ljm42
Posted January 22

Hello plugin authors! We recently published a blog post about some security issues in earlier versions of Unraid and we want to make sure that plugins don't have similar issues. Please review your plugins for the following potential issues:

1. GET vs POST

Use GET sparingly. It is ok when displaying information, like `view.php?id=7`, but never for taking action, like `delete.php?id=7`. Any scripts that take action on an input must get that input via POST. In PHP that means using the $_POST and $_GET superglobals specifically rather than the more generic $_REQUEST.

The CSRF token should never be passed on the querystring via GET. In most cases the webGUI will add it to POST methods automatically.

2. XSS

Ensure that any variable is wrapped with `htmlspecialchars($variable)` right before it is output to the browser. This is critical for data that comes from the user via $_POST or $_GET, from data that is read from config files, or from any other place that a user/attacker could affect the contents.

It is important to do this right before outputting the variable so there is no risk of running the variable through the htmlspecialchars function twice.

Note: this is not strictly necessary if you have already taken steps to ensure the variable only contains integers, or is one of three specific strings, etc. But in general it is safest to always wrap variables before outputting them.

3. Reading config files

If you read plugin settings via something like this:

```php
$config_file = "/boot/config/$plugin/$plugin.cfg";
$cfg = is_file($config_file) ? @parse_ini_file($config_file, true) : array();
```

Please consider switching to this:

```php
require_once "$docroot/plugins/dynamix/include/Wrappers.php"; // might not be necessary
$cfg = parse_plugin_cfg($plugin);
```

This will automatically merge the plugin's config file from the flash drive:

`/boot/config/plugins/$plugin/$plugin.cfg`

with a default config (if the plugin has defined one):

`$docroot/plugins/$plugin/default.cfg`

And in recent releases it will sanitize the values in the config files to make them safer.
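The three checklist items above, applied to one small plugin page. This is an added example, not code from the post or from Unraid's dynamix webGUI. It assumes `$docroot` is `/usr/local/emhttp`, a hypothetical plugin named `myplugin` whose cfg holds the keys `title` and `entries`, and that `parse_plugin_cfg()` is the helper the post names; the fallback definition only reproduces the default.cfg/flash merge the post describes (not the sanitization newer releases add) so the file can be read stand-alone.

```php
<?php
/*
 * Added example (not from the forum post or from Unraid/dynamix): a plugin
 * page that lists "entries" from the plugin cfg, shows one via GET, and
 * deletes one via POST only.
 *
 * Assumptions (labelled, not stated in the post):
 *   - $docroot is "/usr/local/emhttp";
 *   - the plugin is hypothetically named "myplugin";
 *   - its cfg holds keys "title" and "entries" (comma-separated);
 *   - parse_plugin_cfg() is the helper the post names; the fallback below
 *     does only the merge the post describes, without any sanitization.
 */
$docroot = $docroot ?? '/usr/local/emhttp';   // assumption
$plugin  = 'myplugin';                         // hypothetical plugin name

$wrappers = "$docroot/plugins/dynamix/include/Wrappers.php";
if (is_file($wrappers)) require_once $wrappers;

if (!function_exists('parse_plugin_cfg')) {
  // Fallback for reading this outside Unraid: flash copy merged over default.cfg.
  function parse_plugin_cfg(string $plugin): array {
    global $docroot;
    $default = "$docroot/plugins/$plugin/default.cfg";
    $flash   = "/boot/config/plugins/$plugin/$plugin.cfg";
    $cfg = is_file($default) ? (@parse_ini_file($default, true) ?: []) : [];
    if (is_file($flash)) $cfg = array_replace($cfg, @parse_ini_file($flash, true) ?: []);
    return $cfg;
  }
}

// 3. Read settings through the wrapper instead of calling parse_ini_file() directly.
$cfg     = parse_plugin_cfg($plugin);
$title   = (string)($cfg['title'] ?? 'My Plugin');
$entries = array_values(array_filter(array_map('trim', explode(',', (string)($cfg['entries'] ?? '')))));

// 1. GET vs POST: a GET may only choose what to display. The id is cast to int,
//    which is why it can be echoed below without htmlspecialchars().
$view = isset($_GET['id']) ? (int)$_GET['id'] : null;

//    Anything that changes state must arrive via $_POST (never $_REQUEST) and is
//    refused on any other method. The CSRF token travels in the POST body that the
//    webGUI builds; it is never put on the query string.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
  $id = (int)$_POST['delete'];
  if (isset($entries[$id])) {
    unset($entries[$id]);
    $entries = array_values($entries);
    // Write the flash copy back in the key="value" ini form parse_plugin_cfg() reads.
    $out  = 'title="'   . addcslashes($title, "\"\\") . "\"\n";
    $out .= 'entries="' . addcslashes(implode(',', $entries), "\"\\") . "\"\n";
    file_put_contents("/boot/config/plugins/$plugin/$plugin.cfg", $out);
  }
}

// 2. XSS: every string that came from the user or from a config file is wrapped in
//    htmlspecialchars() at the point of output and nowhere earlier, so it is escaped
//    exactly once. ENT_QUOTES also covers single-quoted attributes; ENT_SUBSTITUTE
//    replaces invalid UTF-8 instead of returning an empty string.
?>
<h2><?= htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE) ?></h2>

<?php if ($view !== null && isset($entries[$view])): ?>
<p>Entry <?= $view ?>: <?= htmlspecialchars($entries[$view], ENT_QUOTES | ENT_SUBSTITUTE) ?></p>
<?php endif; ?>

<ul>
<?php foreach ($entries as $i => $entry): ?>
  <li>
    <a href="?id=<?= $i ?>"><?= htmlspecialchars($entry, ENT_QUOTES | ENT_SUBSTITUTE) ?></a>
    <!-- The action goes through a POST form, never a ?delete=N link -->
    <form method="post" style="display:inline">
      <input type="hidden" name="delete" value="<?= $i ?>">
      <input type="submit" value="Delete">
    </form>
  </li>
<?php endforeach; ?>
</ul>
```

The pattern to check for in a review is the split between the two superglobals: `$_GET['id']` is only ever used to pick what is rendered, while the only state change sits behind a method check and reads `$_POST['delete']`; a request for `?delete=0` does nothing. Escaping happens in the template, not when the values are read from the cfg, so a value that already contains `&amp;` is not double-encoded on the way out.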