From 322f6972dbbdf4ef1e63d3222f07be45308e20e6 Mon Sep 17 00:00:00 2001
From: Olivier Bellone
Date: Mon, 20 May 2019 11:25:58 -0700
Subject: [PATCH] Use absolute value when checking timestamp tolerance

---
 lib/Webhook.php | 4 ++--
 lib/WebhookSignature.php | 2 +-
 tests/Stripe/WebhookTest.php | 12 +++++++++++-
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/lib/Webhook.php b/lib/Webhook.php
index e0ab3021a..45c7dc0f3 100644
--- a/lib/Webhook.php
+++ b/lib/Webhook.php
@@ -24,6 +24,8 @@ abstract class Webhook
 */
 public static function constructEvent($payload, $sigHeader, $secret, $tolerance = self::DEFAULT_TOLERANCE)
 {
+ WebhookSignature::verifyHeader($payload, $sigHeader, $secret, $tolerance);
+
 $data = json_decode($payload, true);
 $jsonError = json_last_error();
 if ($data === null && $jsonError !== JSON_ERROR_NONE) {
@@ -33,8 +35,6 @@ public static function constructEvent($payload, $sigHeader, $secret, $tolerance
 }
 $event = Event::constructFrom($data);
 
- WebhookSignature::verifyHeader($payload, $sigHeader, $secret, $tolerance);
-
 return $event;
 }
 }
diff --git a/lib/WebhookSignature.php b/lib/WebhookSignature.php
index 73e70dbd7..9f8be8777 100644
--- a/lib/WebhookSignature.php
+++ b/lib/WebhookSignature.php
@@ -60,7 +60,7 @@ public static function verifyHeader($payload, $header, $secret, $tolerance = nul
 }
 
 // Check if timestamp is within tolerance
- if (($tolerance > 0) && ((time() - $timestamp) > $tolerance)) {
+ if (($tolerance > 0) && (abs(time() - $timestamp) > $tolerance)) {
 throw new Error\SignatureVerification(
 "Timestamp outside the tolerance zone",
 $header,
diff --git a/tests/Stripe/WebhookTest.php b/tests/Stripe/WebhookTest.php
index dcd82671a..395d7e8f2 100644
--- a/tests/Stripe/WebhookTest.php
+++ b/tests/Stripe/WebhookTest.php
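Review bot: The relocated verifyHeader call at the top of constructEvent carries no comment saying why it has to stay first, and that ordering is the security property of this hunk: the payload is now authenticated before json_decode and Event::constructFrom ever see it, so unsigned or replayed input is rejected without being parsed. A later refactor that moves the call back down would silently reintroduce parsing of unauthenticated bytes, so I would pin the intent on the new line: `// Verify the signature first: the payload must not be parsed or turned into an Event until it has been authenticated.` The method's docblock starts outside the hunk and its body continues past it; that docblock should also state that Error\SignatureVerification is thrown before any JSON decoding takes place.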
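Review bot: The comment `// Check if timestamp is within tolerance` no longer describes the two behaviours the changed line in WebhookSignature::verifyHeader now encodes: the `$tolerance > 0` guard means a tolerance of 0 (or the signature's default of null) skips the timestamp check entirely, and abs() now rejects timestamps in the future as well as the past. I would replace it with `// Replay protection: reject a signed timestamp more than $tolerance seconds from now in either direction; a tolerance of 0 or null disables this check.` The hunk does not show how $timestamp is extracted from the header; if it can still be a non-numeric string at this point, `time() - $timestamp` produces a warning and a zero on PHP 7 and a TypeError on PHP 8 rather than a SignatureVerification error, so an explicit integer check before this line is worth confirming. verifyHeader begins and ends outside the hunk.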
@@ -84,12 +84,22 @@ public function testNoValidSignatureForPayload()
 * @expectedException \Stripe\Error\SignatureVerification
 * @expectedExceptionMessage Timestamp outside the tolerance zone
 */
- public function testTimestampOutsideTolerance()
+ public function testTimestampTooOld()
 {
 $sigHeader = $this->generateHeader(["timestamp" => time() - 15]);
 WebhookSignature::verifyHeader(self::EVENT_PAYLOAD, $sigHeader, self::SECRET, 10);
 }
 
+ /**
+ * @expectedException \Stripe\Error\SignatureVerification
+ * @expectedExceptionMessage Timestamp outside the tolerance zone
+ */
+ public function testTimestampTooRecent()
+ {
+ $sigHeader = $this->generateHeader(["timestamp" => time() + 15]);
+ WebhookSignature::verifyHeader(self::EVENT_PAYLOAD, $sigHeader, self::SECRET, 10);
+ }
+
 public function testValidHeaderAndSignature()
 {
 $sigHeader = $this->generateHeader();
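Review bot: The new testTimestampTooRecent pins both directions of the abs() comparison but leaves the other half of the condition untested: nothing asserts that a tolerance of 0 disables the timestamp check, which is the `$tolerance > 0` guard the production hunk keeps. I would add a sibling test that calls `WebhookSignature::verifyHeader(self::EVENT_PAYLOAD, $this->generateHeader(["timestamp" => time() - 15]), self::SECRET, 0);` and expects no exception, so that a later tightening or loosening of the guard cannot go unnoticed. Both tests read the real clock through time(); the 5-second gap between the 15-second offset and the tolerance of 10 keeps them stable unless generateHeader is slow, which is not visible here. The `@expectedException` annotations match the file's existing style, though `$this->expectException(...)` placed before the call is the form later PHPUnit versions require.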