// login.php
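<?php

// file for passwords: must define $secret_password as a string (kept outside the web root).
// If that file ever stores a password_hash() result instead, switch the comparison below to password_verify().
include "/var/www/secrets/secrets--tools-app.php";
if (!isset($secret_password) || !is_string($secret_password)) die("error: missing a secrets.php file!");

// session variable for login/logout from login/logout form
// (cookie flags such as session.cookie_httponly / session.cookie_samesite belong in php.ini,
//  where they apply to every page that calls session_start(), not just this one)
session_start();

// one anti-CSRF token per session: the form below carries it and the handler requires it
if (empty($_SESSION["csrf"]) || !is_string($_SESSION["csrf"])) {
    $_SESSION["csrf"] = bin2hex(random_bytes(32));
}

// only a POSTed form changes login state; $_REQUEST would also accept ?submit=logout in a plain link
$submit  = $_POST["submit"] ?? "";
$token   = $_POST["csrf"] ?? "";
$csrf_ok = is_string($token) && hash_equals($_SESSION["csrf"], $token);

if ($csrf_ok && $submit === "login") {
    $passwd = $_POST["passwd"] ?? "";
    // hash_equals(): constant-time string comparison, and none of the loose-comparison type juggling of "=="
    if (is_string($passwd) && hash_equals($secret_password, $passwd)) {
        session_regenerate_id(true); // fresh id on privilege change (session fixation)
        $_SESSION["loggedin"] = true;
    }
    // a wrong password is deliberately silent, as before
}
if ($csrf_ok && $submit === "logout") {
    $_SESSION["loggedin"] = false;
    session_regenerate_id(true);
}

?>
<!doctype html>
<title>login</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8">

<!-- login/logout form -->
Status: <?= !empty($_SESSION["loggedin"]) ? "logged in" : "logged out" ?>
<form action="" method="post">
    <input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION["csrf"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8") ?>">
    <input type="text" name="tools_app_user_name">
    <input type="password" name="passwd" size="7"> <br>
    <input type="submit" value="login" name="submit">
    <input type="submit" value="logout" name="submit">
</form>// end of : login.php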


// protected.php
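<?php session_start();
// auth gate: deny unless login.php set the flag; empty() also covers a fresh session that has no such key
if (empty($_SESSION["loggedin"])) { http_response_code(403); die("error: you aren't authorized!\n"); } ?>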

content// end of : protected.php


// shell.php
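<?php session_start();
// auth gate: deny unless login.php set the flag; empty() also covers a fresh session that has no such key
if (empty($_SESSION["loggedin"])) { http_response_code(403); die("error: you aren't authorized!\n"); } ?>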
<!doctype html>
<title>shell</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8">
<form action="" method="post">
    <input name="input">
</form>
<?php
// per-session shell state: the working directory and the accumulated (already HTML-escaped) output
$_SESSION["cwd"]    ??= getcwd();
$_SESSION["screen"] ??= "";
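/**
 * Run $command through the shell from the session's working directory and return its output.
 *
 * " ; pwd" is appended so the directory in effect after the command (e.g. after "cd x")
 * can be stored back into $_SESSION["cwd"] for the next call.
 *
 * @param string $command shell command line, handed to exec() unmodified
 * @return string stdout lines of the command joined with "\n", with a trailing "\n"
 */
function my_exec(string $command): string
{
    $exec_output = [];
    // a stale/removed directory must not abort the call; fall back to the process cwd
    if (is_dir($_SESSION["cwd"])) {
        chdir($_SESSION["cwd"]);
    }
    exec($command . " ; pwd", $exec_output);
    // the last line is pwd's output unless the command ended the shell early;
    // only adopt it as the new cwd when it really is a directory, else give the line back
    $last = array_pop($exec_output);
    if (is_string($last) && is_dir($last)) {
        $_SESSION["cwd"] = $last;
    } elseif ($last !== null) {
        $exec_output[] = $last;
    }
    return implode("\n", $exec_output) . "\n";
}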
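// only the POSTed form runs anything; a GET link must not
// (with a SameSite session cookie, a cross-site POST also arrives without the session)
$input = $_POST["input"] ?? "";
if (!is_string($input)) $input = "";

if ($input === "clear") {
    $_SESSION["screen"] = "";
} elseif ($input !== "") {
    // newest entry first; everything stored in "screen" is already HTML-escaped
    $_SESSION["screen"] =
        htmlspecialchars("input: [[ $input ]]" . " cwd: " . $_SESSION["cwd"] . "\n") .
        htmlspecialchars(my_exec($input)) . "<hr>" .
        $_SESSION["screen"];
}
echo "cwd: " . htmlspecialchars($_SESSION["cwd"]) . " <br>\n";
echo "<hr><pre>\n" . $_SESSION["screen"] . "</pre>\n";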
?>// end of : shell.php


// upload.php
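<?php session_start();
// auth gate: deny unless login.php set the flag; empty() also covers a fresh session that has no such key
if (empty($_SESSION["loggedin"])) { http_response_code(403); die("error: you aren't authorized!\n"); } ?>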
<!doctype html>
<title>upload</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8">
<form action="" method="post" enctype="multipart/form-data">
    <input type="file" name="file">
    <input type="submit" name="upload" value="Upload!">
</form>

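<?php

// $_FILES is only populated by a multipart POST; a plain GET of this page just shows the form
$name = "";
if (isset($_FILES["file"]) && is_array($_FILES["file"])) {
    // the dump contains the client-supplied file name, so it is escaped like any other untrusted output
    print(htmlspecialchars(print_r($_FILES, true), ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8"));
    print("<br>\n");

    $upload = $_FILES["file"];
    if ($upload["error"] !== UPLOAD_ERR_OK) {
        // PHP-side failure (size limit, partial upload, no file, ...): nothing to move
        print("upload error code " . (int) $upload["error"] . "<br>\n");
    } else {
        $temp = $upload["tmp_name"];
        // keep only the last path segment so the stored file cannot leave the working directory
        $name = basename((string) $upload["name"]);
        if ($name === "" || $name === "." || $name === "..") {
            print("invalid file name<br>\n");
            $name = "";
        } elseif (!move_uploaded_file($temp, $name)) {
            // destination is the script's working directory (normally the directory this page is served from)
            print("move_uploaded_file() error<br>\n");
        }
    }
}
?>
<img src="<?= htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8") ?>">// end of : upload.php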


// text-edit.php
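<?php session_start();
// auth gate: deny unless login.php set the flag; empty() also covers a fresh session that has no such key
if (empty($_SESSION["loggedin"])) { http_response_code(403); die("error: you aren't authorized!\n"); } ?>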
<!doctype html>
<title>editor</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta charset="utf-8">

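<?php
// the path comes from the "open" link (?filename=...) and is absent on the first visit
$filename = $_REQUEST['filename'] ?? '';
if (!is_string($filename)) $filename = '';

// writes only from the POSTed form: a ?file_content=... link must not save anything
if ($filename !== '' && isset($_POST['file_content']) && is_string($_POST['file_content'])) {
    if (file_put_contents($filename, $_POST['file_content']) === false) {
        echo "save failed<br>\n";
    }
}

// current contents, or empty for a new / missing / unreadable path instead of a warning
$current = ($filename !== '' && is_file($filename)) ? (string) file_get_contents($filename) : '';
?>

<form method="post" onsubmit="sync_to_send()">
    <input type="submit" value="save"> <input value="<?= htmlentities($filename) ?>" id="filename">
    <!-- encodeURIComponent: names containing &, # or % would otherwise break the query string -->
    <button onclick="setTimeout(()=>location='?filename='+encodeURIComponent(filename.value))">open</button> <br>

    <div contenteditable id="file_content" style="white-space: pre; overflow: scroll; border: 1px solid black; min-height: 100px;"><?= htmlentities($current) ?></div>
    <textarea hidden name="file_content" id="textarea_to_send"></textarea>
    <script>
        function sync_to_send() {
            textarea_to_send.textContent = file_content.innerText
        }
    </script>

</form>// end of : text-edit.php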


// code.php
<?php

// allow-list of file names this page may read (kept deliberately short for safety)
// order here is also the display order of the index view below
$valid_filenames = ["login.php", "protected.php", "shell.php", "upload.php", "text-edit.php", "code.php"];

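$filename = $_REQUEST["filename"] ?? ""; // from expose() <a> link tag; absent on the index view
if (is_string($filename) && in_array($filename, $valid_filenames, true)) {

    // $filename is code-injection safe: strict (===) match against the allow-list above

    // as plain text; nosniff keeps browsers from rendering the source as HTML
    header("Content-Type: text/plain; charset=utf-8");
    header("X-Content-Type-Options: nosniff");
    echo file_get_contents($filename);
} else {

    // as HTML text
    /**
     * Print one allow-listed file as escaped source with a link to its plain-text view.
     *
     * @param string $filename entry of $valid_filenames (the only caller iterates that list);
     *                         escaped anyway so the link stays well-formed whatever the list holds
     */
    function expose($filename)
    {
        $shown = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
        echo "// <a href='?filename=$shown' >$shown</a>\n";
        echo htmlspecialchars(file_get_contents($filename));
        echo "// end of : $shown\n\n\n";
    }

    echo "<pre>";
    foreach ($valid_filenames as $filename) {
        // $filename is code-injection safe (being taken from $valid_filenames)
        expose($filename);
    }
    echo "</pre>";
}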
// end of : code.php