Newsgroups: php.internals
Xref: news.php.net php.internals:93187
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: Kinn Julião <kinncj@gmail.com>
To: Yasuo Ohgaki
Cc: internals@lists.php.net, Stanislav Malyshev
Date: Tue, 10 May 2016 22:53:22 -0400

You seem to have misunderstood your own "get_csrf_token.php" and how attackers would benefit from that.

Anyway, you're trying to transfer an application behaviour to the core...

Stick to -1.

On May 10, 2016 10:18 PM, "Yasuo Ohgaki" wrote:
> Hi Kinn,
>
> On Wed, May 11, 2016 at 10:20 AM, Kinn Julião wrote:
> >> JS code that does not have pages at all may obtain a CSRF token manually.
> >
> > That's against CSRF protection... in fact, a remote app can also obtain the
> > token and make the cross-site request forgery...
> >
> > -1
>
> You seem to have __misunderstood__ the behavior.
>
> The random CSRF token generation key is stored in session data, which is
> private to the user.
> The CSRF token is generated using the secret key.
>
> Therefore, an attacker cannot get the CSRF token unless they have already
> stolen the session (which is not in the scope of this RFC).
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
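One way to implement the scheme Yasuo describes above (a random key kept in session data, tokens derived from it), as an added illustration that is not part of the thread or of the RFC draft; the HMAC-SHA256 derivation over a form id, the function names and the in-memory sessions are assumptions:

```php
<?php
declare(strict_types=1);

// Create or fetch the per-session secret key. In a real app $session
// would be $_SESSION; here it is a plain array so the script runs offline.
function csrf_session_key(array &$session): string
{
    if (!isset($session['csrf_key']) || strlen($session['csrf_key']) !== 32) {
        $session['csrf_key'] = random_bytes(32); // 256-bit secret, never sent to the client
    }
    return $session['csrf_key'];
}

// Derive the token embedded in a form or sent with an XHR request.
// Binding it to a form/action id means a token issued for one form
// does not validate another (assumed derivation, not the RFC's).
function csrf_token(array &$session, string $formId): string
{
    return hash_hmac('sha256', $formId, csrf_session_key($session));
}

// Verify a submitted token in constant time.
function csrf_verify(array &$session, string $formId, string $submitted): bool
{
    if (!isset($session['csrf_key'])) {
        return false; // no secret yet, so no token can have been issued
    }
    return hash_equals(csrf_token($session, $formId), $submitted);
}

// Demonstration with two constructed, in-memory sessions.
$victim   = [];
$attacker = [];

$token = csrf_token($victim, 'transfer_funds');
var_dump(csrf_verify($victim, 'transfer_funds', $token)); // same session and form id
var_dump(csrf_verify($victim, 'delete_account', $token)); // token issued for a different form

// A token endpoint called from another origin runs in that caller's own
// session, so whatever it returns was derived under a different key.
$other = csrf_token($attacker, 'transfer_funds');
var_dump(csrf_verify($victim, 'transfer_funds', $other)); // derived under another session's key
```

The check that matters for the thread's argument is the last one: knowing the form id and being able to request tokens in one's own session does not yield a token valid for the victim's session.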