Security fix: unauthorized access (#10091)

* Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

* git mv html/includes/ includes/html
git mv html/pages/ includes/html/

includes/html/pages/device/stp.inc.php

@@ -0,0 +1,47 @@
+<?php
+
+$link_array = array(
+               'page'   => 'device',
+               'device' => $device['device_id'],
+               'tab'    => 'stp',
+              );
+
+print_optionbar_start();
+
+echo "<span style='font-weight: bold;'>STP</span> &#187; ";
+
+if (!$vars['view']) {
+    $vars['view'] = 'basic';
+}
+
+$menu_options['basic'] = 'Basic';
+$menu_options['ports'] = 'Ports';
+$sep = '';
+foreach ($menu_options as $option => $text) {
+    echo $sep;
+    if ($vars['view'] == $option) {
+        echo "<span class='pagemenu-selected'>";
+    }
+
+    echo generate_link($text, $link_array, array('view' => $option));
+    if ($vars['view'] == $option) {
+        echo '</span>';
+    }
+
+    $sep = ' | ';
+}
+
+unset($sep);
+
+print_optionbar_end();
+
+if ($vars['view'] == 'basic') {
+    include 'includes/html/print-stp.inc.php';
+}
+
+if ($vars['view'] == 'ports') {
+    include 'includes/html/common/stp-ports.inc.php';
+    echo implode('', $common_output);
+}
+
+$pagetitle[] = 'STP';