author | Andreas Gohr <andi@splitbrain.org> | 2007-08-29 22:15:38 +0200 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2007-08-29 22:15:38 +0200 |
commit | 634d7150e59d03e4a4987164bfe9948fb8828c70 (patch) | |
tree | 93357ea3c0c54840cf5ef040ecbc75ddbb3a5b66 /inc | |
parent | 0e1a261ed103bc8f11934d76ec8c7ec412f02220 (diff) | |
download | rpg-634d7150e59d03e4a4987164bfe9948fb8828c70.tar.gz rpg-634d7150e59d03e4a4987164bfe9948fb8828c70.tar.bz2 |
CSRF prevention for admin plugins
This patch adds a session-based token to all forms in the default action plugins.
The validity of the token is checked before any administrative function is
executed aiming to protect DokuWiki's admin functions from Cross-site request
forgery (CSRF) attacks.
Another patch will follow to add the same functionality on other, less critical
functions.
More details on CSRF attacks can be found at
http://en.wikipedia.org/wiki/Cross-site_request_forgery
darcs-hash:20070829201538-7ad00-d0770224a3351fd8e38968e3a9d8e73520482445.gz
Diffstat (limited to 'inc')
-rw-r--r-- | inc/common.php | 38 | ||||
-rw-r--r-- | inc/plugin.php | 4 |
2 files changed, 40 insertions, 2 deletions
diff --git a/inc/common.php b/inc/common.php
index e812d181d..73e8e9369 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -53,6 +53,44 @@ function stripctl($string){
 }
 /**
+ * Return a secret token to be used for CSRF attack prevention
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ * @link http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ * @link http://christ1an.blogspot.com/2007/04/preventing-csrf-efficiently.html
+ * @return string
+ */
+function getSecurityToken(){
+ return md5(auth_cookiesalt().session_id());
+}
+
+/**
+ * Check the secret CSRF token
+ */
+function checkSecurityToken($token=null){
+ if(is_null($token)) $token = $_REQUEST['sectok'];
+ if(getSecurityToken() != $token){
+ msg('Security Token did not match. Possible CSRF attack.',-1);
+ return false;
+ }
+ return true;
+}
+
+/**
+ * Print a hidden form field with a secret CSRF token
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ */
+function formSecurityToken($print=true){
+ $ret = '<input type="hidden" name="sectok" value="'.getSecurityToken().'" />'."\n";
+ if($print){
+ echo $ret;
+ }else{
+ return $ret;
+ }
+}
+
+/**
 * Return info about the current document as associative
 * array.
 *
diff --git a/inc/plugin.php b/inc/plugin.php
index d7dea4130..763b57bf2 100644
--- a/inc/plugin.php
+++ b/inc/plugin.php
@@ -155,7 +155,7 @@ class DokuWiki_Plugin {
 return $conf;
 }
-
+
 /**
 * Loads a given helper plugin (if enabled)
 *
@@ -163,7 +163,7 @@ class DokuWiki_Plugin {
 *
 * @param $name name of plugin to load
 * @param $msg message to display in case the plugin is not available
-
+
 * @return object helper plugin object
 */
 function loadHelper($name, $msg){ |
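Review bot: `checkSecurityToken()` in the inc/common.php hunk compares the expected and supplied tokens with loose `!=`, under which two numeric-looking strings are compared as numbers rather than byte for byte; an md5 hex digest can itself take a numeric form (`0e` followed only by digits), so the check is weaker than intended for such sessions. Use a strict comparison, `if(getSecurityToken() !== $token){`, and on PHP 5.6 or later `hash_equals()`, which is also constant-time. The line before it reads `$_REQUEST['sectok']` without checking the key exists, so a request that omits the field raises a notice before the mismatch is reported; `$token = isset($_REQUEST['sectok']) ? $_REQUEST['sectok'] : '';` gives the same outcome without the notice. The docblock of `getSecurityToken()` would also benefit from stating that the token is derived from `auth_cookiesalt()` and `session_id()` and therefore stays constant for the lifetime of a session, changing only when the session id does.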