php · symfony/mailomat-mailer · Heads-up
symfony/mailomat-mailer enforces SHA-256 HMAC signature validation
What changed
MailomatRequestParser::validateSignature() now requires the signature header to be of the form sha256=<hex> and verifies the signature with HMAC-SHA256 using a constant-time comparison. Any other algorithm is rejected.
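The shape of such a check, written out as an added example; this is not symfony/mailomat-mailer's own code, and the class name WebhookSignatureCheck, the method signature, the shared secret and the sample body are assumptions made for the demonstration. It accepts only a header of the form sha256=<hex>, recomputes the HMAC-SHA256 over the raw request body with the shared secret, and compares the two digests with hash_equals() so the comparison time does not depend on where the first differing byte sits.

```php
<?php
// Added example, not the project's code. Header name, secret, body and
// class/method names are assumptions; only the validation rules come from
// the heads-up: "sha256=<hex>" only, HMAC-SHA256, constant-time comparison.

declare(strict_types=1);

final class WebhookSignatureCheck
{
    /**
     * Returns true only for a well-formed "sha256=<hex>" header whose
     * digest matches HMAC-SHA256(secret, rawBody). Any other algorithm
     * prefix, a missing prefix, or a malformed hex string is rejected.
     */
    public static function isValid(string $signatureHeader, string $rawBody, string $secret): bool
    {
        // Require exactly "sha256=" followed by 64 hex characters (32 bytes).
        // hash_hmac() emits lowercase hex, so lowercase is required here too.
        if (preg_match('/^sha256=([0-9a-f]{64})$/', $signatureHeader, $m) !== 1) {
            return false;
        }

        $expected = hash_hmac('sha256', $rawBody, $secret);

        // Known-good value first, attacker-supplied value second; hash_equals()
        // compares in time independent of the contents of the second argument.
        return hash_equals($expected, $m[1]);
    }
}

// Constructed demonstration values (not from the project or a real webhook).
$secret  = 'example-shared-secret';
$rawBody = '{"event":"delivered","id":"msg_123"}';

$headers = [
    'valid sha256 header'      => 'sha256=' . hash_hmac('sha256', $rawBody, $secret),
    'sha1 algorithm prefix'    => 'sha1=' . hash_hmac('sha1', $rawBody, $secret),
    'digest without prefix'    => hash_hmac('sha256', $rawBody, $secret),
    'wrong digest value'       => 'sha256=' . str_repeat('0', 64),
    'body tampered after sign' => 'sha256=' . hash_hmac('sha256', $rawBody . ' ', $secret),
];

foreach ($headers as $label => $header) {
    $verdict = WebhookSignatureCheck::isValid($header, $rawBody, $secret) ? 'accepted' : 'rejected';
    printf("%-26s %s\n", $label . ':', $verdict);
}
```

Only the first case is accepted; the other four are rejected before or at the comparison. Note that the check runs over the raw body bytes as received, not over a decoded and re-encoded JSON document, since any re-serialisation would change the digest.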
Who it affects
Users of symfony/mailomat-mailer who use the Mailomat webhook receiver.
What to do today
Update to the patched version of symfony/mailomat-mailer (branch 7.4, 8.0, or 8.1) to enforce SHA-256 HMAC validation.