====== DokuWiki/PHP Security Checklist ======

**Version:** 2.0\\
**Scope:** DokuWiki plugin development and PHP-specific security hardening.

**This section extends the common checklist for DokuWiki plugin development.**

===== PHP-Specific Security =====

^ Check ^ CWE ^ Description ^ Solution ^
| [ ] XSS Prevention | CWE-79 | User input in HTML output | ''hsc()'', ''htmlspecialchars()'' |
| [ ] SQL Injection | CWE-89 | Database queries | DokuWiki DB abstraction, prepared statements |
| [ ] Path Traversal | CWE-22 | File path manipulation | ''cleanID()'', ''resolve_id()'' |
| [ ] CSRF Protection | CWE-352 | Form submissions | ''getSecurityToken()'', ''checkSecurityToken()'' |
| [ ] Command Injection | CWE-78 | Shell commands | Avoid ''exec()'', ''shell_exec()'', ''system()'' |
| [ ] File Upload | CWE-434 | Malicious file uploads | MIME validation, extension whitelist |
| [ ] Open Redirect | CWE-601 | URL redirects | Whitelist allowed domains |
| [ ] Session Fixation | CWE-384 | Session handling | DokuWiki session management |

===== DokuWiki Input Handling =====

^ Function ^ Purpose ^ When to Use ^
| ''hsc($str)'' | HTML escape | All user input in HTML |
| ''$INPUT->str('param')'' | Safe GET/POST string | Form parameters |
| ''$INPUT->int('param')'' | Safe integer input | Numeric parameters |
| ''$INPUT->arr('param')'' | Safe array input | Array parameters |
| ''cleanID($id)'' | Sanitize page ID | Wiki page references |
| ''resolve_id($ns, $id)'' | Resolve relative ID | Namespace resolution |

===== DokuWiki Output Encoding =====

<code php>
// Note: the HTML tags in this block were lost during extraction and have been
// reconstructed; the element names are illustrative, the escaping calls are the point.

// CORRECT - Always escape user input
echo '<div>' . hsc($userInput) . '</div>';

// WRONG - XSS vulnerability!
echo '<div>' . $userInput . '</div>';

// CORRECT - Attribute escaping (hsc() uses ENT_QUOTES, so quotes are encoded too)
echo '<input type="text" value="' . hsc($text) . '">';

// CORRECT - JavaScript context: hand data over as JSON instead of HTML-escaped text
echo '<script>var data = ' . json_encode($data) . ';</script>';
</code>
===== DokuWiki Plugin Structure =====

^ Check ^ Description ^
| [ ] ''plugin.info.txt'' exists | Plugin metadata |
| [ ] ''@license'' header in all PHP files | GPL 2 or compatible |
| [ ] ''@author'' header with email | Attribution |
| [ ] Uses ''$this->getLang()'' | Localization |
| [ ] Uses DokuWiki events | Extensibility |
| [ ] No direct ''$_GET''/''$_POST'' access | Use ''$INPUT'' object |
| [ ] No direct file writes | Use DokuWiki APIs |

===== DokuWiki Security Audit Checklist =====

^ Check ^ CWE ^ PHP Code Pattern to Find ^
| [ ] XSS in echo | CWE-79 | ''echo $var'' without ''hsc()'' |
| [ ] XSS in print | CWE-79 | ''print $var'' without ''hsc()'' |
| [ ] Direct $_GET | CWE-20 | ''$_GET['param']'' |
| [ ] Direct $_POST | CWE-20 | ''$_POST['param']'' |
| [ ] Direct $_REQUEST | CWE-20 | ''$_REQUEST['param']'' |
| [ ] SQL concat | CWE-89 | ''"SELECT * FROM " . $var'' |
| [ ] Shell exec | CWE-78 | ''exec()'', ''shell_exec()'', ''system()'', backticks |
| [ ] File include | CWE-98 | ''include($var)'', ''require($var)'' |
| [ ] Unvalidated redirect | CWE-601 | ''header("Location: " . $var)'' |
| [ ] Eval | CWE-94 | ''eval($var)'' |
| [ ] Preg with e modifier | CWE-94 | ''preg_replace('/...$/e', ...)'' (deprecated) |

===== DokuWiki Security Functions Reference =====

^ Function ^ Purpose ^ CWE Prevented ^
| ''hsc()'' | HTML special chars | CWE-79 (XSS) |
| ''cleanID()'' | Clean page ID | CWE-22 (Path Traversal) |
| ''resolve_id()'' | Resolve page ID | CWE-22 (Path Traversal) |
| ''getSecurityToken()'' | Get CSRF token | CWE-352 (CSRF) |
| ''checkSecurityToken()'' | Verify CSRF token | CWE-352 (CSRF) |
| ''auth_quickaclcheck()'' | Check permissions | CWE-862 (Missing Auth) |
| ''$INPUT->str()'' | Safe string input | CWE-20 (Input Validation) |
| ''$INPUT->int()'' | Safe integer input | CWE-20 (Input Validation) |

----

  * ''plugin.info.txt'' exists
  * ''@license'' header in all PHP files
  * ''@author'' header with email
  * No direct ''$_GET''/''$_POST'' access
  * XSS prevention (''hsc()'' used)

----

//Version: 2.0 (Split)//\\
//Author: Wolfgang van der Stille//