Diffstat (limited to 'inc')
-rw-r--r--inc/common.php38
-rw-r--r--inc/plugin.php4
2 files changed, 40 insertions, 2 deletions
diff --git a/inc/common.php b/inc/common.php
index e812d181d..73e8e9369 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -53,6 +53,44 @@ function stripctl($string){
}
/**
+ * Return a secret token to be used for CSRF attack prevention
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ * @link http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ * @link http://christ1an.blogspot.com/2007/04/preventing-csrf-efficiently.html
+ * @return string
+ */
+function getSecurityToken(){
+ return md5(auth_cookiesalt().session_id());
+}
+
+/**
+ * Check the secret CSRF token
+ */
+function checkSecurityToken($token=null){
+ if(is_null($token)) $token = $_REQUEST['sectok'];
+ if(getSecurityToken() != $token){
+ msg('Security Token did not match. Possible CSRF attack.',-1);
+ return false;
+ }
+ return true;
+}
+
+/**
+ * Print a hidden form field with a secret CSRF token
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ */
+function formSecurityToken($print=true){
+ $ret = '<input type="hidden" name="sectok" value="'.getSecurityToken().'" />'."\n";
+ if($print){
+ echo $ret;
+ }else{
+ return $ret;
+ }
+}
+
+/**
* Return info about the current document as associative
* array.
*
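Review bot: checkSecurityToken() compares the token with loose `!=`, and reads `$_REQUEST['sectok']` without checking that the key exists, so a missing token produces an undefined-index notice and a token such as `0` or an array is compared against the md5 hex string under PHP's type-juggling rules rather than as a byte-exact string (an md5 of the form `0e<digits>` is numerically equal to `0` under `==`). A strict check closes both gaps: `if(is_null($token)) $token = isset($_REQUEST['sectok']) ? $_REQUEST['sectok'] : '';` followed by `if(!is_string($token) || getSecurityToken() !== $token){`; where the PHP baseline allows it, `hash_equals(getSecurityToken(), $token)` is preferable to `!==` so the comparison is constant-time. Note that `$_REQUEST` accepts the token from GET, POST and cookies alike; if cookie-borne tokens are not intended, reading `$_GET`/`$_POST` explicitly would say so, though the wiki's link-based actions may rely on GET deliberately. The hunk opens on the closing brace of stripctl() and ends inside the docblock of the next function, both of which continue outside this view.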
diff --git a/inc/plugin.php b/inc/plugin.php
index d7dea4130..763b57bf2 100644
--- a/inc/plugin.php
+++ b/inc/plugin.php
@@ -155,7 +155,7 @@ class DokuWiki_Plugin {
return $conf;
}
-
+
/**
* Loads a given helper plugin (if enabled)
*
@@ -163,7 +163,7 @@ class DokuWiki_Plugin {
*
* @param $name name of plugin to load
* @param $msg message to display in case the plugin is not available
- *
+ *
* @return object helper plugin object
*/
function loadHelper($name, $msg){