Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93142 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 55552 invoked from network); 10 May 2016 10:58:06 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 10 May 2016 10:58:06 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.172 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.220.172 mail-qk0-f172.google.com Received: from [209.85.220.172] ([209.85.220.172:33048] helo=mail-qk0-f172.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 5C/D0-49800-DBEB1375 for ; Tue, 10 May 2016 06:58:05 -0400 Received: by mail-qk0-f172.google.com with SMTP id n63so4087672qkf.0 for ; Tue, 10 May 2016 03:58:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=gXWK6dgyZ5Np5Y4NA4RfqZH3BEzPSZC+g7IclaxICXs=; b=tO9R4I3tQirbJJ0ix5M8JqWH5nAQR9LHMscQV6XEy8W0W3cW3MsjCTj/lrnFE9TliZ gGuWzf4+fhF/LnFQavdQLw5XW6OErg3UGMSaH0uGCC08T0FrFiSkBJrOpF9LWPPhpQ4g kDztMkUF9ajFWbse8ycvP1g2SoO3cl0RPrW4v0Pc5QgKmiJz3FGyCfQxwTlLyQKt50j8 TPfvQjcBXHwgA7r55ewdmnqD9nnPVdDShoEiNG7siaWp9QLoS4A8D+FlvXp0GfqBkavw wKoA8N26rm3yOsUSSSJcfA3OyZX9hheg3MGF5SaHRVo/B0L2Zv0MdL/wQ5Fd/q4r4SqV QvlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=gXWK6dgyZ5Np5Y4NA4RfqZH3BEzPSZC+g7IclaxICXs=; b=gOyx6ygYiBYL3oB9nV8+axvqNhjzbAetM3CLBhIGwM0NCPX874HEYRWYQKyAZwUmww ln2xsEDx4Uv7f1ukRKvf3gEA0Q9AWT3BSCXIZkyDqhEp/n8jjh9sdf/Tqg0L/2Ynj/mk MJ5JVVObN/arTvz8pKTBg7Wa/Kd/rPy9WffO55OdMhFSYRY/x9KUEMcvv9ArLCAKCm1j ShX5rOdTNCUN+VMTKxf9q0c39Muu0oFVzBhQ2KLt3bb5jn14QMv08d2KxK59dDvvR+NS 9tJxTPJNr7vCZfFZstouq8Fn4KanslWASyko1EiDObng4/fCQ3fvKAjCHdn39JKKb0iB lVfA== X-Gm-Message-State: AOPr4FWqfhQ0YqMRN2erl+IHsw8gyxueqmp30ykR2YUyZWMG/nZAet6Tbxwk3HU4/cMl264hvkW/NwPn+A4bhg== X-Received: by 10.55.80.136 with SMTP id e130mr43266101qkb.28.1462877882875; Tue, 10 May 2016 03:58:02 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.140.27.133 with HTTP; Tue, 10 May 2016 03:57:23 -0700 (PDT) In-Reply-To: References: Date: Tue, 10 May 2016 19:57:23 +0900 X-Google-Sender-Auth: 8mzfF6qbtXh5HhBSMZKz90xkuwQ Message-ID: To: Rowan Collins Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Rowan, On Tue, May 10, 2016 at 6:38 PM, Rowan Collins wrote: > Yasuo Ohgaki wrote on 10/05/2016 04:24: >> >> Hi all, >> >> It's not nice to work on the same code (i.e. session module) for >> multiple RFCs, but time is limited. >> >> I would like to hear from ideas/comments before I write patch for this. >> https://wiki.php.net/rfc/automatic_csrf_protection > > > I think rewriting every URL, and erroring if the token on a URL has expired, > will not be useful for most people. What happens if I copy the URL of a page > into an e-mail or Twitter post? As soon as anybody clicks that link, they're > going to get an error raised; maybe it will recover by clearing their > session, causing them to log out unnecessarily; maybe it will refuse to show > the content claiming they're not authenticated. In the worst case, someone > might take my URL and use the CSRF token against me - they have a time > limit, but if the application author relied on this protection, the same > token will be valid for any action on the site. To protect all of URLs automatically, all URLs need to have token. That's the reason why all URLs have token. The risk is the same as Trans SID session management. > As described, the feature seems to assume that all pages are potential CSRF > targets, when even an authenticated user on a forum spends most of their > time on URLs which retrieve data and have no side effects. As Stas pointed > out, not all content is amenable to rewriting, either, which could lead to a > false sense of security - dare I compare the infamous magic quotes? A good > implementation of CSRF protection has to consider when to generate a token, > when to check it, and what to do on failure - trying to submit a comment > with an invalid CSRF token might re-display the comment form with pre-filled > content, for instance - and this proposal doesn't seem to address that. > > I think this is the kind of feature that can only really be addressed by an > application framework, which can have greater knowledge of when actions are > being triggered, link tokens to specific actions, and so on. Because of likelihood of the vulnerability, it's better provide basic infrastructure. IMO. It's possible to give more control to users. - Specify protected method GET/POST or both. - Add session_csrf_validate() for manual validation Implementation is simple enough even with these addition. (Added to RFC) I considered to protect whole application while I was writing this RFC draft. Thank you for point this out! Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net