Diffstat (limited to 'inc')
-rw-r--r--inc/auth.php2
-rw-r--r--inc/pageutils.php17
2 files changed, 9 insertions, 10 deletions
diff --git a/inc/auth.php b/inc/auth.php
index 4db852d5c..76ce525cf 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -310,7 +310,7 @@ function auth_aclcheck($id,$user,$groups){
}
//check exact match first
- $matches = preg_grep('/^'.$id.'\s+('.$regexp.')\s+/',$AUTH_ACL);
+ $matches = preg_grep('/^'.preg_quote($id,'/').'\s+('.$regexp.')\s+/',$AUTH_ACL);
if(count($matches)){
foreach($matches as $match){
$match = preg_replace('/#.*$/','',$match); //ignore comments
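Review bot: `$regexp` is still concatenated into the pattern unquoted on the changed line, so only the `$id` half of the expression is protected from regex metacharacters. It is built outside this hunk; if it is joined from user and group names, each name should pass through `preg_quote($name,'/')` before the join, otherwise a name containing `|`, `.` or `(` could match ACL lines it should not. Any other `preg_grep` in auth_aclcheck that builds a pattern from the id or its namespace would need the same quoting. The function body starts and ends outside the hunk.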
diff --git a/inc/pageutils.php b/inc/pageutils.php
index bf629c097..1dc66981d 100644
--- a/inc/pageutils.php
+++ b/inc/pageutils.php
@@ -13,19 +13,16 @@
* Uses either standard $_REQUEST variable or extracts it from
* the full request URI when userewrite is set to 2
*
- * For $param='id' $conf['start'] is returned if no id was found
- * and the returned ID will be cleaned. For other params the
- * cleaning has to be done outside this function
+ * For $param='id' $conf['start'] is returned if no id was found.
+ * If the second parameter is true (default) the ID is cleaned.
*
* @author Andreas Gohr <andi@splitbrain.org>
*/
-function getID($param='id'){
+function getID($param='id',$clean=true){
global $conf;
$id = $_REQUEST[$param];
- if($param == 'id') $id = cleanID($id);
-
//construct page id from request URI
if(empty($id) && $conf['userewrite'] == 2){
//get the script URL
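Review bot: The new default `$clean=true` cleans the value for every `$param`, whereas the removed doc lines said other parameters had to be cleaned outside this function, so an existing caller that passes another parameter name and expects the raw `$_REQUEST` value now gets a different result. The docblock should say so and document the argument, for example `@param bool $clean  if true (default) the value is run through cleanID() whatever $param is`. It is also worth one line stating that with `$clean=false` the return value is unmodified request input. getID's body continues outside this hunk.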
@@ -52,10 +49,12 @@ function getID($param='id'){
$id = preg_replace ('/\?.*/','',$match[1]);
}
$id = urldecode($id);
- $id = cleanID($id);
+ //strip leading slashes
+ $id = preg_replace('!^/+!','',$id);
}
- if(empty($id) && $param=='id') $id = cleanID($conf['start']);
-
+ if(empty($id) && $param=='id') $id = $conf['start'];
+ if($clean) $id = cleanID($id);
+
return $id;
}
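Review bot: With `$clean` false, the rewrite branch returns a urldecoded value taken from the request URI with only leading slashes removed, so `..` segments and any other characters cleanID() would normalise are passed back to the caller. Nothing near the `return` says this, so I would add a comment above `if($clean) $id = cleanID($id);` such as `//callers passing $clean=false must run cleanID() before using the id in a file path or an ACL check`. The start of getID is outside this hunk.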