devel:security
Differences
devel:security [2015-11-07 16:19] – [Security Guidelines for Plugin Authors] 50.141.100.133 | devel:security [2023-08-14 13:41] (current) – Klap-in | ||
---|---|---|---|
Line 6: | Line 6: | ||
===Summary=== | ===Summary=== | ||
+ | |||
A list of the most common security issues and how to avoid them can be found on this page. A short summary: | A list of the most common security issues and how to avoid them can be found on this page. A short summary: | ||
* Cross Site Scripting (XSS) -- injects script into the website so that it runs in other users' browsers and acts on their behalf | * Cross Site Scripting (XSS) -- injects script into the website so that it runs in other users' browsers and acts on their behalf | ||
- | * Cross Site Request Forgery (CSRF) -- tricks to let you self do unknowingly harmful actions on your site | + | * Cross Site Request Forgery (CSRF) -- tricks to let you do unknowingly harmful actions on your site |
* Remote Code Inclusion -- loads attacker-supplied code into the server, where it is executed | * Remote Code Inclusion -- loads attacker-supplied code into the server, where it is executed | ||
- | * Information leaks -- there is too much information | + | * Information leaks -- there is too much information |
* SQL injection -- lets an attacker run unintended queries against your data | * SQL injection -- lets an attacker run unintended queries against your data | ||
Line 25: | Line 26: | ||
===Escaping output=== | ===Escaping output=== | ||
- | At an absolute minimum the plugin should ensure any raw data output has all HTML special characters converted to HTML entities using the [[phpfn> | + | At an absolute minimum the plugin should ensure any raw data output has all HTML special characters converted to HTML entities using the [[phpfn> |
Any wiki data that is read back and reused internally (e.g. user names or page names) should also be treated as untrusted. | Any wiki data that is read back and reused internally (e.g. user names or page names) should also be treated as untrusted. | ||
Line 31: | Line 32: | ||
===Input checking=== | ===Input checking=== | ||
Always check all your input. Use whitelists, filters and conversions to the exact data type you mean (e.g. cast a number that arrives as a mixed PHP value to an integer) so that you end up with __only__ the data you allowed. | Always check all your input. Use whitelists, filters and conversions to the exact data type you mean (e.g. cast a number that arrives as a mixed PHP value to an integer) so that you end up with __only__ the data you allowed. | ||
+ | |||
+ | Please also refer to our chapter on processing [[request vars]] like '' | ||
+ | |||
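As an added example (not code from this page or from DokuWiki itself), the whitelist-and-cast pattern described above applied to the options of a hypothetical list plugin. The option names, defaults and the "list plugin" are invented; the plain PHP array stands in for what a real plugin would read through ''$INPUT'' (''$INPUT->str()'', ''$INPUT->int()''), and page ids would additionally go through DokuWiki's ''cleanID()''.

```php
<?php
// Added example, not code from the DokuWiki page: whitelist-and-cast handling
// of plugin options. Plain PHP so it runs stand-alone; the option names
// (sort, limit, reverse, ns) and the "list plugin" are invented. Inside
// DokuWiki the raw values would come from $INPUT instead of an array, and a
// page id would additionally be passed through cleanID().
declare(strict_types=1);

const ALLOWED_SORT  = ['title', 'date', 'size'];  // whitelist: everything else is rejected
const LIMIT_DEFAULT = 10;
const LIMIT_MIN     = 1;
const LIMIT_MAX     = 100;

/**
 * Validate the option set of a hypothetical list plugin.
 * Each value ends up with the exact PHP type the rest of the plugin uses, and
 * anything outside the allowed set is replaced by a safe default rather than
 * passed on "mostly sanitised".
 */
function parseListOptions(array $raw): array
{
    // 1. Whitelist with strict comparison: "0", "", and arrays never match.
    $sort = $raw['sort'] ?? 'title';
    if (!is_string($sort) || !in_array($sort, ALLOWED_SORT, true)) {
        $sort = 'title';
    }

    // 2. Type conversion plus range: FILTER_VALIDATE_INT rejects "25abc",
    //    "1e3" and "0x1A"; the range makes "99999" fall back to the default.
    $limitRaw = $raw['limit'] ?? LIMIT_DEFAULT;
    if (!is_scalar($limitRaw)) {
        $limitRaw = LIMIT_DEFAULT;               // an array is never a number
    }
    $limit = filter_var($limitRaw, FILTER_VALIDATE_INT, [
        'options' => [
            'default'   => LIMIT_DEFAULT,
            'min_range' => LIMIT_MIN,
            'max_range' => LIMIT_MAX,
        ],
    ]);

    // 3. Boolean: only "1", "true", "on", "yes" become true; everything else is false.
    $reverseRaw = $raw['reverse'] ?? false;
    $reverse = is_scalar($reverseRaw) && filter_var($reverseRaw, FILTER_VALIDATE_BOOLEAN);

    // 4. Namespace / page id: allow a conservative character set and reject
    //    outright instead of trying to repair, so "../" never reaches a file API.
    //    (\z instead of $ so a trailing newline cannot sneak past the check.)
    $ns = $raw['ns'] ?? '';
    if (!is_string($ns) || !preg_match('/^[a-z0-9_.:-]*\z/', $ns) || strpos($ns, '..') !== false) {
        $ns = '';
    }

    return ['sort' => $sort, 'limit' => $limit, 'reverse' => $reverse, 'ns' => $ns];
}

// Constructed sample input: the kind of values an attacker can put in the query string.
$hostile = [
    'sort'    => 'title) UNION SELECT',
    'limit'   => '99999',
    'reverse' => 'yes',
    'ns'      => '../../conf/local',
];
var_dump(parseListOptions($hostile));
// sort => "title", limit => 10, reverse => true, ns => ""
```

The point of the ''is_scalar()'' guards is that PHP happily turns ''?limit[]=1'' into an array; a validator that assumes a string silently misbehaves on it, whereas rejecting non-scalars first keeps every branch predictable.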
==See also:== | ==See also:== | ||
Line 51: | Line 55: | ||
// common plugin functions omitted | // common plugin functions omitted | ||
- | function connectTo($mode) { | + | |
- | $this-> | + | $this-> |
} | } | ||
- | function handle($match, | + | |
- | return | + | return |
} | } | ||
- | function render($mode, &$R, $data) { | + | |
- | if($mode != ' | + | if($format |
- | $R->doc .= '< | + | $renderer->doc .= '< |
} | } | ||
} | } | ||
Line 74: | Line 78: | ||
// common plugin functions omitted | // common plugin functions omitted | ||
- | function connectTo($mode) { | + | |
- | $this-> | + | $this-> |
} | } | ||
- | function handle($match, | + | |
- | return | + | return |
} | } | ||
- | function render($mode, &$R, $data) { | + | |
- | if($mode != ' | + | if($format |
- | $R->doc .= '< | + | $renderer->doc .= '< |
} | } | ||
} | } | ||
Line 112: | Line 116: | ||
</ | </ | ||
</ | </ | ||
+ | |||
+ | In general it is recommended to not hand-craft forms, but use DokuWiki' | ||
=== Classes and other Attributes === | === Classes and other Attributes === | ||
Line 126: | Line 132: | ||
<code php> | <code php> | ||
- | $renderer-> | + | $renderer-> |
- | | + | . htmlspecialchars($message) |
- | | + | . '</ |
</ | </ | ||
Line 135: | Line 141: | ||
<code php> | <code php> | ||
- | $allowed = array(' | + | $allowed = [' |
- | if(!in_array($class, | + | if(!in_array($class, |
- | $class = ' | + | $class = ' |
} | } | ||
- | $renderer-> | + | $renderer-> |
- | | + | . htmlspecialchars($message) |
- | | + | . '</ |
</ | </ | ||
Line 152: | Line 158: | ||
<code php> | <code php> | ||
// empty URL on protocol mismatch | // empty URL on protocol mismatch | ||
- | if(!preg_match('/ | + | if(!preg_match('/ |
+ | | ||
+ | } | ||
</ | </ | ||
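The three rules above (entity-encode all output, whitelist class names instead of escaping them, and empty a URL whose protocol is not on the allowed list) combined in one render step, as an added example that is not code from this page or from DokuWiki. The message box, the class whitelist and the allowed-scheme list are invented for the example; ''esc()'' does what DokuWiki's ''hsc()'' does, so a real plugin would call ''hsc()'' instead.

```php
<?php
// Added example, not code from the DokuWiki page: output escaping, class
// whitelisting and URL scheme checking in one render function. Plain PHP so
// it runs stand-alone; the note-box markup, the allowed classes and the
// allowed schemes are assumptions made for the example.
declare(strict_types=1);

const ALLOWED_CLASSES = ['info', 'warning', 'error'];
const ALLOWED_SCHEMES = ['http', 'https', 'ftp'];

/** Same conversion DokuWiki's hsc() performs: safe for text nodes and quoted attributes. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** A class name is never escaped into the attribute; it is looked up in a whitelist. */
function safeClass(string $class): string
{
    return in_array($class, ALLOWED_CLASSES, true) ? $class : 'info';
}

/**
 * Return the URL only if its scheme is allowed, otherwise ''.
 * Entity-encoding alone does not help here: "javascript:alert(1)" contains no
 * special characters, yet executes when placed in an href. The regex is
 * anchored and allows no whitespace, so "jav\tascript:" (which browsers
 * collapse to javascript:) fails closed as well.
 */
function safeUrl(string $url): string
{
    if (!preg_match('/\A([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        return '';   // schemeless or protocol-relative ("//evil.example") is rejected too
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true) ? $url : '';
}

/** The render step: each attacker-influenced value goes through the check for its context. */
function renderNoteBox(string $message, string $class, string $url): string
{
    $href = safeUrl(trim($url));
    $html = '<div class="' . safeClass($class) . '">' . esc($message);
    if ($href !== '') {
        // the href is both scheme-checked and entity-encoded (for & and quotes)
        $html .= ' <a href="' . esc($href) . '">' . esc($href) . '</a>';
    }
    return $html . '</div>';
}

// Constructed hostile input: what a syntax plugin might receive from a wiki page.
echo renderNoteBox('<script>alert(1)</script>', '" onmouseover="alert(2)', 'javascript:alert(3)'), "\n";
// <div class="info">&lt;script&gt;alert(1)&lt;/script&gt;</div>

echo renderNoteBox('Docs', 'warning', 'https://example.org/?a=1&b=2'), "\n";
// <div class="warning">Docs <a href="https://example.org/?a=1&amp;b=2">https://example.org/?a=1&amp;b=2</a></div>
```

Note what each value needed: the message only needed encoding, the class could not be made safe by encoding at all (a class name you did not choose can restyle or hide parts of the interface), and the URL needed a semantic check of its scheme before the encoding that protects the attribute quoting.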
Line 159: | Line 167: | ||
This vulnerability often appears in plugins because the issue is poorly understood and frequently confused with XSS. | This vulnerability often appears in plugins because the issue is poorly understood and frequently confused with XSS. | ||
- | Cross Site Request Forgery refers to an attack where the victim' | + | Cross Site Request Forgery refers to an attack where the victim' |
===Adding security token=== | ===Adding security token=== | ||
- | DokuWiki offers functions to help you deal against CSRF attacks: [[xref> | ||
+ | DokuWiki offers functions to help you deal against CSRF attacks. [[xref> | ||
+ | |||
+ | |||
+ | It is your responsibility as the plugin author to actually check the token before executing authorized actions using the [[xref> | ||
==See also== | ==See also== | ||
Line 184: | Line 195: | ||
</ | </ | ||
- | Then you process this form has follow: | + | Then you process this form as follows: |
<code php> | <code php> | ||
- | if(isset($_GET[' | + | global $INPUT; |
- | do_something_with_yn($_GET[' | + | |
+ | if($INPUT-> | ||
+ | do_something_with_yn($INPUT-> | ||
} | } | ||
</ | </ | ||
Line 199: | Line 212: | ||
</ | </ | ||
- | What the user's browser | + | What will the user's browser do then? |
- | The browser will process this image as any other and will send a request to this URL. Your plugin will then see that $_GET[' | + | The browser will process this image as any other and will send a request to this URL. Your plugin will then see that '' |
That is one example of CSRF. Now, how do you fix this security hole? | That is one example of CSRF. Now, how do you fix this security hole? | ||
Line 218: | Line 231: | ||
</ | </ | ||
- | Do you see the first input? Yes? Good. Now you have to check the security token when you recieve | + | Do you see the first input? Yes? Good. Now you have to check the security token when you receive |
<code php> | <code php> | ||
- | if(isset($_GET[' | + | global $INPUT; |
- | do_something_with_yn($_GET[' | + | |
+ | if($INPUT-> | ||
+ | do_something_with_yn($INPUT-> | ||
} | } | ||
</ | </ | ||
Line 228: | Line 243: | ||
As the malicious website will never find the value of the " | As the malicious website will never find the value of the " | ||
- | **Note:** If the security token is not valid, the checkSecurityToken() function displays a message which inform | + | **Note:** If the security token is not valid, the '' |
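The complete flow from above (form with token, handler that verifies it) as an added example in the shape of an action plugin. It is not code from this page; ''formSecurityToken()'', ''checkSecurityToken()'', ''hsc()'', ''cleanID()'', ''msg()'', ''script()'', ''auth_quickaclcheck()'' and ''$INPUT'' are DokuWiki's own helpers, while the action name ''example_delete'', the ''attachment'' parameter and ''removeAttachment()'' are invented. It only runs inside a DokuWiki installation.

```php
<?php
// Added example, not code from the DokuWiki page: a hypothetical action plugin
// whose state-changing "example_delete" action is protected by DokuWiki's
// security token. DokuWiki helpers used: formSecurityToken(),
// checkSecurityToken(), hsc(), cleanID(), msg(), script(), auth_quickaclcheck(),
// $INPUT. Invented for the example: the action name, the 'attachment'
// parameter and removeAttachment().

use dokuwiki\Extension\ActionPlugin;
use dokuwiki\Extension\EventHandler;
use dokuwiki\Extension\Event;

class action_plugin_example_csrf extends ActionPlugin
{
    public function register(EventHandler $controller)
    {
        $controller->register_hook('ACTION_ACT_PREPROCESS', 'BEFORE', $this, 'handleAction');
    }

    /**
     * The form that triggers the action. Its only secret is the hidden sectok
     * field, which formSecurityToken(false) returns as
     * <input type="hidden" name="sectok" value="..."> bound to this session.
     */
    public function buildForm(string $attachmentId): string
    {
        return '<form method="post" action="' . hsc(script()) . '">'
            . formSecurityToken(false)
            . '<input type="hidden" name="do" value="example_delete" />'
            . '<input type="hidden" name="attachment" value="' . hsc($attachmentId) . '" />'
            . '<button type="submit">Delete attachment</button>'
            . '</form>';
    }

    /** Runs before DokuWiki dispatches the action named in ?do= or the "do" field. */
    public function handleAction(Event $event)
    {
        global $INPUT;
        if ($event->data !== 'example_delete') {
            return;                          // not our action
        }
        $event->data = 'show';               // whatever happens, end on the normal page view

        // 1. Side effects only on POST. A GET that changes state can be fired by
        //    <img src="https://wiki.example/doku.php?do=example_delete&attachment=x">
        //    from any page the victim happens to visit.
        if ($INPUT->server->str('REQUEST_METHOD') !== 'POST') {
            return;
        }

        // 2. The CSRF check proper. checkSecurityToken() reads the submitted
        //    'sectok', compares it with the token of the current session and on
        //    mismatch emits a "possible CSRF attack" warning via msg() and returns
        //    false. The attacker's page cannot read the victim's token, so a
        //    forged request never gets past this line.
        if (!checkSecurityToken()) {
            return;
        }

        // 3. Input checking and authorization still apply: the token only proves
        //    the request came from our own form, not that the user may do this.
        $id = cleanID($INPUT->post->str('attachment'));
        if ($id === '' || auth_quickaclcheck($id) < AUTH_DELETE) {
            return;
        }

        $this->removeAttachment($id);
        msg('Attachment ' . hsc($id) . ' removed.', 1);
    }

    /** Stand-in for the privileged work; a real plugin would call the media API here. */
    private function removeAttachment(string $id): void
    {
        // ...
    }
}
```

One caveat worth knowing: ''checkSecurityToken()'' returns true when no user is logged in (no ''REMOTE_USER''), since without a session there is no token to forge. It therefore protects actions a logged-in user may perform; the ACL check in step 3 is what keeps anonymous requests from doing anything at all.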
Line 234: | Line 249: | ||
===== Remote Code Inclusion ===== | ===== Remote Code Inclusion ===== | ||
- | This attack allows an attacker to inject (PHP) code into your application. This may occur on including files, or using unsafe operations functions like [[phpfn> | + | This attack allows an attacker to inject (PHP) code into your application. This may occur on including files, or using unsafe operations functions like [[phpfn> |
**Always filter any input** that will be used to load files or that is passed as an argument to external commands. | **Always filter any input** that will be used to load files or that is passed as an argument to external commands. |
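As an added example (not code from this page or from DokuWiki), the two ways plugin input most commonly turns into code execution, a string reaching ''include()'' and a string reaching a shell, shown next to the filtering that closes them. The template names, the directory layout and the ''convert'' invocation are invented for the example; it is plain PHP and runs stand-alone.

```php
<?php
// Added example, not code from the DokuWiki page: path traversal into include()
// and argument injection into a shell command, each beside its hardened form.
// The template names, directory layout and "convert" command line are invented.
declare(strict_types=1);

const ALLOWED_TEMPLATES = ['default', 'compact'];

/**
 * VULNERABLE: the request value becomes part of the include path, so
 * "../../../../tmp/evil", "php://filter/..." or (with allow_url_include on) a
 * remote URL all become code running as the web server.
 */
function templatePathUnsafe(string $baseDir, string $name): string
{
    return $baseDir . '/' . $name . '.php';
}

/**
 * Hardened: whitelist the name, build the path from the whitelisted value, then
 * confirm the resolved path is still inside the template directory.
 * Returns null for anything else; the caller must never fall back to the raw value.
 */
function templatePath(string $baseDir, string $name): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() has resolved symlinks and "..": the result must start with the base dir
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * External commands: validate the value against the shape you expect (a file
 * name must not start with "-", or it becomes an option), then let
 * escapeshellarg() quote every argument. Never interpolate into a string that
 * is handed to exec()/shell_exec()/passthru().
 */
function buildResizeCommand(string $file, int $width): string
{
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/', $file) || $width < 1 || $width > 4096) {
        throw new InvalidArgumentException('rejected file name or width');
    }
    return 'convert ' . escapeshellarg($file)
        . ' -resize ' . escapeshellarg((string) $width)
        . ' ' . escapeshellarg('thumb_' . $file);
}

// Constructed demo environment: a throw-away template directory.
$dir = sys_get_temp_dir() . '/tpl_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/default.php', "<?php echo 'default template';\n");

var_dump(templatePathUnsafe($dir, '../../../../etc/passwd'));          // path leaves the directory
var_dump(templatePath($dir, '../../../../etc/passwd'));                // NULL
var_dump(templatePath($dir, 'default') === realpath($dir . '/default.php'));  // bool(true)

echo buildResizeCommand('photo.png', 300), "\n";
// convert 'photo.png' -resize '300' 'thumb_photo.png'
try {
    buildResizeCommand('x.png; rm -rf /', 300);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

unlink($dir . '/default.php');
rmdir($dir);
```

The whitelist is the real control in both cases; ''realpath()'' and ''escapeshellarg()'' are second lines of defence for the day someone loosens the whitelist, not substitutes for it.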
devel/security.1446909580.txt.gz · Last modified: 2015-11-07 16:19 by 50.141.100.133