author | Andreas Gohr <andi@splitbrain.org> | 2007-08-29 22:15:38 +0200 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2007-08-29 22:15:38 +0200 |
commit | 634d7150e59d03e4a4987164bfe9948fb8828c70 (patch) | |
tree | 93357ea3c0c54840cf5ef040ecbc75ddbb3a5b66 /lib/plugins/acl/admin.php | |
parent | 0e1a261ed103bc8f11934d76ec8c7ec412f02220 (diff) | |
download | rpg-634d7150e59d03e4a4987164bfe9948fb8828c70.tar.gz rpg-634d7150e59d03e4a4987164bfe9948fb8828c70.tar.bz2 |
CSRF prevention for admin plugins
This patch adds a session-based token to all forms in the default action plugins.
The validity of the token is checked before any administrative function is
executed aiming to protect DokuWiki's admin functions from Cross-site request
forgery (CSRF) attacks.
Another patch will follow to add the same functionality on other, less critical
functions.
More details on CSRF attacks can be found at
http://en.wikipedia.org/wiki/Cross-site_request_forgery
darcs-hash:20070829201538-7ad00-d0770224a3351fd8e38968e3a9d8e73520482445.gz
Diffstat (limited to 'lib/plugins/acl/admin.php')
-rw-r--r-- | lib/plugins/acl/admin.php | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php
index 172c13af3..dd50bfb39 100644
--- a/lib/plugins/acl/admin.php
+++ b/lib/plugins/acl/admin.php
@@ -78,7 +78,9 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
 if($user == '@all') $user = '@ALL'; //special group! (now case insensitive)
 $perm = (int) $perm;
 if($perm > AUTH_DELETE) $perm = AUTH_DELETE;
- //FIXME sanitize scope!!!
+
+ // check token
+ if(!checkSecurityToken()) return;
 //nothing to do?
 if(empty($cmd) || empty($scope) || empty($user)) return;
@@ -295,6 +297,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
 ptln(' <input type="hidden" name="do" value="admin" />',4);
 ptln(' <input type="hidden" name="page" value="acl" />',4);
 ptln(' <input type="hidden" name="acl_cmd" value="save" />',4);
+ formSecurityToken();
 //scope select
 ptln($this->lang['acl_perms'],4);
@@ -374,6 +377,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
 // update form
 ptln('<td class="centeralign">',4);
 ptln(' <form method="post" action="'.wl($ID).'"><div class="no">',4);
+ formSecurityToken();
 ptln(' <input type="hidden" name="do" value="admin" />',4);
 ptln(' <input type="hidden" name="page" value="acl" />',4);
 ptln(' <input type="hidden" name="acl_cmd" value="save" />',4);
@@ -392,6 +396,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
 $ask .= $id.' '.$conf['name'].' '.$conf['perm'];
 ptln('<td class="centeralign">',4);
 ptln(' <form method="post" action="'.wl($ID).'" onsubmit="return confirm(\''.str_replace('\\\\n','\\n',addslashes($ask)).'\')"><div class="no">',4);
+ formSecurityToken();
 ptln(' <input type="hidden" name="do" value="admin" />',4);
 ptln(' <input type="hidden" name="page" value="acl" />',4);
 ptln(' <input type="hidden" name="acl_cmd" value="delete" />',4); |
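Review bot: The new `if(!checkSecurityToken()) return;` in the first hunk sits before the `//nothing to do?` guard, so the token is validated on every call of handle(), including requests that carry no acl_cmd at all; assuming handle() runs on each view of the admin page (as DokuWiki admin plugins do) and checkSecurityToken() reports a mismatch to the user (its body is not in this diff), a plain load of the ACL page would show a spurious token error. Gating it on an actual command, `if(!empty($cmd) && !checkSecurityToken()) return;`, or moving the check below the existing `//nothing to do?` return, keeps every state-changing path protected without that side effect. The hunk also drops `//FIXME sanitize scope!!!` without sanitizing anything: a matching token only ties the request to the user's session, it says nothing about whether `$scope` is a well-formed ID, so the reminder should stay (or be replaced by the intended normalisation, e.g. a cleanID() call, if that is what was meant). handle() starts and ends outside this hunk, so how `$scope` is consumed afterwards cannot be checked here.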
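Review bot: formSecurityToken() is inserted at a different spot in each form: after the `acl_cmd` hidden input in the hunk at line 297, but directly after `<div class="no">` in the update form (line 377) and the delete form (line 396). Choosing one position for all three — for instance right after the `acl_cmd` hidden input — makes the token field easy to locate the next time these forms are edited. Note also that it is called as a bare statement between `ptln(..., 4)` calls, so it must print the field itself and will not carry the indentation every neighbouring line passes to ptln(); cosmetic, but visible in the generated HTML.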