From 7e4193689033fd0156d8eeba2041827b1cbb616f Mon Sep 17 00:00:00 2001
From: Bartosz Firyn
Date: Mon, 16 Sep 2013 18:53:44 +0200
Subject: [PATCH] Fix pico_editor when Pico installed within non-empty base_url
---
 pico_editor.php | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/pico_editor.php b/pico_editor.php
index 01f1f2b..6c8580c 100644
--- a/pico_editor.php
+++ b/pico_editor.php
@@ -63,6 +63,7 @@ public function before_render(&$twig_vars, &$twig)
 		if(isset($_POST['password'])){
 			if(sha1($_POST['password']) == $this->password){
 				$_SESSION['pico_logged_in'] = true;
+				$_SESSION['pico_config'] = $twig_vars['config'];
 			} else {
 				$twig_vars['login_error'] = 'Invalid password.';
 				echo $twig_editor->render('login.html', $twig_vars); // Render login.html
@@ -78,7 +79,27 @@ public function before_render(&$twig_vars, &$twig)
 			exit; // Don't continue to render template
 		}
 	}
-
+
+	/**
+	 * Returns real file name to be edited.
+	 *
+	 * @param string $file_url the file URL to be edited
+	 * @return string
+	 */
+	private static function get_real_filename($file_url) {
+
+		$file_components = parse_url($file_url); // inner
+		$base_components = parse_url($_SESSION['pico_config']['base_url']);
+		$file_path = rtrim($file_components['path'], '/');
+		$base_path = rtrim($base_components['path'], '/');
+
+		if (empty($file_path) || $file_path === $base_path) {
+			return 'index';
+		} else {
+			return basename(strip_tags($file_path));
+		}
+	}
+
 	private function do_new()
 	{
 		if(!isset($_SESSION['pico_logged_in']) || !$_SESSION['pico_logged_in']) die(json_encode(array('error' => 'Error: Unathorized')));
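Review bot: The added line `$_SESSION['pico_config'] = $twig_vars['config'];` stores the entire config array in the session although the only value read back (in `get_real_filename`, later in this patch) is `base_url`; narrowing it to `$_SESSION['pico_config'] = array('base_url' => $twig_vars['config']['base_url']);` keeps whatever else that array holds out of session storage and makes the dependency explicit. The snapshot is also taken only at successful login, so sessions that were already authenticated before this deploy, and any later change to `base_url`, leave `$_SESSION['pico_config']` missing or stale until the user logs in again; a comment such as `// base_url is needed by get_real_filename(); refreshed only on login` would at least record that. The context line above, `sha1($_POST['password']) == $this->password`, is untouched by this commit, but it is a loose comparison of two hash strings and `===` (or `hash_equals` where available) would be the stronger check. `before_render` begins outside this hunk.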
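Review bot: `get_real_filename` indexes `$_SESSION['pico_config']['base_url']`, `$file_components['path']` and `$base_components['path']` without checking that they exist; `parse_url()` omits `path` for inputs such as `http://host` or `?x=1` and returns `false` for seriously malformed input, and the session key is only written at login by this same commit, so an already-authenticated session or a POSTed `file` value without a path produces undefined-index notices and feeds `null`/`false` into `rtrim()`. Guarding each lookup with `isset()` and falling back to an empty path removes the notices while leaving the existing `'index'` / `basename()` decision unchanged, as sketched below. The docblock's "real file name" overstates what comes back: it is the last path segment with any subdirectory dropped and without `CONTENT_EXT`, so `@return string the content file name without directory or extension` would be more accurate, and the `// inner` comment on the first statement explains nothing and could go.
```php
	private static function get_real_filename($file_url) {
		$file_components = parse_url($file_url);
		$base_url = isset($_SESSION['pico_config']['base_url']) ? $_SESSION['pico_config']['base_url'] : '';
		$base_components = parse_url($base_url);
		// parse_url() returns false on malformed input and omits 'path' when the URL has none
		$file_path = (is_array($file_components) && isset($file_components['path'])) ? rtrim($file_components['path'], '/') : '';
		$base_path = (is_array($base_components) && isset($base_components['path'])) ? rtrim($base_components['path'], '/') : '';
		// … unchanged: 'index' / basename(strip_tags(...)) decision …
```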
@@ -111,7 +132,7 @@ private function do_open()
 	{
 		if(!isset($_SESSION['pico_logged_in']) || !$_SESSION['pico_logged_in']) die(json_encode(array('error' => 'Error: Unathorized')));
 		$file_url = isset($_POST['file']) && $_POST['file'] ? $_POST['file'] : '';
-		$file = basename(strip_tags($file_url));
+		$file = self::get_real_filename($file_url);
 		if(!$file) die('Error: Invalid file');
 		$file .= CONTENT_EXT;
@@ -123,7 +144,7 @@ private function do_save()
 	{
 		if(!isset($_SESSION['pico_logged_in']) || !$_SESSION['pico_logged_in']) die(json_encode(array('error' => 'Error: Unathorized')));
 		$file_url = isset($_POST['file']) && $_POST['file'] ? $_POST['file'] : '';
-		$file = basename(strip_tags($file_url));
+		$file = self::get_real_filename($file_url);
 		if(!$file) die('Error: Invalid file');
 		$content = isset($_POST['content']) && $_POST['content'] ? $_POST['content'] : '';
 		if(!$content) die('Error: Invalid content');
@@ -137,7 +158,7 @@ private function do_delete()
 	{
 		if(!isset($_SESSION['pico_logged_in']) || !$_SESSION['pico_logged_in']) die(json_encode(array('error' => 'Error: Unathorized')));
 		$file_url = isset($_POST['file']) && $_POST['file'] ? $_POST['file'] : '';
-		$file = basename(strip_tags($file_url));
+		$file = self::get_real_filename($file_url);
 		if(!$file) die('Error: Invalid file');
 		$file .= CONTENT_EXT;
@@ -171,4 +192,4 @@ private function slugify($text)
 	}
-?>
\ No newline at end of file
+?>
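Review bot: After the new `$file = self::get_real_filename($file_url);` in `do_open`, the following `if(!$file) die('Error: Invalid file');` can no longer fire, because the helper maps an empty path to `'index'` and `basename()` of a non-empty path is non-empty, so a request with `file` missing or blank (`$file_url = ''`) is no longer rejected but resolves to `index` . `CONTENT_EXT`. The identical replacement in `do_save` and `do_delete` below has the same effect, and there it means a POST to the save or delete action without a `file` parameter now overwrites or removes the index content file instead of failing. Rejecting the blank input before the lookup, `if($file_url === '') die('Error: Invalid file');`, restores the previous refusal while keeping the base_url-to-index mapping for real URLs. The bodies of all three methods continue past their hunks.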