[WIP][RFC] Signed internal uris #6463
Conversation
|
@asm89 looks like a good concept. You should improve you PR comment and code. What about HInclude, it seems the code has been removed ? (I think I understand but the reason why butit should be mentionned in your post)
Wrong, HInclude. And we don't really care if they are generated or not. The important thing is whether they are routed or not.
Not everybody use a RP & HInclude must be accessible to the outside world. And one last but important q, why would using a controller be better than using a path ? |
|
@vicb: i was replying to the question "And one last but important q, why would using a controller be better than using a path ?" not having to define a route is easier than having to define one, at least initially because is one required step less, since often render calls are to controllers that are otherwise not supposed to be accessible .. there are of course plenty of cases where using a route is better and more flexible. |
|
Ok, thanks for clarification. In fact I'd like to know if asm89 as any other reason in mind (ie something we would have missed) |
|
Hiya guys! I'm also interested in this, for the same as @lsmith77 mentioned - usability, i.e. not needing to create+secure a route that's only used for a non-standalone render. That's especially important for developers that don't use ESI or HInclude, but just come across features that require them to need to render another controller. I don't care as much about the implementation - I would be ok with or without needing to create routes to use ESI/HInclude, as long as you didn't need to create (and secure) a route to use a non-standalone render. The internal URL stuff is convenient for people using ESI/HInclude, but it's also a bit magical, requires some extra "teaching" for people to understand how it works. In that way, I don't mind the route for those cases. Thanks! |
| list($service, $method) = explode(':', $controller, 2); | ||
| $class = get_class($this->container->get($service)); | ||
|
|
||
| if (!preg_match('/Controller$/', $class)) { |
There was a problem hiding this comment.
I know this is the convention, but why must it be a hard requirement? (Maybe it already is in full stack, not sure.)
There was a problem hiding this comment.
Using direct controllers is not supported at all in 2.2. This change allows to limit the security issue by allowing to execute code only in controllers (as this feature cannot be removed in maintenance release)
|
From a Drupal perspective, the most important usability factor is not having to manually create additional routes for each thing that you could non-subrequest-access (ESI, etc.). We're still working toward making the entire page mostly partial-based, and not having to replicate every partial we could possibly have as a unique route would make life a lot easier. I'm unclear how the signing would work for hInclude, though. Since that's always coming from the browser, what exactly is the benefit? |
|
@Crell avoiding links forged by the client by modifying the url. If the client modifies the target code, he won't be able to provide the update hash |
With signed uris
Yes, so adding HInclude was one of the things that fully opened up a security hole it seems. It would be nice however to attempt to fix it. :)
Not having to create a route for every single controller action? Why should a controller action be tied to the routing system? If you rely on rendering partials, having to add a route for all of them is a real dealbreaker imo (not to mention each partial now has to generate a url, go through the url matcher etc). The point is that the creation of @fabpot Any thoughts? |
|
@asm89 thanks for adding details I think were missing from your original PR. I wish the severity of the original issue would have been understood sooner & faster by the core team (I include myself here) so that we might have found a better solution. |
|
@vicb Yes, but since 2.2 is not out yet the complete removal of the feature could still be reverted? |
|
"reverted" is probably not a word I would use here. 2.2 is supposed to be feature complete sometime next week & entering a 2 month "stabilization" phase. Strictly speaking the modification you request is beyond the scope of the stabilization phase... So I think only @fabpot could answer your question. |
|
I spoke to several people about the removal of the I decided to remove these internal routes because of the big security issue they allow when not used properly. However, the proposal in this PR sounds good, but instead of reverting and applying this patch, I'd like to first finish and merge PR #6459 because it will then be much easier to implement what you propose selectively (depending on the rendering strategy). For instance, for the default and ESI rendering strategies, we can automatically reject any request not coming from localhost or trusted proxies; and use a signed URI for Hinclude. |
