CSRF prevention for admin plugins

This patch adds a session based token to all form in the default action plugins.
The validity of the token is checked before any administrative function is
executed aiming to protect DokuWiki's admin functions from Cross-site request
forgery (CSRF) attacks.

Another patch will follow to add the same functionality on other, less critical
functions.

More details on CSRF attacks can be found at
http://en.wikipedia.org/wiki/Cross-site_request_forgery

darcs-hash:20070829201538-7ad00-d0770224a3351fd8e38968e3a9d8e73520482445.gz

1 files changed, 7 insertions, 0 deletions

diff --git a/lib/plugins/plugin/admin.php b/lib/plugins/plugin/admin.php
index 5172568a3..5845f5183 100644
--- a/lib/plugins/plugin/admin.php
+++ b/lib/plugins/plugin/admin.php
@@ -116,6 +116,11 @@ class admin_plugin_plugin extends DokuWiki_Admin_Plugin {
         $this->plugin = '';
       }
 
+      if(($this->cmd != 'manage' || $this->plugin != '') && !checkSecurityToken()){
+        $this->cmd = 'manage';
+        $this->plugin = '';
+      }
+
       // create object to handle the command
       $class = "ap_".$this->cmd;
       if (!class_exists($class)) $class = 'ap_manage';
@@ -181,6 +186,7 @@ class ap_manage {
           ptln('    <fieldset class="hidden">',4);
           ptln('      <input type="hidden" name="do"   value="admin" />');
           ptln('      <input type="hidden" name="page" value="plugin" />');
+          formSecurityToken();
           ptln('    </fieldset>');
           ptln('    <fieldset>');
           ptln('      <legend>'.$this->lang['download'].'</legend>');
@@ -199,6 +205,7 @@ class ap_manage {
             ptln('  <fieldset class="hidden">');
             ptln('    <input type="hidden" name="do"     value="admin" />');
             ptln('    <input type="hidden" name="page"   value="plugin" />');
+            formSecurityToken();
             ptln('  </fieldset>');
 
             $this->html_pluginlist();