Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:93141
Return-Path: <rowan.collins@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 50590 invoked from network); 10 May 2016 09:40:41 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 10 May 2016 09:40:41 -0000
Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.54 as permitted sender)
X-PHP-List-Original-Sender: rowan.collins@gmail.com
X-Host-Fingerprint: 209.85.215.54 mail-lf0-f54.google.com  
Received: from [209.85.215.54] ([209.85.215.54:33256] helo=mail-lf0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 96/10-49800-89CA1375 for <internals@lists.php.net>; Tue, 10 May 2016 05:40:40 -0400
Received: by mail-lf0-f54.google.com with SMTP id y84so8356425lfc.0
        for <internals@lists.php.net>; Tue, 10 May 2016 02:40:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-transfer-encoding;
        bh=md//4T4zdT3LFSaX1YB6IUgAULmY3/fu9VpKGj+pttg=;
        b=MTm1tlKaqze96pi0uzEv5ZQ2ETWlfMvEkL1keqPaJwwS7eLMTWE/LUxNoup5J7Li+8
         tc8LZSVlOzGmHCwdahwyVBlJs0vk2iuOItU1j3/qH1yaYleVWQtuDZEvW5EfoYyqyU/X
         0HSDmKMksSdHu58EiuFMD6ungQcxg/1QQwoHMa1DOaecuSoAO/EKTv4mQxOb5zeKJHxr
         skNTyel6dVBBVtb4h5msk2c9AUGZ9Mg4qM1MocVJdN6YSTPUulDVRyHsdxvbvzk8a1R7
         WrZf4ALuD+Z8vpnNQynhJvG5Jdw5M8mFuoLJzrKn5/QrSvHmJzVi7xEfkEkNjP8fqxNy
         dyDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=md//4T4zdT3LFSaX1YB6IUgAULmY3/fu9VpKGj+pttg=;
        b=VVR7ZcZEL9rotlmrIPyAdx8lsKdsxqBizK66R82qGCVtqX5tSx+j6vS4pUcurTUaUE
         haaV1FcI7DaRP88VOKgZbR+pUd6NXQUn5y0DMMGDbtKfa0hLkMWOLkQZfhQu0WjQu0je
         hA+WE/+kTUlmkoxYedYNWGrot9iOt98qgSanF9tUJLyWBL70miexZBsIJk9BF4ZDvgxT
         KMM+qe6D7uOpCOoXAVQr+8Ado4jwFAtlokk0rXESEp8T9sFD6Fcc2VM+5y0ZvEfNuP3M
         nMG/Xjr9gy56kz12w4I7bpTv+LQc+A+Qj4etzwMl1AOJ2DShXIJFS9zNAErjZX57EKMd
         EAkQ==
X-Gm-Message-State: AOPr4FUV+e9PbGnd3NAl87IMgmj23yzmSDo0BxqCToqaD1bC6V0wjEwGR2CfGFnMZf+uQQ==
X-Received: by 10.25.27.130 with SMTP id b124mr13514286lfb.99.1462873237550;
        Tue, 10 May 2016 02:40:37 -0700 (PDT)
Received: from [192.168.0.76] ([93.188.182.58])
        by smtp.googlemail.com with ESMTPSA id pb3sm224417lbb.37.2016.05.10.02.40.36
        for <internals@lists.php.net>
        (version=TLSv1/SSLv3 cipher=OTHER);
        Tue, 10 May 2016 02:40:36 -0700 (PDT)
To: internals@lists.php.net
References: <CAGa2bXZytbD1H-Rg5eWfiPwEM0p47JSQH-GC-ZayDSLbmbsGVA@mail.gmail.com>
Message-ID: <e9b34da1-a6c7-261e-1a83-9bf34d2ed8ac@gmail.com>
Date: Tue, 10 May 2016 10:38:17 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.0
MIME-Version: 1.0
In-Reply-To: <CAGa2bXZytbD1H-Rg5eWfiPwEM0p47JSQH-GC-ZayDSLbmbsGVA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: rowan.collins@gmail.com (Rowan Collins)

Yasuo Ohgaki wrote on 10/05/2016 04:24:
> Hi all,
>
> It's not nice to work on the same code (i.e. session module) for
> multiple RFCs, but time is limited.
>
> I would like to hear from ideas/comments before I write patch for this.
> https://wiki.php.net/rfc/automatic_csrf_protection

I think rewriting every URL, and erroring if the token on a URL has 
expired, will not be useful for most people. What happens if I copy the 
URL of a page into an e-mail or Twitter post? As soon as anybody clicks 
that link, they're going to get an error raised; maybe it will recover 
by clearing their session, causing them to log out unnecessarily; maybe 
it will refuse to show the content claiming they're not authenticated. 
In the worst case, someone might take my URL and use the CSRF token 
against me - they have a time limit, but if the application author 
relied on this protection, the same token will be valid for any action 
on the site.

As described, the feature seems to assume that all pages are potential 
CSRF targets, when even an authenticated user on a forum spends most of 
their time on URLs which retrieve data and have no side effects. As Stas 
pointed out, not all content is amenable to rewriting, either, which 
could lead to a false sense of security - dare I compare the infamous 
magic quotes? A good implementation of CSRF protection has to consider 
when to generate a token, when to check it, and what to do on failure - 
trying to submit a comment with an invalid CSRF token might re-display 
the comment form with pre-filled content, for instance - and this 
proposal doesn't seem to address that.

I think this is the kind of feature that can only really be addressed by 
an application framework, which can have greater knowledge of when 
actions are being triggered, link tokens to specific actions, and so on.

Regards,
-- 
Rowan Collins
[IMSoP]