edit: allow any non-hidden filename

[minimedit.git] / edit.php

diff --git a/edit.php b/edit.php
index 80a49eb5e6dba49a62dad68d9a8190dc48df34d6..3b280ee4e3a961d827adda8c7f0e9fbd7966d930 100644 (file)
--- a/edit.php
+++ b/edit.php
@@ -1,19 +1,25 @@
-#!/usr/bin/php-cgi
 <?php
+ob_clean();
+
 function abort($status, $body) {
        header("HTTP/1.1 $status");
        print "$body\n";
        exit;
 }
 
+if (!@$User['admin'])
+       abort('401 unauthorised', "geen beheersrechten");
+
 if (!$_POST)
        abort('405 post error', "niets te doen");
 if (!isset($_SERVER['PATH_INFO']) or strlen($_SERVER['PATH_INFO']) <= 1)
        abort('409 input error', "geen bestand aangeleverd");
 
-$filename = preg_replace('/(?:\.html)?$/', '.html', ltrim($_SERVER['PATH_INFO'], '/'), 1);
-if (file_exists($filename) and !is_writable($filename))
+$filename = ltrim($Args, '/').'.html';
+if (preg_match('{^\.}', $filename))
        abort('403 input error', "ongeldige bestandsnaam: $filename");
+if (file_exists($filename) and !is_writable($filename))
+       abort('403 input error', "onwijzigbaar bestand: $filename");
 
 if (!isset($_POST['body']))
        abort('409 input error', "geen inhoud aangeleverd");
@@ -28,10 +34,10 @@ if (!strlen($upload)) {
        exit;
 }
 
-$prepend = '<!--#include virtual="/head.inc.html" -->'."\n\n";
-$append  = "\n".'<!--#include virtual="/foot.inc.html" -->'."\n";
+if (!file_exists(dirname($filename)) and !mkdir(dirname($filename)))
+       abort('500 save error', "fout bij aanmaken van map voor $filename");
 
-if (!file_put_contents($filename, $prepend . $upload . $append))
+if (!file_put_contents($filename, $upload))
        abort('500 save error', "fout bij schrijven van $filename");
 
 print "Bestand opgeslagen";