Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93235 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 52594 invoked from network); 11 May 2016 12:31:42 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 12:31:42 -0000 Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.53 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 74.125.82.53 mail-wm0-f53.google.com Received: from [74.125.82.53] ([74.125.82.53:38006] helo=mail-wm0-f53.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 01/9B-28272-D2623375 for ; Wed, 11 May 2016 08:31:42 -0400 Received: by mail-wm0-f53.google.com with SMTP id g17so79855824wme.1 for ; Wed, 11 May 2016 05:31:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=gBxPKcF8H2ZUPnY6bDIs42yPOetuToE9tWD7FZvyFYw=; b=Xh253C9Cke+9S8pINB1K8WVPxfvSPkqWh7M+OyJldb8yJWhiZi4zRpQ56nSa3DVY7/ lA9SsAu1ntPNUeOx8ap60bm+UkTBbefjv5m8PZBnQ4353ldhqgXdvf8ECGkrHKYFaFVj bS2uFGkswOMsNt9948x6b6YZ37HbBv51hjSzH8Ecep1GKNvQjUoSKLs7GzbZk18hun6H OFAMDL31+Ty7UtcbuGOHbqtNG0riK6BZTJkh9w5y4bZZ6xYRAoG5IGcp7tr47a8d/Pfh XXgexuZfeL+/lKgJWxcg9J3OAHY1t86E12ljHCGhkQtA2LM4fvz4R4mzhhqghJweJvN7 QQzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=gBxPKcF8H2ZUPnY6bDIs42yPOetuToE9tWD7FZvyFYw=; b=NaYqth/lPFVbeRsMQw0JiVtfN4urjwfLtcAzu5+BVKgxSRay0TGiPgrK1jU8+b8dWJ fY7vFR/vPevfQ7NYw5pXa0GuENYUAFMBkigt7QQWCDbyzFQIwqyegiG6Tmb5CEOeTSbi /RMrN+nhjQnOtES5VfSSk3BInONiQfK//Q+MYox4qN1IZmWesbsjyhIYtIN/3DvHyxEp 7sZqV5WBSvPWKjOcyyJm77zC0/PYjyOHkSMIyXi34CRGki8VMnwT96UWI9k6ojWUqDvA WnEnUI9X9WU0O2nUDYfQk0IfjElasHMvJYm6XZUYncrRj07RVRb6hmY2h49XXAau0F5p 3DVg== X-Gm-Message-State: AOPr4FUsYVxr3SQw4C4d1M9G3HmGzVdbkolSYJt0Q67ZPeF+IvfnSXfFcHdkmIojxllzlA== X-Received: by 10.28.216.83 with SMTP id p80mr23380756wmg.49.1462969898318; Wed, 11 May 2016 05:31:38 -0700 (PDT) Received: from [192.168.0.98] ([93.188.182.58]) by smtp.gmail.com with ESMTPSA id gk4sm7865010wjd.7.2016.05.11.05.31.37 for (version=TLSv1/SSLv3 cipher=OTHER); Wed, 11 May 2016 05:31:37 -0700 (PDT) To: internals@lists.php.net References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> Message-ID: Date: Wed, 11 May 2016 13:29:12 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: rowan.collins@gmail.com (Rowan Collins) On 11/05/2016 09:13, Yasuo Ohgaki wrote: > Why > > session_start(['csrf_rewrite'=>SESSION_CSRF_POST, > 'csrf_validate'=>SESSION_CSRF_POST]); > ?> > > and protect CSRF attacks against POST requests are bad for PHP and its users? 1) Because it gives users a false sense of security. If you say "turn this on and don't think about CSRF", and then somebody is caught by a CSRF vulnerability because the HTML rewriter wasn't smart enough to inject the parameter in the right place, they will feel you misled them. If you can't say that, then it's not really as simple as you implied. 2) Because it treats all users as malicious actors, rather than fallible ones. If you take too long writing a comment, you shouldn't get a 500 error when you submit it, you should get a friendly message and a pre-filled form. That requires integration with the application framework, not with the session manager. 3) Because it complicates the session code with extra responsibilities, rather than concentrating on safely persisting arbitrary state data. 4) Because it adds yet another global setting that would be essential to be turned on for some applications, off for others. The current proposal has effectively 4 features: - Automatic generation and storage of a CSRF token on session start; a fairly trivial task to implement in plain PHP. - Optional automatic rewriting of HTML to include the token. This is the only part that is actually hard to do without the core's involvement, but see point 1 above. - A method to validate the CSRF token. Again, this is fairly simple to implement in PHP, and a quick glance at Packagist shows there are plenty of off-the-shelf implementations with various features. - Optional automatic enforcement of the CSRF check. This is also fairly easy to implement in plain PHP, and since the user is likely to need to implement user code to make use of it anyway (e.g. set_error_handler is mentioned in the current RFC), it may actually be easier to perform the check manually. Thinking about it, the only part that has some value being in core is the HTML rewriting. Perhaps what is actually needed is a lower-level function that PHP libraries can use to hook into this with whatever parameters they want, e.g. register_html_rewrite_callback( function() { return [ 'csrf_token' => MyFramework\CSRF::getToken() ]; }, REWRITE_POST_FORMS | REWRITE_URL ); Regards, -- Rowan Collins [IMSoP]