Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:125896 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 26B0A1A00BD for ; Mon, 4 Nov 2024 11:38:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1730720443; bh=Gl+/YGtaJcqbjHS20BNWXznNQLJiCau54hrLU52e89o=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=AYlyHZWzhhfE/dTaYwYC6fmTLzM6ih98rzieCuOk7Rb/oyE0By8R8oDcM4w0tM8mj 1VONLdmpicCVyOFgGVeM+TCNEbRJ/CVYBeUZn68MrALqf2nSqNz8tiMiCNvGlJGIew 4tfv8UMx2iK6/fkyTfmIV9jpExgsJRHr4zCXRHmNDT74g3pcMOcQDN9NwdLAWS3VWw cknmR4WeAK5eYDwSO7puZ1V34rTiwl+MFsbUtpgCAwray7sAHaEkZOJyqq0JAgoxBY ktzGrWcHMLThyxSNE3Tm6F9G05Gqjaw8RLKBmHI34GAL8TG5Ug+Hp6O25kYokbn2Ng T4Jy+DkYO14oQ== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id F1852180037 for ; Mon, 4 Nov 2024 11:40:42 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 4 Nov 2024 11:40:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be; s=mail20171119; t=1730720288; bh=TKxQgJdOWbkTFCuRFNZ6SncZxGnh7vPpymWSe9notVQ=; h=MIME-Version:Date:From:To:Cc:Subject:In-Reply-To:References: Message-ID:Content-Type:from:to:cc:subject:message-id; b=a+LKEK7So9olq6Bp2YJdGe2ySgeZXYbKqyQmmqcQEjVn7GPAQOXmpcibD3eB5Oyjy AKlOa0nbK3xPS+K96LUCDp1/bfZYPSgBM/+l5QrDq3ulIYxs1T0b3esza2sVCIph7B af/zglPKo/yCwTNGCiJmKnb5p0uTl+1Hk8z1GugTYdzWbS0Jf0eoS1aFxnMndfP2C8 w91lCJ2N3UogmYZ+JisRVeiFIuRePEkVDFZe1kg9T0C7VjPDaY3oviEFj3YaYuMZzp IKWUzzRb7/sJkMHQoTVORWwkxIzH7Q7vWwYWWPLmhMsm2vEnW3dP5QgyJVCzRo9weP UafenKHwfpGfg== Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net x-ms-reactions: disallow MIME-Version: 1.0 Date: Mon, 04 Nov 2024 12:38:08 +0100 To: erictnorris@gmail.com Cc: PHP internals Subject: Re: [PHP-DEV] [VOTE] Add persistent curl share handles In-Reply-To: References: <6e533102b9a2e9c8f6a2183440b2601a@bastelstu.be> Message-ID: <9dd47a928fd4dc673a137c6433cd3130@bastelstu.be> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=C3=BCsterhus?=) Hi Am 2024-10-28 16:31, schrieb Eric Norris: > I think it's interesting to note that within a request, users are > still vulnerable to accidentally over-sharing cookies. It's unclear to Yes. > me why we would draw the line at persistence, considering it would be > opt-in. That is, even if you're not using persistence, you must not > accidentally share cookies within a request (say, if you were issuing > batch requests for multiple users at once); if you're using > persistence, you must also not accidentally share cookies between > persistent handles. > > My concern is that this feels a little arbitrary, and it may in fact > be useful for users to share cookies between requests, so removing the > functionality when persistence is enabled might be a mistake. That > said, if this RFC vote fails and the only way to get a "yes" vote was > to remove shared cookie functionality, I would do that. The differences between using a CurlShareHandle in a single request and using it across multiple requests are: 1. For a majority of applications, the security boundary (e.g. the currently logged-in user) does not change within a single request, making it less likely to actually be an issue. 2. Unless using globals or static variables - which are generally considered a bad practice in newly written PHP code -, you generally would have a fairly explicit data flow using local variables, parameters and return values for a single CurlShareHandle, making it hard to *accidentally* reuse a CurlShareHandle where not intended. The persistence across requests is effectively pulling a handle in an unknown from a global array, in other words: Spooky action from a distance. > Here's a pull request indicating that the curl team considers TLS > reuse safe: https://github.com/curl/curl/pull/1917. I believe they > consider it a vulnerability if you are able to make curl incorrectly > reuse a TLS session with differing TLS settings. Thank you. That would be useful to include in the “References” section of the RFC. Changing that one even during the vote seems legal to me, because it does not change the actual proposal. > I am also a big fan of misuse-resistant design - I am on the Security > team at Etsy - but I'm struggling with the hypothetical here. > Persistence is not enabled by default, so developers would have to > opt-in. If a library internally chooses to use persistent share > handles, the author of the library should be responsible for designing > a misuse-resistant library. The same goes for an add-on in custom CMS > software. Designing a misuse-resistant API around globally shared mutable state is very hard. I believe needs to happen on the lowest level, because a single high-level library can't have a full picture of the situation. libcurl making it impossible to hold incorrectly - with the Exception of Cookies - is a good thing here. > That said, as I mentioned above I would be fine with removing cookie > jar persistence if that was necessary to secure a passing vote, since > it's not our primary focus. Given the information regarding the TLS re-use, the cookie sharing is my only remaining concern. In fact with cookie sharing disabled it might not even be necessary for the user to choose an ID: Given that libcurl does the heavy lifting, as a user I should only need a single share handle and let libcurl figure out the details, no? A boolean “share connections across requests” when initializing a CurlHandle should probably sufficient. > In the same vein as the "subtle" talk above, I'd point out that a > library developer could set CURLOPT_SSL_VERIFYPEER to false "because > it's faster". They shouldn't, because a library should have the right > security settings for a user. I would expect that the library would > not use the cookie jar functionality unless they exposed a way to > select the correct security context. See above: Globally shared mutable state is much different than changing a setting in a localized fashion. The former is very hard to statically analyze for safety, the latter can easily be audited with a `grep` (leaving aside users intentionally obfuscating the constant's value). Best regards Tim Düsterhus