DokuWiki/PHP Security Checklist

Version: 2.0
Scope: DokuWiki Plugin Development und PHP-spezifisches Security Hardening.

Diese Sektion erweitert die Common Checklist für DokuWiki Plugin Development.

PHP-Specific Security

Check	CWE	Description	Solution
[ ] XSS Prevention	CWE-79	User Input in HTML Output	`hsc()`, `htmlspecialchars()`
[ ] SQL Injection	CWE-89	Database Queries	DokuWiki DB Abstraction, Prepared Statements
[ ] Path Traversal	CWE-22	File Path Manipulation	`cleanID()`, `resolve_id()`
[ ] CSRF Protection	CWE-352	Form Submissions	`getSecurityToken()`, `checkSecurityToken()`
[ ] Command Injection	CWE-78	Shell Commands	Avoid `exec()`, `shell_exec()`, `system()`
[ ] File Upload	CWE-434	Malicious File Uploads	MIME Validation, Extension Whitelist
[ ] Open Redirect	CWE-601	URL Redirects	Whitelist allowed Domains
[ ] Session Fixation	CWE-384	Session Handling	DokuWiki Session Management

DokuWiki Input Handling

Function	Purpose	When to Use
`hsc($str)`	HTML Escape	All User Input in HTML
`$INPUT→str('param')`	Safe GET/POST String	Form Parameters
`$INPUT→int('param')`	Safe Integer Input	Numeric Parameters
`$INPUT→arr('param')`	Safe Array Input	Array Parameters
`cleanID($id)`	Sanitize Page ID	Wiki Page References
`resolve_id($ns, $id)`	Resolve Relative ID	Namespace Resolution

DokuWiki Output Encoding

// CORRECT - Always escape user input
echo '<div>' . hsc($userInput) . '</div>';
 
// WRONG - XSS vulnerability!
echo '<div>' . $userInput . '</div>';
 
// CORRECT - Attribute escaping
echo '<a href="' . hsc($url) . '">' . hsc($text) . '</a>';
 
// CORRECT - JavaScript context
echo '<script>var data = ' . json_encode($data, JSON_HEX_TAG) . ';</script>';

DokuWiki Plugin Structure

Check	Description
[ ] `plugin.info.txt` existiert	Plugin Metadata
[ ] `@license` Header in allen PHP Files	GPL 2 oder kompatibel
[ ] `@author` Header mit Email	Attribution
[ ] Verwendet `$this→getLang()`	Localization
[ ] Verwendet DokuWiki Events	Extensibility
[ ] Kein direkter `$_GET`/'$_POST `Zugriff \| Verwende` $INPUT`Object \| \| [ ] Keine direkten File Writes \| Verwende DokuWiki APIs \| ===== DokuWiki Security Audit Checklist ===== ^ Check ^ CWE ^ PHP Code Pattern to Find ^ \| [ ] XSS in echo \| CWE-79 \|`echo $var `ohne` hsc()`\| \| [ ] XSS in print \| CWE-79 \|`print $var `ohne` hsc()`\| \| [ ] Direct $_GET \| CWE-20 \|`$_GET['param']`\| \| [ ] Direct $_POST \| CWE-20 \|`$_POST['param']`\| \| [ ] Direct $_REQUEST \| CWE-20 \|`$_REQUEST['param']`\| \| [ ] SQL concat \| CWE-89 \|`„SELECT * FROM “ . $var`\| \| [ ] Shell exec \| CWE-78 \|`exec()`,` shell_exec()`,` system()`, Backticks \| \| [ ] File include \| CWE-98 \|`include($var)`,` require($var)`\| \| [ ] Unvalidated redirect \| CWE-601 \|`header(„Location: “ . $var)`\| \| [ ] Eval \| CWE-94 \|`eval($var)`\| \| [ ] Preg mit e modifier \| CWE-94 \|`preg_replace('/…$/e', …)`(deprecated) \| ===== DokuWiki Security Functions Reference ===== ^ Function ^ Purpose ^ CWE Prevented ^ \|`hsc()`\| HTML Special Chars \| CWE-79 (XSS) \| \|`cleanID()`\| Clean Page ID \| CWE-22 (Path Traversal) \| \|`resolve_id()`\| Resolve Page ID \| CWE-22 (Path Traversal) \| \|`getSecurityToken()`\| Get CSRF Token \| CWE-352 (CSRF) \| \|`checkSecurityToken()`\| Verify CSRF Token \| CWE-352 (CSRF) \| \|`auth_quickaclcheck()`\| Check Permissions \| CWE-862 (Missing Auth) \| \|`$INPUT→str()`\| Safe String Input \| CWE-20 (Input Validation) \| \|`$INPUT→int()''	Safe Integer Input	CWE-20 (Input Validation)

<wvds:audit:template> plugin.info.txt existiert @license Header in allen PHP Files @author Header mit Email Kein direkter $_GET/$_POST Zugriff XSS Prevention (hsc() verwendet) </wvds:audit:template>

Version: 2.0 (Split)
Autor: Wolfgang van der Stille

Zurück zu Stack Checklists | Review Checklists