ObsidianJustSharePlease/server/public/share.php

<?php

switch ($_SERVER["REQUEST_METHOD"]) {
    case "GET":
        handle_get();
        break;
    case "POST":
        handle_post();
        break;
    case "PATCH":
        handle_patch();
        break;
    case "DELETE":
        handle_delete();
        break;
    default:
        http_response_code(405);
        echo "Unsupported method";
}

function handle_get(): void {
    parse_str($_SERVER["QUERY_STRING"], $query);
    $content = file_get_contents(get_markdown_path($query["id"]));
    if ($content === false) {
        http_response_code(404);
        echo "Not found";
        return;
    }
    echo $content;
}

function handle_post(): void {
    $content = get_markdown_content();
    if ($content === null)
        return;

    try {
        // generate id and deletion/edit password
        $id = bin2hex(random_bytes(4));
        $password = bin2hex(random_bytes(16));
    } catch (Exception $e) {
        http_response_code(500);
        echo $e->getMessage();
        return;
    }

    $meta = json_encode([
        "id" => $id,
        "password" => $password
    ]);

    // store markdown and metadata in data path
    file_put_contents(get_markdown_path($id), $content);
    file_put_contents(get_meta_path($id), $meta);

    echo $meta;
}

function handle_patch(): void {
    $info = get_patch_delete_info();
    $content = get_markdown_content();
    if (!$info || $content === null)
        return;
    [$id, $password] = $info;
    if (!check_password($id, $password))
        return;

    file_put_contents(get_markdown_path($id), $content);
}

function handle_delete(): void {
    $info = get_patch_delete_info();
    if (!$info)
        return;
    [$id, $password] = $info;
    if (!check_password($id, $password))
        return;

    // delete content and meta
    unlink(get_markdown_path($id));
    unlink(get_meta_path($id));
}

function check_password(string $id, string $password): bool {
    $meta = json_decode(file_get_contents(get_meta_path($id)), true);
    if ($password != $meta["password"]) {
        http_response_code(401);
        echo "Unauthorized";
        return false;
    }
    return true;
}

function get_patch_delete_info(): ?array {
    parse_str($_SERVER["QUERY_STRING"], $query);
    $id = $query["id"];
    $password = $_SERVER["HTTP_PASSWORD"];
    if (!$id || !$password) {
        http_response_code(400);
        echo "No id or password";
        return null;
    }
    return [$id, $password];
}

function get_markdown_content(): ?string {
    $body = json_decode(file_get_contents("php://input"), true);
    if (!array_key_exists("content", $body)) {
        http_response_code(400);
        echo "No content";
        return null;
    }
    return $body["content"];
}

function get_markdown_path(string $id): string {
    return get_id_base_path($id) . ".md";
}

function get_meta_path(string $id): string {
    return get_id_base_path($id) . ".json";
}

function get_id_base_path(string $id): string {
    // ensure id can't be used to traverse into other directories
    return dirname(getcwd()) . "/data/" . basename($id);
}
<?php 2023-08-09 18:11:29 +02:00			`<?php`
slightly change plans 2023-08-09 17:57:29 +02:00
serve GET requests 2023-08-09 20:13:44 +02:00			`switch ($_SERVER["REQUEST_METHOD"]) {`
			`case "GET":`
finished basic backend 2023-08-11 17:55:30 +02:00			`handle_get();`
serve GET requests 2023-08-09 20:13:44 +02:00			`break;`
			`case "POST":`
finished basic backend 2023-08-11 17:55:30 +02:00			`handle_post();`
serve GET requests 2023-08-09 20:13:44 +02:00			`break;`
implement POST 2023-08-10 19:47:55 +02:00			`case "PATCH":`
finished basic backend 2023-08-11 17:55:30 +02:00			`handle_patch();`
			`break;`
serve GET requests 2023-08-09 20:13:44 +02:00			`case "DELETE":`
finished basic backend 2023-08-11 17:55:30 +02:00			`handle_delete();`
serve GET requests 2023-08-09 20:13:44 +02:00			`break;`
implemented plugin menu items 2023-08-11 19:01:10 +02:00			`default:`
			`http_response_code(405);`
			`echo "Unsupported method";`
serve GET requests 2023-08-09 20:13:44 +02:00			`}`
implement POST 2023-08-10 19:47:55 +02:00
finished basic backend 2023-08-11 17:55:30 +02:00			`function handle_get(): void {`
			`parse_str($_SERVER["QUERY_STRING"], $query);`
			`$content = file_get_contents(get_markdown_path($query["id"]));`
implemented plugin menu items 2023-08-11 19:01:10 +02:00			`if ($content === false) {`
finished basic backend 2023-08-11 17:55:30 +02:00			`http_response_code(404);`
			`echo "Not found";`
			`return;`
			`}`
			`echo $content;`
			`}`

