From 634d7150e59d03e4a4987164bfe9948fb8828c70 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Wed, 29 Aug 2007 22:15:38 +0200
Subject: CSRF prevention for admin plugins
This patch adds a session based token to all form in the default action plugins. The validity of the token is checked before any administrative function is executed aiming to protect DokuWiki's admin functions from Cross-site request forgery (CSRF) attacks. Another patch will follow to add the same functionality on other, less critical functions. More details on CSRF attacks can be found at http://en.wikipedia.org/wiki/Cross-site_request_forgery
darcs-hash:20070829201538-7ad00-d0770224a3351fd8e38968e3a9d8e73520482445.gz
---
 inc/common.php | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
(limited to 'inc/common.php')
diff --git a/inc/common.php b/inc/common.php
index e812d181d..73e8e9369 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -52,6 +52,44 @@ function stripctl($string){
 return preg_replace('/[\x00-\x1F]+/s','',$string);
 }
+/**
+ * Return a secret token to be used for CSRF attack prevention
+ *
+ * @author Andreas Gohr
+ * @link http://en.wikipedia.org/wiki/Cross-site_request_forgery
+ * @link http://christ1an.blogspot.com/2007/04/preventing-csrf-efficiently.html
+ * @return string
+ */
+function getSecurityToken(){
+ return md5(auth_cookiesalt().session_id());
+}
+
+/**
+ * Check the secret CSRF token
+ */
+function checkSecurityToken($token=null){
+ if(is_null($token)) $token = $_REQUEST['sectok'];
+ if(getSecurityToken() != $token){
+ msg('Security Token did not match. Possible CSRF attack.',-1);
+ return false;
+ }
+ return true;
+}
+
+/**
+ * Print a hidden form field with a secret CSRF token
+ *
+ * @author Andreas Gohr
+ */
+function formSecurityToken($print=true){
+ $ret = ''."\n";
+ if($print){
+ echo $ret;
+ }else{
+ return $ret;
+ }
+}
+
 /**
 * Return info about the current document as associative
 * array.
--
cgit v1.2.3
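Review bot: `checkSecurityToken` compares the request-supplied value with `!=`, a loose comparison that is not constant-time and applies PHP's numeric-string rules to what should be two opaque hex digests; it also reads `$_REQUEST['sectok']` without an `isset` guard, so a request that omits the field raises a notice before the mismatch is reported. Because the token is attacker-influenced input, compare it strictly and in constant time: `if(is_null($token)) $token = isset($_REQUEST['sectok']) ? $_REQUEST['sectok'] : '';` followed by `if(!is_string($token) || !hash_equals(getSecurityToken(), $token)){`. `hash_equals()` needs PHP 5.6; on older runtimes a `(string)` cast plus `!==` is the minimal change that at least removes the type-juggling path. `$_REQUEST` can also include cookie values depending on `request_order`, so looking the token up in `$_POST`/`$_GET` only would keep it out of the cookie channel — whether other callers rely on `$_REQUEST` here is not visible in this hunk. Separately, in `formSecurityToken` the hidden-input markup appears to have been lost in the rendered line `$ret = ''."\n";`, so the field it emits cannot be reviewed from this page.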