Newsgroups: php.internals
Xref: news.php.net php.internals:93261
To: internals@lists.php.net
References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com>
Message-ID: <0e99dcee-44d9-053e-f4e8-4270f3e616c9@gmail.com>
Date: Thu, 12 May 2016 09:55:46 +0100
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: rowan.collins@gmail.com (Rowan Collins)

On 11/05/2016 13:29, Rowan Collins wrote:
> Thinking about it, the only part that has some value being in core is
> the HTML rewriting. Perhaps what is actually needed is a lower-level
> function that PHP libraries can use to hook into this with whatever
> parameters they want, e.g.
>
> register_html_rewrite_callback(
>     function() { return [ 'csrf_token' => MyFramework\CSRF::getToken() ]; },
>     REWRITE_POST_FORMS | REWRITE_URL
> );

I realised I over-complicated this; all you need is:

# ob_add_rewrite_param(array $fields, int $flags)
ob_add_rewrite_param(
    [ 'csrf_token' => MyFramework\CSRF::getToken() ],
    REWRITE_POST_FORMS | REWRITE_URL_LINKS
);

That said, this - and the CSRF mechanism as currently proposed - rely
heavily on the quality of that output rewriting engine. I've never used
it, so have no idea how well it actually works with a modern
application.

Regards,
-- 
Rowan Collins
[IMSoP]
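As an added example (not part of Rowan's message or of the RFC draft), the mechanism sketched above can already be tried with the url_rewriter that PHP ships today: output_add_rewrite_var() appends a name/value pair to every form in the buffered output as a hidden input and, depending on the url_rewriter.tags setting, to relative links as a query parameter. The script below issues one token per session, hands it to the rewriter, and checks it with hash_equals() on POST. Only output_add_rewrite_var(), url_rewriter.tags, random_bytes() and hash_equals() are real PHP APIs here; the CSRF_FIELD name, the csrfToken()/csrfValid() helpers and the sample form are assumptions made up for the demo.

```php
<?php
// Added example, not code from the mailing-list post or the RFC draft.
// Injects a per-session CSRF token into every <form> of the page through
// PHP's existing output rewriter and verifies it on POST.
// Run with the built-in server:  php -S 127.0.0.1:8000 csrf_demo.php
declare(strict_types=1);

// Hypothetical field name chosen for the demo.
const CSRF_FIELD = 'csrf_token';

function csrfToken(): string
{
    // One token per session, 256 bits from the CSPRNG, hex encoded.
    if (empty($_SESSION[CSRF_FIELD]) || !is_string($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

function csrfValid(array $post, string $expected): bool
{
    // A missing or non-string field is a plain failure (no type juggling),
    // and the comparison itself is constant time.
    $got = $post[CSRF_FIELD] ?? null;
    return is_string($got) && hash_equals($expected, $got);
}

session_start();
$token = csrfToken();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST, $token)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    // State-changing work would go here; the demo just falls through and
    // renders the page again.
}

// url_rewriter.tags decides which tags the rewriter touches. The shipped
// default only adds the hidden field to forms ("form="); this demo also
// opts relative <a href> links in. Absolute URLs to other hosts are not
// rewritten (see url_rewriter.hosts), so the token does not leak off-site.
ini_set('url_rewriter.tags', 'a=href,form=');

// Registers the pair with the rewriter and implicitly starts output
// buffering; the rewrite is applied when the buffer is flushed at the end
// of the request, so the markup below never mentions the token itself.
output_add_rewrite_var(CSRF_FIELD, $token);
?>
<!-- constructed sample page: the POST form gains a hidden csrf_token input,
     the relative link gains ?csrf_token=..., the external link is untouched -->
<form method="post" action="/transfer">
  <input name="amount" value="10">
  <button>Send</button>
</form>
<a href="/logout">Log out</a>
<a href="https://example.net/">External link</a>
```

Two caveats worth having in hand when judging the proposal. The rewriter is a tag scanner over the output buffer, not an HTML parser: forms built by JavaScript, fetch/XHR requests, and anything emitted before output_add_rewrite_var() was called or after the buffer was flushed get no token, which is exactly the "quality of the rewriting engine" question raised in the message. And injecting the field is only half the job; the csrfValid() check on every state-changing request is the part that actually stops the forged request.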