-rw-r--r--_test/cases/inc/pageutils_getID.test.php28
-rw-r--r--inc/auth.php2
-rw-r--r--inc/pageutils.php17
-rw-r--r--lib/exe/detail.php15
-rw-r--r--lib/exe/fetch.php2
5 files changed, 50 insertions, 14 deletions
diff --git a/_test/cases/inc/pageutils_getID.test.php b/_test/cases/inc/pageutils_getID.test.php
index 33ff12c79..e6ddb5e3b 100644
--- a/_test/cases/inc/pageutils_getID.test.php
+++ b/_test/cases/inc/pageutils_getID.test.php
@@ -12,16 +12,38 @@ class init_getID_test extends UnitTestCase {
function test1(){
global $conf;
$conf['basedir'] = '//';
- $conf['urlrewrite'] = 2;
+ $conf['userewrite'] = 2;
$conf['deaccent'] = 0; // the default (1) gives me strange exceptions
$_SERVER['SCRIPT_FILENAME'] = '/lib/exe/fetch.php';
$_SERVER['REQUEST_URI'] = '/lib/exe/fetch.php/myhdl-0.5dev1.tar.gz?id=snapshots&cache=cache';
- $this->assertEqual(getID($param='not_id'), 'myhdl-0.5dev1.tar.gz');
+ $this->assertEqual(getID('media'), 'myhdl-0.5dev1.tar.gz');
}
-}
+ /**
+ * getID with internal mediafile, urlrewrite=2, no basedir set, apache, mod_php
+ */
+ function test2(){
+ global $conf;
+ $conf['basedir'] = '';
+ $conf['userewrite'] = '2';
+ $conf['baseurl'] = '';
+ $conf['useslash'] = '1';
+ $_SERVER['DOCUMENT_ROOT'] = '/var/www/';
+ $_SERVER['HTTP_HOST'] = 'xerxes.my.home';
+ $_SERVER['SCRIPT_FILENAME'] = '/var/www/dokuwiki/lib/exe/detail.php';
+ $_SERVER['PHP_SELF'] = '/dokuwiki/lib/exe/detail.php/wiki/discussion/button-dw.png';
+ $_SERVER['REQUEST_URI'] = '/dokuwiki/lib/exe/detail.php/wiki/discussion/button-dw.png?id=test&debug=1';
+ $_SERVER['SCRIPT_NAME'] = '/dokuwiki/lib/exe/detail.php';
+ $_SERVER['PATH_INFO'] = '/wiki/discussion/button-dw.png';
+ $_SERVER['PATH_TRANSLATED'] = '/var/www/wiki/discussion/button-dw.png';
+
+ $this->assertEqual(getID('media',true), 'wiki:discussion:button-dw.png');
+ $this->assertEqual(getID('media',false), 'wiki/discussion/button-dw.png');
+ }
+}
+//Setup VIM: ex: et ts=4 enc=utf-8 :
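Review bot: Both tests depend on `$_REQUEST['media']` being empty, but neither sets that up, and the `$conf` and `$_SERVER` values written in test1 are still in place when test2 runs. A stray `media` request value or a different test order would change what `getID('media')` returns without any assertion explaining why. I would start each test with `unset($_REQUEST['media']);` and assign every `$conf` and `$_SERVER` key the test relies on, or move that reset into a `setUp()` method.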
diff --git a/inc/auth.php b/inc/auth.php
index 4db852d5c..76ce525cf 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -310,7 +310,7 @@ function auth_aclcheck($id,$user,$groups){
}
//check exact match first
- $matches = preg_grep('/^'.$id.'\s+('.$regexp.')\s+/',$AUTH_ACL);
+ $matches = preg_grep('/^'.preg_quote($id,'/').'\s+('.$regexp.')\s+/',$AUTH_ACL);
if(count($matches)){
foreach($matches as $match){
$match = preg_replace('/#.*$/','',$match); //ignore comments
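Review bot: Only `$id` is quoted in the exact-match pattern; `$regexp` is still interpolated raw on the same line, and how it is built is not visible in this hunk. If it is assembled from the user and group names, each name needs `preg_quote($name,'/')` before it is joined. Otherwise a name containing regex metacharacters can widen or break the ACL match in the same way the unquoted id could. auth_aclcheck continues outside the hunk, so any later `preg_grep` there that builds a pattern from the id or its namespace should be checked for the same gap.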
diff --git a/inc/pageutils.php b/inc/pageutils.php
index bf629c097..1dc66981d 100644
--- a/inc/pageutils.php
+++ b/inc/pageutils.php
@@ -13,19 +13,16 @@
* Uses either standard $_REQUEST variable or extracts it from
* the full request URI when userewrite is set to 2
*
- * For $param='id' $conf['start'] is returned if no id was found
- * and the returned ID will be cleaned. For other params the
- * cleaning has to be done outside this function
+ * For $param='id' $conf['start'] is returned if no id was found.
+ * If the second parameter is true (default) the ID is cleaned.
*
* @author Andreas Gohr <andi@splitbrain.org>
*/
-function getID($param='id'){
+function getID($param='id',$clean=true){
global $conf;
$id = $_REQUEST[$param];
- if($param == 'id') $id = cleanID($id);
-
//construct page id from request URI
if(empty($id) && $conf['userewrite'] == 2){
//get the script URL
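Review bot: The docblock does not tell callers that the result can now be raw request data. With `$clean=false` the function hands back `$_REQUEST[$param]`, or the URL-decoded path, without validation. I would add `@param string $param` and `@param bool $clean` lines plus a sentence such as `When $clean is false the returned value is unvalidated user input; the caller must clean it before using it as a page or media id.` The function body continues into the next hunk.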
@@ -52,10 +49,12 @@ function getID($param='id'){
$id = preg_replace ('/\?.*/','',$match[1]);
}
$id = urldecode($id);
- $id = cleanID($id);
+ //strip leading slashes
+ $id = preg_replace('!^/+!','',$id);
}
- if(empty($id) && $param=='id') $id = cleanID($conf['start']);
-
+ if(empty($id) && $param=='id') $id = $conf['start'];
+ if($clean) $id = cleanID($id);
+
return $id;
}
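Review bot: The leading-slash strip sits inside the `userewrite == 2` branch, so an uncleaned id taken straight from `$_REQUEST[$param]` keeps its leading slashes while one parsed from the request URI does not. Callers of `getID($param,false)` therefore get a differently shaped value depending on how the id was delivered. Unless that asymmetry is intended, moving `$id = preg_replace('!^/+!','',$id);` to just after the closing brace of that branch would normalise both paths. The start of getID is outside this hunk.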
diff --git a/lib/exe/detail.php b/lib/exe/detail.php
index 21a34d721..5d7de0119 100644
--- a/lib/exe/detail.php
+++ b/lib/exe/detail.php
@@ -14,6 +14,21 @@
$IMG = getID('media');
$ID = cleanID($_REQUEST['id']);
+ //FIXME remove me later
+ if($_REQUEST['debug']){
+ print '<pre>';
+ foreach(explode(' ','basedir userewrite baseurl useslash') as $x){
+ print '$'."conf['$x'] = '".$conf[$x]."';\n";
+ }
+ foreach(explode(' ','DOCUMENT_ROOT HTTP_HOST SCRIPT_FILENAME PHP_SELF '.
+ 'REQUEST_URI SCRIPT_NAME PATH_INFO PATH_TRANSLATED') as $x){
+ print '$'."_SERVER['$x'] = '".$_SERVER[$x]."';\n";
+ }
+ print "getID('media'): ".getID('media')."\n";
+ print "getID('media',false): ".getID('media',false)."\n";
+ print '</pre>';
+ }
+
$ERROR = false;
// check image permissions
$AUTH = auth_quickaclcheck($IMG);
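Review bot: The debug block is reachable by any visitor who adds `debug` to the request, and it runs before the `auth_quickaclcheck($IMG)` call below it. It prints `DOCUMENT_ROOT`, `SCRIPT_FILENAME` and `PATH_TRANSLATED`, which discloses server filesystem paths. It also echoes `PHP_SELF`, `REQUEST_URI`, `PATH_INFO` and `getID('media',false)` without HTML escaping, so request-controlled text is reflected into the page as markup. The block should be removed before release; while it stays, every printed value should go through `htmlspecialchars()`, and the block should ideally sit behind a configuration switch that defaults to off.

```php
    if($_REQUEST['debug']){
        // … unchanged: opening <pre> …
        foreach(explode(' ','basedir userewrite baseurl useslash') as $x){
            print '$'."conf['$x'] = '".htmlspecialchars($conf[$x])."';\n";
        }
        // … unchanged: foreach header listing the $_SERVER keys …
            print '$'."_SERVER['$x'] = '".htmlspecialchars($_SERVER[$x])."';\n";
        }
        print "getID('media'): ".htmlspecialchars(getID('media'))."\n";
        print "getID('media',false): ".htmlspecialchars(getID('media',false))."\n";
        // … unchanged: closing </pre> …
```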
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index 902d9248e..89c88090c 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -18,7 +18,7 @@
$mimetypes = getMimeTypes();
//get input
- $MEDIA = getID('media');
+ $MEDIA = getID('media',false); // no cleaning - maybe external
$CACHE = calc_cache($_REQUEST['cache']);
$WIDTH = $_REQUEST['w'];
$HEIGHT = $_REQUEST['h'];
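Review bot: `$MEDIA` is now unvalidated request input, and the hunk does not show where it is cleaned for the local-file case. The rest of fetch.php is not visible here, so this is a point to confirm: once the value is found not to be an external URL, it has to pass through `cleanID()` before the ACL check and before it is mapped to a file path. Otherwise path separators or `..` segments in the request could reach the filesystem lookup. I would make the comment say so, for example `// not cleaned here - may be an external URL; must be cleaned before any local ACL check or file access`.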