|
As the signature for the tag/function should be the same for everything, I was thinking about adding a new {% render url('path') %}
{% render path('path') %}
{% render controller('BlogBundle:Post:list', { 'limit': 2}) %} |
|
@fabpot I don't understand how url() and path() would differ there. Having controller() be a separate op makes sense to me, but how would that work outside of Twig? (Drupal's unlikely to be calling HttpKernel::render() from in a Twig file, more likely from its own PHP code.) |
|
@asm89 I have been thinking a little more about this PR. I think that having 2 different paths (secure vs HSI) is a must have. However I am not really comfortable with URL signing. Your app will still be exposed to brute force attacks. There could be an other simple solution that was exposed to @fabpot and @schmittjoh in my initial threat report. Hopefuly I can get feedback soon. The final solution might be a conjuction of both signing & this - I am sorry to be vague here but I think not giving too many details is preferable. |
|
@fabpot In that case, maybe @vicb If you're comfortable with it you can e-mail me about this too (iam.asm89 [at] gma...). While I tend to agree with the general feeling that the app will be exposed to brute force attacks when using url signing, in the end this isn't different from your |
|
@asm89 the difference being that |
|
@asm89 and brute-forcing an URL is much more powerull for an hacker: you can get access to the DB, file system, ... |
|
see #6459 for an implementation of the signing strategy. |
|
Closing in favor of #6459 |
This PR was merged into the master branch. Commits ------- 76fefe3 updated CHANGELOG and UPGRADE files f7da1f0 added some unit tests (and fixed some bugs) f17f586 moved the container aware HTTP kernel to the HttpKernel component 2eea768 moved the deprecation logic calls outside the new HttpContentRenderer class bd102c5 made the content renderer work even when ESI is disabled or when no templating engine is available (the latter being mostly useful when testing) a8ea4e4 [FrameworkBundle] deprecated HttpKernel::forward() (it is only used once now and not part of any interface anyway) 1240690 [HttpKernel] made the strategy a regular parameter in HttpContentRenderer::render() adc067e [FrameworkBundle] made some services private 1f1392d [HttpKernel] simplified and enhanced code managing the hinclude strategy 403bb06 [HttpKernel] added missing phpdoc and tweaked existing ones 892f00f [HttpKernel] added a URL signer mechanism for hincludes a0c49c3 [TwigBridge] added a render_* function to ease usage of custom rendering strategies 9aaceb1 moved the logic from HttpKernel in FrameworkBundle to the HttpKernel component Discussion ---------- [WIP] Kernel refactor Currently, the handling of sub-requests (including ESI and hinclude) is mostly done in FrameworkBundle. It makes these important features harder to implement for people using only HttpKernel (like Drupal and Silex for instance). This PR moves the code to HttpKernel instead. The code has also been refactored to allow easier integration of other rendering strategies (refs #6108). The internal route has been re-introduced but it can only be used for trusted IPs (so for the internal rendering which is managed by Symfony itself, or by a trusted reverse proxy like Varnish for ESI handling). For the hinclude strategy, when using a controller, the URL is automatically signed (see #6463). The usage of a listener instead of a controller to handle internal sub-requests speeds up things quite a lot as it saves one sub-request handling. In Symfony 2.0 and 2.1, the handling of a sub-request actually creates two sub-requests. Rendering a sub-request from a controller can be done with the following code: ```jinja {# default strategy #} {{ render(path("partial")) }} {{ render(controller("SomeBundle:Controller:partial")) }} {# ESI strategy #} {{ render(path("partial"), { strategy: 'esi' }) }} {{ render(controller("SomeBundle:Controller:partial"), { strategy: 'esi' }) }} {# hinclude strategy #} {{ render(path("default1"), { strategy: 'hinclude' }) }} ``` The second commit allows to simplify the calls a little bit thanks to some nice syntactic sugar: ```jinja {# default strategy #} {{ render(path("partial")) }} {{ render(controller("SomeBundle:Controller:partial")) }} {# ESI strategy #} {{ render_esi(path("partial")) }} {{ render_esi(controller("SomeBundle:Controller:partial")) }} {# hinclude strategy #} {{ render_hinclude(path("default1")) }} ``` --------------------------------------------------------------------------- by fabpot at 2013-01-03T17:58:49Z I've just pushed a new version of the code that actually works in my browser (but I've not yet written any unit tests). I've updated the PR description accordingly. All comments welcome! --------------------------------------------------------------------------- by Koc at 2013-01-03T20:11:43Z what about `render(controller="SomeBundle:Controller:partial", strategy="esi")`? --------------------------------------------------------------------------- by stof at 2013-01-04T09:01:01Z shouldn't we have interfaces for the UriSigner and the HttpContentRenderer ? --------------------------------------------------------------------------- by lsmith77 at 2013-01-04T19:28:09Z btw .. as mentioned in #6213 i think it would make sense to refactor the HttpCache to use a cache layer to allow more flexibility in where to cache the data (including clustering) and better invalidation. as such if you are refactoring HttpKernel .. it might also make sense to explore splitting off HttpCache. --------------------------------------------------------------------------- by fabpot at 2013-01-04T19:30:07Z @lsmith77 This is a totally different topic. This PR is just about moving things from FrameworkBundle to HttpKernel to make them more reusable outside of the full-stack framework. --------------------------------------------------------------------------- by fabpot at 2013-01-05T09:39:52Z I think this PR is almost ready now. I still need to update the docs and add some unit tests. Any other comments on the whole approach? The class names? The `controller` function thingy? The URI signer mechanism? The proxy protection for the internal controller? The proxy to handle internal routes? --------------------------------------------------------------------------- by sstok at 2013-01-05T10:08:25Z Looks good to me :+1: --------------------------------------------------------------------------- by sdboyer at 2013-01-07T18:17:08Z @Crell asked me to weigh in, since i'm one of the Drupal folks who's likely to work most with this. i think i've grokked about 60% of the big picture here, and i'm generally happy with what i see. the assumption that the HInclude strategy makes about working with templates probably isn't one that we'll be able to use (and so, would need to write our own), but that's not a big deal since the whole goal here is to make strategies pluggable. so, yeah. +1. --------------------------------------------------------------------------- by winzou at 2013-01-09T20:21:44Z Just for my information: will this PR be merged for 2.2 version? Thanks. --------------------------------------------------------------------------- by stof at 2013-01-09T20:41:04Z @winzou according to the blog post announcing the beta 1 release, yes. It is explicitly listed as being one of the reason to make it a beta instead of the first RC. --------------------------------------------------------------------------- by winzou at 2013-01-09T20:49:36Z OK thanks, I've totally skipped this blog post. --------------------------------------------------------------------------- by fabpot at 2013-01-10T15:26:15Z I've just added a bunch of unit tests and fix some bugs I found while writing the tests.
Recently a security issue with the
_internaluris of the FrameworkBundle led to the removal of the ability to directly render partials with controller actions, e.g.{% render 'BlogBundle:Post:list' with { 'limit': 2} %}. For me, people around me and probably other developers this mechanism was a big plus of Symfony2, because it was very easy to enable rendering these partials asstandaloneand get all the nice features of Varnish/esi.With this pull request I propose to revert to the "old" render behavior, but only remove the
/_internal_publicroute and secure the/_internalroute by signing the url. The implementation in this PR is far from finished, but I'm looking for comments.The complete removal of the feature should not have happened in my opinion, because not everyone relies on solely the routing firewall for security (annotations/aop, access checks in controllers, etc). Furthermore, if you do not use ESI,
_internaluris will never be generated! Finally there are also other ways to make sure that_internalurls are only requested by your reverse proxy (e.g. Varnish) and are not accessible for the outside world.There is also a POC by @fabpot that will allow for different rendering strategies if merged (#6459). The signed urls could also be a separate rendering strategy, but then it would still be useful to be able to do things like
{% render 'BlogBundle:...%}.