DokuWiki/PHP Security Checklist
Version: 2.0
Scope: DokuWiki plugin development and PHP-specific security hardening.
This section extends the common checklist for DokuWiki plugin development.
===== PHP-Specific Security =====
| Check | CWE | Description | Solution |
|---|---|---|---|
| [ ] XSS Prevention | CWE-79 | User input in HTML output | hsc(), htmlspecialchars() |
| [ ] SQL Injection | CWE-89 | Database queries | DokuWiki DB abstraction, prepared statements |
| [ ] Path Traversal | CWE-22 | File path manipulation | cleanID(), resolve_id() |
| [ ] CSRF Protection | CWE-352 | Form submissions | getSecurityToken(), checkSecurityToken() |
| [ ] Command Injection | CWE-78 | Shell commands | Avoid exec(), shell_exec(), system() |
| [ ] File Upload | CWE-434 | Malicious file uploads | MIME validation, extension whitelist |
| [ ] Open Redirect | CWE-601 | URL redirects | Whitelist allowed domains |
| [ ] Session Fixation | CWE-384 | Session handling | DokuWiki session management |
===== DokuWiki Input Handling =====
| Function | Purpose | When to Use |
|---|---|---|
| hsc($str) | HTML escape | All user input in HTML |
| $INPUT->str('param') | Safe GET/POST string | Form parameters |
| $INPUT->int('param') | Safe integer input | Numeric parameters |
| $INPUT->arr('param') | Safe array input | Array parameters |
| cleanID($id) | Sanitize page ID | Wiki page references |
| resolve_id($ns, $id) | Resolve relative ID | Namespace resolution |
===== DokuWiki Output Encoding =====
<code php>
// CORRECT - Always escape user input before it reaches HTML
echo '<div>' . hsc($userInput) . '</div>';

// WRONG - XSS vulnerability!
echo '<div>' . $userInput . '</div>';

// CORRECT - Attribute escaping (href and link text both escaped)
echo '<a href="' . hsc($url) . '">' . hsc($text) . '</a>';

// CORRECT - JavaScript context: JSON-encode with JSON_HEX_TAG so "</script>" cannot be injected
echo '<script>var data = ' . json_encode($data, JSON_HEX_TAG) . ';</script>';
</code>
===== DokuWiki Plugin Structure =====
| Check | Description |
|---|---|
| [ ] plugin.info.txt exists | Plugin metadata |
| [ ] @license header in all PHP files | GPL 2 or compatible |
| [ ] @author header with email | Attribution |
| [ ] Uses $this->getLang() | Localization |
| [ ] Uses DokuWiki events | Extensibility |
| [ ] No direct $_GET/$_POST access | Use $INPUT object |
| [ ] No direct file writes | Use DokuWiki APIs |
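The input handling, output encoding and plugin structure checks above, applied together in one action plugin that handles a single form round-trip. This is an added example, not code from the page or from DokuWiki itself; the plugin name `example`, the action `example_note`, the form fields `target`/`note` and the lang key `noedit` are assumptions.

```php
<?php
// Added example (not from the page or DokuWiki): one form round-trip through the checklist.
// Assumed names: plugin "example", action "example_note", fields "target"/"note", lang key "noedit".
class action_plugin_example extends DokuWiki_Action_Plugin
{
    public function register(Doku_Event_Handler $controller)
    {
        $controller->register_hook('ACTION_ACT_PREPROCESS', 'BEFORE', $this, 'handleNote');
    }

    /** Renders the form; the CSRF token comes from DokuWiki, never hand-rolled. */
    public function renderForm($targetId, $prefill)
    {
        // wl() already URL-encodes the ID, so the href needs no further escaping
        return '<form method="post" action="' . wl($targetId) . '">'
            . formSecurityToken(false)                                  // CWE-352: hidden sectok
            . '<input type="hidden" name="do" value="example_note">'
            . '<input type="hidden" name="target" value="' . hsc($targetId) . '">' // CWE-79
            . '<textarea name="note">' . hsc($prefill) . '</textarea>'  // CWE-79
            . '<button type="submit">OK</button></form>';
    }

    public function handleNote(Doku_Event $event, $param)
    {
        global $INPUT, $ID;
        if ($event->data !== 'example_note') return;  // not our action
        $event->preventDefault();
        $event->data = 'show';                         // whatever happens, fall back to "show"

        // CWE-352: drop the POST unless the sectok matches the user's session
        if (!checkSecurityToken()) return;

        // CWE-20 / CWE-22: typed accessors instead of $_POST; page ID cleaned before any use
        $target = cleanID($INPUT->str('target', $ID));
        $note   = trim($INPUT->str('note'));
        if ($target === '' || $note === '') return;

        // CWE-862: check the ACL of the page being written, not the page being viewed
        if (auth_quickaclcheck($target) < AUTH_EDIT) {
            msg($this->getLang('noedit'), -1);
            return;
        }

        // No direct file writes: saveWikiText() handles locking, revisions and indexing
        saveWikiText($target, rawWiki($target) . "\n\n" . $note, 'note appended');
        msg(hsc($target) . ' updated', 1);             // msg() emits HTML, so escape the ID
    }
}
```

Each `// CWE-…` comment marks the checklist row the line satisfies, so the same file doubles as an audit walkthrough for the table in the next section.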
===== DokuWiki Security Audit Checklist =====
^ Check ^ CWE ^ PHP Code Pattern to Find ^
| [ ] XSS in echo | CWE-79 | echo $var without hsc() |
| [ ] XSS in print | CWE-79 | print $var without hsc() |
| [ ] Direct $_GET | CWE-20 | $_GET['param'] |
| [ ] Direct $_POST | CWE-20 | $_POST['param'] |
| [ ] Direct $_REQUEST | CWE-20 | $_REQUEST['param'] |
| [ ] SQL concat | CWE-89 | "SELECT * FROM " . $var |
| [ ] Shell exec | CWE-78 | exec(), shell_exec(), system(), backticks |
| [ ] File include | CWE-98 | include($var), require($var) |
| [ ] Unvalidated redirect | CWE-601 | header("Location: " . $var) |
| [ ] Eval | CWE-94 | eval($var) |
| [ ] Preg with e modifier | CWE-94 | preg_replace('/…$/e', …) (deprecated) |
===== DokuWiki Security Functions Reference =====
^ Function ^ Purpose ^ CWE Prevented ^
| hsc() | HTML special chars | CWE-79 (XSS) |
| cleanID() | Clean page ID | CWE-22 (Path Traversal) |
| resolve_id() | Resolve page ID | CWE-22 (Path Traversal) |
| getSecurityToken() | Get CSRF token | CWE-352 (CSRF) |
| checkSecurityToken() | Verify CSRF token | CWE-352 (CSRF) |
| auth_quickaclcheck() | Check permissions | CWE-862 (Missing Auth) |
| $INPUT->str() | Safe string input | CWE-20 (Input Validation) |
| $INPUT->int() | Safe integer input | CWE-20 (Input Validation) |
<wvds:audit:template>
plugin.info.txt exists
@license header in all PHP files
@author header with email
No direct $_GET/$_POST access
XSS prevention (hsc() used)
</wvds:audit:template>
Version: 2.0 (Split)
Author: Wolfgang van der Stille
Last modified: 2026/01/08 at 04:47 AM