Fix issue #20, fix issue with page index, remove dependency on .htaccess

2024-03-23 22:34:24 +01:00 · 2024-03-23 22:34:24 +01:00 · 3adf419b35
parent 42bf11bdee
commit 3adf419b35
6 changed files with 67 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -17,8 +17,6 @@ generates pages on-the-fly.
 - sqlite3
 - php-mbstring
 - Web server
-  - You probably want Apache. It will work with another web server,
-  but you'll need to port the .htaccess to your preferred web server.

 - On Gentoo, you'll need to enable USE flag `sqlite` for package `dev-lang/php`
 in case you're testing locally using `php -S`.
@ -30,6 +28,7 @@ plugin if you want to use Apache.

 1. Set up a web server with php and sqlite3
 2. Point it to `index.php`
+3. Make sure users cannot access the database or any of the config files (See docs/apache-sample.conf for an example)

 When no admin account is set up, you'll be prompted to create one.

--- a/core.php
+++ b/core.php
@ -299,6 +299,7 @@ function convertMarkdownToHTML($contents) {
 function printHeader($html, $printpage) {
    include "config.php";

+    $pid = -1;
    $id = -1;

    if (isset($_REQUEST['id'])) {
@ -309,15 +310,29 @@ function printHeader($html, $printpage) {
    $DatabaseQuery = $Database->query('SELECT * FROM pages');

    $wasFound = 0;
-    $i = 0;

    $title = $instanceName;
    $description = $instanceDescription;

-    $subdir = isset($_GET['endpoint']) ? $_GET['endpoint'] : '/';
+    $subdir = "";
+    if (isset($_GET['endpoint'])) {
+        $subdir = $_GET['endpoint'];
+    } else if (isset($_SERVER['REQUEST_URI'])) {
+        $subdir = '/' . trim(strtok($_SERVER['REQUEST_URI'], '?'), '/');
+    } else {
+        $subdir = '/';
+    }
+
    while ($line = $DatabaseQuery->fetchArray()) {
        $endpoint = $line['endpoint'];
-        if (((($endpoint == $subdir || "$endpoint/" == "$subdir") && $id == -1) || ($id != -1 && $i == $id)) && $printpage == 1) {
+        if ((($endpoint == $subdir || "$endpoint/" == "$subdir") && $id == -1) || ($id != -1 && $printpage == 1)) {
+            $pid = $line['id'];
+
+            if ($pid != $id && $id != -1) {
+                $pid = -1;
+                continue;
+            }
+
            $wasFound = 1;
            $ret = convertMarkdownToHTML(file_get_contents($line['file']));

@ -404,7 +419,6 @@ function printHeader($html, $printpage) {
            }

            if (isset($_SESSION['type']) && $_SESSION['type'] == 2) {
-                $pid = $i + 1;
                $html .= "\t\t\t\t<a id='edit' href=\"/edit.php?id=$pid\">Edit</a>\n";
            }

@ -448,8 +462,6 @@ function printHeader($html, $printpage) {
                    $html .= "\t\t\t\t<a id=\"source\" href=\"/$sourceFile\">Source</a>\n";
                }

-                $pid = $i + 1;
-
                if (isset($_SESSION['type'])) {
                    $html .= "\t\t\t\t<a id=\"modify\" href=\"/edit-page.php?id=$pid\">Request changes</a>\n";
                }
@ -459,14 +471,13 @@ function printHeader($html, $printpage) {
                }

                if ($ret->allowComments == "true") {
-                    $html = printCommentField($html, $line['id'], $i);
+                    $html = printCommentField($html, $line['id'], $pid);
                }
            }

-        break;
-        }
+            break;

-        $i++;
+        }
    }

    if ($wasFound != 1) {
@ -574,7 +585,8 @@ function printHeader($html, $printpage) {
                    $Err = convertMarkdownToHTML(file_get_contents($err['file']));

                    $html .= "\t\t\t$Err->data\n";
-            break;
+
+                    break;
                }
            }

--- a/docs/apache-sample.conf
+++ b/docs/apache-sample.conf
@ -0,0 +1,21 @@
+# This is a sample config for Apache with csgen.
+<VirtualHost *:80>
+    ServerName example.com
+    ServerAlias www.example.com
+    DocumentRoot /var/www/csgen
+
+    # No access to the database
+    <FilesMatch "\.sql$">
+        Require all denied
+    </FilesMatch>
+
+    # No access to config.ini
+    <Files "config.ini">
+        Require all denied
+    </Files>
+
+    # No access to config.def.ini
+    <Files "config.def.ini">
+        Require all denied
+    </Files>
+</VirtualHost>
--- a/docs/htaccess-sample
+++ b/docs/htaccess-sample
--- a/index.php
+++ b/index.php
@ -5,16 +5,24 @@ include "core.php";

 $Error = "";
 $html = "";
+$subdir = "";

 if (isset($_REQUEST['e'])) $Error = htmlspecialchars($_REQUEST['e']);
-$subdir = isset($_GET['endpoint']) ? $_GET['endpoint'] : '/';
+
+if (isset($_GET['endpoint'])) {
+    $subdir = $_GET['endpoint'];
+} else if (isset($_SERVER['REQUEST_URI'])) {
+    $subdir = '/' . trim(strtok($_SERVER['REQUEST_URI'], '?'), '/');
+} else {
+    $subdir = '/';
+}

 if (!checkIfAdminExists()) {
    header("Location: setup.php");
    die();
 }

-$html = printHeader($html, 1);
+$html = printHeader($html, 1); // also prints page content
 $html = printFooter($html);

 print "$html";
--- a/update.php
+++ b/update.php
@ -76,7 +76,7 @@ if (isset($_REQUEST['endpoint']) && htmlspecialchars($_REQUEST['endpoint']) != "
    if ($Redirect == "admin") {
        header("Location: admin.php?e=endpoint");
    } else if ($Redirect == "edit") {
-        header("Location: edit.php?e=endpoint&action=articles");
+        header("Location: edit.php?e=endpoint&action=write");
    } else {
        header("Location: /");
    }
@ -89,6 +89,17 @@ while ($line = $DatabaseQuery->fetchArray()) {
    if ($line['id'] == $id && $id != -1) {
        $File = $line['file'];
    }
+    if ($line['endpoint'] == $Endpoint && $line['id'] != $id) {
+        if ($Redirect == "admin") {
+            header("Location: admin.php?e=exists");
+        } else if ($Redirect == "edit") {
+            header("Location: edit.php?e=exists&action=write");
+        } else {
+            header("Location: /");
+        }
+
+        die();
+    }
 }

 $OldFile = "";