			`function handle_post(): void {`
			`$content = get_markdown_content();`
implemented plugin menu items 2023-08-11 19:01:10 +02:00			`if ($content === null)`
finished basic backend 2023-08-11 17:55:30 +02:00			`return;`

			`try {`
			`// generate id and deletion/edit password`
			`$id = bin2hex(random_bytes(4));`
			`$password = bin2hex(random_bytes(16));`
			`} catch (Exception $e) {`
			`http_response_code(500);`
			`echo $e->getMessage();`
			`return;`
			`}`

			`$meta = json_encode([`
			`"id" => $id,`
implemented plugin menu items 2023-08-11 19:01:10 +02:00			`"password" => $password`
finished basic backend 2023-08-11 17:55:30 +02:00			`]);`

			`// store markdown and metadata in data path`
			`file_put_contents(get_markdown_path($id), $content);`
			`file_put_contents(get_meta_path($id), $meta);`

			`echo $meta;`
			`}`

			`function handle_patch(): void {`
			`$info = get_patch_delete_info();`
			`$content = get_markdown_content();`
implemented plugin menu items 2023-08-11 19:01:10 +02:00			`if (!$info \|\| $content === null)`
finished basic backend 2023-08-11 17:55:30 +02:00			`return;`
			`[$id, $password] = $info;`
			`if (!check_password($id, $password))`
			`return;`

			`file_put_contents(get_markdown_path($id), $content);`
			`}`

			`function handle_delete(): void {`
			`$info = get_patch_delete_info();`
			`if (!$info)`
			`return;`
			`[$id, $password] = $info;`
			`if (!check_password($id, $password))`
			`return;`

			`// delete content and meta`
			`unlink(get_markdown_path($id));`
			`unlink(get_meta_path($id));`
			`}`

			`function check_password(string $id, string $password): bool {`
			`$meta = json_decode(file_get_contents(get_meta_path($id)), true);`
implemented plugin menu items 2023-08-11 19:01:10 +02:00			`if ($password != $meta["password"]) {`
finished basic backend 2023-08-11 17:55:30 +02:00			`http_response_code(401);`
			`echo "Unauthorized";`
			`return false;`
			`}`
			`return true;`
			`}`

			`function get_patch_delete_info(): ?array {`
			`parse_str($_SERVER["QUERY_STRING"], $query);`
			`$id = $query["id"];`
			`$password = $_SERVER["HTTP_PASSWORD"];`
			`if (!$id \|\| !$password) {`
			`http_response_code(400);`
			`echo "No id or password";`
			`return null;`
			`}`
			`return [$id, $password];`
			`}`

implemented plugin menu items 2023-08-11 19:01:10 +02:00			`function get_markdown_content(): ?string {`
finished basic backend 2023-08-11 17:55:30 +02:00			`$body = json_decode(file_get_contents("php://input"), true);`
implemented plugin menu items 2023-08-11 19:01:10 +02:00			`if (!array_key_exists("content", $body)) {`
finished basic backend 2023-08-11 17:55:30 +02:00			`http_response_code(400);`
			`echo "No content";`
implemented plugin menu items 2023-08-11 19:01:10 +02:00			`return null;`
finished basic backend 2023-08-11 17:55:30 +02:00			`}`
implemented plugin menu items 2023-08-11 19:01:10 +02:00			`return $body["content"];`
finished basic backend 2023-08-11 17:55:30 +02:00			`}`

implement POST 2023-08-10 19:47:55 +02:00			`function get_markdown_path(string $id): string {`
prevent directory traversal on server 2023-08-18 13:03:03 +02:00			`return get_id_base_path($id) . ".md";`
implement POST 2023-08-10 19:47:55 +02:00			`}`

			`function get_meta_path(string $id): string {`
prevent directory traversal on server 2023-08-18 13:03:03 +02:00			`return get_id_base_path($id) . ".json";`
implement POST 2023-08-10 19:47:55 +02:00			`}`

prevent directory traversal on server 2023-08-18 13:03:03 +02:00			`function get_id_base_path(string $id): string {`
			`// ensure id can't be used to traverse into other directories`
			`return dirname(getcwd()) . "/data/" . basename($id);`
implement POST 2023-08-10 19:47:55 +02:00			`}`