From f0d2a630277dfa2b57321c16f88643892a596d16 Mon Sep 17 00:00:00 2001
From: Nick White <git@njw.me.uk>
Date: Fri, 6 Nov 2009 04:18:09 +0000
Subject: Enable looking in root for content

Update download-source link to remove extension
Look in the root directory if a file is not found in webpages/
Tighten up sanitisation slightly
---
 includes/footer.php |  2 +-
 index.php           | 22 +++++++++++++++-------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/includes/footer.php b/includes/footer.php
index 7706ccf..599801e 100644
--- a/includes/footer.php
+++ b/includes/footer.php
@@ -31,7 +31,7 @@ print '
 
 	<div id="copyright">
 		<p>The text on this website is licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0/" rel="license">Creative Commons Attribution-Share Alike 3.0 License</a>.</p>
-		<p>The code running this website is released under the <a href="http://www.fsf.org/licensing/licenses/agpl.html" rel="license">GNU Affero General Public License</a>. <a href="/download-source.php">Download the source code</a>.</p>
+		<p>The code running this website is released under the <a href="http://www.fsf.org/licensing/licenses/agpl.html" rel="license">GNU Affero General Public License</a>. <a href="/download-source">Download the source code</a>.</p>
 	</div>
 
 </div>
diff --git a/index.php b/index.php
index e86cf11..29d468c 100644
--- a/index.php
+++ b/index.php
@@ -16,15 +16,12 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-$contentpath = $_SERVER['DOCUMENT_ROOT'] . "/webpages/" . $_SERVER['REQUEST_URI'];
-
-if ( is_dir($contentpath) == TRUE )
-	$contentpath .= 'index.php';
+$request = $_SERVER['REQUEST_URI'];
 
 /* Sanitise */
-if (preg_match ( '/\.\./', $contentpath )  || /* don't go up the filesystem */
-	preg_match ( '/[\'\"]/', $contentpath )|| /* string terminators */
-	preg_match ( '/\\\0/', $contentpath ) )   /* null bytes */
+if (preg_match ( '/\.\./', $request )  || /* don't go up the filesystem */
+	preg_match ( '/[\'\"]/', $request )|| /* string terminators */
+	preg_match ( '/\\\0/', $request ) )   /* null bytes */
 
 {
 	header('HTTP/1.0 500 Internal Error');
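Review bot: The third pattern in the new `$request` check, `'/\\\0/'`, does not match a NUL byte: inside a single-quoted PHP string it reaches PCRE as `\\0`, which is a literal backslash followed by the digit 0. REQUEST_URI is normally still percent-encoded at this point, so the check should reject `%00` as well as a raw NUL, for example `preg_match ( '/\x00|%00/i', $request )`. The checks also run on the whole REQUEST_URI, which includes any query string, so taking the path first with `parse_url($request, PHP_URL_PATH)` would keep `?…` out of the file lookup. The body of this `if` continues outside the hunk.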
@@ -32,6 +29,17 @@ if (preg_match ( '/\.\./', $contentpath )  || /* don't go up the filesystem */
 	exit (0);
 }
 
+$contentpath = $_SERVER['DOCUMENT_ROOT'] . '/webpages/' . $request;
+
+/* if nothing exists in webpages directory, try root */
+if ( ! is_dir($contentpath) && ! is_file($contentpath.'.php') )
+	$contentpath = $_SERVER['DOCUMENT_ROOT'] . $request;
+
+if ( is_dir($contentpath) == TRUE )
+	$contentpath .= 'index.php';
+else
+	$contentpath .= '.php';
+
 if ( ! is_file($contentpath) )
 {
 	header('HTTP/1.0 404 Not Found');
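Review bot: The fallback `$contentpath = $_SERVER['DOCUMENT_ROOT'] . $request;` makes every `.php` file under the document root a candidate page, including `index.php` itself and the files in `includes/`, where before only `webpages/` was reachable. How `$contentpath` is consumed lies outside the hunk, but if it is included, the deny-list regexes above become the only boundary between the request and arbitrary script files in the tree. I would restrict the root lookup to an explicit allow-list of page names and let everything else fall through to the 404 branch. The single entry in the sketch below is a guess taken from the footer link changed in this commit.

```php
/* if nothing exists in webpages directory, try root */
/* only the pages named here may be served from the document root
   (entry assumed from the footer link; confirm the real list) */
$rootpages = array( '/download-source' );

if ( ! is_dir($contentpath) && ! is_file($contentpath.'.php') )
{
	if ( in_array($request, $rootpages, TRUE) )
		$contentpath = $_SERVER['DOCUMENT_ROOT'] . $request;
}
// … unchanged: index.php / .php suffix selection and the 404 check …
```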
-- 
cgit v1.2.3