Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:125896
X-Original-To: internals@lists.php.net
Delivered-To: internals@lists.php.net
Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5])
	by qa.php.net (Postfix) with ESMTPS id 26B0A1A00BD
	for <internals@lists.php.net>; Mon,  4 Nov 2024 11:38:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail;
	t=1730720443; bh=Gl+/YGtaJcqbjHS20BNWXznNQLJiCau54hrLU52e89o=;
	h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
	b=AYlyHZWzhhfE/dTaYwYC6fmTLzM6ih98rzieCuOk7Rb/oyE0By8R8oDcM4w0tM8mj
	 1VONLdmpicCVyOFgGVeM+TCNEbRJ/CVYBeUZn68MrALqf2nSqNz8tiMiCNvGlJGIew
	 4tfv8UMx2iK6/fkyTfmIV9jpExgsJRHr4zCXRHmNDT74g3pcMOcQDN9NwdLAWS3VWw
	 cknmR4WeAK5eYDwSO7puZ1V34rTiwl+MFsbUtpgCAwray7sAHaEkZOJyqq0JAgoxBY
	 ktzGrWcHMLThyxSNE3Tm6F9G05Gqjaw8RLKBmHI34GAL8TG5Ug+Hp6O25kYokbn2Ng
	 T4Jy+DkYO14oQ==
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id F1852180037
	for <internals@lists.php.net>; Mon,  4 Nov 2024 11:40:42 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=4.0.0
X-Spam-Virus: No
X-Envelope-From: <tim@bastelstu.be>
Received: from chrono.xqk7.com (chrono.xqk7.com [176.9.45.72])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon,  4 Nov 2024 11:40:42 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bastelstu.be;
	s=mail20171119; t=1730720288;
	bh=TKxQgJdOWbkTFCuRFNZ6SncZxGnh7vPpymWSe9notVQ=;
	h=MIME-Version:Date:From:To:Cc:Subject:In-Reply-To:References:
	 Message-ID:Content-Type:from:to:cc:subject:message-id;
	b=a+LKEK7So9olq6Bp2YJdGe2ySgeZXYbKqyQmmqcQEjVn7GPAQOXmpcibD3eB5Oyjy
	 AKlOa0nbK3xPS+K96LUCDp1/bfZYPSgBM/+l5QrDq3ulIYxs1T0b3esza2sVCIph7B
	 af/zglPKo/yCwTNGCiJmKnb5p0uTl+1Hk8z1GugTYdzWbS0Jf0eoS1aFxnMndfP2C8
	 w91lCJ2N3UogmYZ+JisRVeiFIuRePEkVDFZe1kg9T0C7VjPDaY3oviEFj3YaYuMZzp
	 IKWUzzRb7/sJkMHQoTVORWwkxIzH7Q7vWwYWWPLmhMsm2vEnW3dP5QgyJVCzRo9weP
	 UafenKHwfpGfg==
Precedence: bulk
list-help: <mailto:internals+help@lists.php.net
list-unsubscribe: <mailto:internals+unsubscribe@lists.php.net>
list-post: <mailto:internals@lists.php.net>
List-Id: internals.lists.php.net
x-ms-reactions: disallow
MIME-Version: 1.0
Date: Mon, 04 Nov 2024 12:38:08 +0100
To: erictnorris@gmail.com
Cc: PHP internals <internals@lists.php.net>
Subject: Re: [PHP-DEV] [VOTE] Add persistent curl share handles
In-Reply-To: <CA+NMNO0HVQAXkzcyYPjuF0KQBs-=1DE0-Bki2w0KXPUmvfjovA@mail.gmail.com>
References: <CA+NMNO16_p1=vmjpKSfWgSVCVqgxC0v-VGgfX4H5RhfGNNpSvg@mail.gmail.com>
 <6e533102b9a2e9c8f6a2183440b2601a@bastelstu.be>
 <CA+NMNO3rNd3vDth_0n6MOEdDorfHZXGymQXnk_ehwM=htvLeyQ@mail.gmail.com>
 <cd7343897b0a92d43c82062a49520fa5@bastelstu.be>
 <CA+NMNO0HVQAXkzcyYPjuF0KQBs-=1DE0-Bki2w0KXPUmvfjovA@mail.gmail.com>
Message-ID: <9dd47a928fd4dc673a137c6433cd3130@bastelstu.be>
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: 8bit
From: tim@bastelstu.be (=?UTF-8?Q?Tim_D=C3=BCsterhus?=)

