====== DokuWiki/PHP Security Checklist ======
**Version:** 2.0\\
**Scope:** DokuWiki plugin development and PHP-specific security hardening.
**This section extends the Common Checklist for DokuWiki plugin development.**
===== PHP-Specific Security =====
^ Check ^ CWE ^ Description ^ Solution ^
| [ ] XSS Prevention | CWE-79 | User Input in HTML Output | ''hsc()'', ''htmlspecialchars()'' |
| [ ] SQL Injection | CWE-89 | Database Queries | DokuWiki DB Abstraction, Prepared Statements |
| [ ] Path Traversal | CWE-22 | File Path Manipulation | ''cleanID()'', ''resolve_id()'' |
| [ ] CSRF Protection | CWE-352 | Form Submissions | ''getSecurityToken()'', ''checkSecurityToken()'' |
| [ ] Command Injection | CWE-78 | Shell Commands | Avoid ''exec()'', ''shell_exec()'', ''system()'' |
| [ ] File Upload | CWE-434 | Malicious File Uploads | MIME Validation, Extension Whitelist |
| [ ] Open Redirect | CWE-601 | URL Redirects | Whitelist allowed Domains |
| [ ] Session Fixation | CWE-384 | Session Handling | DokuWiki Session Management |
===== DokuWiki Input Handling =====
^ Function ^ Purpose ^ When to Use ^
| ''hsc($str)'' | HTML Escape | All User Input in HTML |
| ''$INPUT->str('param')'' | Safe GET/POST String | Form Parameters |
| ''$INPUT->int('param')'' | Safe Integer Input | Numeric Parameters |
| ''$INPUT->arr('param')'' | Safe Array Input | Array Parameters |
| ''cleanID($id)'' | Sanitize Page ID | Wiki Page References |
| ''resolve_id($ns, $id)'' | Resolve Relative ID | Namespace Resolution |
===== DokuWiki Output Encoding =====
<code php>
// NOTE: the HTML element names in this block were lost during extraction and have been
// reconstructed with generic markup; the escaping calls are the point, not the tags.

// CORRECT - Always escape user input (HTML body context)
echo '<p>' . hsc($userInput) . '</p>';

// WRONG - XSS vulnerability!
echo '<p>' . $userInput . '</p>';

// CORRECT - Attribute escaping (hsc() also escapes quotes, so keep the attribute quoted)
echo '<input type="text" value="' . hsc($text) . '">';

// CORRECT - JavaScript context: encode as JSON, with the HEX flags so that a value
// containing "</script>" or quotes cannot break out of the script element
echo '<script>var data = ' . json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . ';</script>';
</code>
===== DokuWiki Plugin Structure =====
^ Check ^ Description ^
| [ ] ''plugin.info.txt'' exists | Plugin metadata |
| [ ] ''@license'' header in all PHP files | GPL 2 or compatible |
| [ ] ''@author'' header with email | Attribution |
| [ ] Uses ''$this->getLang()'' | Localization |
| [ ] Uses DokuWiki events | Extensibility |
| [ ] No direct ''$_GET''/''$_POST'' access | Use the ''$INPUT'' object |
| [ ] No direct file writes | Use DokuWiki APIs |
===== DokuWiki Security Audit Checklist =====
^ Check ^ CWE ^ PHP Code Pattern to Find ^
| [ ] XSS in echo | CWE-79 | ''echo $var'' without ''hsc()'' |
| [ ] XSS in print | CWE-79 | ''print $var'' without ''hsc()'' |
| [ ] Direct $_GET | CWE-20 | ''$_GET['param']'' |
| [ ] Direct $_POST | CWE-20 | ''$_POST['param']'' |
| [ ] Direct $_REQUEST | CWE-20 | ''$_REQUEST['param']'' |
| [ ] SQL concat | CWE-89 | ''"SELECT * FROM " . $var'' |
| [ ] Shell exec | CWE-78 | ''exec()'', ''shell_exec()'', ''system()'', Backticks |
| [ ] File include | CWE-98 | ''include($var)'', ''require($var)'' |
| [ ] Unvalidated redirect | CWE-601 | ''header("Location: " . $var)'' |
| [ ] Eval | CWE-94 | ''eval($var)'' |
| [ ] preg with e modifier | CWE-94 | ''preg_replace('/...$/e', ...)'' (deprecated) |
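The audit table above is a list of source patterns to hunt for. The following added example (not part of this page or of DokuWiki) turns it into a small static scanner: each row becomes a regular expression, every PHP file below a directory is checked line by line, and hits are printed as candidates for manual review. The regexes are deliberately loose and the comment-skipping is a heuristic, so a hit means "look here", not "this is exploitable". The sample source string at the end is constructed for a demo run; the ''/e'' check assumes ''/'' as the pattern delimiter.

```php
<?php
/**
 * Added example (not from the page or the DokuWiki project): grep-style audit
 * scanner for the "PHP Code Pattern to Find" column of the checklist.
 * Usage:  php audit_scan.php lib/plugins/myplugin    (scan a directory)
 *         php audit_scan.php                          (scan the built-in sample)
 */

/** check name => [CWE, regex]. Loose on purpose: they surface candidates for review. */
const AUDIT_PATTERNS = [
    'echo/print without hsc()'  => ['CWE-79',  '/\b(?:echo|print)\s+\$\w+/'],
    'direct superglobal access' => ['CWE-20',  '/\$_(?:GET|POST|REQUEST|COOKIE)\s*\[/'],
    'SQL string concatenation'  => ['CWE-89',  '/["\']\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"\']*["\']\s*\.\s*\$/i'],
    'shell execution'           => ['CWE-78',  '/\b(?:exec|shell_exec|system|passthru|popen|proc_open)\s*\(|`[^`]*\$/'],
    'dynamic include'           => ['CWE-98',  '/\b(?:include|require)(?:_once)?\s*\(?\s*\$/'],
    'unvalidated redirect'      => ['CWE-601', '/header\s*\(\s*["\']Location:\s*["\']\s*\.\s*\$/i'],
    'eval()'                    => ['CWE-94',  '/\beval\s*\(/'],
    'preg_replace /e modifier'  => ['CWE-94',  '/preg_replace\s*\(\s*["\']\/[^"\']*\/[imsxu]*e[imsxu]*["\']/'],
];

/** Scan one PHP source string; returns a list of findings (file, line, cwe, check, code). */
function scanSource(string $code, string $file = '<inline>'): array
{
    $findings = [];
    foreach (explode("\n", $code) as $n => $line) {
        $trim = ltrim($line);
        // heuristic: skip blank lines and obvious comment lines
        if ($trim === '' || strpos($trim, '//') === 0 || strpos($trim, '*') === 0 || strpos($trim, '/*') === 0) {
            continue;
        }
        foreach (AUDIT_PATTERNS as $name => [$cwe, $regex]) {
            if (!preg_match($regex, $line)) {
                continue;
            }
            // "echo $var" is only interesting when no escaping call appears on the same line
            if ($cwe === 'CWE-79' && preg_match('/\b(?:hsc|htmlspecialchars)\s*\(/', $line)) {
                continue;
            }
            $findings[] = [
                'file' => $file, 'line' => $n + 1, 'cwe' => $cwe,
                'check' => $name, 'code' => trim($line),
            ];
        }
    }
    return $findings;
}

/** Recursively scan every *.php file below $dir. */
function scanDirectory(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if ($info->getExtension() !== 'php') {
            continue;
        }
        $findings = array_merge($findings, scanSource(file_get_contents($path), $path));
    }
    return $findings;
}

// Constructed sample: one instance of several checklist patterns (and one clean line)
$sample = <<<'PHPSRC'
$name = $_GET['name'];
echo $name;
echo hsc($name);
$sql = "SELECT * FROM pages WHERE id = " . $id;
header("Location: " . $target);
$out = shell_exec('ls ' . $dir);
PHPSRC;

$findings = $argc > 1 ? scanDirectory($argv[1]) : scanSource($sample, 'sample');
foreach ($findings as $f) {
    printf("%s:%d [%s] %s: %s\n", $f['file'], $f['line'], $f['cwe'], $f['check'], $f['code']);
}
```

Run against the built-in sample it reports five findings (lines 1, 2, 4, 5 and 6); line 3 is skipped because ''hsc()'' appears on it. For a real audit the output is a worklist, and every line still has to be traced back to whether the variable is attacker-controlled and whether DokuWiki's own ''$INPUT'' or ''cleanID()'' already sanitised it.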
===== DokuWiki Security Functions Reference =====
^ Function ^ Purpose ^ CWE Prevented ^
| ''hsc()'' | HTML Special Chars | CWE-79 (XSS) |
| ''cleanID()'' | Clean Page ID | CWE-22 (Path Traversal) |
| ''resolve_id()'' | Resolve Page ID | CWE-22 (Path Traversal) |
| ''getSecurityToken()'' | Get CSRF Token | CWE-352 (CSRF) |
| ''checkSecurityToken()'' | Verify CSRF Token | CWE-352 (CSRF) |
| ''auth_quickaclcheck()'' | Check Permissions | CWE-862 (Missing Auth) |
| ''$INPUT->str()'' | Safe String Input | CWE-20 (Input Validation) |
| ''$INPUT->int()'' | Safe Integer Input | CWE-20 (Input Validation) |
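The input-handling table and the functions reference above list the same helpers in isolation. The following added example (not from this page or from DokuWiki itself) shows them together in the place a plugin author actually uses them: an action plugin answering a hypothetical AJAX call ''example_preview''. The plugin name ''example'', the call name and the parameter names ''id'' and ''lines'' are assumptions; ''checkSecurityToken()'', ''cleanID()'', ''auth_quickaclcheck()'', ''rawWiki()'', ''http_status()'' and ''hsc()'' are real DokuWiki functions.

```php
<?php
/**
 * Added example (not from the page or the DokuWiki project):
 * lib/plugins/example/action.php - input validation, CSRF check, ACL check
 * and context-correct output in one AJAX handler.
 *
 * @license GPL 2 http://www.gnu.org/licenses/gpl-2.0.html
 * @author  Example Author <author@example.org>   (placeholder attribution)
 */
class action_plugin_example extends DokuWiki_Action_Plugin
{
    /** AJAX_CALL_UNKNOWN fires for every call name DokuWiki does not handle itself. */
    public function register(Doku_Event_Handler $controller)
    {
        $controller->register_hook('AJAX_CALL_UNKNOWN', 'BEFORE', $this, 'handleAjax');
    }

    public function handleAjax(Doku_Event $event, $param)
    {
        if ($event->data !== 'example_preview') {
            return;                      // not our call; let other plugins look at it
        }
        $event->preventDefault();
        $event->stopPropagation();

        /** @var Input $INPUT */
        global $INPUT;

        // 1. CSRF: the token is expected in the 'sectok' parameter (that is what
        //    getSecurityToken()/formSecurityToken() emit on the form side).
        if (!checkSecurityToken()) {
            http_status(403);
            return;
        }

        // 2. Typed access instead of $_GET/$_POST/$_REQUEST:
        //    str() returns '' when the parameter is missing, int() returns the default.
        $rawId = $INPUT->str('id');
        $lines = $INPUT->int('lines', 20);

        // 3. Normalise the page ID: cleanID() strips "..", path separators and
        //    characters that are not allowed in IDs, so it cannot escape the pages dir.
        $id = cleanID($rawId);
        if ($id === '') {
            http_status(400);
            return;
        }

        // 4. Authorization: the current user needs at least read permission on $id.
        if (auth_quickaclcheck($id) < AUTH_READ) {
            http_status(403);
            return;
        }

        // 5. Clamp numeric input to a sane range before using it as a slice size.
        $lines   = max(1, min($lines, 200));
        $text    = rawWiki($id);
        $excerpt = implode("\n", array_slice(explode("\n", $text), 0, $lines));

        // 6. Output: every dynamic value is escaped for the context it lands in
        //    (attribute value and element body are both HTML here, so hsc() for both).
        header('Content-Type: text/html; charset=utf-8');
        echo '<pre class="example-preview" data-id="' . hsc($id) . '">'
            . hsc($excerpt) . '</pre>';
    }
}
```

The order matters: the CSRF check comes before any state is touched, the ID is cleaned before it is used in an ACL check (so the permission decision is made on the same ID that is read), and the permission check comes before ''rawWiki()'' reads anything from disk. On the form side the matching token is emitted with ''formSecurityToken()'' or passed from ''JSINFO.sectok'' in the page's JavaScript.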
----
  * ''plugin.info.txt'' exists
  * ''@license'' header in all PHP files
  * ''@author'' header with email
  * No direct ''$_GET''/''$_POST'' access
  * XSS prevention (''hsc()'' used)
----
//Version: 2.0 (Split)//\\
//Author: Wolfgang van der Stille//
Back to [[.:start|Stack Checklists]] | [[..:start|Review Checklists]]
~~DISCUSSION:off~~