From: Mischa POSLAWSKY
Date: Wed, 13 Sep 2017 18:03:32 +0000 (+0200)
Subject: edit: replace executable check by filename validation
X-Git-Tag: v2.1~11
X-Git-Url: http://git.shiar.net/minimedit.git/commitdiff_plain/487771a9db7678090c96997cda323b53706f95a9

edit: replace executable check by filename validation

No more distinction in php files; prefer a-x.
---
diff --git a/auth.inc.php b/auth.inc.php
old mode 100755
new mode 100644
diff --git a/edit.php b/edit.php
old mode 100755
new mode 100644
index 1856336..cf9b6c0
--- a/edit.php
+++ b/edit.php
@@ -14,9 +14,9 @@ if (!isset($_SERVER['PATH_INFO']) or strlen($_SERVER['PATH_INFO']) <= 1)
 abort('409 input error', "geen bestand aangeleverd");
 $filename = ltrim($Args, '/').'.html';
-if (file_exists($filename) and !is_writable($filename))
+if (!preg_match('{^(?:[/a-z0-9-])+\.html$}', $filename))
 abort('403 input error', "ongeldige bestandsnaam: $filename");
-if (is_executable($filename))
+if (file_exists($filename) and !is_writable($filename))
 abort('403 input error', "onwijzigbaar bestand: $filename");
 if (!isset($_POST['body']))
diff --git a/foot.inc.php b/foot.inc.php
old mode 100755
new mode 100644
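Review bot: The `abort()` call under the new `preg_match` check in edit.php now receives a `$filename` that has just failed validation, so arbitrary characters from the request path flow into the error message; unless `abort()` (defined outside this hunk) escapes its output, that is a reflected-markup risk. Escape at the call site, e.g. `abort('403 input error', "ongeldige bestandsnaam: ".htmlspecialchars($filename, ENT_QUOTES));`, or leave the name out of the message. The pattern keeps `.` out of the path part, which rules out `..` segments, but it still accepts empty segments and a bare `.html` basename such as `a//.html`; if those are unwanted, a stricter form like `{^[a-z0-9-]+(?:/[a-z0-9-]+)*\.html\z}` rejects them. The filename is built from `$Args` while the guard above tests `$_SERVER['PATH_INFO']`, and how the two relate is not visible in this hunk.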