From b2e3bd8b82508cfa5ade59522b8bbcce2cb8568d Mon Sep 17 00:00:00 2001 From: Sascha Leib Date: Fri, 5 Sep 2025 09:15:08 +0200 Subject: [PATCH] Security fixes --- action.php | 15 +++++---- php_errors.log | 53 ++++++++++++++++++++++++++----- pview.php | 44 ++++++++++++++++++-------- script.js | 5 ++- tick.php | 85 ++++++++++++++++++++++++++++---------------------- 5 files changed, 135 insertions(+), 67 deletions(-) diff --git a/action.php b/action.php index 8ba36f8..bf3f118 100644 --- a/action.php +++ b/action.php @@ -56,12 +56,8 @@ class action_plugin_botmon extends DokuWiki_Action_Plugin { /* Write out server-side info to a server log: */ // what is the session identifier? - $sessionId = $username; - $sessionType = 'usr'; - if ($sessionId == '') { - $sessionId = $_COOKIE['DokuWiki'] ?? ''; - $sessionType = 'dw'; - } + $sessionId = $_COOKIE['DokuWiki'] ?? ''; + $sessionType = 'dw'; if ($sessionId == '') { $sessionId = $_SERVER['REMOTE_ADDR'] ?? ''; if ($sessionId == '127.0.0.1' || $sessionId == '::1') { @@ -70,11 +66,14 @@ class action_plugin_botmon extends DokuWiki_Action_Plugin { $sessionType = 'ip'; } + // clean the page ID + $pageId = preg_replace('/[\x00-\x1F]/', "\u{FFFD}", $INFO['id'] ?? ''); + $logArr = Array( $_SERVER['REMOTE_ADDR'] ?? '', /* remote IP */ - $INFO['id'] ?? '', /* page ID */ + $pageId, /* page ID */ $sessionId, /* Session ID */ - $sessionType, + $sessionType, /* session ID type */ $username, $_SERVER['HTTP_USER_AGENT'] ?? '', /* User agent */ $_SERVER['HTTP_REFERER'] ?? '' /* HTTP Referrer */ diff --git a/php_errors.log b/php_errors.log index 3705f86..ecddbba 100644 --- a/php_errors.log +++ b/php_errors.log 
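Review bot: The value that the new `$sessionId = $_COOKIE['DokuWiki'] ?? '';` line adopts as the session identifier is, on a default DokuWiki install, the PHP session cookie itself, and the second hunk of this file then writes it verbatim into the server-side log (pview.php's first hunk does the same, and the second script.js hunk renders `data.id` in the monitoring UI). Anyone who can read that log or the admin page therefore obtains live session tokens. A keyed digest keeps the column useful for correlating visits without exposing the credential, e.g. `$sessionId = substr(hash_hmac('sha256', $_COOKIE['DokuWiki'] ?? '', $secret), 0, 16);` with `$secret` a server-side constant. Unlike pview.php, this file also applies no length or character check to the cookie value before it reaches the log; the enclosing method continues outside the hunk.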
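Review bot: Only the page-ID column is scrubbed of control characters before `$logArr` is built; `$sessionId`, `$username`, `$_SERVER['HTTP_USER_AGENT']` and `$_SERVER['HTTP_REFERER']` still enter the log line raw, so a CR/LF in a request header can still break the fixed-column format or produce a forged entry. pview.php in this same commit cleans its agent and referer columns with the identical `preg_replace('/[\x00-\x1F]/', "\u{FFFD}", …)`; applying it to these four columns keeps the two log writers consistent, and adding `\x7F` to the class covers the one control character the range omits. How `$logArr` is joined is outside the hunk, so if the column separator lies outside that range it needs stripping as well. The enclosing method continues outside the hunk.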
@@ -1,8 +1,45 @@ -[03-Sep-2025 15:22:41 UTC] PHP Warning: Undefined variable $file in D:\Webroot\development\lib\plugins\botmon\cleanup.php on line 14 -[03-Sep-2025 15:22:54 UTC] PHP Warning: Undefined variable $file in D:\Webroot\development\lib\plugins\botmon\cleanup.php on line 14 -[03-Sep-2025 15:25:36 UTC] PHP Parse error: syntax error, unexpected end of file, expecting "," or ";" in D:\Webroot\development\lib\plugins\botmon\cleanup.php on line 15 -[03-Sep-2025 15:35:57 UTC] PHP Deprecated: Using ${var} in strings is deprecated, use {$var} instead in D:\Webroot\development\lib\plugins\botmon\cleanup.php on line 14 -[03-Sep-2025 15:37:51 UTC] PHP Warning: unlink(logs/.): Is a directory in D:\Webroot\development\lib\plugins\botmon\cleanup.php on line 15 -[03-Sep-2025 15:37:51 UTC] PHP Warning: unlink(logs/..): Resource temporarily unavailable in D:\Webroot\development\lib\plugins\botmon\cleanup.php on line 15 -[03-Sep-2025 15:38:10 UTC] PHP Warning: unlink(logs/.): Is a directory in D:\Webroot\development\lib\plugins\botmon\cleanup.php on line 17 -[03-Sep-2025 15:38:10 UTC] PHP Warning: unlink(logs/..): Resource temporarily unavailable in D:\Webroot\development\lib\plugins\botmon\cleanup.php on line 17 +[05-Sep-2025 05:57:33 UTC] PHP Warning: preg_match(): No ending delimiter '/' found in D:\Webroot\development\lib\plugins\botmon\tick.php on line 17 +[05-Sep-2025 05:57:33 UTC] PHP Warning: Undefined property: ErrorException::$getMessage in D:\Webroot\development\lib\plugins\botmon\tick.php on line 55 +[05-Sep-2025 05:57:43 UTC] PHP Warning: preg_match(): No ending delimiter '/' found in D:\Webroot\development\lib\plugins\botmon\tick.php on line 17 +[05-Sep-2025 05:57:43 UTC] PHP Warning: Undefined property: ErrorException::$getMessage in D:\Webroot\development\lib\plugins\botmon\tick.php on line 55 +[05-Sep-2025 05:58:04 UTC] PHP Warning: preg_match(): No ending delimiter '/' found in D:\Webroot\development\lib\plugins\botmon\tick.php on line 17 +[05-Sep-2025 
05:58:04 UTC] PHP Warning: Undefined property: ErrorException::$getMessage in D:\Webroot\development\lib\plugins\botmon\tick.php on line 55 +[05-Sep-2025 05:58:13 UTC] PHP Warning: preg_match(): No ending delimiter '/' found in D:\Webroot\development\lib\plugins\botmon\tick.php on line 17 +[05-Sep-2025 05:58:13 UTC] PHP Warning: Undefined property: ErrorException::$getMessage in D:\Webroot\development\lib\plugins\botmon\tick.php on line 55 +[05-Sep-2025 05:58:35 UTC] PHP Warning: preg_match(): No ending delimiter '/' found in D:\Webroot\development\lib\plugins\botmon\tick.php on line 17 +[05-Sep-2025 05:58:35 UTC] PHP Warning: Undefined property: ErrorException::$getMessage in D:\Webroot\development\lib\plugins\botmon\tick.php on line 55 +[05-Sep-2025 05:58:43 UTC] PHP Warning: preg_match(): No ending delimiter '/' found in D:\Webroot\development\lib\plugins\botmon\tick.php on line 17 +[05-Sep-2025 05:58:43 UTC] PHP Warning: Undefined property: ErrorException::$getMessage in D:\Webroot\development\lib\plugins\botmon\tick.php on line 55 +[05-Sep-2025 06:55:56 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:56:00 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:56:27 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:56:30 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:56:58 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:57:00 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:57:29 UTC] PHP Parse error: syntax error, unexpected token 
"=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:57:30 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:58:00 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:58:00 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:58:31 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:58:31 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:59:01 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:59:02 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:59:31 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 06:59:33 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:00:01 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:00:04 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:00:31 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:00:35 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:01:01 UTC] PHP Parse error: 
syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:01:06 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:01:31 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:01:37 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:02:01 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:02:08 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:02:31 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:02:39 UTC] PHP Parse error: syntax error, unexpected token "=" in D:\Webroot\development\lib\plugins\botmon\tick.php on line 18 +[05-Sep-2025 07:06:01 UTC] PHP Parse error: syntax error, unexpected token "}" in D:\Webroot\development\lib\plugins\botmon\pview.php on line 36 +[05-Sep-2025 07:09:36 UTC] PHP Fatal error: Uncaught Error: Undefined constant "loadTime" in D:\Webroot\development\lib\plugins\botmon\pview.php:34 +Stack trace: +#0 {main} + thrown in D:\Webroot\development\lib\plugins\botmon\pview.php on line 34 diff --git a/pview.php b/pview.php index 0ed3f3b..4208919 100644 --- a/pview.php +++ b/pview.php 
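Review bot: `php_errors.log` is a runtime PHP error log and should not be tracked in the repository; this hunk rewrites its contents instead of removing the file. Keeping it in the tree churns on every commit and publishes the developer's local paths (`D:\Webroot\development\...`), and it shows the log being written inside the plugin directory, which may be web-reachable on a typical install. Removing the file from the tree and listing it in `.gitignore` is the usual fix.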
@@ -4,16 +4,12 @@ $json = json_decode($_POST['pageview'], true); if (!$json) { http_response_code(400); - die("Error: Invalid JSON data sent to server."); + die("Invalid JSON Data."); } -// what is the session identifier? -$sessionId = $json['u'] ?? ''; -$sessionType = 'usr'; -if ($sessionId == '') { - $sessionId = $_COOKIE['DokuWiki'] ?? ''; - $sessionType = 'dw'; -} +// select the session identifier? +$sessionId = $_COOKIE['DokuWiki'] ?? ''; +$sessionType = 'dw'; if ($sessionId == '') { $sessionId = $_SERVER['REMOTE_ADDR'] ?? ''; if ($sessionId == '127.0.0.1' || $sessionId == '::1') { 
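Review bot: `if (!$json)` on the line after `json_decode` rejects decoded input only when it is falsy, so a body that decodes to a non-array (a number, a string, `true`) passes and the later `$json['pg']`/`$json['u']` lookups silently read from a scalar, while a valid but empty `[]` is refused with a 400. Testing for the shape the rest of the script requires is more precise: `if (!is_array($json)) {`. The new comment `// select the session identifier?` reads as a question; `// select the session identifier:` matches the other comments added in this file.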
@@ -22,15 +18,37 @@ if ($sessionId == '') { $sessionType = 'ip'; } +// check if valid session id string: +if (strlen($sessionId) < 46 && !preg_match('/^[\w\d\.:]+$/', $sessionId)) { + $sessionId = 'invalid-session-id'; +} + +// clean the page ID +$pageId = preg_replace('/[\x00-\x1F{};]/', "\u{FFFD}", $json['pg'] ?? ''); + +// clean the user-name +$userName = preg_replace('/[\x00-\x1F]/', "\u{FFFD}", $json['u'] ?? ''); + +// check load time +$loadTime = $json['lt'] ?? ''; +if ($loadTime !== '' ) $loadTime = intval($loadTime); + +// clean the user agent string +$agent = preg_replace('/[\x00-\x1F]/', "\u{FFFD}", $_SERVER['HTTP_USER_AGENT'] ?? ''); + +// clean the referer +$referer = preg_replace('/[\x00-\x1F]/', "\u{FFFD}", $json['r'] ?? ''); + + /* build the resulting log line (ensure fixed column positions!) */ $logArr = Array( $_SERVER['REMOTE_ADDR'] ?? '', /* remote IP */ - $json['pg'] ?? '', /* DW page ID */ + $pageId, /* DW Page ID */ $sessionId, /* Session ID */ - $json['u'] ?? '', /* DW User id (if logged in) */ - $json['lt'] ?? '', /* load time */ - $json['r'] ?? '', /* Referrer URL */ - $_SERVER['HTTP_USER_AGENT'] ?? '' /* User agent */ + $userName, /* DW User name (if logged in) */ + $loadTime, /* load time */ + $referer, /* Referrer URL */ + $agent /* User agent */ // $json['lg'] ?? '', /* browser language */ // $json['scr'] ?? '', /* Screen dimensions */ // $json['tz'] ?? '', /* timzone offset */ diff --git a/script.js b/script.js index 8437043..1278677 100644 --- a/script.js +++ b/script.js @@ -443,7 +443,7 @@ BotMon.live = { this.groups.users.push(v); this.data.bots.users += 1; - + } else { // TODO: find suspected bots 
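Review bot: The session-id validation joins its two conditions with `&&`, so a value of 46 characters or more skips the character-class test entirely and is logged unchanged, which inverts the apparent intent of capping the length; a value is invalid when either test fails, `if (strlen($sessionId) >= 46 || !preg_match('/^[\w\d\.:]+$/', $sessionId)) {`. Separately, the other columns are cleaned only of `\x00-\x1F`, so `\x7F` passes, and `$pageId` strips `{};` while `$userName`, `$referer` and `$agent` do not; whichever characters matter to the consumer of this log (the separator and any viewer-side parser are outside the hunk) should be covered consistently across columns. If `$json['pg']`, `$json['u']` or `$json['r']` arrive as arrays, `preg_replace` returns an array rather than a string, so guarding each with `is_string()` before cleaning would keep the column positions fixed as the comment above `$logArr` requires.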
@@ -1005,6 +1005,9 @@ BotMon.live = { dl.appendChild(make('dt', {}, "IP-Address:")); dl.appendChild(make('dd', {'class': 'has_icon ip' + ipType}, data.ip)); + dl.appendChild(make('dt', {}, "ID:")); + dl.appendChild(make('dd', {'class': 'has_icon ip' + data.typ}, data.id)); + if ((data._lastSeen - data._firstSeen) < 1) { dl.appendChild(make('dt', {}, "Seen:")); dl.appendChild(make('dd', {'class': 'seen'}, data._firstSeen.toLocaleString())); diff --git a/tick.php b/tick.php index fe11038..b5393e7 100644 --- a/tick.php +++ b/tick.php @@ -1,46 +1,57 @@
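Review bot: The new `dd` element's class is built as `'has_icon ip' + data.typ`, which yields `ipdw` or `ipip` for the `dw`/`ip` session types this commit writes; the existing line above builds `'ip' + ipType` for the IP address, so the prefix looks copied rather than intended — presumably `'has_icon ' + data.typ` or a dedicated prefix for the ID icon. Whether `make(...)` inserts `data.id` as text or as markup is not visible here; if it assigns through `innerHTML`, the session identifier (a client-controlled cookie value on the server side) needs escaping before display. The enclosing function continues outside the hunk.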