
Security Guidelines for Plugins


Hello plugin authors! We recently published a blog post about some security issues in earlier versions of Unraid and we want to make sure that plugins don’t have similar issues. Please review your plugins for the following potential issues:

 

1. GET vs POST

Use GET sparingly. It is ok when displaying information, like `view.php?id=7`, but never for taking action, like `delete.php?id=7`. Any scripts that take action on an input must get that input via POST. In PHP that means using the `$_POST` and `$_GET` superglobals specifically rather than the more generic `$_REQUEST`.

 

The CSRF token should never be passed on the querystring via GET. In most cases the webGUI will add it to POST methods automatically.

 

2. XSS

Ensure that any variable is wrapped with `htmlspecialchars($variable)` right before it is output to the browser. This is critical for data that comes from the user via $_POST or $_GET, or from data that is read from config files, or any other place that a user/attacker could affect the contents.

 

It is important to do this right before outputting the variable so there is no risk of running the variable through the htmlspecialchars function twice.

 

Note: this is not strictly necessary if you have already taken steps to ensure the variable only contains integers, or is one of three specific strings, etc. But in general it is safest to always wrap variables before outputting them.

 

3. Reading config files

If you read plugin settings via something like this:

```php
$config_file = "/boot/config/$plugin/$plugin.cfg";
$cfg = is_file($config_file) ? @parse_ini_file($config_file, true) : array();
```

Please consider switching to this:

```php
require_once "$docroot/plugins/dynamix/include/Wrappers.php"; // might not be necessary
$cfg = parse_plugin_cfg($plugin);
```

 

This will automatically merge the plugin's config file from the flash drive:

/boot/config/plugins/$plugin/$plugin.cfg

with a default config (if the plugin has defined one):

$docroot/plugins/$plugin/default.cfg

 

And in recent releases it will sanitize the values in the config files to make them safer.

  • Upvote 1
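
The GET/POST and XSS points from the post above, shown together as an added example. This is not part of the original post and not Unraid code; `handle_request`, `render_message` and the `$items` data are hypothetical names and constructed sample values.

```php
<?php
// Added example. In a real plugin page the arguments would be
// $_SERVER['REQUEST_METHOD'], $_GET and $_POST (never $_REQUEST).

/** Escape exactly once, right before the value is sent to the browser. */
function render_message(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

/** GET may only display; anything that changes state must arrive via POST. */
function handle_request(string $method, array $get, array $post, array &$items): string
{
    // State-changing action: the id is read from the POST body only.
    if ($method === 'POST' && isset($post['delete'])) {
        $id = filter_var($post['delete'], FILTER_VALIDATE_INT);
        if ($id === false || !isset($items[$id])) {
            return render_message('No such item');
        }
        $name = $items[$id];          // kept raw; escaped only at output
        unset($items[$id]);
        return render_message("Deleted: $name");
    }

    // Read-only view, as in view.php?id=7: GET is acceptable here.
    if ($method === 'GET' && isset($get['id'])) {
        $id = filter_var($get['id'], FILTER_VALIDATE_INT);
        $name = ($id !== false && isset($items[$id])) ? $items[$id] : 'unknown';
        return render_message("Item: $name");
    }

    // A GET such as ?delete=7 ends up here and changes nothing.
    return render_message('Nothing to do');
}

// Constructed sample data: names as they might be read from a user-editable config file.
$items = [7 => 'Media <b>share</b> & "cache"', 8 => 'backup job'];

// GET carrying an action parameter: ignored, item 7 is untouched.
echo handle_request('GET', ['delete' => '7'], [], $items), "\n";
// GET used for display: the markup in the name is shown as text, not rendered.
echo handle_request('GET', ['id' => '7'], [], $items), "\n";
// POST carrying the action: the item is removed and its name is escaped in the reply.
echo handle_request('POST', [], ['delete' => '7'], $items), "\n";
```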
