From 634d7150e59d03e4a4987164bfe9948fb8828c70 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Wed, 29 Aug 2007 22:15:38 +0200
Subject: CSRF prevention for admin plugins

This patch adds a session based token to all form in the default action plugins.
The validity of the token is checked before any administrative function is
executed aiming to protect DokuWiki's admin functions from Cross-site request
forgery (CSRF) attacks.

Another patch will follow to add the same functionality on other, less critical
functions.

More details on CSRF attacks can be found at
http://en.wikipedia.org/wiki/Cross-site_request_forgery

darcs-hash:20070829201538-7ad00-d0770224a3351fd8e38968e3a9d8e73520482445.gz
---
 inc/plugin.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'inc/plugin.php')

diff --git a/inc/plugin.php b/inc/plugin.php
index d7dea4130..763b57bf2 100644
--- a/inc/plugin.php
+++ b/inc/plugin.php
@@ -155,7 +155,7 @@ class DokuWiki_Plugin {
 
     return $conf;
   }
-  
+
   /**
    * Loads a given helper plugin (if enabled)
    *
@@ -163,7 +163,7 @@ class DokuWiki_Plugin {
    *
    * @param   $name   name of plugin to load
    * @param   $msg    message to display in case the plugin is not available
-   * 
+   *
    * @return  object  helper plugin object
    */
   function loadHelper($name, $msg){
-- 
cgit v1.2.3