4 deletions.
diff --git a/lib/Webhook.php b/lib/Webhook.php
@@ -24,6 +24,8 @@ abstract class Webhook
      */
     public static function constructEvent($payload, $sigHeader, $secret, $tolerance = self::DEFAULT_TOLERANCE)
     {
+        WebhookSignature::verifyHeader($payload, $sigHeader, $secret, $tolerance);
+
         $data = json_decode($payload, true);
         $jsonError = json_last_error();
         if ($data === null && $jsonError !== JSON_ERROR_NONE) {
@@ -33,8 +35,6 @@ public static function constructEvent($payload, $sigHeader, $secret, $tolerance
         }
         $event = Event::constructFrom($data);
 
-        WebhookSignature::verifyHeader($payload, $sigHeader, $secret, $tolerance);
-
         return $event;
     }
 }
diff --git a/lib/WebhookSignature.php b/lib/WebhookSignature.php
@@ -60,7 +60,7 @@ public static function verifyHeader($payload, $header, $secret, $tolerance = nul
         }
 
         // Check if timestamp is within tolerance
-        if (($tolerance > 0) && ((time() - $timestamp) > $tolerance)) {
+        if (($tolerance > 0) && (abs(time() - $timestamp) > $tolerance)) {
             throw new Error\SignatureVerification(
                 "Timestamp outside the tolerance zone",
                 $header,

diff --git a/tests/Stripe/WebhookTest.php b/tests/Stripe/WebhookTest.php
@@ -84,12 +84,22 @@ public function testNoValidSignatureForPayload()
      * @expectedException \Stripe\Error\SignatureVerification
      * @expectedExceptionMessage Timestamp outside the tolerance zone
      */
-    public function testTimestampOutsideTolerance()
+    public function testTimestampTooOld()
     {
         $sigHeader = $this->generateHeader(["timestamp" => time() - 15]);
         WebhookSignature::verifyHeader(self::EVENT_PAYLOAD, $sigHeader, self::SECRET, 10);
     }
 
+    /**
+     * @expectedException \Stripe\Error\SignatureVerification
+     * @expectedExceptionMessage Timestamp outside the tolerance zone
+     */
+    public function testTimestampTooRecent()
+    {
+        $sigHeader = $this->generateHeader(["timestamp" => time() + 15]);
+        WebhookSignature::verifyHeader(self::EVENT_PAYLOAD, $sigHeader, self::SECRET, 10);
+    }
+
     public function testValidHeaderAndSignature()
     {
         $sigHeader = $this->generateHeader();