<?php
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

$file = $_POST['files'] ?? '';
$file = str_replace('\\', '/', $file);
$file = ltrim($file, '/');

if ($file === '' || str_contains($file, '..') || !str_ends_with($file, '.bz2')) {
    http_response_code(400);
    exit('Invalid file');
}

$base = realpath(__DIR__);
$path = realpath($base . DIRECTORY_SEPARATOR . $file);

if ($path === false || !str_starts_with($path, $base) || !is_file($path)) {
    http_response_code(404);
    exit('File not found');
}

header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
readfile($path);