Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93144 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 60108 invoked from network); 10 May 2016 11:44:38 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 10 May 2016 11:44:38 -0000 Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.218 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 81.169.146.218 mo4-p00-ob.smtp.rzone.de Received: from [81.169.146.218] ([81.169.146.218:38543] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 7B/A1-49800-2A9C1375 for ; Tue, 10 May 2016 07:44:35 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1462880672; l=7796; s=domk; d=kelunik.com; h=Content-Type:Cc:To:Subject:Date:From:In-Reply-To:References: MIME-Version; bh=p/JoaIiJsDqTBfA/KuNtQFdN9w07t+Rw1GAkhaP/IqU=; b=NTDClu4en0TaQqr3MQHIhzfPvLnoZYdUCSFya0NBDDUqTS0LfVNebriN6NrQm8eHDyd 3gF+V43WVeVGSBtRrFOsfSlUA0t9z6zo+xmABIapXr8r357fGQT9SQjeu2J7pG5eL9k/L 4PZ0EdCQn/N6IPF3upz5XD6ecb00VKT0I/k= X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtO3U6 X-RZG-CLASS-ID: mo00 Received: from mail-wm0-f46.google.com ([74.125.82.46]) by smtp.strato.de (RZmta 37.26 AUTH) with ESMTPSA id 60439as4ABiVCbc (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA)) (Client did not present a certificate) for ; Tue, 10 May 2016 13:44:31 +0200 (CEST) Received: by mail-wm0-f46.google.com with SMTP id g17so22645118wme.1 for ; Tue, 10 May 2016 04:44:31 -0700 (PDT) X-Gm-Message-State: AOPr4FVcsfJixDTcMmY412ZwdjOFuxZgos+rHY2g2WE/mVd4eAmIs2uiDerwGHHxXP1Dc+eYWJZoBCVisd42ig== X-Received: by 10.194.87.103 with SMTP id w7mr38817923wjz.13.1462880671706; Tue, 10 May 2016 04:44:31 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Tue, 10 May 2016 11:44:21 +0000 X-Gmail-Original-Message-ID: Message-ID: To: Yasuo Ohgaki , Rowan Collins Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=047d7bf10b54c938ac05327b721c Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: me@kelunik.com (Niklas Keller) --047d7bf10b54c938ac05327b721c Content-Type: text/plain; charset=UTF-8 Yasuo Ohgaki schrieb am Di., 10. Mai 2016 12:57: > Hi Rowan, > > On Tue, May 10, 2016 at 6:38 PM, Rowan Collins > wrote: > > Yasuo Ohgaki wrote on 10/05/2016 04:24: > >> > >> Hi all, > >> > >> It's not nice to work on the same code (i.e. session module) for > >> multiple RFCs, but time is limited. > >> > >> I would like to hear from ideas/comments before I write patch for this. > >> https://wiki.php.net/rfc/automatic_csrf_protection > > > > > > I think rewriting every URL, and erroring if the token on a URL has > expired, > > will not be useful for most people. What happens if I copy the URL of a > page > > into an e-mail or Twitter post? As soon as anybody clicks that link, > they're > > going to get an error raised; maybe it will recover by clearing their > > session, causing them to log out unnecessarily; maybe it will refuse to > show > > the content claiming they're not authenticated. In the worst case, > someone > > might take my URL and use the CSRF token against me - they have a time > > limit, but if the application author relied on this protection, the same > > token will be valid for any action on the site. > > To protect all of URLs automatically, all URLs need to have token. > That's the reason why all URLs have token. The risk is the same as > Trans SID session management. > > > As described, the feature seems to assume that all pages are potential > CSRF > > targets, when even an authenticated user on a forum spends most of their > > time on URLs which retrieve data and have no side effects. As Stas > pointed > > out, not all content is amenable to rewriting, either, which could lead > to a > > false sense of security - dare I compare the infamous magic quotes? A > good > > implementation of CSRF protection has to consider when to generate a > token, > > when to check it, and what to do on failure - trying to submit a comment > > with an invalid CSRF token might re-display the comment form with > pre-filled > > content, for instance - and this proposal doesn't seem to address that. > > > > I think this is the kind of feature that can only really be addressed by > an > > application framework, which can have greater knowledge of when actions > are > > being triggered, link tokens to specific actions, and so on. > > Because of likelihood of the vulnerability, it's better provide basic > infrastructure. IMO. It's possible to give more control to users. > > - Specify protected method GET/POST or both. > GET should never require automatic CSRF protection. If you need this, you're doing something fundamentally wrong. The only exception are things like OAuth, but these have to be handled manually anyway. - Add session_csrf_validate() for manual validation > > Implementation is simple enough even with these addition. (Added to RFC) > > I considered to protect whole application while I was writing this RFC > draft. Thank you for point this out! > > Regards, > > -- > Yasuo Ohgaki > yohgaki@ohgaki.net > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > --047d7bf10b54c938ac05327b721c--