Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93252 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 96535 invoked from network); 11 May 2016 21:14:23 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 21:14:23 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.180 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.220.180 mail-qk0-f180.google.com Received: from [209.85.220.180] ([209.85.220.180:36558] helo=mail-qk0-f180.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 1B/82-28272-DA0A3375 for ; Wed, 11 May 2016 17:14:21 -0400 Received: by mail-qk0-f180.google.com with SMTP id x7so32906434qkd.3 for ; Wed, 11 May 2016 14:14:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=5+4lH7Dr3V+WnDO9Lfeqxjiz797gdiufiwSHkp2VMRo=; b=sPDIRpWLyrj7I8Rsl/ihuMv/qP2vWuJCoFHHZe25X6NbCUf4Z9+k3m5tXB/7DTw24M iFZWlZFmZaUVcCRLImq8JzNvA/S26v/4J8nIEgYro5pEOYu7eT4tF/7eLZqlqW4jgdhz UiS9yQTcicYEmYsnl7vfAz//630upDeAuW8MjL5iLGAviEfW0e+4h44qUOyOGaGHnbLD SL/OnrQinTCvfQCcB0U46zI+FOVbYZy6vedaA6j7x1tAOxdVcI1wGNG2mceXuQ+Y/b5n 07XMXagdyV2XnY9/P6MzDVU8Ksj1H4XvE49niccOKzXlZhWLn9L1yWgEMMjIwMZHA5A7 t4vw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=5+4lH7Dr3V+WnDO9Lfeqxjiz797gdiufiwSHkp2VMRo=; b=kKd8qbyx5Bzp/SEk1vrGfQdSM8CDgsFcGJ2h6pOdmOZCXU3AiFjzEBLVUsaohjmgJu ACL3RjPPDl/rhzpy2J5wMvOW+LczEZYAzoN3viSEPkXBLF7iZZXBjl/uCqMnBmYycMbW RLkbqrKR4RfjLc5W03K6hMFk7Tc8tM95YzE2Kzj18RTb2U4WEffW+5NyYMPtX4K6zaDm 7TGipilBmOUqPWVZQ4Hazo1oiahASE7eJBfVDKm+Ki7Z6mPl9YbohgEW7/IKhT+rroM5 Pv06iaGJJxEVK3dgcbPB9kIrvWGzNIVpbzJj2usE0+GWEKpTE7YezURBG07L9v10LAAj U7VQ== X-Gm-Message-State: AOPr4FXnEoDCwTZMaIyP+xRgSEuk7WiS58xaK/n0kwufzWgRlwfjB1e0/Xlw/btE9x1ERVcwkwTnxhz9zd3KgQ== X-Received: by 10.55.74.141 with SMTP id x135mr6422933qka.20.1463001258720; Wed, 11 May 2016 14:14:18 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.140.27.133 with HTTP; Wed, 11 May 2016 14:13:38 -0700 (PDT) In-Reply-To: References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> Date: Thu, 12 May 2016 06:13:38 +0900 X-Google-Sender-Auth: LoDuvYqespNcEdiOnSfHTqwiJX8 Message-ID: To: Arvids Godjuks Cc: Niklas Keller , Stanislav Malyshev , "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Arvids, On Wed, May 11, 2016 at 5:54 PM, Arvids Godjuks wrote: > 2016-05-11 11:05 GMT+03:00 Yasuo Ohgaki : >> >> Hi Arvids, >> >> On Wed, May 11, 2016 at 4:33 PM, Arvids Godjuks >> wrote: >> > i'm -1 on the CSRF in the sessions at all. Even more -1 on having it on >> > by >> > default and having any INI settings that affect how engine processes >> > data in >> > runtime. >> > People just don't learn until they shotgun themselves I guess. >> >> Override them if you don't like admins to set INI values. I've >> modified session_start() so that it can set INI values as function >> parameter. >> http://php.net/session_start > > > Admins can just forbid to change any settings. And there is an ini setting > "disable_functions" and alike. They will setup up session auto start and > forbid usage of the session_start. And force the CSRF. Been in similar > situations, done that, never want to deal with it again. Then you should check offending settings. INI system has downsides, but it has lots of upsides. You just have to live with it. Regarding this RFC, you don't have to care "don't work situation" because it's obvious to users. I'll make sure the manual has proper warnings. I understand you don't like INI system, but it cannot be good reason for declining tool for major security issue. There should be stronger reason to decline. IMHO. > I'm not even talking about the fact, that I may have reasons to use a > different hashing algorithm in the first place. > Dealing with JS side, when you need to pass the CSRF token there is next can > of worms. > And then you get to the part, where you need to use a distributed session > management, that has it's own can of worms. And forcing CSRF handling into > the session module probably is going to make it hard to deal with it at all. > > So no, sessions are sessions, they should have only one thing to be > responsible for - storing data. Nothing else. It's a module that already has > a lot of issues. What you are proposing, is to do what APC did - mixing code > opcache with shared memory storage. We all know how it ended. Session task is not a storing data. If you need storage, you can simply use file, database, etc. Session task, by definition, is to manage state of connections/requests, distinguish connections/requests i.e. provide authenticity. CSRF is authenticity problem by its definition. Therefore, it is a task of session manager. I know other system's session managers fail to cover it, but we don't have to follow inferior design. > >> >> >> >> > What I personally would be for, is a CSRF aPI module that comes as >> > default, >> > like the Password API one, that gives ability to generate good quality >> > CSRF >> > tokens and manage it. >> >> Imagine number of CSRF vulnerabilities in PHP apps. It's countless. >> >> Letting users to choose right way is not an good options. It is >> proven. I've added session.use_strict_mode (disallows permanent >> session hijack, etc) many years ago, but fair number of users aren't >> enabling this option. I suspect most majority of users aren't enabled >> it. Even if we provide solution, it's hard to be adopted. If there is >> no solution, outcome is easy to imagine. IMHO. >> >> Users had access to good PRNG. Even if mt_rand() is used, it is hard >> enough for attackers to guess, yet there are countless CSRF >> vulnerabilities. What's the reason to ignore the fact, huge number of >> CSRF vulnerabilities exist in PHP apps? >> >> I cannot understand rationale behind you and others think it should be >> users task completely... > > > If user does not want to use CSRF, you can't force him. And realisticly > speaking, how are you going to force the tokents on the GET urls? Rewrite > them. In JSON? In XML? etc? C'mon, these days url's there are single page > apps with their own routing and stuff and you will never get a CSRF token in > any automated maner there. It needs to be done by developer of the app. I don't force, but CSRF protection is optional. If you don't need it, don't use simply. > >> >> >> Anyway, I fails to see the reason why PHP should not invalidate CSRF >> attacks against POST requests with 2 simple parameter or INI... > > > Because they may be out of your control and just forced on you by a 3rd party. > Not to mention that 3rd party libraries will do stuff that will not take into account > this setting or do some hack, and that will negate any security. If apps has its own CSRF protection, it works independently. What will negate security? I can think of "session.csrf_domains" misuse/abuse, but it is the same as cross origin request misuse/abuse. Cross origin request is common these days and user should be able to use them correctly. "session.csrf_domains" misuse/abuse is not our problem. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net