Hi

Am 2024-10-28 16:31, schrieb Eric Norris:
> I think it's interesting to note that within a request, users are
> still vulnerable to accidentally over-sharing cookies. It's unclear to

Yes.

> me why we would draw the line at persistence, considering it would be
> opt-in. That is, even if you're not using persistence, you must not
> accidentally share cookies within a request (say, if you were issuing
> batch requests for multiple users at once); if you're using
> persistence, you must also not accidentally share cookies between
> persistent handles.
> 
> My concern is that this feels a little arbitrary, and it may in fact
> be useful for users to share cookies between requests, so removing the
> functionality when persistence is enabled might be a mistake. That
> said, if this RFC vote fails and the only way to get a "yes" vote was
> to remove shared cookie functionality, I would do that.

The differences between using a CurlShareHandle in a single request and 
using it across multiple requests are:

1. For a majority of applications, the security boundary (e.g. the 
currently logged-in user) does not change within a single request, 
making it less likely to actually be an issue.
2. Unless using globals or static variables - which are generally 
considered a bad practice in newly written PHP code -, you generally 
would have a fairly explicit data flow using local variables, parameters 
and return values for a single CurlShareHandle, making it hard to 
*accidentally* reuse a CurlShareHandle where not intended. The 
persistence across requests is effectively pulling a handle in an 
unknown from a global array, in other words: Spooky action from a 
distance.

> Here's a pull request indicating that the curl team considers TLS
> reuse safe: https://github.com/curl/curl/pull/1917. I believe they
> consider it a vulnerability if you are able to make curl incorrectly
> reuse a TLS session with differing TLS settings.

Thank you. That would be useful to include in the “References” section 
of the RFC. Changing that one even during the vote seems legal to me, 
because it does not change the actual proposal.

> I am also a big fan of misuse-resistant design - I am on the Security
> team at Etsy - but I'm struggling with the hypothetical here.
> Persistence is not enabled by default, so developers would have to
> opt-in. If a library internally chooses to use persistent share
> handles, the author of the library should be responsible for designing
> a misuse-resistant library. The same goes for an add-on in custom CMS
> software.

Designing a misuse-resistant API around globally shared mutable state is 
very hard. I believe needs to happen on the lowest level, because a 
single high-level library can't have a full picture of the situation. 
libcurl making it impossible to hold incorrectly - with the Exception of 
Cookies - is a good thing here.

> That said, as I mentioned above I would be fine with removing cookie
> jar persistence if that was necessary to secure a passing vote, since
> it's not our primary focus.

Given the information regarding the TLS re-use, the cookie sharing is my 
only remaining concern. In fact with cookie sharing disabled it might 
not even be necessary for the user to choose an ID: Given that libcurl 
does the heavy lifting, as a user I should only need a single share 
handle and let libcurl figure out the details, no? A boolean “share 
connections across requests” when initializing a CurlHandle should 
probably sufficient.

> In the same vein as the "subtle" talk above, I'd point out that a
> library developer could set CURLOPT_SSL_VERIFYPEER to false "because
> it's faster". They shouldn't, because a library should have the right
> security settings for a user. I would expect that the library would
> not use the cookie jar functionality unless they exposed a way to
> select the correct security context.

See above: Globally shared mutable state is much different than changing 
a setting in a localized fashion. The former is very hard to statically 
analyze for safety, the latter can easily be audited with a `grep` 
(leaving aside users intentionally obfuscating the constant's value).

Best regards
Tim Düsterhus