<?php
+ob_clean();
+
function abort($status, $body) {
header("HTTP/1.1 $status");
print "$body\n";
exit;
}
+if (!@$User['admin'])
+ abort('401 unauthorised', "geen beheersrechten");
+
if (!$_POST)
abort('405 post error', "niets te doen");
if (!isset($_SERVER['PATH_INFO']) or strlen($_SERVER['PATH_INFO']) <= 1)
abort('409 input error', "geen bestand aangeleverd");
-$filename = preg_replace('/(?:\.php)?$/', '.php', ltrim($_SERVER['PATH_INFO'], '/'), 1);
-if (file_exists($filename) and !is_writable($filename))
+$filename = ltrim($Args, '/').'.html';
+if (!preg_match('{^(?:[/a-z0-9-])+\.html$}', $filename))
abort('403 input error', "ongeldige bestandsnaam: $filename");
-if (is_executable($filename))
+if (file_exists($filename) and !is_writable($filename))
abort('403 input error', "onwijzigbaar bestand: $filename");
if (!isset($_POST['body']))
exit;
}
-$rootpath = str_repeat('../', substr_count($filename, '/'));
-$prepend = "<?php include '${rootpath}head.inc.php'; ?>\n\n";
-$append = "\n";
-
-if (!file_put_contents($filename, $prepend . $upload . $append))
+if (!file_put_contents($filename, $upload))
abort('500 save error', "fout bij schrijven van $filename");
print "Bestand opgeslagen";