Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:125870 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 570241A00BD for ; Mon, 28 Oct 2024 15:32:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1730129682; bh=ts06yz0XAaj/k7Hy25Q/sip8nAXOwKMe+u5vqPCC5H8=; h=References:In-Reply-To:Reply-To:From:Date:Subject:To:From; b=L2SDw+l3EbiDYuITK6lJHOJdSIjAU6lxZp6QGzvkj210iZCGh8mZCIBU0eqJ6fhD/ Fgcj5ZD59IV6ikhrOF6RFyeNaWjoDLXGMdcipezmQWWNqSkBPVW1IWcD/K5ezM9GgQ TDkGXn525KkIrMAg3dejaeNokgIbIHhH2fLnyJlfEk/FRLXq44SVjTBv6wsc3mofR1 Aa/4B+cPwuQ9W9CY7YeQygL21atX7nWLVKPpvD64cE5aw9eWByE09+cySAQKdh6yj2 uSWyPb/3ztWYE3ukugEgKptTsSUL6bP+NIf3pYmhpFmbVi4xLFXOlYqNRT9u8GraFZ 6UJHe3SGIyHlw== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id AF85318007B for ; Mon, 28 Oct 2024 15:34:41 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: * X-Spam-Status: No, score=1.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM, FREEMAIL_REPLYTO,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from mail-io1-f43.google.com (mail-io1-f43.google.com [209.85.166.43]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 28 Oct 2024 15:34:41 +0000 (UTC) Received: by mail-io1-f43.google.com with SMTP id ca18e2360f4ac-83ace760016so158875339f.1 for ; Mon, 28 Oct 2024 08:32:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1730129533; x=1730734333; darn=lists.php.net; h=to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ts06yz0XAaj/k7Hy25Q/sip8nAXOwKMe+u5vqPCC5H8=; b=F0NNvLUOzdtLRhVocnenPjGmQunZQ+mrLkRSE03ap1TxEDRTCTvbNFhHEb3qg1qH64 Di0f3ShH+rTeJUQXhajc20hOFP0zM0wQp/ozRAsEg5W9+ky6uJSRxqKRw/aHzqtrf3GC sxIV11hCKmh5OI5Gr3SElN482oDqywv8Ps3KQnCqJ7LwhwOGN9hW/VbHnRlLIDAjU6Tm /B7Fypm87ljuBDLuV035I2hUnnsak1LO7b1LbLf+lq1ODQeSTgQ5Nu5QaYKlClInjXZS phkVpb3pAzY/12Qytmii4YHRjnwe4qZDVud/Dn55aCut0zBKOPrx1Xjw46TXOEDaoQuX YOPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1730129533; x=1730734333; h=to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ts06yz0XAaj/k7Hy25Q/sip8nAXOwKMe+u5vqPCC5H8=; b=VO2wrwZqqmeNja3V5sPfSXISjLcBFAhpl/37K6yyY6pHt5qb2OFfchXLX/nC9uFfiV fKBSAHhIK8U8qIErqlbBp/gCvhkMhVlek79gnbMQ8l0jYGdwC/6A/RMznb/wMw8bqvuS u4AVJ0t4x+xJowqh9DIGM59885y1xKqvfOZ9nCZxf6X0jZamCMGApxSbFZBTXjvVqPmS 7dD741w/GG1cnQ4ZhrNusxSz66AgzJC8mdGOX88FZmgoARf40q/QDftw0JKkAQ8I/dUK Vqzqc7haIcJ7Tu2wcOAtuUwo4XHPzYxXVE1I9/XyDEEpCJn+nHGpYvGTK1Mb6NW5xtGo rz+A== X-Gm-Message-State: AOJu0YwQ6R4LFtiCcMDI3RDfQoMHgBd4kMN/1i5FfHzn2td7qJRTm54T mOPGkoxccS5gKh1JuQHMPNN110tEun7IszoeyiBjQFpoRbz8ebXL1BKTCKOj7wnlvCYJ+YCj33b EBDq/ZCLh0TCLMSPQxsPaOrCLNuiljix2 X-Google-Smtp-Source: AGHT+IFlapI8iICp0ytSgt5RDVR4y5h7RzyuiPAEnjl4Y6mRfcQxjp/UXmrBC0Je+L+cJgPfZ88b4yO6M/IpcNJfXsA= X-Received: by 2002:a05:6e02:1a41:b0:3a3:a639:a594 with SMTP id e9e14a558f8ab-3a508dea49bmr115825ab.4.1730129532777; Mon, 28 Oct 2024 08:32:12 -0700 (PDT) Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 References: <6e533102b9a2e9c8f6a2183440b2601a@bastelstu.be> In-Reply-To: Reply-To: erictnorris@gmail.com Date: Mon, 28 Oct 2024 11:31:56 -0400 Message-ID: Subject: Re: [PHP-DEV] [VOTE] Add persistent curl share handles To: PHP internals Content-Type: text/plain; charset="UTF-8" From: eric.t.norris@gmail.com (Eric Norris) > >> Accidentally sharing a cookie jar for unrelated requests due to a > >> badly > >> chosen `$persistent_id` sounds like a vulnerability to is bound to > >> happen to someone. > > > > I'll admit that I don't have a good response to this, since while I > > agree this is possible, I don't think it outweighs the benefit that > > persistence gives to the applications that need it (again, we won't be > > using the cookie jar). I see you've noted concerns about > > documentation, would this be something you'd at least feel more > > comfortable with if curl persistence documentation included a strong > > warning? > > Yes, I would be *more* comfortable if the documentation would ensure to > appropriately the possible issues with persisting the share handle > across multiple requests, possibly giving suggestions as to how a good > persistent ID could be constructed (e.g. by using a hash of the current > security context or something like that). > > I would also be more comfortable, if persisting a share handle with > cookie jar sharing enabled would not be possible / would be ignored, > because that only leaves the TLS session sharing (see below) as a > possible safety issue. I think it's interesting to note that within a request, users are still vulnerable to accidentally over-sharing cookies. It's unclear to me why we would draw the line at persistence, considering it would be opt-in. That is, even if you're not using persistence, you must not accidentally share cookies within a request (say, if you were issuing batch requests for multiple users at once); if you're using persistence, you must also not accidentally share cookies between persistent handles. My concern is that this feels a little arbitrary, and it may in fact be useful for