From 487771a9db7678090c96997cda323b53706f95a9 Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY
Date: Wed, 13 Sep 2017 20:03:32 +0200
Subject: [PATCH] edit: replace executable check by filename validation

No more distinction in php files; prefer a-x.
---
 auth.inc.php | 0
 edit.php | 4 ++--
 foot.inc.php | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 mode change 100755 => 100644 auth.inc.php
 mode change 100755 => 100644 edit.php
 mode change 100755 => 100644 foot.inc.php

diff --git a/auth.inc.php b/auth.inc.php
old mode 100755
new mode 100644
diff --git a/edit.php b/edit.php
old mode 100755
new mode 100644
index 1856336..cf9b6c0
--- a/edit.php
+++ b/edit.php
@@ -14,9 +14,9 @@ if (!isset($_SERVER['PATH_INFO']) or strlen($_SERVER['PATH_INFO']) <= 1)
 abort('409 input error', "geen bestand aangeleverd");
 $filename = ltrim($Args, '/').'.html';
-if (file_exists($filename) and !is_writable($filename))
+if (!preg_match('{^(?:[/a-z0-9-])+\.html$}', $filename))
 abort('403 input error', "ongeldige bestandsnaam: $filename");
-if (is_executable($filename))
+if (file_exists($filename) and !is_writable($filename))
 abort('403 input error', "onwijzigbaar bestand: $filename");
 if (!isset($_POST['body']))
diff --git a/foot.inc.php b/foot.inc.php
old mode 100755
new mode 100644
-- 
2.30.0
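Review bot: In edit.php the new validation branch puts the value it has just rejected into the response text, `abort('403 input error', "ongeldige bestandsnaam: $filename")`, so arbitrary characters from the request path reach abort() unchanged. abort() and `$Args` are defined outside this hunk; if abort() does not HTML-escape its message, escape at the call site with `abort('403 input error', 'ongeldige bestandsnaam: '.htmlspecialchars($filename, ENT_QUOTES));` or drop the name from the message. The pattern can be tightened to `'{^[/a-z0-9-]+\.html$}D'`, since the group around the character class is redundant and `D` makes `$` match only at the very end of the string. Because `/` stays in the allowed set, a one-line comment above the check would record the intent, for example `// allowlist: lowercase path segments, no dots, so no ".." and only .html targets`.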