Newsgroups: php.internals
Xref: news.php.net php.internals:93146
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: rowan.collins@gmail.com (Rowan Collins)
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Date: Tue, 10 May 2016 13:36:24 +0100

Yasuo Ohgaki wrote on 10/05/2016 11:57:
> To protect all of URLs automatically, all URLs need to have token.
> That's the reason why all URLs have token.

In my opinion, that fails on both counts: not all URLs need protection (I would say for most applications, the majority of URLs do not need it), and not all URLs will be protected automatically (because rewriting HTML is a hard problem, and because some submissions that need protecting are not generated as HTML).
Interestingly, the OWASP page has a whole section on the dangers of exposing CSRF tokens in URLs: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL

It backs up my gut feeling that exposing the CSRF token too widely can severely diminish its usefulness; for instance, by exposing tokens in Referer headers sent to external sites.

There may be types of application that would benefit from every page having a "CSRF or die" policy - e.g. online banking - but I don't think they represent a large proportion of the PHP user space, or benefit significantly from having the functionality built into the language.

For everyone else, all that's needed is functions to manually generate, save, and validate tokens, and those can trivially be written as a userland library. Indeed there are plenty: https://packagist.org/search/?q=csrf

Regards,
-- 
Rowan Collins
[IMSoP]
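As an added illustration of the userland generate/save/validate approach described in the message above (example code written for this page, not code from the thread or from any of the Packagist libraries it links): the token comes from a CSPRNG, lives server-side in the session, is emitted only as a hidden field of a POST form rather than in a URL so it cannot leak through Referer headers, and is compared in constant time. The class name, the per-form scoping and the array standing in for $_SESSION are assumptions.

```php
<?php
// Added example, not from the thread: a minimal userland CSRF token helper.
// Keeping the token out of URLs avoids the Referer-header disclosure OWASP warns about.
final class CsrfTokens
{
    private array $store;

    // $store stands in for $_SESSION (assumption: any array-like session store works).
    public function __construct(array &$store)
    {
        $this->store = &$store;
    }

    // Generate (or reuse) a token for a named form; scoping per form limits reuse
    // of one token across unrelated actions.
    public function token(string $form): string
    {
        if (!isset($this->store['csrf'][$form])) {
            $this->store['csrf'][$form] = bin2hex(random_bytes(32));
        }
        return $this->store['csrf'][$form];
    }

    // Emit the token as a hidden field for a POST form, never as a query parameter.
    public function field(string $form): string
    {
        return '<input type="hidden" name="_csrf" value="' . $this->token($form) . '">';
    }

    // Validate a submitted token; a missing session token or missing field fails closed,
    // and hash_equals avoids a timing side channel on the comparison.
    public function validate(string $form, ?string $submitted): bool
    {
        $expected = $this->store['csrf'][$form] ?? null;
        if ($expected === null || $submitted === null) {
            return false;
        }
        return hash_equals($expected, $submitted);
    }
}

// Constructed CLI walk-through using a plain array in place of $_SESSION.
$session = [];
$csrf = new CsrfTokens($session);
echo $csrf->field('transfer'), "\n";
$posted = ['_csrf' => $session['csrf']['transfer']];        // constructed valid POST body
var_dump($csrf->validate('transfer', $posted['_csrf']));    // genuine submission
var_dump($csrf->validate('transfer', 'forged-value'));      // cross-site forgery attempt
var_dump($csrf->validate('other-form', $posted['_csrf']));  // token bound to a different form
var_dump($csrf->validate('transfer', null));                // field absent from the request
```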