users to share cookies between requests, so removing the functionality when persistence is enabled might be a mistake. That said, if this RFC vote fails and the only way to get a "yes" vote was to remove shared cookie functionality, I would do that. > >> As for sharing a TLS or HTTP connection, > >> this might or might not lead to vulnerabilities similarly to cookie > >> sharing, when TLS client certificates are used for authentication. > > > > I believe curl itself handles this - it won't re-use a connection if > > the settings aren't the same. > > Okay, the curl documentation does not say anything about this in > https://curl.se/libcurl/c/CURLSHOPT_SHARE.html#CURLLOCKDATASSLSESSION. Here's a pull request indicating that the curl team considers TLS reuse safe: https://github.com/curl/curl/pull/1917. I believe they consider it a vulnerability if you are able to make curl incorrectly reuse a TLS session with differing TLS settings. > >> Also badly chosen `$persistent_id`s might result in a > >> large number of handles accumulating, without any kind of garbage > >> collection. For the existing persistent handles (e.g. for database > >> connections), the ID is chosen by PHP itself, ensuring a somewhat > >> predictable behavior. > > > > I agree that this may be a risk, but it's not clear to me that this is > > a risk that people would realistically run into, considering you'd > > want to have a small number of persistent IDs in order to benefit from > > re-using them. Dynamically picking your persistent IDs would lead to > > less re-use. > > I believe in misuse-resistant API design. Folks should be steered > towards doing the right thing by default. As an example: What if a > library internally choses to use persistent share handles for whatever > reason? Or an add-on you install in your CMS software? PHP for better or > worse is not just used for in-house software with an experienced > development team. I am also a big fan of misuse-resistant design - I am on the Security team at Etsy - but I'm struggling with the hypothetical here. Persistence is not enabled by default, so developers would have to opt-in. If a library internally chooses to use persistent share handles, the author of the library should be responsible for designing a misuse-resistant library. The same goes for an add-on in custom CMS software. In a sense, I could think of this as something akin to the "subtle" cryptography library pattern you'll find elsewhere. For example, take https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto. Cryptography library authors use the subtle API to implement misuse-resistant abstractions on top of these primitives; if you find yourself using the primitive, you are at risk of misusing it. The risk here is *much* lower than dealing with subtle cryptography APIs, as there are two clear misuse patterns: allocating too many persistent handles without closing them, and reusing a persistent handle *with a cookie jar* for multiple user-associated requests. That said, as I mentioned above I would be fine with removing cookie jar persistence if that was necessary to secure a passing vote, since it's not our primary focus. > > Regarding the RFC text, I apologize for not filling it out more, but > > it seemed straightforward to me: curl supports the share interface as > > a primary feature, and there are no glaring warnings in the > > documentation (https://curl.se/libcurl/c/libcurl-share.html) > > indicating that you might hold the share interface incorrectly. As I > > The difference to me is that when using libcurl directly, you would > generally have a more explicit data flow and don't pull a curl share > handle in an unknown state out of thin air. See the library example > above. In the same vein as the "subtle" talk above, I'd point out that a library developer could set CURLOPT_SSL_VERIFYPEER to false "because it's faster". They shouldn't, because a library should have the right security settings for a user. I would expect that the library would not use the cookie jar functionality unless they exposed a way to select the correct security context. > > If I were to add notes about these both to the documentation, and > > curl_share_close closed persistent share handles, would you change > > your vote for this or a future RFC? > > I'm not sure about whether I consider documentation alone to be > sufficient, but when share handles with cookie sharing enabled would not > be persisted (and removed from persistence when enabling the option > after the fact), then I would be fine with trusting libcurl to do the > right thing. Ideally this could be confirmed with some reference to the > libcurl source code or getting upstream confirmation that this is safe > to do. Understood. I appreciate that even if I don't convince you of the acceptability of the proposed API as-is, you have provided me with enough information to try again if this RFC fails to pass. Thank you! Eric