If this is deliberate, then fair enough, can a maintainer close this issue and make sure it's documented.
Line 63 of lib/WebhookSignature.php:

```php
// Check if timestamp is within tolerance
if (($tolerance > 0) && ((time() - $timestamp) > $tolerance)) {
    throw new Error\SignatureVerification(
        "Timestamp outside the tolerance zone",
        $header,
        $payload
    );
}
```
When time() is greater than supplied timestamp -
time() - 1558331514
timestamp - 1558331213
and default 300 second tolerance, that blows up because time() is 301 seconds greater than timestamp.
In light of the doc block for verifyHeader, namely

```php
 * @param int $tolerance maximum difference allowed between the header's
 *   timestamp and the current time
```
Why, since tolerances tend to be two-sided in my experience, doesn't the timestamp check blow up when the values of time() and timestamp are reversed, i.e. timestamp is more than 5 minutes ahead of time()?
Hi @CyberiaResurrection, thanks for reporting this. This looks like an implementation error -- the check should probably be abs(time() - $timestamp) > $tolerance. We'll release a fix soon.
PHP version: 7.2.18
stripe-php version: v6.35.0
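To make the two behaviours concrete, here is an added example (my own minimal reimplementation, not code from stripe-php) that runs the one-sided check quoted in the issue beside a two-sided `abs()` check of the kind the maintainer proposes, against a constructed header. It assumes the documented Stripe-Signature layout `t=<unix timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<payload>" under the endpoint secret>`; the secret, payload and function names are made up for the example, and the timestamps are the ones quoted in the issue plus the mirrored "301 seconds in the future" case.

```php
<?php
// Added example, not stripe-php's own code: a small reimplementation of the
// webhook signature check with a switch between the one-sided tolerance test
// from the issue and a two-sided abs() version, so both directions of clock
// skew can be exercised. Header layout assumed: t=<ts>,v1=<hex hmac>.

declare(strict_types=1);

function computeSignature(string $payload, int $timestamp, string $secret): string
{
    // Signed payload is "<timestamp>.<raw body>", HMAC-SHA256, lowercase hex.
    return hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
}

function parseHeader(string $header): array
{
    $timestamp = null;
    $signatures = [];
    foreach (explode(',', $header) as $item) {
        $parts = explode('=', $item, 2);
        if (count($parts) !== 2) {
            continue;
        }
        [$key, $value] = $parts;
        if ($key === 't') {
            $timestamp = (int) $value;
        } elseif ($key === 'v1') {
            $signatures[] = $value;
        }
    }
    return [$timestamp, $signatures];
}

// $twoSided = false reproduces the check quoted in the issue; true uses abs().
// $now is injected instead of calling time() so the cases are reproducible.
function verifyHeader(string $payload, string $header, string $secret, int $tolerance, bool $twoSided, int $now): bool
{
    [$timestamp, $signatures] = parseHeader($header);
    if ($timestamp === null || $signatures === []) {
        return false;
    }

    $expected = computeSignature($payload, $timestamp, $secret);
    $signatureOk = false;
    foreach ($signatures as $sig) {
        // hash_equals avoids a timing side channel on the comparison.
        if (hash_equals($expected, $sig)) {
            $signatureOk = true;
            break;
        }
    }
    if (!$signatureOk) {
        return false;
    }

    // One-sided: only a timestamp in the past can exceed the tolerance.
    // Two-sided: a timestamp too far in either direction is rejected.
    $skew = $twoSided ? abs($now - $timestamp) : ($now - $timestamp);
    if ($tolerance > 0 && $skew > $tolerance) {
        return false;
    }
    return true;
}

// Constructed inputs (made up for this example).
$secret    = 'whsec_example_secret';
$payload   = '{"id":"evt_test","object":"event"}';
$tolerance = 300;

$now      = 1558331514;      // "current" time quoted in the issue
$oldTs    = 1558331213;      // 301 s in the past, quoted in the issue
$futureTs = $now + 301;      // the mirrored case: 301 s in the future

$oldHeader    = 't=' . $oldTs . ',v1=' . computeSignature($payload, $oldTs, $secret);
$futureHeader = 't=' . $futureTs . ',v1=' . computeSignature($payload, $futureTs, $secret);

var_dump(verifyHeader($payload, $oldHeader, $secret, $tolerance, false, $now));
var_dump(verifyHeader($payload, $futureHeader, $secret, $tolerance, false, $now));
var_dump(verifyHeader($payload, $futureHeader, $secret, $tolerance, true, $now));
```

The first call is the case reported in the issue and is rejected by both variants; the second shows that the one-sided check accepts a correctly signed header whose timestamp is 301 seconds ahead of the receiver's clock, and the third shows `abs()` closing that gap. Note that the `$tolerance > 0` guard in the original means a tolerance of zero disables the freshness check entirely rather than requiring an exact match, so callers who want "no tolerance" should not pass 0.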